Let's Encrypt

PDNS Manager lets you obtain certificates from the fully automated CA Let's Encrypt, or from any other ACME-compliant CA, by using the dehydrated client in combination with the PDNS Manager API.

This tutorial guides you through the setup step by step. Parts of it overlap with the API tutorial; it assumes that you already have PDNS Manager up and running.

Getting required components

The software depends on the following tools: openssl, jq, curl and git.

On Debian you can get those using:

sudo apt-get install openssl jq curl git

Afterwards, change into the directory where you want the tools located and clone the following repositories.

git clone https://github.com/loewexy/pdns-client
git clone https://github.com/loewexy/pdns-acme
git clone https://github.com/lukas2511/dehydrated

Configure pdns-client

Then change to the pdns-client directory, generate a keypair and print the public key:

cd pdns-client
./pdns-keygen
cat pdns.public.pem

Copy the generated public key to your clipboard.

In the next step, open a browser and log in to your PDNS Manager instance. Add a record to your domain with the name _acme-challenge.<yourdomain>, type TXT and content none. Use a priority of 0 and a TTL of 60. The low TTL keeps resolvers from caching a stale value once the hook script replaces the placeholder content with the challenge token.

Afterwards, click on the share icon, which is the last icon in the record's row. Click on Add Key. Enter a description such as ACME and paste the public key from your clipboard into the field. Confirm with Add. Note the ID of the permission you have just added, which is displayed in the table on the left; you will need it in the next step.

Configure pdns-acme

Change to the directory of pdns-acme and copy the example config.

cd ../pdns-acme
cp pdns-acme.json.example pdns-acme.json

Open pdns-acme.json with an editor of your choice. In the config section, set server to the URL of your PDNS Manager installation and adjust the deploy-wait value. deploy-wait determines how long the script waits after updating the record for the DNS servers to serve the new value before validation proceeds. The right value depends on your nameserver setup; the default of 300 should be fine for most setups. After these changes the section looks like this:

"config": {
    "server": "https://<yourdomain>/",
    "pdns-client": "../pdns-client/pdns-client",
    "deploy-wait": 300
}

Now look at the example domain entries. They show how to add hook commands that run after a new certificate has been deployed, such as restarting Apache. You can give none, one or several commands in an array. Set the id property to the permission ID you noted earlier and adjust the domain name to your setup. Remove the remaining example domain entries.

Configure dehydrated

Change to the directory of dehydrated.

cd ../dehydrated

Create a file named config with the following content.

# Make dehydrated use the dns-01 challenge
CHALLENGETYPE="dns-01"

# Supply the path to the pdns-acme hook script
HOOK=${BASEDIR}/../pdns-acme/pdns-acme

Next, create the domains.txt file. It tells dehydrated which certificates to generate and submit for signing. The file looks as follows:

example.com www.example.com
cloud.example.com

Each line stands for one certificate: the first domain on the line becomes the common name of the certificate, and all other domains become subject alternative names.
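With the dns-01 challenge, every name listed in domains.txt needs its own _acme-challenge TXT record in PDNS Manager (and an API key permission for it), so it pays to derive that list from the file before the first run. The following script is an added example and not part of dehydrated, pdns-acme or PDNS Manager: it parses domains.txt in the one-certificate-per-line form described above, rejects malformed hostnames, flags names requested by more than one certificate, and prints the TXT record names to create. Treating blank lines and lines beginning with # as comments, and mapping a wildcard name to the TXT record of its base domain as ACME specifies, are assumptions that go beyond what this page states.

```python
"""Added example (not part of the dehydrated, pdns-acme or PDNS Manager
projects): parse a dehydrated domains.txt file and derive the _acme-challenge
TXT records that the dns-01 challenge will need."""
import re
from typing import Dict, List, Tuple

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_hostname(name: str, lineno: int) -> None:
    """Raise ValueError for names that cannot be put into a certificate."""
    labels = name.lower().split(".")
    # Assumption: a leading wildcard label is accepted (ACME allows it for dns-01).
    if labels[0] == "*":
        labels = labels[1:]
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"line {lineno}: invalid hostname {name!r}")


def parse_domains_txt(text: str) -> List[Tuple[str, List[str]]]:
    """Return one (common_name, alternative_names) tuple per certificate line.

    Assumption: blank lines and lines starting with '#' are skipped; the page
    itself only describes the plain one-certificate-per-line form.
    """
    certs: List[Tuple[str, List[str]]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names = line.split()
        for name in names:
            validate_hostname(name, lineno)
        certs.append((names[0], names[1:]))
    return certs


def challenge_records(certs: List[Tuple[str, List[str]]]) -> List[str]:
    """Every name on every line needs its own _acme-challenge TXT record.

    A wildcard name is validated through the record of its base domain
    (*.example.com -> _acme-challenge.example.com), so the '*.' is dropped.
    """
    seen = set()
    records: List[str] = []
    for cn, sans in certs:
        for name in [cn] + sans:
            base = name.lower()
            if base.startswith("*."):
                base = base[2:]
            record = f"_acme-challenge.{base}"
            if record not in seen:
                seen.add(record)
                records.append(record)
    return records


def find_duplicate_names(certs: List[Tuple[str, List[str]]]) -> List[str]:
    """Names requested by more than one certificate line, usually a copy and
    paste mistake that triggers needless issuance and eats into rate limits."""
    counts: Dict[str, int] = {}
    for cn, sans in certs:
        for name in [cn] + sans:
            key = name.lower()
            counts[key] = counts.get(key, 0) + 1
    return sorted(name for name, count in counts.items() if count > 1)


# Constructed sample input mirroring the domains.txt shown in the tutorial.
SAMPLE = """\
example.com www.example.com
cloud.example.com
"""

if __name__ == "__main__":
    parsed = parse_domains_txt(SAMPLE)
    for cn, sans in parsed:
        print(f"certificate CN={cn} SAN={sans}")
    if find_duplicate_names(parsed):
        print("warning: duplicate names:", find_duplicate_names(parsed))
    print("TXT records to create in PDNS Manager (type TXT, TTL 60):")
    for record in challenge_records(parsed):
        print("  ", record)
```

Run it against your own file with a small wrapper that reads domains.txt into parse_domains_txt; each printed record name corresponds to one record you add (and share a key for) in PDNS Manager before running dehydrated.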

Afterwards, run dehydrated to check whether everything works as expected, or, if not, open an issue on GitHub.

./dehydrated -c

If everything is okay, you can find your new certificate in the certs directory.

Automate renewal

For automatic renewal of your certificates, add an entry to /etc/crontab as follows (adjust the path to wherever you cloned dehydrated):

0 2     * * *   root    /root/dehydrated/dehydrated -c