Over the past few months I’ve been gradually rolling out TLS to the various domains and services that I run for myself and clients using the free certificate service LetsEncrypt. In order to request a certificate, you have to prove that you own or control the host in question by making a change.
Initially I proved host ownership by uploading files with specific content to locations requested by the LetsEncrypt client software. Whilst this worked, it wasn’t ideal for two reasons:
- I had to create Apache virtual hosts for hosts which would never serve up websites, such as my IMAP server.
- Adding arbitrary files became messy when I was using a content management system like WordPress, which expects to control all the content.
Fortunately, LetsEncrypt also supports proving host ownership via the upload of DNS records, and letsencrypt.sh is a helpful script which manages most of the process for you. In order to complete the process, I had to write an additional hook script which would take data from letsencrypt.sh and produce the relevant records for my provider’s DNS software, djbdns, as well as checking that those records exist before continuing.
I released the hook script as free software as that’s my default action for anything which I have developed for my own use, and you can get it from the descriptively-named letsencrypt.sh-djbdns repository on GitHub. I’ve already merged one pull request which fixed an edge-case bug and I’m open to patches or suggestions for improvements.