Validation Methods¶
Let’s Encrypt can validate by checking the contents of a TXT record in DNS, or by fetching a file in a known location from a web server running on the hostname it is validating.
nsupdate¶
The nsupdate method uses RFC2136 style DNS updates to populate a TXT record
in DNS to validate ownership of the domain.
We recommend using this method as it does not require external inbound access, so it can be used for internal systems that do not allow or cannot receive Internet traffic.
Before starting, an appropriate DNS key and settings must be in place in the DNS
infrastructure for the domain to allow the host to update a TXT DNS record for
_acme-challenge.<domain name>.
To use this method:
Add an entry to the Domain SAN list
Mode: Enabled
Enter domain name (e.g.
myhost.example.com)Set Method to DNS-NSupdate / RFC 2136
Click + to expand the method-specific settings
Fill in the info
- Server
The IP address or hostname of the DNS server to which the updates are sent.
- Key Name
The name of the update key. Leave blank unless it is different than
_acme-challenge.<domain name>.- Key Algorithm
The algorithm used for the key
- Key
The update key for this record
Ensure the other options are set properly, per Create a certificate.
Click Save
Click Issue/Renew
DNS-Manual¶
The manual DNS method can be utilized when a firewall cannot receive inbound traffic and it does not have access to any automatic DNS-based method.
The manual in the name indicates that the process must be performed by hand both initially and when it is time to renew the certificate. The firewall obtains the authorization value and then the TXT record must be manually created or updated with this value.
We do not recommend using this method unless no other method is available.
To use this method:
Add an entry to the Domain SAN list
Mode: Enabled
Enter domain name (e.g.
myhost.example.com)Set Method to DNS-Manual
Click Save
Click Issue
Locate the record info in the output:
[Mon Feb 6 14:49:23 EST 2017] Add the following TXT record: [Mon Feb 6 14:49:23 EST 2017] Domain: '_acme-challenge.www.example.com' [Mon Feb 6 14:49:23 EST 2017] TXT value: 'xPrykHSri5epT5yrJJWyY536Z1T51r_Ef4LkWJry-iw' [Mon Feb 6 14:49:23 EST 2017] Please be aware that you prepend _acme-challenge. before your domain [Mon Feb 6 14:49:23 EST 2017] so the resulting subdomain will be: _acme-challenge.www.example.com [Mon Feb 6 14:49:23 EST 2017] Please add the TXT records to the domains, and retry again.
Add or update the TXT record in the domain’s DNS server for
_acme-challenge.<domain name>with the TXT value from the outputWait approximately 2 minutes, or longer, for DNS to propagate
Click Renew
Namecheap API¶
For certain accounts with Namecheap, API access may be obtained that allows remote manipulation of DNS records. This can be used with the ACME package to validate certificates for domains with DNS hosted at Namecheap using their BasicDNS servers. This requires ACME package version 0.5.1 or later.
Warning
The Namecheap DNS API requires that the client read all records and then write them all back when making any change. This is potentially dangerous. Take a backup of all DNS records on the domain before attempting to use the API.
The first step is to request API access:
Login to a Namecheap account
Navigate to Profile > Tools under the account
Look for Namecheap API Access under Business & Dev Tools
If the status does not say On, then click Manage and change the slider to On.
Note
API access must be approved by Namecheap. There are qualifications to meet, such as a specific number of domains or a balance on the account. Check the Namecheap API documentation for more information. The process is documented as taking 2 days, but may take longer. If API access is not enabled after several days, contact Namecheap support.
Once the API is enabled, then perform the following steps:
Login to a Namecheap account
Navigate to Profile > Tools under the account
Look for Namecheap API Access under Business & Dev Tools
Click Manage
Note the API key for use in the ACME package
Click Edit and add whitelisted IP addresses that can contact the API using this API key.
Now setup the account in the ACME package:
Add an entry to the Domain SAN list
Mode: Enabled
Enter domain name (e.g.
myhost.example.com)Set Method to DNS-Namecheap
Click + to expand the method-specific settings
Fill in the info
- API Key
The API Key displayed in the Namecheap API Access manager, as described previously.
- Username
The Namecheap account username associated with the API Key.
Ensure the other options are set properly, per Create a certificate.
Click Save
Click Issue/Renew
Other DNS Methods¶
The package contains several additional DNS-based methods for other providers. These work similar to the nsupdate method above, but have configuration values specific to each provider. Contact the DNS provider or server administrator to obtain the necessary settings or credentials.
FTP Webroot¶
The FTP webroot method is useful when the firewall is performing NAT (port forward or 1:1) or reverse proxy duty for handling traffic for the domain. The firewall can use SFTP or FTPS to store the domain validation files on a web server behind the firewall so it does not have to host the files itself.
We recommend using this method when no DNS update method is available for use by the firewall.
To use this method:
Add an entry to the Domain SAN list
Mode: Enabled
Enter domain name (e.g.
myhost.example.com)Set Method to webroot FTP
Click + to expand the method-specific settings
Fill in the required info:
- Server
The server where the package will send the challenge response files, e.g.
sftp://x.x.x.xNote
This method supports supports
sftp://andftps://servers.- Username/password
Credentials for the SFTP/FTPS account
- Folder
Full path to the target directory including
/.well-known/acme-challengeat the endWarning
Make sure the specified user has write permissions to the directory!
Click Save
Click Issue/Renew
Webroot Local Folder¶
This method works similar to FTP Webroot but with the files hosted on the firewall itself. This method cannot be utilized by the WebGUI web server as that would mean exposing the GUI to the Internet, which is a major security issue.
This method can, however, be used in conjunction with the HAProxy package to host the files on the firewall itself in some circumstances. See https://forum.netgate.com/post/677786 for details.
Standalone¶
The Standalone method runs a small web server natively that is active only while the validation process is running.
Warning
This service must be accessible using port 80 for security reasons!
If the firewall is using port 80 for another service, such as the WebGUI, then this method may not be viable. If the service on the port is public, then it cannot be used. If the service is private, then it may be possible to relocate the existing service or bind the update method to an alternate port, then port forward on the WAN interface. The standalone binding should only be changed if the port is forwarded via NAT to a different port (e.g. 80 forwarded to 8080)
A firewall rule must allow traffic to the target port at all times, it cannot be
automatically enabled and disabled in the current package. If port 80 is used by
the standalone service, the WebGUI redirect must be disabled on System >
Advanced using the Disable webConfigurator redirect rule option. If the
redirect is active when standalone mode attempts to use the port, it will print
an error message stating that socat is unable to bind to the port.
Warning
We do not recommend using this method as it exposes a service on the firewall to the Internet. Only use this method if no other method is available.
To use this method:
Add an entry to the Domain SAN list
Mode: Enabled
Enter domain name (e.g.
myhost.example.com)Set Method to standalone HTTP server
Click + to expand the method-specific settings
Fill in the port number when using a non-default port
If the domain name for the firewall has both an A and AAAA DNS record, check Bind to IPv6 instead of IPv4 so that validation can occur over IPv6.
Click Save
Click Issue/Renew