@Gro-Tsen
Created November 20, 2024 21:44
Commands I used to get a wildcard certificate from letsencrypt under Debian
## Prepare certbot user and dynamic update key:
sudo adduser --system --group --home /var/lib/letsencrypt --shell /usr/sbin/nologin certbot
/usr/sbin/tsig-keygen -a HMAC-SHA256 certbotkey | sudo sh -c 'umask 077 ; cat > /etc/bind/certbotkeys.conf'
sudo chown root:bind /etc/bind/certbotkeys.conf
sudo chmod g+r /etc/bind/certbotkeys.conf
sudo setfacl -m 'u:certbot:r--' /etc/bind/certbotkeys.conf
## Insert the following stanzas in /etc/bind/named.conf.local:
# include "/etc/bind/certbotkeys.conf";
# zone "_acme-challenge.example.net" {
#     type master;
#     file "/var/cache/bind/acme-challenge.example.net.zone";
#     check-names warn;
#     allow-update { key "certbotkey"; };
#     serial-update-method date;
# };
# zone "_acme-challenge.example.org" {
#     type master;
#     file "/var/cache/bind/acme-challenge.example.org.zone";
#     check-names warn;
#     allow-update { key "certbotkey"; };
#     serial-update-method date;
# };
## Also include in the example.net zone file(s) something like this:
# _acme-challenge NS dns-server-machine.example.net.
## Create initial zone files:
for domain in example.net example.org ; do
    echo "_acme-challenge.${domain}. 60 IN SOA dns-server-machine.example.net. admin.example.net. 2024112000 900 300 604800 300" | sudo -u bind sh -c "cat > /var/cache/bind/acme-challenge.${domain}.zone"
    echo "_acme-challenge.${domain}. 60 IN NS dns-server-machine.example.net." | sudo -u bind sh -c "cat >> /var/cache/bind/acme-challenge.${domain}.zone"
done
## And reload bind9:
sudo systemctl reload bind9
## Check with nsupdate whether it can make updates to _acme-challenge.example.net
## before going forward:
## (the nsupdate commands are fed on standard input; -v sends them over TCP)
sudo -u certbot nsupdate -k /etc/bind/certbotkeys.conf -v << '__EOF__'
server dns-server-machine.example.net.
zone _acme-challenge.example.net.
update add test._acme-challenge.example.net. 60 TXT "foobar"
send
update del test._acme-challenge.example.net.
send
quit
__EOF__
## Install certbot:
sudo apt-get install certbot python3-certbot-dns-rfc2136
sudo mkdir /var/log/letsencrypt
sudo chown certbot /etc/letsencrypt /var/log/letsencrypt /var/lib/letsencrypt
sudo mkdir -p /etc/letsencrypt/renewal-hooks/post /etc/letsencrypt/renewal-hooks/pre
sudo -u certbot sh -c 'umask 077 ; cat > /etc/letsencrypt/rfc2136.ini' << '__EOF__'
# Target DNS server (inexplicably, this must be a numeric IP)
dns_rfc2136_server = 192.88.99.1
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = certbotkey
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA256
__EOF__
perl -ne 'print "# TSIG key secret\ndns_rfc2136_secret = $1\n" if m/secret\s+\"(\S*)\"/' /etc/bind/certbotkeys.conf | sudo -u certbot sh -c 'cat >> /etc/letsencrypt/rfc2136.ini'
## Now get the keys themselves
## First, a test key:
sudo -u certbot certbot certonly --test-cert --reuse-key --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.example.org' -d example.org -d '*.example.net' -d example.net
## Then, if all went well, a production key:
sudo -u certbot certbot certonly --reuse-key --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.example.org' -d example.org -d '*.example.net' -d example.net
## Edit systemd task:
sudo systemctl edit certbot.service
## Write something like this:
# # Service edited to run as a nonprivileged user
# [Service]
# User=certbot
# Group=certbot
# Type=oneshot
# # The empty assignment clears the packaged ExecStart= first; without it a
# # oneshot unit keeps both lines and runs certbot twice
# ExecStart=
# ExecStart=/usr/bin/certbot -q renew --reuse-key --no-random-sleep-on-renew
# PrivateTmp=true
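The credentials-file step above (the perl one-liner that copies the TSIG secret into rfc2136.ini), as an added example that is not part of the gist: a POSIX shell version that reads the secret and algorithm out of the tsig-keygen key file, refuses a non-numeric server (the plugin wants an IP), creates the ini with mode 0600, and checks that mode afterwards. The key file, its secret and the function names are constructed for this demo.

```shell
# Constructed sample key file in the format tsig-keygen writes; the secret is
# made up for this demo and is not a real key.
SAMPLE_KEYFILE="$(mktemp)"
cat > "$SAMPLE_KEYFILE" <<'__EOF__'
key "certbotkey" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1kZW1vLW9ubHktbm90LXJlYWw=";
};
__EOF__

# Pull one value ("secret" or "algorithm") out of a named-style key file:
# field 1 is the keyword, field 2 the value with quotes and ';' stripped.
keyfile_field() {
    awk -v want="$1" '$1 == want { gsub(/[";]/, "", $2); print $2; exit }' "$2"
}

# Write certbot's rfc2136 credentials file. The server must be a numeric IPv4
# address, the file is created under umask 077 (mode 0600), and the algorithm
# is upper-cased to the spelling certbot expects (HMAC-SHA256).
write_rfc2136_ini() {
    server="$1" keyname="$2" keyfile="$3" out="$4"
    case "$server" in
        ""|*[!0-9.]*)
            echo "dns_rfc2136_server must be a numeric IPv4 address" >&2
            return 1 ;;
    esac
    secret="$(keyfile_field secret "$keyfile")"
    [ -n "$secret" ] || { echo "no secret found in $keyfile" >&2; return 1; }
    algo="$(keyfile_field algorithm "$keyfile" | tr '[:lower:]' '[:upper:]')"
    ( umask 077
      printf 'dns_rfc2136_server = %s\ndns_rfc2136_port = 53\ndns_rfc2136_name = %s\ndns_rfc2136_algorithm = %s\ndns_rfc2136_secret = %s\n' \
          "$server" "$keyname" "${algo:-HMAC-SHA256}" "$secret" > "$out" )
}

# True when the credentials file is readable and writable by its owner only.
ini_is_private() {
    [ -n "$(find "$1" -prune -perm 0600)" ]
}
```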