Create a DNS integration to automate DV certificates on load balancers
Before DigiCert can issue a DV certificate, you must demonstrate control over the domains included in the certificate request.
For automating DV certificate installation, use DNS integration to prove your control over the domains in your DV certificate request. For this DCV method, you must create a DNS integration before submitting the request.
Your DNS integration allows the DigiCert automation services to use your credentials to place the DNS challenge on the DNS server and complete the validation check. The DNS challenge is generated automatically as part of the automation process. Once the domain validation is completed, the automation will succeed and install the DV certificate.
You can create a DNS integration using a supported DNS provider or a customized DNS script.
Example: DNS challenge (the sensor writes it to a three-line file that it passes to the DNS script: the comma-separated domains, the token type, and the challenge value)
example.com,example1.com,example2.com
dns-txt-token
342893284294sfjdkfjshf
Before you begin
Verify the target load balancer was added to the sensor. See Verify and finalize sensor configuration.
Use a supported DNS provider. See View automation-supported DNS providers below.
View automation-supported DNS providers
Log in to the sensor host.
Go to sensor CLI directory.
cd install_dir/cli
Where install_dir is the installation directory for the sensor.
Run the listsupporteddns command.
Windows:
listsupporteddns.bat
Linux:
./listsupporteddns.sh
Current list of automation-supported DNS providers:
Amazon Route 53
Azure
Cloudflare
CloudXNS
Digital Ocean
DNS Trust Manager (DNS Made Easy)
DreamHost
GoogleDNS
Go Daddy
NS1
OVH
RFC2136
Sakura Cloud
Create a DNS integration with a DNS provider
Log in to the sensor host.
Go to the sensor CLI directory.
cd install_dir/cli
Where install_dir is the installation directory for the sensor.
Run the adddnsintegration command.
Windows:
adddnsintegration.bat -type <dns_provider_name>
Linux:
./adddnsintegration.sh -type <dns_provider_name>
When you enter the command, a series of prompts appear for each provider. Provide the information and press Enter.
Example: adddnsintegration.bat -type route53
C:\Program Files\DigiCert\DigiCert sensor\cli>adddnsintegration.bat -type route53
Sensor CLI. Copyright 2023, DigiCert Inc.
Add a DNS integration to automate DV certificates.
Enter alias:Route53Valid
Access key id:AKIAZC26PJRAX775JVKE
Secret key:
Confirm secret key:
DNS integration route53 added.
After adding the DNS integration, go back to CertCentral and link the integration to the load balancer where you want to automate a DV certificate.
Create a DNS integration with a customized DNS script
Before you begin
Before you start, create a DNS script for the operating system of the sensor host that will automate the DV certificate installation. You can write the script from scratch or modify one of the sample scripts below.
Important
DigiCert recommends placing the scripts in a default location, such as the sensor's installation directory. For example: sensorinstalldir/localscripts/script-to-upload.bat. Because the sensor executes the script and the script holds (or has access to) your DNS provider credentials, restrict read and write access on it to the account the sensor runs as.
Windows DNS scripts
For Windows, you need two scripts to prove your control over the domains: a DNS .bat script, which the sensor runs, and a postscript that the .bat script calls to place the record. The postscript is typically PowerShell (.ps1), but it can be any format the .bat script can invoke (.py, .ps, or another extension of your choice).
Create embedded DNS PowerShell postscript
Open Notepad or any other text editing tool.
Define how the script authenticates to your DNS provider, how it reads the DNS challenge file passed as its argument and publishes the TXT record, and the exit codes it returns (see Exit codes).
Save the file with .ps1, .py, .ps, or any other extension of your choice. Make sure to note the location.
Create DNS script
Open Notepad or any other text editing tool.
Define the path of the PowerShell postscript, pass the .bat script's arguments (the DNS challenge file path) through to it, and return the postscript's exit code.
Save the file with the .bat extension. Make sure to note the location.
Linux DNS script
For Linux, you need a DNS .sh script to prove control over the domains.
Create a DNS script
Open a text editor of your choice.
Define how the script authenticates to your DNS provider, how it reads the DNS challenge file passed as its argument and publishes the TXT record, and the exit codes it returns (see Exit codes).
Save the file with the .sh extension and make it executable. Make sure to note the location.
Create a customized DNS integration
Log in to the sensor host.
Go to the sensor CLI directory.
cd install_dir/cli
Where install_dir is the installation directory for the sensor.
Run the adddnsintegration command.
Windows:
adddnsintegration.bat -type custom
Linux:
./adddnsintegration.sh -type custom
When you enter the command, a series of prompts appear. Provide the information and press Enter.
Example: ./adddnsintegration.sh -type custom
[root@c7-sowjanya-124 cli]# ./adddnsintegration.sh -type custom
Sensor CLI. Copyright 2023, DigiCert Inc.
Add a DNS integration to automate DV certificates.
Enter alias:CustomeDNS
Script file path:/tmp/test.sh
DNS integration custom added.
After adding the DNS integration, go back to CertCentral and link the integration to the load balancer where you want to automate a DV certificate.
Exit codes
Every program you start terminates with an exit code and reports it to the operating system. An exit code, also known as a return code, is the value an executable returns to its parent process. The sensor uses the exit code of your DNS script to decide whether the challenge was placed, so return 0 only after the record has actually been published.
Exit code | Description |
---|---|
0 | Successful execution of the script. |
1 | Failed to execute the script for any reason. |
Sample scripts
AWS - DNS PowerShell postscript (.ps1)
#ensure AWS PStools are installed incl
#https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-windows.html
#Install-Module -Name AWS.Tools.Installer
#Install-AWSToolsModule AWS.Tools.Route53
#Set-AWSCredential -AccessKey <accesskey> -SecretKey <secretkey> -StoreAs TestDNSProfile
Import-Module AWSPowerShell
# Stop on any cmdlet error so a failed Route 53 update is reported as exit code 1
$ErrorActionPreference = "Stop"

Function Set-R53Record {
    # Entry parameters
    Param (
        [Parameter(Mandatory=$True)][String]$Profile,
        [Parameter(Mandatory=$True)][String]$Domain,
        [Parameter(Mandatory=$True)][String]$Type,
        [Parameter(Mandatory=$True)][String]$Name,
        [Parameter(Mandatory=$True)][String]$Value,
        [Int]$TTL = 300,
        [String]$Comment
    )
    $DomainDot = $Domain + "."

    # Create two objects for R53 update
    $Change = New-Object Amazon.Route53.Model.Change
    $Change.Action = "UPSERT"
    # CREATE: Creates a resource record set that has the specified values.
    # DELETE: Deletes an existing resource record set that has the specified values.
    # UPSERT: If a resource record set doesn't already exist, AWS creates it. If it does, Route 53 updates it with values in the request.
    $Change.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
    $Change.ResourceRecordSet.Name = "$Name.$Domain"
    $Change.ResourceRecordSet.Type = $Type
    $Change.ResourceRecordSet.TTL = $TTL
    # For TXT-based DNS challenges, value must be in quotes
    $challengeValue = if ($Type -eq "TXT") { """$Value""" } else { $Value }
    $Change.ResourceRecordSet.ResourceRecords.Add(@{Value=$challengeValue})

    # Get hosted zone. Several zones can match (example.com. and sub.example.com.),
    # so take the most specific one (longest name) and fail if there is none.
    $HostedZone = Get-R53HostedZones -ProfileName $Profile |
        Where-Object { $DomainDot.EndsWith($_.Name) } |
        Sort-Object { $_.Name.Length } -Descending |
        Select-Object -First 1
    if (-not $HostedZone) { throw "No hosted zone found for $Domain" }
    Write-Output "Found HostedZone:$($HostedZone.Name) ($($HostedZone.Id))"

    # Set final parameters and execute
    $Parameters = @{
        HostedZoneId       = $HostedZone.Id
        ChangeBatch_Change = $Change     # Object
        ChangeBatch_Comment = $Comment   # "Edited A record"
    }
    return Edit-R53ResourceRecordSet -ProfileName $Profile @Parameters
}

# The sensor passes exactly one argument: the path of the DNS challenge file
if ($args.Length -ne 1) {
    Write-Output "Args not found"
    exit 1    # 1 = failure, as in the Exit codes table
}
# @() keeps $fileInput an array even if the file has a single line
$fileInput = @(Get-Content $args[0])
if ($fileInput.Length -lt 3) {
    Write-Output "Challenge file not found or has fewer than 3 lines"
    exit 1
}

# Line 1: comma-separated domains, line 3: challenge value
$tempDomains = $fileInput[0].Split(",")
$challenge = $fileInput[2]
$domains = @()
foreach ($d in $tempDomains) {
    if ("$d" -ne "null") {
        Write-Output $d
        $domains += $d
    }
}

foreach ($domain in $domains) {
    try {
        Set-R53Record -Profile DNSProfileName -Domain $domain -Type "TXT" -Name "_dnsauth" -Value $challenge -TTL 86400 -Comment "DNS challenge for $domain"
    } catch {
        Write-Output "Failed to publish challenge for ${domain}: $_"
        exit 1
    }
}
exit 0
DNS .bat script
echo "Invoking DNS script"
pushd %~dp0
powershell.exe -File {DNSPostscriptPath} %*
echo "Exit Code : %errorlevel%"
set returnCode=%errorlevel%
popd
EXIT /B %returnCode%
Note
%* forwards every argument the sensor passed to the .bat script (the path of the DNS challenge file) to the postscript. The postscript reads the domains and the challenge value from that file, and the .bat script returns the postscript's exit code to the sensor.
AWS - DNS .sh script
#!/usr/bin/bash
set_R53_Record(){
    Profile=$1
    Domain=$2
    Type=$3
    Name=$4
    Value=$5
    TTL=$6
    Comment=$7
    DomainDot="$Domain."
    echo "Profile:$Profile Domain:$Domain"
    # Pick the most specific hosted zone whose name is a suffix of the domain;
    # a plain substring match could return several IDs and break the update.
    HOSTEDZONEID=$(/usr/local/bin/aws route53 list-hosted-zones --profile "$Profile" \
        | jq -r --arg d "$DomainDot" '[.HostedZones[] | select($d | endswith(.Name))] | max_by(.Name | length) | .Id')
    if [ -z "$HOSTEDZONEID" ] || [ "$HOSTEDZONEID" = "null" ]; then
        echo "No hosted zone found for $Domain"
        return 1
    fi
    batch=$(mktemp) || return 1
    cat > "$batch" << EOL
{"Comment":"$Comment","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"$Name.$Domain","Type":"$Type","TTL":$TTL,"ResourceRecords":[{"Value":"\"$Value\""}]}}]}
EOL
    /usr/local/bin/aws route53 change-resource-record-sets --hosted-zone-id "$HOSTEDZONEID" --profile "$Profile" --change-batch "file://$batch"
    rc=$?
    rm -f "$batch"
    return $rc
}

# The sensor passes exactly one argument: the path of the DNS challenge file
if [ "$#" -ne 1 ]; then
    echo "Args not found"
    exit 1    # 1 = failure, as in the Exit codes table
fi
IFS=$'\n' read -d '' -r -a lines < "$1"
if [ "${#lines[@]}" -ne 3 ]; then
    echo "Challenge file not found or does not have 3 lines"
    exit 1
fi

# Line 1: comma-separated domains, line 3: challenge value
challenge=${lines[2]}
IFS=',' read -ra domains <<< "${lines[0]}"
for domain in "${domains[@]}"; do
    set_R53_Record default "$domain" "TXT" "_dnsauth" "$challenge" 86400 "DNS challenge for $domain" || exit 1
done
exit 0
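The sample scripts above are Route 53 specific. As an added example for the Linux DNS script steps and the DNS challenge file format (this is not DigiCert sample code and not from the page), the script below follows the same contract the samples imply: one argument, a three-line challenge file, a TXT record at _dnsauth.<domain>, and exit 0 or 1. It differs in three ways a practitioner usually wants: it validates the challenge file before touching DNS, it publishes with RFC 2136 dynamic update through nsupdate (RFC2136 is one of the providers listed above; this is a provider-agnostic way to reach any authoritative server that accepts TSIG-signed updates), and it polls the server until the record is visible so the sensor's validation check does not race the update. The server name, TSIG key path, TTL, and all function names are assumptions.

```shell
#!/bin/sh
# Custom DNS script for "adddnsintegration -type custom" on Linux. This is an
# added example, not DigiCert sample code. Contract assumed from this page:
#   - the sensor runs the script with ONE argument, the path of a challenge file
#     line 1: comma-separated domains   example.com,example1.com,example2.com
#     line 2: token type                dns-txt-token
#     line 3: challenge value           342893284294sfjdkfjshf
#   - the script publishes the value as TXT at _dnsauth.<domain> and
#     exits 0 on success, 1 on any failure (see "Exit codes").
# Publishing uses RFC 2136 dynamic update (nsupdate). Server, key file and TTL
# are assumed deployment settings, not values from the page.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/digicert-sensor/dnsauth.key}"
TXT_TTL="${TXT_TTL:-60}"          # short TTL: the record is only needed briefly
RECORD_LABEL="_dnsauth"

# parse_challenge_file FILE -> prints "<domains>|<value>", returns 1 if the
# file is missing, not exactly three lines, not a dns-txt-token, or contains
# characters that have no business in a domain list or token.
parse_challenge_file() {
    cf=$1
    [ -r "$cf" ] || { echo "challenge file not readable: $cf" >&2; return 1; }
    nlines=$(sed -n '$=' "$cf")
    [ "${nlines:-0}" -eq 3 ] || { echo "challenge file must have 3 lines" >&2; return 1; }
    cf_domains=$(sed -n '1p' "$cf" | tr -d '\r')   # tolerate CRLF
    cf_type=$(sed -n '2p' "$cf" | tr -d '\r')
    cf_value=$(sed -n '3p' "$cf" | tr -d '\r')
    [ -n "$cf_domains" ] && [ -n "$cf_value" ] || { echo "empty domain list or token" >&2; return 1; }
    [ "$cf_type" = "dns-txt-token" ] || { echo "unsupported token type: $cf_type" >&2; return 1; }
    case "$cf_domains$cf_value" in
        *[!A-Za-z0-9.,_-]*) echo "unexpected characters in challenge file" >&2; return 1 ;;
    esac
    printf '%s|%s\n' "$cf_domains" "$cf_value"
}

# record_name DOMAIN -> owner name of the TXT record the sensor validates.
record_name() {
    printf '%s.%s.\n' "$RECORD_LABEL" "$1"
}

# build_nsupdate_batch DOMAINS VALUE -> nsupdate command stream. delete+add
# gives the same "replace whatever is there" effect as UPSERT in the Route 53
# samples. Entries equal to "null" are skipped, as the PowerShell sample does.
build_nsupdate_batch() {
    printf 'server %s\n' "$DNS_SERVER"
    old_ifs=$IFS; IFS=,
    for d in $1; do
        [ -z "$d" ] || [ "$d" = "null" ] && continue
        n=$(record_name "$d")
        printf 'update delete %s TXT\n' "$n"
        printf 'update add %s %s TXT "%s"\n' "$n" "$TXT_TTL" "$2"
    done
    IFS=$old_ifs
    printf 'send\n'
}

# wait_for_txt NAME VALUE -> poll the authoritative server until the record is
# visible, so the sensor's validation check does not race the update.
wait_for_txt() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short TXT "$1" "@$DNS_SERVER" 2>/dev/null | grep -Fq "\"$2\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 2
    done
    echo "TXT record $1 not visible on $DNS_SERVER" >&2
    return 1
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 <challenge-file>" >&2; exit 1; }
    parsed=$(parse_challenge_file "$1") || exit 1
    domains=${parsed%%|*}
    value=${parsed#*|}
    build_nsupdate_batch "$domains" "$value" | nsupdate -k "$TSIG_KEY_FILE" || exit 1
    old_ifs=$IFS; IFS=,
    for d in $domains; do
        [ -z "$d" ] || [ "$d" = "null" ] && continue
        wait_for_txt "$(record_name "$d")" "$value" || exit 1
    done
    IFS=$old_ifs
    exit 0
}

# The sensor always passes exactly one argument. With no arguments the file only
# defines its functions, so it can be sourced or unit-tested without side effects.
[ "$#" -eq 0 ] || main "$@"
```

Point DNS_SERVER at the authoritative server for the zones in the request and TSIG_KEY_FILE at a key file in the format nsupdate -k accepts; register the script with adddnsintegration -type custom as shown above. The character whitelist in parse_challenge_file is deliberate: the challenge file is written by the sensor, but its contents end up inside the nsupdate stream, and refusing anything outside the expected alphabet costs nothing.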
DNS integration CLI commands
Windows and Linux commands for adding and configuring DNS integrations or providers on sensors for DV certificate automation on load balancers.
Command | Syntax | Description |
---|---|---|
adddnsintegration | Windows: adddnsintegration.bat -type <dns_provider_name> | Add a DNS integration to automate DV certificates. |
 | Linux: ./adddnsintegration.sh -type <dns_provider_name> | |
listsupporteddns | Windows: listsupporteddns.bat | View the complete list of supported DNS providers. |
 | Linux: ./listsupporteddns.sh | |
 | Windows: | View the list of DNS integrations configured with the sensor. |
 | Linux: | |
 | Windows: | Update the DNS integration. |
 | Linux: | |
 | Windows: | Delete the DNS integration from the sensor. |
 | Linux: | |