
Create a DNS integration to automate DV certificates on load balancers

Before DigiCert can issue a DV certificate, you must demonstrate control over the domains included in the certificate request.

For automating DV certificate installation, use DNS integration to prove your control over the domains in your DV certificate request. For this DCV method, you must create a DNS integration before submitting the request.

Your DNS integration allows the DigiCert automation services to use your credentials to place the DNS challenge on the DNS server and complete the validation check. The DNS challenge is generated automatically as part of the automation process. Once the domain validation is completed, the automation will succeed and install the DV certificate.

You can create a DNS integration using a supported DNS provider or a customized DNS script.

Example: DNS challenge

example.com,example1.com,example2.com
dns-txt-token
342893284294sfjdkfjshf

Before you begin

View automation-supported DNS providers

  1. Log in to the sensor host.

  2. Go to sensor CLI directory.

    cd install_dir/cli

    Where install_dir is the installation directory for the sensor.

  3. Run the listsupporteddns command.

    • Windows: listsupporteddns.bat

    • Linux: ./listsupporteddns.sh

Current list of automation-supported DNS providers:

Table 1. DNS providers

Amazon Route 53

Azure

Cloudflare

CloudXNS

Digital Ocean

DNS Trust Manager (DNS Made Easy)

DreamHost

GoogleDNS

Go Daddy

NS1

OVH

RFC2136

Sakura Cloud


Create a DNS integration with a DNS provider

  1. Log in to the sensor host.

  2. Go to the sensor CLI directory.

    cd install_dir/cli

    Where install_dir is the installation directory for the sensor.

  3. Run the adddnsintegration command.

    • Windows: adddnsintegration.bat -type <dns_provider_name>

    • Linux: ./adddnsintegration.sh -type <dns_provider_name>

  4. When you enter the command, a series of prompts appears; the prompts differ by provider. Provide the information and press Enter.

Example: adddnsintegration.bat -type route53

C:\Program Files\DigiCert\DigiCert sensor\cli>adddnsintegration.bat -type route53

Sensor CLI. Copyright 2023, DigiCert Inc.

Add a DNS integration to automate DV certificates. 

Enter alias:Route53Valid
Access key id:AKIAZC26PJRAX775JVKE
Secret key:
Confirm secret key:

DNS integration route53 added.
After adding the DNS integration, go back to CertCentral and link the integration to the load balancer where you want to automate a DV certificate.

Create a DNS integration with a customized DNS script

Before you begin

Before you start, create a DNS script for the operating system on which you want to automate the DV certificate installation. You can write your own script or modify one of the sample scripts below.

Important

DigiCert recommends placing the scripts in a default location, such as the sensor’s installation directory. For example: sensorinstalldir/localscripts/script-to-upload.bat

Windows DNS scripts

For Windows, you need two scripts to prove your control over the domains: a DNS .bat script and an embedded PowerShell postscript (.ps1, .py, .ps, or any other format).

Create embedded DNS PowerShell postscript

  1. Open Notepad or any other text editing tool.

  2. Define the login credentials, DNS challenge, and exit codes.

  3. Save the file with the .ps1, .py, .ps, or any other extension of your choice. Make sure to note the location.

Create DNS script

  1. Open Notepad or any other text editing tool.

  2. Define the PowerShell postscript file location path, argument to pass the DNS challenge, and exit codes.

  3. Save the file with the .bat extension. Make sure to note the location.

Linux DNS script

For Linux, you need a DNS .sh script to prove control over the domains.

Create a DNS script

  1. Open Notepad or any other text editing tool.

  2. Define the login credentials, DNS challenge, and exit codes.

  3. Save the file with the .sh extension. Make sure to note the location.

Create a customized DNS integration

  1. Log in to the sensor host.

  2. Go to the sensor CLI directory.

    cd install_dir/cli

    Where install_dir is the installation directory for the sensor.

  3. Run the adddnsintegration command.

    • Windows: adddnsintegration.bat -type custom

    • Linux: ./adddnsintegration.sh -type custom

  4. When you enter the command, a series of prompts appears. Provide the information and press Enter.

Example: ./adddnsintegration.sh -type custom

[root@c7-sowjanya-124 cli]# ./adddnsintegration.sh -type custom

Sensor CLI.  Copyright 2023, DigiCert Inc.
Add a DNS integration to automate DV certificates.

Enter alias:CustomeDNS
Script file path:/tmp/test.sh

DNS integration custom added.
After adding the DNS integration, go back to CertCentral and link the integration to the load balancer where you want to automate a DV certificate.

Exit codes

Every program you start terminates with an exit code and reports it to the operating system. An exit code, also known as a return code, is the value an executable returns to its parent process.

Table 2. Exit codes

Exit code   Description
0           Successful execution of the script.
1           Failed to execute the script for any reason.
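The following script is an added example, not one of DigiCert's sample scripts, showing what a custom DNS script for the sensor has to do end to end: read the three-line challenge file passed as its only argument (domains, the "dns-txt-token" marker from the example above, the challenge value), publish a `_dnsauth` TXT record for each domain, confirm the record is actually visible before reporting success, and return the exit codes from Table 2. It assumes an RFC2136-capable name server reachable via nsupdate; the server name and TSIG key path are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not DigiCert's sample): a custom DNS script for an RFC2136 server.
# The sensor passes the 3-line challenge file as $1; the script publishes the
# _dnsauth.<domain> TXT records, waits until they resolve, and exits 0 or 1 (Table 2).
NS_SERVER="${NS_SERVER:-ns1.example.com}"       # placeholder primary name server
TSIG_KEY="${TSIG_KEY:-/etc/digicert/tsig.key}"  # placeholder TSIG key file for nsupdate
# Fill DOMAINS and CHALLENGE from the challenge file; return 1 if it is malformed.
parse_challenge_file() {
    local file="$1" lines=() raw=() d
    [ -r "$file" ] || return 1
    mapfile -t lines < <(tr -d '\r' < "$file")       # tolerate CRLF line endings
    [ "${#lines[@]}" -ge 3 ] || return 1
    [ "${lines[1]}" = "dns-txt-token" ] || return 1   # only the TXT challenge type is handled
    CHALLENGE="${lines[2]}"
    DOMAINS=()
    IFS=',' read -ra raw <<< "${lines[0]}"
    for d in "${raw[@]}"; do
        d="${d// /}"                                   # strip stray spaces
        if [ -n "$d" ] && [ "$d" != "null" ]; then DOMAINS+=("$d"); fi
    done
    [ "${#DOMAINS[@]}" -gt 0 ]
}
# Print the nsupdate batch: drop any stale _dnsauth record, add the new one, send.
build_nsupdate_batch() {
    echo "server $NS_SERVER"
    for d in "${DOMAINS[@]}"; do
        echo "update delete _dnsauth.$d. TXT"
        echo "update add _dnsauth.$d. 60 TXT \"$CHALLENGE\""
    done
    echo "send"
}
# Poll the authoritative server (up to 60 s) until the TXT record is visible.
wait_for_record() {
    local d="$1" i
    for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
        dig +short @"$NS_SERVER" TXT "_dnsauth.$d" | grep -qF "$CHALLENGE" && return 0
        sleep 5
    done
    return 1
}
main() {
    parse_challenge_file "$1" || { echo "bad challenge file: $1"; exit 1; }
    build_nsupdate_batch | nsupdate -k "$TSIG_KEY" || { echo "nsupdate failed"; exit 1; }
    for d in "${DOMAINS[@]}"; do
        wait_for_record "$d" || { echo "record not visible: _dnsauth.$d"; exit 1; }
    done
    exit 0
}
[ "$#" -eq 1 ] && main "$1"   # run only when the sensor passes the challenge file
```

The visibility check matters because DigiCert's validation runs against the public authoritative servers; a script that exits 0 before the record has propagated from a hidden primary makes the automation fail for no obvious reason.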


Sample scripts

AWS - DNS PowerShell postscript (.ps1)

#ensure AWS PStools are installed incl
#https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-windows.html
#Install-Module -Name AWS.Tools.Installer
#Install-AWSToolsModule AWS.Tools.Route53
#Set-AWSCredential -AccessKey <accesskey> -SecretKey <secretkey> -StoreAs TestDNSProfile

Import-Module AWSPowerShell
# Turn cmdlet errors into terminating errors so the try/catch below can return exit code 1
$ErrorActionPreference = "Stop"

Function Set-R53Record {

    # Entry parameters
    Param (
        [Parameter(Mandatory=$True)][String]$Profile,
        [Parameter(Mandatory=$True)][String]$Domain,
        [Parameter(Mandatory=$True)][String]$Type,
        [Parameter(Mandatory=$True)][String]$Name,
        [Parameter(Mandatory=$True)][String]$Value,
        [Int]$TTL = 300,
        [String]$Comment
    )

    $DomainDot = $Domain + "."

    # Create two objects for R53 update
    $Change = New-Object Amazon.Route53.Model.Change
    $Change.Action = "UPSERT"
    # CREATE: Creates a resource record set that has the specified values.
    # DELETE: Deletes an existing resource record set that has the specified values.
    # UPSERT: If a resource record set doesn't already exist, AWS creates it. If it does, Route 53 updates it with values in the request.
    $Change.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
    $Change.ResourceRecordSet.Name = "$Name.$Domain"
    $Change.ResourceRecordSet.Type = $Type
    $Change.ResourceRecordSet.TTL = $TTL
    # For TXT-based DNS challenges, value must be in quotes
    $challengeValue = if ($Type -eq "TXT") {"""$Value"""} else {$Value}
    $Change.ResourceRecordSet.ResourceRecords.Add(@{Value=$challengeValue})

    # Get hosted zone: of all zones whose name is a suffix of the domain, take the
    # longest, so the zone for sub.example.com. wins over the one for example.com.
    $HostedZone = Get-R53HostedZones -ProfileName $Profile |
        Where-Object { $DomainDot.EndsWith($_.Name) } |
        Sort-Object { $_.Name.Length } -Descending |
        Select-Object -First 1
    if (-not $HostedZone) { throw "No hosted zone found for $Domain" }
    Write-Output "Found HostedZone:$($HostedZone.Name)"
    # Set final parameters and execute
    $Parameters = @{
        HostedZoneId = $HostedZone.Id
        ChangeBatch_Change = $Change # Object
        ChangeBatch_Comment = $Comment # "Edited A record"
    }
    return Edit-R53ResourceRecordSet -ProfileName $Profile @Parameters
}

if ($args.Length -ne 1) {
    Write-Output "Args not found"
    exit 1   # exit code 1 = failure (see Table 2)
}

# @() forces an array; otherwise a one-line file yields a string and .Length its character count
$fileInput = @(Get-Content $args[0])
if ($fileInput.Length -lt 3) {
    Write-Output "File not found"
    exit 1
}
# Line 1: comma-separated domains; line 3: the challenge value to publish
$tempDomains = $fileInput[0].Split(",")
$challenge = $fileInput[2]
$domains = @()
foreach ($d in $tempDomains) {
    if ("$d" -ne "null") {
        Write-Output $d
        $domains += $d
    }
}

try {
    foreach ($domain in $domains) {
        Set-R53Record -Profile DNSProfileName -Domain $domain -Type "TXT" -Name "_dnsauth" -Value $challenge -TTL 86400 -Comment "DNS challenge for $domain"
    }
} catch {
    Write-Output "Failed to publish DNS challenge: $_"
    exit 1
}
exit 0

DNS .bat script

echo "Invoking DNS script"
pushd %~dp0
powershell.exe -File {DNSPostscriptPath} %*
echo "Exit Code : %errorlevel%"
set returnCode=%errorlevel%
popd
EXIT /B %returnCode%

Note

%* forwards every argument the sensor passes to the .bat script (the path of the DNS challenge file) to the PowerShell postscript, which reads the domains and the challenge value from that file.

AWS - DNS .sh script

#!/usr/bin/bash

set_R53_Record(){
    Profile=$1
    Domain=$2
    Type=$3
    Name=$4
    Value=$5
    TTL=$6
    Comment=$7
    DomainDot="$Domain."
    echo "Profile:$Profile Domain:$Domain"
    # Hosted zone whose name is a suffix of the domain; the longest match wins,
    # so a sub.example.com. zone is preferred over example.com.
    HOSTEDZONEID=$(/usr/local/bin/aws route53 list-hosted-zones --profile "$Profile" \
        | jq -r --arg d "$DomainDot" '[.HostedZones[] | select(.Name as $n | $d | endswith($n))] | sort_by(.Name | length) | last | .Id')
    if [ -z "$HOSTEDZONEID" ] || [ "$HOSTEDZONEID" = "null" ]; then
        echo "No hosted zone found for $Domain"
        return 1
    fi
    # TXT values must be quoted inside the JSON string
    cat > change-batch.json << EOL
    {"Comment":"$Comment","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"$Name.$Domain","Type":"$Type","TTL":$TTL,"ResourceRecords":[{"Value":"\"$Value\""}]}}]}
EOL
    /usr/local/bin/aws route53 change-resource-record-sets --hosted-zone-id "$HOSTEDZONEID" --profile "$Profile" --change-batch file://change-batch.json
}


if [ "$#" -ne 1 ]; then
    echo "Args not found"
    exit 1   # exit code 1 = failure (see Table 2)
fi

# Read the challenge file into an array, one line per element (CRLF tolerated)
IFS=$'\n' read -d '' -r -a lines < <(tr -d '\r' < "$1")

if [ "${#lines[@]}" -lt 3 ]; then
    echo "File not found"
    exit 1
fi

# Line 1: comma-separated domains; line 3: the challenge value to publish
challenge=${lines[2]}

IFS=',' read -ra domains <<< "${lines[0]}"
for domain in "${domains[@]}"; do
    [ "$domain" = "null" ] && continue   # skip empty placeholders
    set_R53_Record default "$domain" "TXT" "_dnsauth" "$challenge" 86400 "DNS challenge for $domain" || exit 1
done
exit 0

DNS integration CLI commands

Windows and Linux commands for adding and configuring DNS integrations (providers) on sensors for DV certificate automation on load balancers.

Table 3. DNS integration commands

Command: adddnsintegration
  Windows syntax: adddnsintegration.bat -type {dns_provider_name}
  Linux syntax:   ./adddnsintegration.sh -type {dns_provider_name}
  Description:    Add a DNS integration to automate DV certificates.

Command: listsupporteddns
  Windows syntax: listsupporteddns.bat (no arguments)
  Linux syntax:   ./listsupporteddns.sh (no arguments)
  Description:    View the complete list of supported DNS providers.

Command: listdnsintegration
  Windows syntax: listdnsintegration.bat -type {dns_provider_name}
  Linux syntax:   ./listdnsintegration.sh -type {dns_provider_name}
  Description:    View the list of DNS integrations configured with the sensor.

Command: updatednsintegration
  Windows syntax: updatednsintegration.bat -alias {alias_name}
  Linux syntax:   ./updatednsintegration.sh -alias {alias_name}
  Description:    Update the DNS integration.

Command: deletednsintegration
  Windows syntax: deletednsintegration.bat -alias {alias_name}
  Linux syntax:   ./deletednsintegration.sh -alias {alias_name}
  Description:    Delete the DNS integration from the sensor.