Create a DNS integration to automate DV certificates on load balancers

Before DigiCert can issue a DV certificate, you must demonstrate control over the domains included in the certificate request.

For automating DV certificate installation, use DNS integration to prove your control over the domains in your DV certificate request. For this DCV method, you must create a DNS integration before submitting the request.

Your DNS integration allows the DigiCert automation services to use your credentials to place the DNS challenge on the DNS server and complete the validation check. The DNS challenge is generated automatically as part of the automation process. Once the domain validation is completed, the automation will succeed and install the DV certificate.

You can create a DNS integration using a supported DNS provider or a customized DNS script.

Example: DNS challenge

The automation writes the challenge to a file and passes the path of that file to the DNS script as its only argument. The file has three lines: the comma-separated domains, the token type, and the token value; the sample scripts further down read the first and third lines.

```text
example.com,example1.com,example2.com
dns-txt-token
342893284294sfjdkfjshf
```

Before you begin

View automation supported DNS providers

  1. Log in to the sensor host.

  2. Go to the sensor CLI directory.

    cd install_dir/cli

    Where install_dir is the installation directory for the sensor.

  3. Run the listsupporteddns command.

    • Windows: listsupporteddns.bat
    • Linux: ./listsupporteddns.sh

Here is the complete list of automation supported DNS providers.

DNS providers
Amazon Route 53
Azure
Cloudflare
CloudXNS
DreamHost
Digital Ocean
GoogleDNS
Go Daddy
NS1
OVH
RFC2136
Sakura Cloud

Create a DNS integration with a DNS provider

  1. Log in to the sensor host.

  2. Go to the sensor CLI directory.

    cd install_dir/cli

    Where install_dir is the installation directory for the sensor.

  3. Run the adddnsintegration command.

    • Windows: adddnsintegration.bat -type <dns_provider_name>
    • Linux: ./adddnsintegration.sh -type <dns_provider_name>
  4. When you enter the command, a series of prompts appears; the prompts differ by provider. Provide the information and press Enter.

Example: adddnsintegration.bat -type route53

```text
C:\Program Files\DigiCert\DigiCert sensor\cli>adddnsintegration.bat -type route53

Sensor CLI. Copyright 2022, DigiCert Inc.

Add a DNS integration to automate DV certificates.

Enter alias:Route53Valid
Access key id:AKIAZC26PJRAX775JVKE
Secret key:
Confirm secret key:

DNS integration route53 added.
```

After adding the DNS integration, go back to CertCentral and link the integration to the load balancer where you want to automate a DV certificate.

Create a DNS integration with a customized DNS script

Before you begin

Before you start, create a DNS script for the operating system on which you want to automate the DV certificate installation. You can write the script from scratch or modify one of the sample scripts below.

DigiCert recommends placing the scripts in a default location, such as the sensor’s installation directory. For example: sensorinstalldir/localscripts/script-to-upload.bat

Windows DNS scripts

For Windows, you need two scripts to prove your control over the domains: a DNS .bat script and an embedded PowerShell postscript (.ps1, .py, .ps, or any other format).

Create embedded DNS PowerShell postscript

  1. Open Notepad or any other text editing tool.
  2. Define the login credentials, DNS challenge, and exit codes.
  3. Save the file with .ps1, .py, .ps, or any other extension of your choice. Make sure to note the location.

Create DNS script

  1. Open Notepad or any other text editing tool.
  2. Define the PowerShell postscript file location path, argument to pass the DNS challenge, and exit codes.
  3. Save the file with the .bat extension. Make sure to note the location.

Linux DNS script

For Linux, you need a DNS .sh script to prove control over the domains.

Create a DNS script

  1. Open Notepad or any other text editing tool.
  2. Define the login credentials, DNS challenge, and exit codes.
  3. Save the file with the .sh extension. Make sure to note the location.

Create a customized DNS integration

  1. Log in to the sensor host.

  2. Go to the sensor CLI directory.

    cd install_dir/cli

    Where install_dir is the installation directory for the sensor.

  3. Run the adddnsintegration command.

    • Windows: adddnsintegration.bat -type custom
    • Linux: ./adddnsintegration.sh -type custom
  4. When you enter the command, a series of prompts appears. Provide the information and press Enter.

Example: ./adddnsintegration.sh -type custom

```text
[root@c7-sowjanya-124 cli]# ./adddnsintegration.sh -type custom

Sensor CLI.  Copyright 2022, DigiCert Inc.
Add a DNS integration to automate DV certificates.

Enter alias:CustomeDNS
Script file path:/tmp/test.sh

DNS integration custom added.
```

After adding the DNS integration, go back to CertCentral and link the integration to the load balancer where you want to automate a DV certificate.

Exit codes

Every program you start terminates with an exit code and reports it to the operating system. An exit code, sometimes called a return code, is the value an executable returns to its parent process. Your DNS script must return one of the following codes.

Exit code   Description
0           Successful execution of the script.
1           Failed to execute the script for any reason.
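Before linking a custom script in CertCentral, it is worth driving it once the way the sensor does: write a three-line challenge file, run the script with that path as its only argument, and check the exit code against the table above. The harness below is an added example, not DigiCert documentation or sensor code; the function names are its own, the challenge file is a constructed copy of the example earlier on this page, and the `_dnsauth` label is taken from the sample scripts that follow.

```python
"""Pre-flight harness for a custom DNS script (added example, not DigiCert code)."""
import subprocess
import tempfile
from pathlib import Path

# Constructed challenge file with the same three-line layout as the page's example.
SAMPLE_CHALLENGE = (
    "example.com,example1.com,example2.com\n"
    "dns-txt-token\n"
    "342893284294sfjdkfjshf\n"
)

# Exit-code contract from the "Exit codes" table.
EXIT_OK, EXIT_FAIL = 0, 1


def parse_challenge_file(text):
    """Return (domains, token_type, token); mirrors what the sample scripts read."""
    lines = text.splitlines()
    if len(lines) < 3:
        raise ValueError("challenge file must have at least three lines")
    # The sample PowerShell script skips 'null' placeholders in the domain list.
    domains = [d.strip() for d in lines[0].split(",") if d.strip() and d.strip() != "null"]
    return domains, lines[1].strip(), lines[2].strip()


def expected_txt_records(text, label="_dnsauth"):
    """Owner name -> TXT value the script is expected to publish for each domain."""
    domains, _, token = parse_challenge_file(text)
    return {f"{label}.{d}": token for d in domains}


def run_dns_script(command, challenge_text, timeout=60):
    """Run the script as the sensor does (one file-path argument); return its exit code."""
    with tempfile.TemporaryDirectory() as tmp:
        challenge_path = Path(tmp) / "challenge.txt"
        challenge_path.write_text(challenge_text)
        proc = subprocess.run([*command, str(challenge_path)],
                              capture_output=True, text=True, timeout=timeout)
        return proc.returncode


def classify_exit(code):
    """Map a raw exit code onto the contract; only 0 counts as success."""
    if code == EXIT_OK:
        return "success"
    return "failure" if code == EXIT_FAIL else f"failure (non-contract code {code})"
```

Call it as `run_dns_script(["bash", "/path/to/script.sh"], SAMPLE_CHALLENGE)` (or `["cmd", "/c", "script.bat"]` on Windows) and then query `_dnsauth.<domain>` TXT to confirm the token is visible. A script that ends with `exit -1` shows up here as 255 on Linux, which is why the scripts should return exactly 1 on failure.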

Sample scripts

AWS - DNS PowerShell postscript (.ps1)

```powershell
# Ensure the AWS Tools for PowerShell are installed, including the Route 53 module:
# https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-windows.html
#   Install-Module -Name AWS.Tools.Installer
#   Install-AWSToolsModule AWS.Tools.Route53
# Store the credentials once under a named profile; the -Profile value passed at the
# bottom of this script must match the name used with -StoreAs.
#   Set-AWSCredential -AccessKey <accesskey> -SecretKey <secretkey> -StoreAs TestDNSProfile

# Use AWSPowerShell instead if you installed the monolithic module
Import-Module AWS.Tools.Route53
$ErrorActionPreference = "Stop"   # make AWS cmdlet errors catchable below

Function Set-R53Record {
    # Entry parameters
    Param (
        [Parameter(Mandatory=$True)][String]$Profile,
        [Parameter(Mandatory=$True)][String]$Domain,
        [Parameter(Mandatory=$True)][String]$Type,
        [Parameter(Mandatory=$True)][String]$Name,
        [Parameter(Mandatory=$True)][String]$Value,
        [Int]$TTL = 300,
        [String]$Comment
    )

    $DomainDot = $Domain + "."

    # Build the change. UPSERT creates the record set if it does not exist and updates
    # it otherwise (CREATE fails on an existing set; DELETE removes one with the given values).
    $Change = New-Object Amazon.Route53.Model.Change
    $Change.Action = "UPSERT"
    $Change.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
    $Change.ResourceRecordSet.Name = "$Name.$Domain"
    $Change.ResourceRecordSet.Type = $Type
    $Change.ResourceRecordSet.TTL = $TTL
    # TXT record data must be enclosed in double quotes
    $Record = New-Object Amazon.Route53.Model.ResourceRecord
    $Record.Value = if ($Type -eq "TXT") { "`"$Value`"" } else { $Value }
    $Change.ResourceRecordSet.ResourceRecords.Add($Record)

    # Get the hosted zone whose name (which ends with a dot) is a suffix of the domain;
    # when parent and child zones both match, the longest name wins
    $HostedZone = Get-R53HostedZones -ProfileName $Profile |
        Where-Object { $DomainDot.EndsWith($_.Name) } |
        Sort-Object { $_.Name.Length } -Descending |
        Select-Object -First 1
    if (-not $HostedZone) {
        throw "No hosted zone found for $Domain in profile $Profile"
    }
    Write-Output "Found HostedZone:$($HostedZone.Name)"

    # Set final parameters and execute
    $Parameters = @{
        HostedZoneId        = $HostedZone.Id
        ChangeBatch_Change  = $Change
        ChangeBatch_Comment = $Comment
    }
    return Edit-R53ResourceRecordSet -ProfileName $Profile @Parameters
}

# The sensor passes one argument: the path of the challenge file
# (line 1: comma-separated domains, line 2: token type, line 3: challenge token)
if ($args.Length -ne 1) {
    Write-Output "Args not found"
    exit 1   # 1 = failure, per the exit-code table
}

$fileInput = @(Get-Content -Path $args[0] -ErrorAction SilentlyContinue)
if ($fileInput.Length -lt 3) {
    Write-Output "Challenge file not found or incomplete"
    exit 1
}
$tempDomains = $fileInput[0].Split(",")
$challenge = $fileInput[2]
$domains = @()
foreach ($d in $tempDomains) {
    # Skip empty entries and 'null' placeholders
    $d = $d.Trim()
    if ($d -and $d -ne "null") {
        Write-Output $d
        $domains += $d
    }
}

# Publish the challenge as _dnsauth.<domain> TXT; any failure returns exit code 1
try {
    foreach ($domain in $domains) {
        Set-R53Record -Profile DNSProfileName -Domain $domain -Type "TXT" -Name "_dnsauth" -Value $challenge -TTL 86400 -Comment "DNS challenge for $domain"
    }
} catch {
    Write-Output "Failed to update DNS: $_"
    exit 1
}
exit 0
```

DNS .bat script

```batch
echo "Invoking DNS script"
pushd %~dp0
REM {DNSPostscriptPath} is the path of the PowerShell postscript saved above.
REM %* forwards the argument the sensor passes (the challenge file path) to it.
powershell.exe -File {DNSPostscriptPath} %*
set returnCode=%errorlevel%
echo "Exit Code : %returnCode%"
popd
EXIT /B %returnCode%
```

%* forwards every argument the sensor passes to the .bat script (the path of the challenge file) to the PowerShell postscript, which reads the domains and the DNS challenge from that file. Replace {DNSPostscriptPath} with the location where you saved the postscript.

AWS - DNS .sh script

```bash
#!/usr/bin/env bash
# Requires the AWS CLI (with a configured named profile) and jq.

set_R53_Record() {
    Profile=$1
    Domain=$2
    Type=$3
    Name=$4
    Value=$5
    TTL=$6
    Comment=$7
    DomainDot="$Domain."
    echo "Profile:$Profile Domain:$Domain"
    # Pick the hosted zone whose name (which ends with a dot) is a suffix of the domain;
    # when parent and child zones both match, the longest name wins
    HOSTEDZONEID=$(/usr/local/bin/aws route53 list-hosted-zones --profile "$Profile" \
        | jq -r --arg d "$DomainDot" \
          '[.HostedZones[] | select(.Name as $n | $d | endswith($n))] | sort_by(.Name | length) | last | .Id') || return 1
    if [ -z "$HOSTEDZONEID" ] || [ "$HOSTEDZONEID" = "null" ]; then
        echo "No hosted zone found for $Domain"
        return 1
    fi
    # TXT record data must be enclosed in double quotes; UPSERT creates or updates the record set
    ChangeBatch=$(mktemp) || return 1
    cat > "$ChangeBatch" << EOL
{"Comment":"$Comment","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"$Name.$Domain","Type":"$Type","TTL":$TTL,"ResourceRecords":[{"Value":"\"$Value\""}]}}]}
EOL
    /usr/local/bin/aws route53 change-resource-record-sets --hosted-zone-id "$HOSTEDZONEID" --profile "$Profile" --change-batch "file://$ChangeBatch"
    rc=$?
    rm -f "$ChangeBatch"
    return $rc
}

# The sensor passes one argument: the path of the challenge file
# (line 1: comma-separated domains, line 2: token type, line 3: challenge token)
if [ "$#" -ne 1 ]; then
    echo "Args not found"
    exit 1   # 1 = failure, per the exit-code table
fi

IFS=$'\n' read -d '' -r -a lines < "$1"

if [ "${#lines[@]}" -lt 3 ]; then
    echo "Challenge file not found or incomplete"
    exit 1
fi

challenge=${lines[2]}

IFS=',' read -ra domains <<< "${lines[0]}"
for domain in "${domains[@]}"; do
    # Skip empty entries and 'null' placeholders
    [ -z "$domain" ] || [ "$domain" = "null" ] && continue
    set_R53_Record default "$domain" "TXT" "_dnsauth" "$challenge" 86400 "DNS challenge for $domain" || exit 1
done
exit 0
```