Domino V12 Let’s Enrypt DNS-01 Challenges delegating a sub-domain to Digital Ocean
Daniel Nashed 24 January 2021 16:45:43
Domino V12 Beta 1 supports DNS-01 challenge validation for Let's Encrypt and other ACME providers.
The beta ships with two providers available in DXL file ready to import (the DXL file can be found in the Beta form).
The beta forum contains a DXL file with 1. Cloudflare Inc and 2. Hetzner GmbH (a German provider) API as reference implementations.
I took the configuration as a reference and implemented a Digital Ocean configuration.
This option turns out a free solution which is very convenient for testing.
Delegate a sub domain via NS records
For my tests I delegated a sub-domain of an existing domain at another provider to Digital Ocean.
To delegate a sub-domain I just created Name Server (NS) records pointing to Digital Ocean.
NS digitalocean.domino-lab.net ns1.digitalocean.com.
NS digitalocean.domino-lab.net ns2.digitalocean.com.
NS digitalocean.domino-lab.net ns3.digitalocean.com.
In the next step I just added the sub-domain digitalocean.domino-lab.net to my Digital Ocean account.
Having this in place, I can now use the Digital Ocean DNS API to write DNS TXT records to validate DNS-01 challenges for Let's Encrypt/ACME.
The DNS sub-domain delegation ensures the DNS servers at Digital Ocean are responsible for DNS requests for the sub-domain.
CertMgr DNS Provider Configuration
I have created a new configuration using the HTTP Request with @Formulas listed below.
Now I can define a registered domain digitalocean.domino-lab.net leveraging my configuration.
The DNS Provider Configuration is pretty straightforward. You just need to configure a ADD and a DELETE operation in this case.
The authorization token you generate at the Digital Ocean account is the only parameter you have to set, beside the registered domain.
Having this configuration in place, you can immediately start registering certificates using any type of ACME provider.
TLS Credentials
| Main | |
| Status: | Issued |
| Hostnames: | www.digitalocean.domino-lab.net |
| Domino Server Names: | pluto/NotesLab |
| Status: | Valid |
| Certificate Expiration: | Sat 24.04.2021 17:41:26 |
| Certificate Renew Date: | Thu 25.03.2021 16:41:26 |
| Certificate Provider: | ACME |
| ACME Account: | LetsEncryptStaging |
| Certificate Authority: | |
| Key Type: | ECDSA |
| Curve Name: | NIST P-384 |
Tips:
While developing a new provider configuration, there are 3 options, which are helpful.
1. The "Test Formula" action helps you to simulate the results
2. The "Insert Field" action allows to insert any of the standard fields without looking them up or typing them
3. The DNS Provider Trace option shows all input data and output results to help figuring out the right parameters.
For example in this case the "retJSON_Add.domain_record.id" field contains the DNS record ID returned by the ADD operation.
This field is used in the DELETE operation to identify the created DNS TXT record.
Here is my working Digital Ocean configuration at a glance showing both documents (config and account for my sub-domain).
-- Daniel
DNS Provider Account
| Registered Domain: | digitalocean.domino-lab.net |
| Account Name: | domino-lab.net @ DigitalOcean |
| Status: | Enabled |
| DNS Provider Configuration: | DigitalOcean |
| Configuration Values | |
| DNS Zone: | |
| Username: | |
| email Address: | |
| Password: | |
| Authorization Key: | |
| Authorization Token: | 77931d012b385ed4def25412981d33a33be65a553d373c65a61196e5c170xxx *) |
*) No this is not my real token.
-------------------
DNS Provider Configuration
| Operations | |
| Type: | HTTP Request |
| Status Formula: | @if (retJSON_Add.domain_record.id != ""; 200; 400) |
| Request URL: | https://api.digitalocean.com/v2/domains |
| DnsProviderDelay | 42 |
| HTTP Request Tracing: | Enabled |
| HTTP Add Request | |
| Request Type: | POST |
| URL Formula: | cfg_URL + "/" + param_RegisteredDomain +"/records" |
| Header Formula: | ( "Content-Type: application/json" ) : ("Authorization: Bearer " + cfg_AuthToken ) |
| Post Data Formula: | '{"type":"TXT","name":"' + param_DnsTxtName+ '.","data":"' + param_DnsTxtValue + '","ttl":30}' |
| HTTP Delete Request | |
| Request Type: | DELETE |
| URL Formula: | ID_TXT:@Text(retJSON_Add.domain_record.id); @if (ID_TXT= ""; ""; cfg_URL + "/" + param_RegisteredDomain + "/records/" + ID_TXT) |
| Header Formula: | ( "Content-Type: application/json" ) : ("Authorization: Bearer " + cfg_AuthToken ) |
| Post Data Formula: | |
- Comments [0]
![[HCL Domino]](../lotus-domino.gif){kind=small}
![[Domino on Linux]](../domino-linux.gif){kind=small}
![[Nash!Com]](../nashcom.gif){kind=small}
![[Daniel Nashed]](../daniel-nsh.gif){kind=small}