
Concepts

This document describes a generic way of obtaining X.509 server certificates from an ACME-enabled certification authority using the DNS-01 challenge. Several certification authorities offer ACME; this guide only covers Let's Encrypt.

ACME Challenges

The most common ACME Challenge Types are the HTTP-01 Challenge and the DNS-01 Challenge.

HTTP-01 Challenge

This method is suitable if you run a publicly reachable web server and you do not need wildcard certificates. Your ACME client obtains a token from the CA and places the corresponding key authorization in a file under the well-known path /.well-known/acme-challenge/ in the web root. The CA fetches this file over plain HTTP (port 80) from the internet and issues the certificate if the content matches what it expects. You can find a longer description on the Let's Encrypt website.

This means that HTTP-01 cannot be used for servers that are not reachable from the internet.

Info

You do not need acme4netvs to perform HTTP-01 challenges.

DNS-01 Challenge

For this type of challenge, the challenge response (a SHA-256 digest of the key authorization) is published as a DNS TXT resource record named _acme-challenge.<your-domain>, which the CA looks up from the internet. This method has two advantages over the HTTP-01 challenge:

  • You can request certificates that include a wildcard name (*.example.com), which is valid for every name exactly one label below example.com
  • The system itself does not need to be reachable from the internet; only the authoritative DNS server(s) for the name have to be

In order to deploy the challenge string to DNS, we provide the acme4netvs plugin documented on this page.
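As a worked example of the two challenge types described above (what the HTTP-01 file and the DNS-01 TXT record actually contain), the following Python script computes both responses according to RFC 8555 and RFC 7638. It is added here for illustration and is not part of acme4netvs or of any ACME client. The account key is the public RSA key from the RFC 7638, section 3.1 example; the token is a constructed value of the shape a CA issues; no network access is needed.

```python
"""
Compute ACME challenge responses for HTTP-01 and DNS-01
(RFC 8555 sections 8.1, 8.3 and 8.4; JWK thumbprint per RFC 7638).
Added example, not code from acme4netvs or from any ACME client.
"""
import base64
import hashlib
import json

# Public part of the ACME account key. This is the example RSA key from
# RFC 7638 section 3.1 (also RFC 7515 Appendix A.2); "alg" and "kid" are
# present to show that they do NOT enter the thumbprint.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# Constructed token, 43 base64url characters like the ones Let's Encrypt hands out.
TOKEN = "Kn7yMgHb9tZ0Ea1yE_b6sJcXQk8hRwVu2fmpLxoD4Nc"

# JWK members that enter the RFC 7638 thumbprint, per key type.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

BASE64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_base64url(s: str) -> bool:
    """True if s is non-empty and uses only the unpadded base64url alphabet."""
    return bool(s) and set(s) <= BASE64URL_ALPHABET


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, keys sorted, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key).

    The token is validated first: RFC 8555 section 8.3 requires clients to
    reject tokens that are not base64url, because HTTP-01 clients write a
    file named after the token and a crafted token could otherwise cause
    a path traversal in the web root.
    """
    if not is_base64url(token):
        raise ValueError("token is not valid base64url, refusing to use it")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """(URL path, file body) the web server must serve over HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """(owner name, TXT rdata) to publish in DNS.

    For a wildcard like *.example.com the '*' label is dropped, so the
    record lives at _acme-challenge.example.com, the same place as for the
    bare name. The rdata is base64url(SHA-256(key authorization)), never the
    key authorization itself.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("HTTP-01: GET", path, "must return", body)
    name, txt = dns01_record("*.example.com", TOKEN, ACCOUNT_JWK)
    print("DNS-01 :", name, "IN TXT", f'"{txt}"')
```

Before asking the CA to validate a DNS-01 challenge, check from outside your network that the authoritative servers answer with the computed TXT value; the CA queries them from the internet, not your local resolver.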

Note

Your system does not have to be reachable from the internet (no incoming connections are necessary), but it must be able to reach www-net.scc.kit.edu and the CA's servers on the internet (outgoing connections must be possible). If your system may not contact servers on the internet at all, you need a service system that requests the certificate on its behalf and then deploys the resulting certificate, together with its private key, to the target system correctly.

Info

You do need acme4netvs to perform DNS-01 challenges for domain names that are managed with DNSVS.

Here is a simplified diagram of how DNS-01 challenges work with acme4netvs: