LFACME-KERBEROS(7) FreeBSD Miscellaneous Information Manual LFACME-KERBEROS(7)

NAME
lfacme-kerberos - validate an ACME challenge via GSS-TSIG DNS updates

SYNOPSIS
In domains.conf(5):

domain challenge=kerberos

DESCRIPTION
The lfacme-kerberos challenge hook will respond to an ACME domain validation using a DNS-based “dns-01” authorization with GSS-TSIG Dynamic DNS updates. To use this challenge hook, configure one or more domains with “challenge=kerberos” in domains.conf(5).

The “dns-01” challenge expects the authorization token to be created as a TXT record at the DNS name “_acme-challenge.domain”. When lfacme-kerberos responds to the challenge, it will use nsupdate(1) with the -g flag to create this token. The DNS update will be sent to the zone's master server, as determined by the MNAME field in the SOA record.

Before sending the update, lfacme-kerberos will retrieve a Kerberos ticket using kinit(1) for the principal configured by LFACME_KERBEROS_PRINCIPAL in acme.conf(5).

The lfacme-kerberos challenge hook supports the following configuration options in acme.conf(5):

LFACME_KERBEROS_PRINCIPAL
The Kerberos principal to authenticate as when sending the DNS update. The default value is “host/$(hostname)”, which assumes a default realm has been configured in /etc/krb5.conf. Explicitly configuring the principal is recommended, but not required.
LFACME_KERBEROS_KEYTAB
The keytab used to issue the Kerberos ticket. This must contain a key for the principal configured by LFACME_KERBEROS_PRINCIPAL. The default value is /etc/krb5.keytab.
LFACME_KERBEROS_KINIT
Path to the kinit(1) program. If not specified, $PATH will be searched.
LFACME_DNS_DIG
Path to the dig(1) program. If not specified, $PATH will be searched.
LFACME_DNS_NSUPDATE
Path to the nsupdate(1) program. If not specified, $PATH will be searched.
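The flow described above (find the zone master from the SOA MNAME, obtain a ticket from the keytab, push the TXT record with nsupdate -g, then confirm it is visible at the master) as an added, stand-alone shell example. This is not lfacme's own hook code: the hook's argument convention, the walk up the labels to find the SOA, the private MEMORY: credential cache and the post-update dig check are assumptions made here, while the LFACME_* variables and their defaults are the ones documented on this page.

```shell
#!/bin/sh
# Defaults as documented for acme.conf(5); the environment may override them.
: "${LFACME_KERBEROS_PRINCIPAL:=host/$(hostname)}"
: "${LFACME_KERBEROS_KEYTAB:=/etc/krb5.keytab}"
: "${LFACME_KERBEROS_KINIT:=kinit}"
: "${LFACME_DNS_DIG:=dig}"
: "${LFACME_DNS_NSUPDATE:=nsupdate}"

# Fully qualified dns-01 owner name for a domain.
challenge_name() {
    printf '_acme-challenge.%s.\n' "${1%.}"
}

# Zone master (SOA MNAME) for a name. dig +short prints nothing for a
# non-existent name, so walk up the labels until an SOA answers (assumption).
zone_master() {
    name=${1%.}
    while [ -n "$name" ]; do
        mname=$("$LFACME_DNS_DIG" +short SOA "$name." | awk '{print $1}')
        if [ -n "$mname" ]; then
            printf '%s\n' "$mname"
            return 0
        fi
        case $name in *.*) name=${name#*.} ;; *) break ;; esac
    done
    return 1
}

# nsupdate batch: $1 = add|delete, $2 = master server, $3 = domain, $4 = token.
nsupdate_script() {
    rr=$(challenge_name "$3")
    printf 'server %s\n' "$2"
    case $1 in
        add)    printf 'update add %s 60 IN TXT "%s"\n' "$rr" "$4" ;;
        delete) printf 'update delete %s IN TXT "%s"\n' "$rr" "$4" ;;
        *)      return 1 ;;
    esac
    printf 'send\n'
}

# Full flow: ticket from keytab, GSS-TSIG update (-g), then verify at the master.
publish_challenge() {
    domain=$1; token=$2
    # Private, in-memory cache so the hook never touches a user's ccache (assumption).
    KRB5CCNAME="MEMORY:lfacme-$$"; export KRB5CCNAME
    "$LFACME_KERBEROS_KINIT" -k -t "$LFACME_KERBEROS_KEYTAB" "$LFACME_KERBEROS_PRINCIPAL" || return 1
    master=$(zone_master "$(challenge_name "$domain")") || return 1
    nsupdate_script add "$master" "$domain" "$token" | "$LFACME_DNS_NSUPDATE" -g || return 1
    # Do not report success until the record is answerable at the master.
    "$LFACME_DNS_DIG" +short @"$master" TXT "$(challenge_name "$domain")" | grep -qF "\"$token\""
}
```

A matching cleanup step is `nsupdate_script delete "$master" "$domain" "$token" | "$LFACME_DNS_NSUPDATE" -g`, so stale tokens do not accumulate under _acme-challenge.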

For lfacme-kerberos to work, the DNS server must be configured to accept Kerberos-authenticated Dynamic DNS updates. Using ISC BIND, this can be achieved using a zone update-policy. For example, to allow any host in the “EXAMPLE.ORG” Kerberos realm to issue certificates for its own hostname (and subdomains thereof):

update-policy {
	grant EXAMPLE.ORG krb5-selfsub . TXT;
};

Or to allow a specific host to issue certificates for a different DNS label:

update-policy {
	grant "host/server.example.org@EXAMPLE.ORG"
		name _acme-challenge.www.example.org. TXT;
};

Suitable configuration for other DNS servers (e.g., the Microsoft Windows DNS server) is left as an exercise for the reader.

SEE ALSO
acme.conf(5), domains.conf(5), kinit(1), lfacme-renew(8), nsupdate(1)

June 4, 2025 FreeBSD 14.3-RELEASE
