Re: [opensuse] Why are nsupdate changes not persistent? SOLVED
Per Jessen you scalawag!!! ;-) I found the solution to my LetsEncrypt
issue and why the DNS-01 challenge wasn't working for me. Turns out I
found it in a thread from way back in 2006 that you had participated in!
- https://lists.isc.org/pipermail/bind-users/2006-January/061063.html

Talk about another poorly documented feature of bind, with no examples
to help a poor soul out! But using the key itself, as a way to control
matches for a view, is the solution. This way one is able to force bind
to only allow certbot challenges for LetsEncrypt certificates to use a
particular (external) view and not other inappropriate local or internal
views! So in both of my localhost_resolver and my internal views I used
the following statements -

view "localhost_resolver"
{
    match-clients      { ! key letsencrypt.; localhost; };
    match-destinations { ! key letsencrypt.; localhost; };
    ...

and

view "internal" { // What the home network will see
    match-clients      { ! key letsencrypt.; localnets; localhost; };
    match-destinations { ! key letsencrypt.; localnets; localhost; };
    ...

Works like a charm! Many many thanks again for your help, from a long
long time ago, though I don't think you realized how helpful you already
were or knew that distant future bodies would be indebted to your
trailblazing efforts...

    Marc..

On 03/16/2019 12:18 PM, Per Jessen wrote:
> Marc Chamberlin wrote:
>
>> Hi Per -  Well you hit the nail on the head, many thanks for your
>> help!
> Marc, my pleasure! Two pairs of eyes will always beat one pair :-)
>
>> Moving the zone files over to /var/lib/named solved the
>> persistence problem. I guess that wasn't clear to me but now that I
>> think about it, makes sense since named is running in a chrooted jail
>> and it cannot follow links out of there. (I actually had to create 3
>> new "master" directories, one for each view, but that wasn't a big
>> hurdle..)
> I also have two views, but I keep all the zone files in one place.
>
>> This didn't solve my troubles I am having with LetsEncrypt
>> certificates but at least I know this persistence issue isn't getting
>> in my way...
> I'm using http-01 which works very well, but I have been contemplating
> trying out dns-01 too.

--
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software
and new applications.
To boldly go where no Marc has gone before!
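The key-based view selection Marc describes above, written out as a complete named.conf fragment. This is an added example, not Marc's or Per's own configuration: the zone name example.com, the file paths (relative to the chroot's `directory`) and the key secret are placeholders, and the external view's `update-policy` is an assumption added so the key can only touch the ACME challenge TXT record rather than the whole zone.

```conf
// Added example, not the poster's named.conf. One TSIG key both
// authenticates nsupdate/certbot and steers those requests into
// the external view. Names, paths and the secret are placeholders.
key "letsencrypt." {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder; generate with tsig-keygen
};

view "localhost_resolver" {
    // The negated key entry comes first: a signed update from
    // localhost is rejected by this view and falls through.
    match-clients      { ! key letsencrypt.; localhost; };
    match-destinations { ! key letsencrypt.; localhost; };
    recursion yes;
    zone "." { type hint; file "root.hint"; };
};

view "internal" { // what the home network will see
    match-clients      { ! key letsencrypt.; localnets; localhost; };
    match-destinations { ! key letsencrypt.; localnets; localhost; };
    recursion yes;
    zone "example.com" {
        type master;
        file "master/internal/example.com";
    };
};

view "external" {
    // Everything not claimed above, including key-signed updates, lands here.
    match-clients { key letsencrypt.; any; };
    recursion no;
    zone "example.com" {
        type master;
        file "master/external/example.com";
        // Assumed restriction: the key may only add/remove TXT records
        // at the _acme-challenge label, nothing else in the zone.
        update-policy {
            grant letsencrypt. name _acme-challenge.example.com. TXT;
        };
    };
};
```

Because the internal views exclude the key rather than the address, the same signed update is routed to the external view no matter where certbot runs, which is why a TSIG-only `update-policy` is preferable to a broad `allow-update`.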
