LEGO

  • Canonical Telco
Channel | Revision | Published   | Runs on
4/beta  | 15       | 08 Oct 2024 | Ubuntu 22.04
4/edge  | 17       | 10 Oct 2024 | Ubuntu 22.04
4/edge  | 16       | 10 Oct 2024 | Ubuntu 22.04
juju deploy lego --channel 4/beta
Solving the DNS-01 Challenge

To get a certificate through the httpreq plugin and the DNS-01 challenge from a Certificate Authority that runs an ACME server, the following components are needed:

  • The Lego Client
  • TLS Certificates Requirer requiring a certificate for a domain name.
  • DNS Agent with an HTTP API
  • DNS Server (Bind as an example)
  • Certificate Authority implementing the ACME protocol (ACME Server)

The following steps show how a requirer obtains a certificate for its domain name:

  1. The certificate requirer creates a CSR whose common name is the domain name the certificate is requested for, and a request is initiated using the Lego client and the CSR.
  2. The Lego client sends the request to the ACME Server.
  3. The ACME Server replies with a payload containing the value the user must place in a TXT DNS record to prove ownership of the domain.
  4. The Lego client makes a request to the DNS agent to create the TXT DNS record.
  5. The DNS agent creates the TXT record.
  6. The DNS agent confirms the creation of the record through the HTTP status code.
  7. The ACME Client tells the ACME Server that the record is in place for the DNS-01 challenge.
  8. The ACME Server validates the creation of the record.
  9. If validation of the TXT record succeeds, the server issues the certificate to the client.
  10. The client delivers the certificate to the requirer.
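Steps 4 to 6 are the part a DNS agent operator has to implement. The following is an added example, not the charm's or lego's own code: a minimal in-memory DNS agent speaking the default-mode httpreq contract (lego POSTs JSON `{"fqdn": ..., "value": ...}` to `/present` and `/cleanup`), which limits itself to `_acme-challenge` records under zones it is authorized for and answers with the status codes lego reacts to. The zone list, port and the in-memory store standing in for a BIND update are constructed assumptions.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Zones this agent is allowed to modify (constructed example value).
ALLOWED_ZONES = ("example.com.",)
# A DNS-01 value is base64url(SHA-256), i.e. exactly 43 unpadded characters.
VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
# In-memory stand-in for the zone update a real agent would push to BIND.
TXT_RECORDS: dict[str, set[str]] = {}


def handle(path: str, body: bytes) -> int:
    """Apply one httpreq call and return the HTTP status the agent answers with."""
    if path not in ("/present", "/cleanup"):
        return 404
    try:
        req = json.loads(body)
        fqdn, value = req["fqdn"], req["value"]
    except (ValueError, KeyError, TypeError):
        return 400
    if not isinstance(fqdn, str) or not isinstance(value, str):
        return 400
    # Least privilege: only challenge records inside an authorized zone may change.
    in_zone = any(fqdn.endswith("." + zone) for zone in ALLOWED_ZONES)
    if not fqdn.startswith("_acme-challenge.") or not in_zone:
        return 403
    if not VALUE_RE.match(value):
        return 400
    if path == "/present":
        TXT_RECORDS.setdefault(fqdn, set()).add(value)
    else:
        TXT_RECORDS.get(fqdn, set()).discard(value)
    return 200  # lego treats any non-2xx answer as a failed present/cleanup


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.send_response(handle(self.path, self.rfile.read(length)))
        self.end_headers()


if __name__ == "__main__":
    # Point lego at this agent with HTTPREQ_ENDPOINT=http://127.0.0.1:8080
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Running the agent over plain HTTP on a loopback address is only acceptable when lego and the agent share a host; otherwise the endpoint should sit behind TLS and authentication, since anyone who can reach it can create challenge records in the zone.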
