1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
.\" This source code is released into the public domain.
.Dd June 4, 2025
.Dt LFACME-KERBEROS 7
.Os
.Sh NAME
.Nm lfacme-kerberos
.Nd validate an ACME challenge via GSS-TSIG DNS updates
.Sh SYNOPSIS
In
.Xr domains.conf 5 :
.Bd -ragged -offset indent
.Ar domain
challenge=kerberos
.Ed
.Sh DESCRIPTION
The
.Nm
challenge hook will respond to an ACME domain validation using a DNS-based
.Dq dns-01
authorization with GSS-TSIG Dynamic DNS updates.
To use this challenge hook, configure one or more domains with
.Dq challenge=kerberos
in
.Xr domains.conf 5 .
.Pp
The
.Dq dns-01
challenge expects the authorization token to be created as a TXT record at the
DNS name
.Dq _acme-challenge. Ns Ar domain .
When
.Nm
responds to the challenge, it will use
.Xr nsupdate 1
with the
.Fl g
flag to create this token.
The DNS update will be sent to the zone's master server, as determined by the
MNAME field in the SOA record.
.Pp
Before sending the update,
.Nm
will retrieve a Kerberos ticket using
.Xr kinit 1
for the principal configured by
.Ar ACME_KERBEROS_PRINCIPAL
in
.Xr acme.conf 5 .
.Sh CONFIGURATION
The
.Nm
challenge hook supports the following configuration options in
.Xr acme.conf 5 :
.Bl -tag -width indent
.It Va ACME_KERBEROS_PRINCIPAL
The Kerberos principal to authenticate as when sending the DNS update.
The default value is
.Dq host/$(hostname) ,
which assumes a default realm has been configured in
.Pa /etc/krb5.conf .
Explicitly configuring the principal is recommended, but not required.
.It Va ACME_KERBEROS_KEYTAB
The keytab used to issue the Kerberos ticket.
This must contain a key for the principal configured by
.Va ACME_KERBEROS_PRINCIPAL .
The default value is
.Pa /etc/krb5.keytab .
.It Va ACME_KERBEROS_KINIT
Path to the
.Xr kinit 1
program.
If not specified,
.Ev $PATH
will be searched.
.It Va ACME_DNS_DIG
Path to the
.Xr dig 1
program.
If not specified,
.Ev $PATH
will be searched.
.It Va ACME_DNS_NSUPDATE
Path to the
.Xr nsupdate 1
program.
If not specified,
.Ev $PATH
will be searched.
.El
.Sh DNS SERVER CONFIGURATION
For
.Nm
to work, the DNS server must be configured to accept Kerberos-authenticated
Dynamic DNS updates.
Using ISC BIND, this can be achieved using a zone update-policy.
For example, to allow any host in the
.Dq EXAMPLE.ORG
Kerberos realm to issue certificates for its own hostname
(and subdomains thereof):
.Bd -literal -offset indent
update-policy {
grant EXAMPLE.ORG krb5-selfsub . TXT;
};
.Ed
.Pp
Or to allow a specific host to issue certificates for a different DNS label:
.Bd -literal -offset indent
update-policy {
grant "host/server.example.org@EXAMPLE.ORG"
name _acme-challenge.www.example.org. TXT;
};
.Ed
.Pp
Suitable configuration for other DNS servers (e.g., the Microsoft Windows
DNS server) is left as an exercise for the reader.
.Sh SEE ALSO
.Xr acme.conf 5 ,
.Xr domains.conf 5 ,
.Xr kinit 1 ,
.Xr lfacme-renew 8 ,
.Xr nsupdate 1
|
