Deploy hook for certbot to install certificate into bind9 for DoT and DoH support.
The hook:
- Copies the full chain and private key to a directory readable by bind9, including setting ownership and permissions.
- Creates a
tls certbot-tls { ... };
configuration block pointing to the certificates. - Ensures there are IPv4 and IPv6 listeners for DNS, DNS over TLS (DoT), and DNS over HTTPS (DoH).
Configuring DoT and DoH to use the
tls certbot-tls
settings. - Reloads bind9 to pick up the configuration changes / new certificate.
Copy bind9-deploy-hook.sh
to the bind9 server, e.g. into /usr/local/sbin/
.
Ensure HTTP (80/tcp) is allowed through the firewall from the ACME server for the challenge to work.
To use the deploy hook for the initial issuance, and all subsequent auto-renewals, request the initial certificate as follows:
certbot certonly --standalone --domain ns1.domain.tld \
--deploy-hook /usr/local/sbin/bind9-deploy-hook.sh
All being well the output will look something like:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for ns1.domain.tld
Hook 'deploy-hook' ran with output:
bind9 certbot deploy hook v1.0.0
Installing certificate file
Installing private key file
Adding certbot TLS config block to /etc/bind/named.conf.options
Configuring IPv4 and IPv6 DNS (53/udp & 53/tcp), DoT (853/tcp), and DoH (443/tcp) listeners in /etc/bind/named.conf.options
Reloading bind9
Done
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ns1.domain.tld/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ns1.domain.tld/privkey.pem
This certificate expires on 2024-09-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your named.conf.options will now have these lines in (plus any existing config):
tls certbot-tls {
cert-file "/etc/bind/bind.crt";
key-file "/etc/bind/bind.key";
};
options {
listen-on { any; };
listen-on-v6 { any; };
listen-on port 443 tls certbot-tls http default { any; };
listen-on-v6 port 443 tls certbot-tls http default { any; };
listen-on port 853 tls certbot-tls { any; };
listen-on-v6 port 853 tls certbot-tls { any; };
};
The hook has been written on Ubuntu, some variables may need to be tweaked for other OSes.
BIND_CONF
needs to point to the appropriate bind9 configuration file fortls
andoptions
settings, on Ubuntu this is/etc/bind/named.conf.options
.BIND_USER
andBIND_GROUP
need to reference the user and group bind9 runs as, on Ubuntu this isbind
for both, others are known to usenamed
.CERT_TARGET
andPRIVATE_KEY_TARGET
need to point to file paths the user bind9 run as can read.
Currently the hook does not configure these settings in the certbot-tls
config block:
dhparam-file
cipher-suites
ciphers
prefer-server-ciphers
session-tickets
Refer to the bind9 documentation and Mozilla Security/Server Side TLS guidance to configure them manually if desired.