This is a PowerShell script that can be used as manual auth and cleanup hook, and executes the necessary dnscmd commands on a Windows DNS server to enable dns-01 authentication.

• Custom root CA (e.g. step-ca)
• Windows server acting as DNS
• Active PowerShell Remoting over SSH
  • OpenSSH server
  • SSH key for an administrator login

Save certbot-dns-windows.ps1 to /etc/letsencrypt and change the following variables:

• $zone: The name of the forward lookup zone
• $dnsServerHostName: The fully qualified Windows DNS server we're logging in to
• $userName: The name of the administrator user used for a login

Important: Make the certbot-dns-windows.ps1 script executable with: chmod 755 /etc/letsencrypt/certbot-dns-windows.ps1.

The REQUESTS_CA_BUNDLE is required for a successful TLS connection to your custom ACME CA server.

You should change the following values:

• REQUESTS_CA_BUNDLE: Path to the root CA file to be able to connect to your custom ACME CA server
• --email: The ACME CA account
• --installer: To be changed when you don't use NGINX
• -d: The domain to get the certificate for
• --cert-name: The (internal) name of the certificate to be issued
• --server: The URL to your custom ACME CA server (e.g. step-ca)

#!/bin/bash

sudo \
  REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/your-custom-root-ca.crt \
  certbot --agree-tos --email "[email protected]" \
    run \
      --installer nginx                  \
      --authenticator manual             \
      --manual-auth-hook "/etc/letsencrypt/certbot-dns-windows.ps1" \
      --manual-cleanup-hook "/etc/letsencrypt/certbot-dns-windows.ps1 --remove" \
      -d \*.your.intern.domain.com       \
      --cert-name wildcard-cert-name     \
      --preferred-challenges dns         \
      --server https://your-internal-acme-ca-like-step-ca/acme/acme/directory \
      --force-renewal

Symptom: The challenge simply doesn't work and you see lots of messages in the step-ca log like There was a problem with a DNS query during identifier validation

Explanation: The DNS record lookup uses systemd-resolved which caches DNS requests. Thus, the ACME CA (like step-ca) never sees the newly created TXT records.

Solution: Ensure that the ACME CA queries the Windows DNS server directly.

In case you use step-ca, just add the --resolver 127.0.0.53:53 argument when starting the step-ca server. Don't forget to replace 127.0.0.53 with the correct IP of your DNS server!

The CMD of the smallstep/step-ca docker image can be overriden, with - for example - the following values:

version: "3.8"
services:
  step-ca:
    image: smallstep/step-ca:latest
    restart: always
    command: ["/usr/local/bin/step-ca", "--resolver", "127.0.0.53:53", "--password-file", "/home/step/secrets/password", "/home/step/config/ca.json"]
    network_mode: "host"
    volumes:
      - step:/home/step

volumes:
  step: