FreeBSD Manual Pages

LFACME-KERBEROS(7)       Miscellaneous Information Manual       LFACME-KERBEROS(7)

NAME
       lfacme-kerberos -- validate an ACME challenge via GSS-TSIG DNS updates

SYNOPSIS
       In domains.conf(5):

             domain challenge=kerberos

DESCRIPTION
       The lfacme-kerberos challenge hook will respond to an ACME domain
       validation using a DNS-based "dns-01" authorization with GSS-TSIG
       Dynamic DNS updates.  To use this challenge hook, configure one or more
       domains with "challenge=kerberos" in domains.conf(5).

       The "dns-01" challenge expects the authorization token to be created as
       a TXT record at the DNS name "_acme-challenge.domain".  When
       lfacme-kerberos responds to the challenge, it will use nsupdate(1) with
       the -g flag to create this token.  The DNS update will be sent to the
       zone's master server, as determined by the MNAME field in the SOA
       record.

       Before sending the update, lfacme-kerberos will retrieve a Kerberos
       ticket using kinit(1) for the principal configured by
       LFACME_KERBEROS_PRINCIPAL in acme.conf(5).

CONFIGURATION
       The lfacme-kerberos challenge hook supports the following configuration
       options in acme.conf(5):

       LFACME_KERBEROS_PRINCIPAL
               The Kerberos principal to authenticate as when sending the DNS
               update.  The default value is "host/$(hostname)", which assumes
               a default realm has been configured in /etc/krb5.conf.
               Explicitly configuring the principal is recommended, but not
               required.

       LFACME_KERBEROS_KEYTAB
               The keytab used to issue the Kerberos ticket.  This must contain
               a key for the principal configured by LFACME_KERBEROS_PRINCIPAL.
               The default value is /etc/krb5.keytab.

       LFACME_KERBEROS_KINIT
               Path to the kinit(1) program.  If not specified, $PATH will be
               searched.

       LFACME_DNS_DIG
               Path to the dig(1) program.  If not specified, $PATH will be
               searched.

       LFACME_DNS_NSUPDATE
               Path to the nsupdate(1) program.  If not specified, $PATH will
               be searched.
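       The flow laid out in DESCRIPTION and CONFIGURATION (kinit from the
       keytab, find the zone master through the SOA MNAME, push the TXT record
       with nsupdate -g), written out as an added example for this page.  It is
       not lfacme's own hook code.  It assumes a hook invoked as
       "add|delete <domain> <token>", that kinit accepts -k -t <keytab> (true
       for MIT and Heimdal), and that "dig +noall +answer +authority SOA"
       returns the SOA whose MNAME is the master; the SOA line embedded below
       is a constructed sample.

```shell
#!/bin/sh
# Added example (not lfacme's own code): the dns-01 flow the page describes,
# as a stand-alone hook.  Assumed interface: argv is "add|delete <domain> <token>".
# Assumed tool flags: kinit -k -t (MIT and Heimdal), dig +noall +answer +authority.
set -eu

# Resolve the acme.conf(5) knobs named on the page, with the documented defaults.
config_defaults() {
    LFACME_KERBEROS_PRINCIPAL="${LFACME_KERBEROS_PRINCIPAL:-host/$(hostname)}"
    LFACME_KERBEROS_KEYTAB="${LFACME_KERBEROS_KEYTAB:-/etc/krb5.keytab}"
    LFACME_KERBEROS_KINIT="${LFACME_KERBEROS_KINIT:-kinit}"
    LFACME_DNS_DIG="${LFACME_DNS_DIG:-dig}"
    LFACME_DNS_NSUPDATE="${LFACME_DNS_NSUPDATE:-nsupdate}"
}

# dns-01 tokens are base64url (RFC 8555): only [A-Za-z0-9_-].  Refuse anything
# else so a token can never smuggle extra lines into the nsupdate script.
valid_token() {
    case $1 in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The record the CA looks for: "_acme-challenge.<domain>." (fully qualified).
acme_challenge_name() {
    printf '_acme-challenge.%s.\n' "${1%.}"
}

# Pull MNAME (the zone's primary master) out of dig output.  Works for both an
# answer-section SOA (name is a zone apex) and the authority-section SOA that
# comes back for a name below the apex; the first RDATA field of SOA is MNAME.
soa_mname() {
    awk '$4 == "SOA" { print $5; exit }'
}

# Constructed sample of what "dig +noall +answer +authority SOA" prints.
SAMPLE_SOA_ANSWER='example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2025060401 7200 3600 1209600 3600'

# Emit the nsupdate(1) script: target the master, add or delete the TXT record, send.
nsupdate_script() {
    action=$1 master=$2 name=$3 token=$4
    printf 'server %s\n' "$master"
    case $action in
        add)    printf 'update add %s 60 IN TXT "%s"\n' "$name" "$token" ;;
        delete) printf 'update delete %s IN TXT "%s"\n' "$name" "$token" ;;
        *) echo "nsupdate_script: unknown action '$action'" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Full flow: kinit from the keytab into a private ccache, locate the master via
# SOA MNAME, push the update with GSS-TSIG (nsupdate -g), then drop the ticket.
lfacme_kerberos_update() {
    action=$1 domain=$2 token=$3
    config_defaults
    valid_token "$token" || { echo "refusing malformed token" >&2; return 1; }
    name=$(acme_challenge_name "$domain")
    master=$("$LFACME_DNS_DIG" +noall +answer +authority SOA "$name" | soa_mname)
    [ -n "$master" ] || { echo "no SOA/MNAME found for $name" >&2; return 1; }

    # A throwaway credential cache keeps the hook's ticket away from any
    # interactive user's cache and lets us destroy it when the hook exits.
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    trap 'kdestroy >/dev/null 2>&1; rm -f "${KRB5CCNAME#FILE:}"' EXIT

    "$LFACME_KERBEROS_KINIT" -k -t "$LFACME_KERBEROS_KEYTAB" "$LFACME_KERBEROS_PRINCIPAL"
    nsupdate_script "$action" "$master" "$name" "$token" | "$LFACME_DNS_NSUPDATE" -g
}

# Run only when invoked with the assumed "add|delete <domain> <token>" arguments.
if [ "$#" -eq 3 ]; then
    lfacme_kerberos_update "$@"
fi
```

       The token check and the private credential cache are the two details
       worth carrying into a real hook: the former keeps the generated
       nsupdate script a single well-formed update, the latter keeps the
       host-key ticket from lingering in a shared cache after the challenge.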

DNS SERVER CONFIGURATION
       For lfacme-kerberos to work, the DNS server must be configured to accept
       Kerberos-authenticated Dynamic DNS updates.  Using ISC BIND, this can be
       achieved using a zone update-policy.  For example, to allow any host in
       the "EXAMPLE.ORG" Kerberos realm to issue certificates for its own
       hostname (and subdomains thereof):

             update-policy {
                     grant EXAMPLE.ORG krb5-selfsub . TXT;
             };

       Or to allow a specific host to issue certificates for a different DNS
       label:

             update-policy {
                     grant "host/server.example.org@EXAMPLE.ORG"
                             name _acme-challenge.www.example.org. TXT;
             };

       Suitable configuration for other DNS servers (e.g., the Microsoft Windows
       DNS server) is left as an exercise for the reader.

SEE ALSO
       acme.conf(5), domains.conf(5), kinit(1), lfacme-renew(8), nsupdate(1)

FreeBSD ports 15.0                June 4, 2025                LFACME-KERBEROS(7)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=lfacme-kerberos&sektion=7&manpath=FreeBSD+Ports+15.0>
