Creating txt records with the API?

I am running 2 Piholes on Raspberry Pi's and they are working flawlessly.

TL;DR I want to create .txt records with the API for certbot to update my TLS certs

I recently set up another Raspberry Pi as a homelab CA running step-ca:

This is fantastic too. I have TLS running for my Piholes now, and they renew their certificates every 16 hours via cron. I can't complain. (I am using passive revocation, which is why the certificate lifetime is so short)

One thing I would like to do is to have TLS running on many of my other systems in my homelab. Right now, to update the certificate, I need to use the http-01 challenge, which usually means turning off the web service to host certbot standalone on port 80, then restarting the web service. This is not a problem for the pihole, as the web service is non-critical, so the cron job just stops lighttpd, renews the certificate, and starts it again. This results in a 30 second outage in the interface every 16 hours.

I would like to start using the dns-01 challenge for certbot (or any other ACME client that I use) and to do this, I would need to update the .txt records on the piholes. This means that I would be running regular jobs to update the .txt records on the piholes at all hours of the day.

I believe that using the API makes the most sense to do this as the certbot job will run in cronjobs on the clients - though I am open to other suggestions.

My thought process for my clients (not the piholes) is:

1. Renew certificate with cron schedule and dns-01 (because of passive revocation).
2. Push dns-01 with API? Can I push to my piholes with certbot directly?
3. Run some other stuff for the cert (service dependent, HUP service to read cert, chmod if needed etc.)

I'm going to assume you are referring to Challenge Types - Let's Encrypt.

It won't help you if your Pi-hole would hold those TXT records - for that DNS challenge to work, the TXT record has to be available through a public DNS request, i.e. the DNS server authoritative for the domain you want to certify has to be configured accordingly.

Thing is, I am not using Let's Encrypt. I am hosting my own CA on a private network. My local CA only needs to reach out to its DNS systems, which in this case are my Piholes.

It is fundamentally the same thing as using Let's Encrypt, but it just isn't public in this case.


Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

That won't show anything as I have not yet created the .txt records.

My question is, how would I create the .txt records locally in an automated fashion so that I can start using the dns-01 challenge.

If you are creating the certs just for your private network, then there would be no need to go through a challenge process.

If your certs were public and your Pi-hole would be publicly accessible, then you would operate Pi-hole as a public resolver, which would pose a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.

There is a need to go through a challenge process when you are using passive revocation, which I am. This is all local to my homelab, none of the processes I am discussing here pass out to the open internet. The domain I am using in this case is "home.lan"

You can see how short-lived my certificates are here (and they work great!):

Part of the reason I am doing this is to gain better experience with TLS automation for eventual use at my job, part is just to improve my own skillset (because it's fun), and finally, I expect most things to move towards the passive revocation model in the future as it is more secure.

I already have this fully functional using the http-01 challenge, but that requires taking down the local webpage on a regular basis in some cases, which is suboptimal. Therefore, I would like to use dns-01, which would allow me to just HUP the cert for the webpages. (Some of the services can do the http-01 challenge without restarting, some cannot.) I am sure I could spin up yet another set of DNS systems that I can work with through the API that sit in front of the internet, and then the Piholes talk to that, but it seems like one heck of a kludge for something that the Pihole supports natively (txt records).

While I am using the ACME protocol, I am basically running the same thing as Let's Encrypt, but it is entirely local-only. Thus, the Piholes just need to be able to regularly create .txt records in an automated fashion. I am sure I could use ssh, scp, or Ansible for that portion of the automation, but I would much rather be able to perform this with a self-contained cron job and API call if that is possible.
(And yes, I know hosting the local API creds is less secure than the http-01 method; this is all about a learning opportunity for myself and the homelab.)

So, the ideal process would be:

Run certbot with the dns challenge and capture the output:

    Please deploy a DNS TXT record under the name
    _acme-challenge.mycoolurl.home.lan with the following value:

    997HIDwjDk27fnv20042doiDF24cvbbw2834fdwvbraw

    Once this is deployed,
    Press ENTER to continue

Take that URL and Key value, and insert it into the .txt records on the Piholes - then finish the challenge.

The component I need help with is updating the .txt records on the Pihole (preferably) through an API, though I may just use an Ansible push depending on various things.

There is no API operation that would allow you to create or update TXT records.

Ok, then I will use Ansible or some other back end automation, thanks!
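One way to automate the step the thread ends on, as an added example that is not code from the thread, from Pi-hole or from certbot: a certbot manual auth/cleanup hook that pushes the challenge to each Pi-hole over ssh as a dnsmasq `txt-record=` drop-in, since the thread establishes that no API operation creates TXT records. Everything about the environment is assumed: Pi-hole reading drop-ins from /etc/dnsmasq.d (the v5-style layout), hostnames pihole1.home.lan and pihole2.home.lan, and a dedicated `acme` ssh account whose sudo rights are limited to `tee` on that path, `rm` of it, and `pihole restartdns`. The token is sent on stdin rather than interpolated into the remote command, and both the token and the domain are character-checked before anything reaches the Pi-hole.

```shell
#!/bin/sh
# certbot manual hook for a private ACME CA whose authoritative DNS is a Pi-hole.
# Added example, not Pi-hole or certbot project code. Assumed environment:
#   - Pi-hole reads dnsmasq drop-ins from /etc/dnsmasq.d (v5-style layout)
#   - an 'acme' account on each Pi-hole with sudo limited to tee/rm on the
#     drop-in path and 'pihole restartdns'
# Usage (the same script serves as both hooks):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/bin/pihole-acme-hook auth" \
#     --manual-cleanup-hook "/usr/local/bin/pihole-acme-hook cleanup" \
#     -d mycoolurl.home.lan
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
set -eu

PIHOLE_HOSTS="${PIHOLE_HOSTS:-pihole1.home.lan pihole2.home.lan}"  # assumed names
PIHOLE_SSH_USER="${PIHOLE_SSH_USER:-acme}"                          # assumed account
SETTLE_SECONDS="${SETTLE_SECONDS:-5}"

# One drop-in per certificate name, so concurrent renewals do not clobber each
# other. The name is restricted to hostname characters before it is used in a
# path or a remote command line (so no '/', no quotes, no spaces).
conf_path_for() {
  case "$1" in
    ""|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  printf '/etc/dnsmasq.d/99-acme-%s.conf\n' "$1"
}

# Build the dnsmasq directive that answers the TXT query for the challenge name.
# dnsmasq syntax: txt-record=<name>,"<text>"
# certbot validation tokens are base64url (A-Z a-z 0-9 - _); anything else is
# rejected so a malformed value cannot break out of the quoted dnsmasq string
# or smuggle a second directive into the config file.
build_txt_record() {
  case "$2" in
    ""|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  printf 'txt-record=_acme-challenge.%s,"%s"\n' "$1" "$2"
}

# Write the record to every Pi-hole and restart FTL so the new file is read.
# The record travels on stdin; only the already-checked path is in the command.
deploy_challenge() {
  record=$(build_txt_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION") || {
    echo "refusing to deploy malformed validation token" >&2
    return 1
  }
  conf=$(conf_path_for "$CERTBOT_DOMAIN") || {
    echo "refusing to deploy malformed domain name" >&2
    return 1
  }
  for host in $PIHOLE_HOSTS; do
    printf '%s\n' "$record" | ssh "$PIHOLE_SSH_USER@$host" \
      "sudo tee '$conf' >/dev/null && sudo pihole restartdns"
  done
  # Let FTL come back before certbot asks the CA to validate.
  sleep "$SETTLE_SECONDS"
}

# Remove the drop-in once the challenge is done, so stale tokens do not linger.
cleanup_challenge() {
  conf=$(conf_path_for "$CERTBOT_DOMAIN") || return 1
  for host in $PIHOLE_HOSTS; do
    ssh "$PIHOLE_SSH_USER@$host" "sudo rm -f '$conf' && sudo pihole restartdns"
  done
}

case "${1:-}" in
  auth)    deploy_challenge ;;
  cleanup) cleanup_challenge ;;
  "")      : ;;   # no mode given (e.g. sourced for testing): do nothing
  *)       echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
esac
```

The ssh key the cron job uses should be a dedicated one whose remote sudoers entry lists only the three commands above, so a compromised client host gains the ability to rewrite one DNS drop-in and nothing more; that is the same trust decision the poster weighed when comparing stored API credentials against http-01.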
