To use this bundle, you will need to set up dynamic DNS, for instance as I explained in https://haavard.name/2016/03/15/setting-up-key-based-dynamic-dns-updates-with-cfengine/.
I’m using a file repository in $(def.dir_files), where you will need to download letsencrypt.sh into $(def.dir_files)/usr/local/bin. You also need to set up config.sh in $(def.dir_files)/etc/letsencrypt.sh/config.sh. Use the default config.sh and modify it as you see fit; the important settings are

    CHALLENGETYPE="dns-01"
    BASEDIR=/etc/letsencrypt.sh
    HOOK=/etc/letsencrypt.sh/hook-dns.sh

Then install this hook script, which updates DNS with the challenge record whenever letsencrypt.sh needs to verify ownership of a name:
In order to set up key-based dynamic DNS updates, you need to generate a public/private key pair using dnssec-keygen and add the public key as a KEY record on the name you want to be able to update with that key pair. In addition, the zone configuration in bind must allow updates that are cryptographically verified with such a key:

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com";
        update-policy {
            grant local-ddns zonesub any;
            grant * selfsub * A AAAA TXT SSHFP;
        };
    };

With selfsub, a key is allowed to update not only its own name but also names below it (with self it would be limited to its own name). That is what makes DNS verification in letsencrypt work: the dns-01 challenge is a TXT record at _acme-challenge.<name>, a subdomain of the name the key belongs to. The type list at the end also restricts what the key may touch to A, AAAA, TXT and SSHFP records, so a key stolen from a host cannot, for instance, rewrite the zone's NS or MX records.
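As an added example (not the hook script from the original post), here is what a hook-dns.sh for the setup above can look like: it takes the deploy_challenge and clean_challenge calls that letsencrypt.sh makes (hook action, domain, token filename, token value), turns them into an nsupdate script signed with the SIG(0) key generated by dnssec-keygen, and waits until the TXT record is actually visible on the primary before handing control back. The key file name, the ns1.example.com server, the 60 second TTL and the DDNS_KEY/DDNS_SERVER variables are assumptions for the example.

```sh
#!/bin/sh
# hook-dns.sh: dns-01 hook for letsencrypt.sh that publishes and removes the
# _acme-challenge TXT record with nsupdate, authenticated by a SIG(0) key.
# Added example, not the original post's hook. Assumed names:
#   DDNS_KEY     the .private half of a key made with
#                dnssec-keygen -a RSASHA256 -b 2048 -n HOST -T KEY host.example.com
#                (its KEY record is added to host.example.com in the zone)
#   DDNS_SERVER  the primary name server the update is sent to
set -eu

DDNS_KEY="${DDNS_KEY:-/etc/letsencrypt.sh/Khost.example.com.+008+12345.private}"
DDNS_SERVER="${DDNS_SERVER:-ns1.example.com}"
TTL=60   # short TTL so stale challenge records do not linger in caches

# Build the nsupdate script for adding or deleting the challenge record.
# Pure text generation (no network), so it can be inspected and tested.
build_update() {  # $1 = add|delete, $2 = domain, $3 = token value
    name="_acme-challenge.$2."
    case "$1" in
        add)    printf 'server %s\nupdate add %s %s IN TXT "%s"\nsend\n' \
                    "$DDNS_SERVER" "$name" "$TTL" "$3" ;;
        delete) printf 'server %s\nupdate delete %s IN TXT\nsend\n' \
                    "$DDNS_SERVER" "$name" ;;
        *)      echo "build_update: unknown action '$1'" >&2; return 1 ;;
    esac
}

# Poll the authoritative server until the TXT record is visible, so the CA is
# not asked to validate before the record exists. $3 bounds the wait.
wait_for_txt() {  # $1 = domain, $2 = expected value, $3 = max attempts
    i=0
    while [ "$i" -lt "$3" ]; do
        if dig +short "@$DDNS_SERVER" TXT "_acme-challenge.$1" | grep -qF "\"$2\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "TXT record for $1 not visible on $DDNS_SERVER" >&2
    return 1
}

deploy_challenge() {  # $1 = domain, $2 = token filename (unused for dns-01), $3 = token value
    build_update add "$1" "$3" | nsupdate -k "$DDNS_KEY"
    wait_for_txt "$1" "$3" 15
}

clean_challenge() {   # same arguments as deploy_challenge
    build_update delete "$1" "$3" | nsupdate -k "$DDNS_KEY"
}

# letsencrypt.sh invokes the hook as: hook-dns.sh <action> <args...>
# Other actions (deploy_cert, unchanged_cert, ...) are deliberately ignored.
case "${1:-}" in
    deploy_challenge|clean_challenge) "$@" ;;
esac
```

Because the key only carries a selfsub grant for A, AAAA, TXT and SSHFP on its own name, the `update add` above succeeds for _acme-challenge.host.example.com but would be refused for any other name in the zone; the delete in clean_challenge removes the whole TXT RRset for the challenge name, which is the intended cleanup after validation.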