Today I started playing around with a VPS and AdGuard Home DNS on it. Everything is quite nice so far, but I want to protect it a bit more than the standard config.
So I wanted to make it only available for trusted clients via the new Client ID feature.
Therefore I need to install it with a “wildcard cert”. Actually I don’t really know how to do it together with desec.io to get a wildcard cert running. Maybe you can help me here?
You are not providing enough information here and the subject seems to be off-topic.
deSEC e.V. is a DNS provider. It does not issue certificates. So your question as posted is out-of-scope for this forum.
Depending on your certificate authority there might be a connection as in some cases, e.g. Let’s Encrypt, a DNS-based challenge is used to authenticate wildcard certificate requests. But without knowing which certificate authority you are planning to use, there is no way to tell. Some certificate authorities issue a wildcard certificate using other authentication methods.
In very general terms, if your certificate authority is using a DNS-based authentication method then you will want to use the deSEC API to set the appropriate records when the challenge is issued. You may want to read TLS Certificates with Let’s Encrypt for more info on that.
Feel free to ask DNS and deSEC related questions if and when you get to that point.
Thanks for your feedback. And sorry that I'm a newbie in this kind of section.
In the evening I found out the same thing, as you said.
Overall I want to use acme.sh to get a LE cert for that kind of scenario.
I found this part:
But I don't really know how to integrate it into my system.
The first part is clear (how to get and secure the API within the deSEC web GUI, as it's straightforward - thanks for that),
but what about the export DEDYN_TOKEN="<token>" part: do I just have to put it into my VPS terminal as a command?
followed by ./acme.sh --issue --dns dns_desec -d foobar.dedyn.io -d *.foobar.dedyn.io (of course with my own domains, subdomains and so on…)?
Or how is that meant?
And again, sorry that I'm not a pro here. I'm trying to learn, and as far as I understand this part needs some support from the DNS host (which is deSEC).
And if I’m wrong, maybe I can get a little help too over here.
Ok, that answers the open questions from your original post.
These questions are about shell scripting, not about deSEC or DNS. If you are not familiar with shell scripting then you should probably read up on that subject, before doing things that might have security implications. But that is totally out-of-scope for this forum.
That said, first you set the environment variable then you call the script that uses the variable. Yes you could do this on the command line in a terminal session. But ultimately you will want to automate this into something like a cron job or similar (depending on the OS on your server). That way your certificate can be renewed automatically.
I don't know / have never used acme.sh. It may be one way to do what you want. The wiki section you cited seems pretty straightforward. If you need help using it you should probably find their support channels.
You still have not really asked any question specific to deSEC, which is fine. But don’t expect help on other subjects here.
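The procedure discussed above (set DEDYN_TOKEN, run acme.sh with the dns_desec hook for the base name and its wildcard, then automate it from cron), as an added example that is not code from this thread, from acme.sh or from deSEC. It reads the token from a mode-0600 file rather than from an export typed into the terminal, so the token stays out of shell history and out of the process list. Assumed: acme.sh installed under $HOME/.acme.sh, the hypothetical token path /etc/desec/token, and GNU or BSD ls.

```shell
#!/bin/sh
# Added example, not code from the thread, from acme.sh or from deSEC.
# Cron-friendly wrapper: the deSEC token comes from a 0600 file instead of
# the command line. Assumed: acme.sh under $HOME/.acme.sh; /etc/desec/token
# is a hypothetical path; dns_desec is the acme.sh hook named in the thread.
set -eu

TOKEN_FILE="${TOKEN_FILE:-/etc/desec/token}"
ACME="${ACME:-${HOME:-/root}/.acme.sh/acme.sh}"

# Refuse a token file that group or others can read or write.
# ls -l columns 5-10 are the group+other bits on both GNU and BSD.
check_token_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "token file $f does not exist" >&2
        return 1
    fi
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "token file $f is readable by others (chmod 600 it)" >&2
        return 1
    fi
}

# Issue (or renew) one certificate covering the base name and its wildcard.
# Usage: issue_wildcard foobar.dedyn.io
issue_wildcard() {
    domain="$1"
    check_token_file "$TOKEN_FILE"
    # Prefix assignment: the token is in the environment of this one
    # acme.sh process only, not in the calling shell.
    DEDYN_TOKEN=$(cat "$TOKEN_FILE") \
        "$ACME" --issue --dns dns_desec -d "$domain" -d "*.$domain"
}

# Example crontab line (as root, nightly), path is hypothetical:
# 17 3 * * * /usr/local/sbin/desec-wildcard.sh foobar.dedyn.io
case "${1:-}" in
    "") ;;                    # no argument: only define the functions
    *)  issue_wildcard "$1" ;;
esac
```

acme.sh documents that it saves DEDYN_TOKEN into ~/.acme.sh/account.conf after the first successful run, so that file deserves the same 0600 permissions as the token file.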