I own a Brother printer and was curious how the upload worked. Apparently, it is just screenscraping the CSRF token[0], and submitting the cert upload form[1] in the printer's admin web interface. It needs the printer's admin credentials for the upload to work.
You should have used the `--deploy-hook` on certbot. I use this to copy the cert to Synology NAS and trigger a reload of the cert on the NAS.
BTW: The easiest way to run certbot in a container is to mount a renew script (some shell script as simple as `certbot renew`) to /etc/periodic/daily/renew, then change the container's entrypoint to `crond -d6 -f`.
I read a lot about people running things like Caddy which will automatically retrieve Lets Encrypt certificates. And I think it makes sense for publicly accessible web sites since you can use an HTTP challenge with Let's Encrypt.
For internal-use certificates, you'll have to make use of a DNS challenge with Let's Encrypt. I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone. I see that the author creates exactly that kind of token and has permanently accessible to his script. For a home lab where he's the only person accessing his hardware, that's less of a concern. But what about at a company where multiple people may have access to a system?
Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?
> I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone.
Depending on your DNS provider, it may be possible to narrow the permissions to allow only updates of a particular record. Route53 as an example:
You can also point the hostname that you wish to issues certs for to another (sub-)domain completely via a CNAME, and allow updates only for that other (sub-)domain:
I used to have a separate Cloudflare account with a separate DNS Zone for my internal services. Because CF PATs were free-for-all. They've improved this since, so now you can create a token scoped to a single Zone. If you really care about, you can move a subdomain to a separate zone with a child NS record, but I haven't tried it with cloudflare. If you are using something like AWS, you can create an IAM role that can only update a single DNS record.
Moving subdomains to separate zones can make sense for a small set of subdomains and all your certificates would be for names under those subdomains. It gets unwieldy if you have to create a separate zone for each certificate because the certificates don't share a subdomain. But this can be a solution in some circumstances. Thanks.
Oh... that's fantastic! It specifically addresses my concerns about needing DNS credentials accessible to scripts.
The article says it is for those who
> prefer to keep DNS updates and sensitive credentials out of their issuance path.
> Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?
I'd look for a custom DNS challenge provider plugin which delegates the task of creating DNS records to another machine which holds the actual token.
Ah, that's a clever mechanism. That way the secondary machine could not only keep the token secure, but also validate which DNS records to create.
There is a way to delegate the DNS challenges, but you can also create a dummy Caddysite for HTTP challenge (e.g., firewall.internal.example.com resolves externally to an IP that Caddy will respond to and get the certificate, and then said certificate is copied internally to whatever needs it).
In Q2 this year, so very soon, there will be the DNS PERSIST method, which is non rotating.
That looks like a great solution. I'll probably make use of that as soon as it's available.
[deleted]
did a similar thing for reolink cameras and mikrotik devices. since i run a small k8s cluster i made it a k8s controller that picks up the certs. works really nicely
you could probably get away with just running nginx with certbot on the front end of that domain name and then have it proxy back to a script that talks to the brother printer on the back end of it to do printing, although I'm not sure why you'd want to print via the public internet
why bother with tls, stick it on a separate vlan, lock down all the traffic
Some of this might have been "because I want to see if I can". Another reason is "It bothers me to keep seeing this browser tell me my connection is insecure".
As for putting it on a separate VLAN and securing traffic with firewall rules, that may be as much or more trouble than setting up the automated certificate renewal. At least with the automated certificates there may not be any further maintenance required. With firewall rules, you'll need to open up the firewall each time you want a new device to access the printer.
Because that only protects you from a small subset of possible threats that end-to-end encryption protects you from like DNS hijacking and any MITM-type scenario.
Sticking it on a VLAN only controls access, not data secrecy.
I own a Brother printer and was curious how the upload worked. Apparently, it is just screenscraping the CSRF token[0], and submitting the cert upload form[1] in the printer's admin web interface. It needs the printer's admin credentials for the upload to work.
[0]: https://github.com/gregtwallace/brother-cert/blob/main/pkg/p...
[1]: https://github.com/gregtwallace/brother-cert/blob/main/pkg/p...
You should have used the `--deploy-hook` on certbot. I use this to copy the cert to Synology NAS and trigger a reload of the cert on the NAS.
BTW: The easiest way to run certbot in a container is to mount a renew script (some shell script as simple as `certbot renew`) to /etc/periodic/daily/renew, then change the container's entrypoint to `crond -d6 -f`.
I read a lot about people running things like Caddy which will automatically retrieve Lets Encrypt certificates. And I think it makes sense for publicly accessible web sites since you can use an HTTP challenge with Let's Encrypt.
For internal-use certificates, you'll have to make use of a DNS challenge with Let's Encrypt. I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone. I see that the author creates exactly that kind of token and has permanently accessible to his script. For a home lab where he's the only person accessing his hardware, that's less of a concern. But what about at a company where multiple people may have access to a system?
Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?
> I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone.
Depending on your DNS provider, it may be possible to narrow the permissions to allow only updates of a particular record. Route53 as an example:
* https://github.com/acmesh-official/acme.sh/wiki/How-to-use-A...BIND 9 example:
* https://dan.langille.org/2020/12/19/creating-a-very-specific...
You can also point the hostname that you wish to issues certs for to another (sub-)domain completely via a CNAME, and allow updates only for that other (sub-)domain:
* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...
* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...
I used to have a separate Cloudflare account with a separate DNS Zone for my internal services. Because CF PATs were free-for-all. They've improved this since, so now you can create a token scoped to a single Zone. If you really care about, you can move a subdomain to a separate zone with a child NS record, but I haven't tried it with cloudflare. If you are using something like AWS, you can create an IAM role that can only update a single DNS record.
Moving subdomains to separate zones can make sense for a small set of subdomains and all your certificates would be for names under those subdomains. It gets unwieldy if you have to create a separate zone for each certificate because the certificates don't share a subdomain. But this can be a solution in some circumstances. Thanks.
I see that AWS permissions can be set to limit the risk of compromised credentials. That's a good idea. I see that the lego project has an example of this in their documentation: https://go-acme.github.io/lego/dns/route53/index.html#least-...
DNS-PERSIST-01 is coming soon https://letsencrypt.org/2026/02/18/dns-persist-01
Oh... that's fantastic! It specifically addresses my concerns about needing DNS credentials accessible to scripts.
The article says it is for those who
> prefer to keep DNS updates and sensitive credentials out of their issuance path.
> Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?
I'd look for a custom DNS challenge provider plugin which delegates the task of creating DNS records to another machine which holds the actual token.
Ah, that's a clever mechanism. That way the secondary machine could not only keep the token secure, but also validate which DNS records to create.
There is a way to delegate the DNS challenges, but you can also create a dummy Caddysite for HTTP challenge (e.g., firewall.internal.example.com resolves externally to an IP that Caddy will respond to and get the certificate, and then said certificate is copied internally to whatever needs it).
In Q2 this year, so very soon, there will be the DNS PERSIST method, which is non rotating.
That looks like a great solution. I'll probably make use of that as soon as it's available.
did a similar thing for reolink cameras and mikrotik devices. since i run a small k8s cluster i made it a k8s controller that picks up the certs. works really nicely
you could probably get away with just running nginx with certbot on the front end of that domain name and then have it proxy back to a script that talks to the brother printer on the back end of it to do printing, although I'm not sure why you'd want to print via the public internet
why bother with tls, stick it on a separate vlan, lock down all the traffic
Some of this might have been "because I want to see if I can". Another reason is "It bothers me to keep seeing this browser tell me my connection is insecure".
As for putting it on a separate VLAN and securing traffic with firewall rules, that may be as much or more trouble than setting up the automated certificate renewal. At least with the automated certificates there may not be any further maintenance required. With firewall rules, you'll need to open up the firewall each time you want a new device to access the printer.
Because that only protects you from a small subset of possible threats that end-to-end encryption protects you from like DNS hijacking and any MITM-type scenario.
Sticking it on a VLAN only controls access, not data secrecy.