Adding DNS providers

Overview

Adding and renewing wildcard SSL certificates relies on Cloud 66 having API access to your DNS provider. To set up a DNS provider, follow the instructions below.

If your provider is not listed, consider using RFC 2136 if your provider supports the protocol.

Instructions per DNS provider

Each DNS provider has specific credentials that need to be created and then added to your Cloud 66 account. Find your provider below for more details.

Cloudflare

Cloudflare requires an API token in order to grant access to DNS management. You can generate one using the Cloudflare web interface:

  1. Log into your Cloudflare account
  2. Navigate to My Profile → API tokens
  3. Create a token with permissions over the required DNS zones (you can use the template they provide)
  4. Make sure you set the DNS permissions to Edit
  5. Copy the token and store it somewhere safe (it will never be shown again)

You can now add Cloudflare to your Cloud 66 account using these credentials (see above).

DigitalOcean

DigitalOcean requires an API token in order to grant access to DNS management. You can generate one using the DigitalOcean web interface:

  1. Log into your DigitalOcean account
  2. Navigate to Applications & API
  3. Click Generate New Token
  4. Ensure the token has both read and write permissions
  5. Copy the token and keep it somewhere safe

You can now add DigitalOcean to your Cloud 66 account using these credentials (see above).

DNSimple

DNSimple requires an API token in order to grant access to DNS management. You can generate one using the DNSimple web interface:

  1. Log into your DNSimple account
  2. Navigate to the account access token page
  3. Generate a new token
  4. Copy the token and keep it somewhere safe

You can now add DNSimple to your Cloud 66 account using these credentials (see above).

DnsMadeEasy

DnsMadeEasy requires an API key and a secret key in order to grant access to DNS management. You can generate them using the DnsMadeEasy web interface:

  1. Log into your DnsMadeEasy account
  2. Navigate to Config → Account Information
  3. Follow instructions on the page to generate API credentials
  4. Copy these keys and keep them somewhere safe

You can now add DnsMadeEasy to your Cloud 66 account using these credentials (see above).

Gehirn

Gehirn requires an API token and API secret in order to grant access to DNS management. You can generate them using their web interface:

  1. Log into your Gehirn account
  2. Create an API key pair (consult the documentation if you need help)
  3. Copy the credentials and keep them somewhere safe

You can now add Gehirn to your Cloud 66 account using these credentials (see above).

Google

Google Cloud DNS requires a JSON-formatted service account key file. You can generate the key file using the Google Cloud web interface.

  1. Create a service account in your Google Cloud account
  2. Ensure this account has the minimum permissions required for DNS management (see below)
  3. Create a key for the service account and download it in JSON format

You can now add Google Cloud DNS to your Cloud 66 account by uploading the JSON file (see above).

Minimum permissions required for the Google service account:

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

Linode

Linode requires an API key in order to grant access to DNS management. You can generate one using their web interface.

  1. Log into your Linode account
  2. Navigate to the API tokens interface
  3. Create an API key
  4. Copy the key and keep it somewhere safe

You can now add Linode to your Cloud 66 account using this key (see above).

luaDNS

LuaDNS requires an API key and an associated email address in order to grant access to DNS management. You can generate the key and associate it with an email using their web interface.

  1. Log into your luaDNS account
  2. Navigate to the account settings interface
  3. Create an API key associated with an appropriate email address
  4. Copy the API key and keep it somewhere safe

You can now add luaDNS to your Cloud 66 account using these credentials (see above).

NS1

NS1 requires an API key in order to grant access to DNS management. You can generate one using their web interface.

  1. Log into your NS1 account
  2. Navigate to account settings
  3. Create an API key with DNS management privileges
  4. Copy the API key and keep it somewhere safe

You can now add NS1 to your Cloud 66 account using this API key (see above).

OVH

OVH requires four credentials to grant DNS management access:

  • An Application Key
  • An Application Secret
  • A Consumer Key
  • An endpoint

You can obtain these credentials from OVH's API token creation page for the region your account uses; the endpoint value you enter must match that region.

The API credentials must grant permissions to the following API endpoints:

  • GET /domain/zone/*
  • PUT /domain/zone/*
  • POST /domain/zone/*
  • DELETE /domain/zone/*

The configuration above allows access to all domains in the OVH account. If you’d prefer to restrict access to a single domain, use the following format:

  • GET /domain/zone/
  • GET /domain/zone/<REQUIRED_DOMAIN>/*
  • PUT /domain/zone/<REQUIRED_DOMAIN>/*
  • POST /domain/zone/<REQUIRED_DOMAIN>/*
  • DELETE /domain/zone/<REQUIRED_DOMAIN>/*

Once you have created the credentials, copy them and keep them somewhere safe.

You can now add OVH to your Cloud 66 account using these credentials (see above).

RFC2136

RFC 2136 is intended for use with DNS providers not otherwise supported by Cloud 66. Your provider needs to support RFC 2136, and ideally should have a good help document to walk you through the setup.

In order to add your RFC 2136 DNS to Cloud 66 you need to create a .ini file containing the credentials required by your provider. A typical file would look similar to this:

# Target DNS server (IPv4 or IPv6 address, not a hostname)
dns_rfc2136_server = 192.0.2.1
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = keyname.
# TSIG key secret
dns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs AmKd7ak51vWKgSl12ib86oQRPkpDjg==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512

Your own provider may give the keys different names or require a different set of keys. Please be sure to follow their instructions carefully.

Once you have all the credentials, you can add RFC2136 to your Cloud 66 account by uploading your .ini file (see above).
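Before uploading the .ini file it is worth catching the mistakes that make the first renewal fail (a hostname instead of an IP address for the server, a base64 secret that was wrapped across two lines when it was pasted, a key that is too short for the chosen HMAC algorithm). The validator below is an added example, not Cloud 66's code; it uses the certbot-style key names shown in the sample file, treats HMAC-MD5 as the default algorithm when none is given (the certbot plugin's behaviour), and embeds a constructed 64-byte key rather than any real secret.

```python
"""Sanity-check a certbot-style RFC 2136 credentials .ini before uploading it.

Added example, not Cloud 66 code. Key names follow the sample file above; the
checks are assumptions about what usually goes wrong when credentials are
pasted from a provider's help page.
"""
import base64
import configparser
import ipaddress

# HMAC digest sizes in bytes; RFC 2104 recommends a key at least this long.
TSIG_DIGEST_BYTES = {
    "HMAC-MD5": 16,
    "HMAC-SHA1": 20,
    "HMAC-SHA224": 28,
    "HMAC-SHA256": 32,
    "HMAC-SHA384": 48,
    "HMAC-SHA512": 64,
}

REQUIRED_KEYS = ("dns_rfc2136_server", "dns_rfc2136_name", "dns_rfc2136_secret")


def make_secret(raw: bytes) -> str:
    """Encode raw key material the way the .ini expects it (standard base64)."""
    return base64.b64encode(raw).decode("ascii")


# Constructed sample: a 64-byte key (the size HMAC-SHA512 wants), not a real secret.
SAMPLE_SECRET = make_secret(bytes(range(64)))
SAMPLE_INI = f"""\
# Target DNS server (IPv4 or IPv6 address, not a hostname)
dns_rfc2136_server = 192.0.2.1
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = keyname.
# TSIG key secret
dns_rfc2136_secret = {SAMPLE_SECRET}
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512
"""


def parse_credentials(ini_text: str) -> dict:
    """The file has no [section] header, so give configparser one before parsing."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[rfc2136]\n" + ini_text)
    return dict(parser["rfc2136"])


def check_credentials(ini_text: str) -> list:
    """Return a list of findings; an empty list means the file looks usable."""
    findings = []
    cfg = parse_credentials(ini_text)
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            findings.append(f"missing {key}")
    if findings:
        return findings

    # The plugin wants an IP literal for the server, not a hostname.
    try:
        ipaddress.ip_address(cfg["dns_rfc2136_server"])
    except ValueError:
        findings.append("dns_rfc2136_server must be an IPv4 or IPv6 address, not a hostname")

    port = cfg.get("dns_rfc2136_port", "53")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"dns_rfc2136_port {port!r} is not a valid port number")

    if not cfg["dns_rfc2136_name"].endswith("."):
        findings.append("dns_rfc2136_name should be fully qualified (trailing dot)")

    # Assumption: HMAC-MD5 is what the certbot plugin uses when the key is omitted.
    algorithm = cfg.get("dns_rfc2136_algorithm", "HMAC-MD5").upper()
    if algorithm not in TSIG_DIGEST_BYTES:
        findings.append(f"unsupported TSIG algorithm {algorithm!r}")
        return findings
    if algorithm == "HMAC-MD5":
        findings.append("HMAC-MD5 in use; prefer a SHA-2 algorithm if the server supports one")

    # Secrets copied from a web page often arrive wrapped; join any whitespace before decoding.
    secret = "".join(cfg["dns_rfc2136_secret"].split())
    try:
        key_bytes = base64.b64decode(secret, validate=True)
    except ValueError:
        findings.append("dns_rfc2136_secret is not valid base64")
        return findings
    if len(key_bytes) < TSIG_DIGEST_BYTES[algorithm]:
        findings.append(
            f"{algorithm} key is {len(key_bytes)} bytes; at least "
            f"{TSIG_DIGEST_BYTES[algorithm]} bytes is recommended"
        )
    return findings


if __name__ == "__main__":
    print(check_credentials(SAMPLE_INI) or "credentials file looks usable")
```

Run it against your own file with `check_credentials(open("rfc2136.ini").read())`; the whitespace join mirrors the lenient base64 handling of the DNS library, so a wrapped secret is reported as usable rather than rejected, while a short key or a hostname in the server field is flagged before it costs you a failed validation.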

Route53

Amazon Route 53 requires an API Access Key and a Secret Access Key for an AWS account with (at least) the following permissions:

  • route53:ListHostedZones
  • route53:GetChange
  • route53:ChangeResourceRecordSets

You can assign permissions to the account using an IAM policy like the example below. You would need to replace the Hosted Zone ID for the example policy to work properly.

{
    "Version": "2012-10-17",
    "Id": "certbot-dns-route53 sample policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
            ]
        }
    ]
}

Generate access keys for the account using your preferred method (web console or CLI) by following this guide.

You can now add Route53 to your Cloud 66 account using these credentials (see above).
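The sample policy already scopes ChangeResourceRecordSets to one hosted zone, but within that zone the key can still rewrite any record. Route 53 provides condition keys that narrow the write to the TXT records named `_acme-challenge.<domain>`, which is all DNS-01 validation needs. The code below is an added example, not Cloud 66's or AWS's code: it builds that tightened policy from a hosted zone ID and a domain list (the zone ID and domains are constructed placeholders) and audits a policy document for the common over-grants, including the unreplaced placeholder from the sample above.

```python
"""Build and audit a least-privilege IAM policy for Route 53 DNS-01 validation.

Added example, not Cloud 66 or AWS code. It starts from the sample policy above
and tightens the write statement with Route 53's condition keys so the key can
only change the _acme-challenge TXT records it needs.
"""
import json

# Actions from the page. ListHostedZones and GetChange only accept "*" as the
# resource; ChangeResourceRecordSets can be scoped to one hosted zone.
READ_ACTIONS = ["route53:ListHostedZones", "route53:GetChange"]
WRITE_ACTION = "route53:ChangeResourceRecordSets"


def challenge_record_name(domain: str) -> str:
    """DNS-01 TXT record name for a domain; a wildcard uses its base name's record."""
    name = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}"


def build_policy(hosted_zone_id: str, domains, restrict_records: bool = True) -> dict:
    """Return the policy document as a dict ready for json.dumps()."""
    write_stmt = {
        "Effect": "Allow",
        "Action": [WRITE_ACTION],
        "Resource": [f"arn:aws:route53:::hostedzone/{hosted_zone_id}"],
    }
    if restrict_records:
        # ForAllValues: every record in the change batch must be a TXT record
        # with one of the listed names (Route 53 normalizes names to lower case
        # without a trailing dot before evaluating the condition).
        write_stmt["Condition"] = {
            "ForAllValues:StringEquals": {
                "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
                "route53:ChangeResourceRecordSetsNormalizedRecordNames": sorted(
                    {challenge_record_name(d) for d in domains}
                ),
            }
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": ["*"]},
            write_stmt,
        ],
    }


def audit_policy(policy: dict) -> list:
    """Return findings for Allow statements that give the write action more reach than needed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in (WRITE_ACTION, "route53:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings.append("ChangeResourceRecordSets allowed on every hosted zone")
        if any("YOURHOSTEDZONEID" in r for r in resources):
            findings.append("hosted zone ID placeholder not replaced")
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        if "route53:ChangeResourceRecordSetsNormalizedRecordNames" not in cond:
            findings.append("ChangeResourceRecordSets not limited to the _acme-challenge record names")
    return findings


def render_policy(policy: dict) -> str:
    """Pretty-print the document in the layout the IAM console expects."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    # Constructed placeholder zone ID and domains, not real values.
    policy = build_policy("Z0123456789EXAMPLE", ["*.example.com", "example.com"])
    print(render_policy(policy))
    print(audit_policy(policy) or "no findings")
```

Attach the rendered document to the IAM user whose access keys you give to Cloud 66. Because the challenge record for `*.example.com` and for `example.com` is the same `_acme-challenge.example.com` name, a wildcard certificate needs no extra entries; add a name for each additional domain on the certificate.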

SakuraCloud

SakuraCloud requires an API Token and API Secret which can be obtained from their web interface:

  1. Log into your SakuraCloud account
  2. Navigate to the API key interface
  3. Create a key with the required DNS permissions
  4. Copy the API key and API secret and keep them somewhere safe

You can now add SakuraCloud to your Cloud 66 account using these credentials (see above).
