Installing a Let's Encrypt TLS certificate on a Brother printer with Certbot
240 points - last Friday at 1:49 PM
mdhowle
last Friday at 3:51 PM
DNS-PERSIST-01 is coming soon https://letsencrypt.org/2026/02/18/dns-persist-01
cromka
last Friday at 6:41 PM
Oh wow, this will make self-hosting so much easier! I have so far issued probably about 30 different API keys for my subdomain zones for services I host, which you then have to configure with ACME/Certbot. This reduces it to a simple DNS record change!
justin_oaks
last Friday at 4:13 PM
Oh... that's fantastic! It specifically addresses my concerns about needing DNS credentials accessible to scripts.
The article says it is for those who
> prefer to keep DNS updates and sensitive credentials out of their issuance path.
yegle
last Friday at 4:19 PM
You should have used the `--deploy-hook` on certbot. I use this to copy the cert to Synology NAS and trigger a reload of the cert on the NAS.
BTW: The easiest way to run certbot in a container is to mount a renew script (some shell script as simple as `certbot renew`) to /etc/periodic/daily/renew, then change the container's entrypoint to `crond -d6 -f`.
gerdesj
yesterday at 1:47 AM
I've spent quite some time on this stuff.
acme.sh is my recommendation for Linux and anything else that runs a BASH or similar (pfSense has a glorious integration for it) and Simple ACME for Windows. Both support dynamic DNS with CNAME. Certbot doesn't support CNAME for DNS-01 or at least didn't. I was always a fan of Certbot when all I had was http style challenges available.
Set up a DNS server with a zone called (say) challenges.example.co.uk. You will need to own example.co.uk and add NS glue records for the sub zone. You'll need to sort out dynamic DNS too for that zone.
Now you can create a CNAME record like:
_acme-challenge.mywebserver.mywebdomain.co.uk. CNAME _acme-challenge.challenges.example.co.uk
Now you configure your acme.sh or simple acme to put its challenge into challenges.example.co.uk - it will create a TXT record and things should work out.
It is a lot easier, if you can, to run your own public DNS or subscribe to a DNS service that does everything for you.
sigio
last Friday at 7:31 PM
This got me to finally put effort into upgrading the firmware on my Brother printer, which was still running stock firmware. There was only a password entry, and that didn't let me access anything. After running Brother's updater in a VM, and sharing the USB device, I managed to upgrade the printer.
However, still no login, and now I need to get it reconnected to my wifi, ugh.
Try entering a long wifi-password via the 1-line lcd and 2 buttons on the printer, what a nightmare. (No way to configure via usb). Oh well, I still have a couple of days before I need to print a bunch of documents, so there goes the weekend ;)
gucci-on-fleek
last Friday at 11:05 PM
> Try entering a long wifi-password via the 1-line lcd and 2 buttons on the printer, what a nightmare.
I used the WPS button method [0] to set up my Brother printers and it worked perfectly for me. Definitely much more pleasant than trying to key in a long password.
[0]: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
My router doesn’t have a WPS button, so I also had to use the two button interface. Not fun having to cycle through some 50 plus ASCII characters for the WiFi password. I’m pretty sure you can emulate the button press in openwrt with some package though. It was faster to just enter the password than to figure all that out.
justin_oaks
last Friday at 3:42 PM
I read a lot about people running things like Caddy which will automatically retrieve Let's Encrypt certificates. And I think it makes sense for publicly accessible web sites since you can use an HTTP challenge with Let's Encrypt.
For internal-use certificates, you'll have to make use of a DNS challenge with Let's Encrypt. I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone. I see that the author creates exactly that kind of token and has it permanently accessible to his script. For a home lab where he's the only person accessing his hardware, that's less of a concern. But what about at a company where multiple people may have access to a system?
Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?
throw0101a
last Friday at 4:17 PM
> I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone.
Depending on your DNS provider, it may be possible to narrow the permissions to allow only updates of a particular record. Route53 as an example:
{
  "Effect": "Allow",
  "Action": "route53:ChangeResourceRecordSets",
  "Resource": "arn:aws:route53:::hostedzone/<ZONE-ID>",
  "Condition": {
    "ForAllValues:StringEquals": {
      "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge.<SUB>.<DOMAIN>.<TLD>"
    }
  }
}
* https://github.com/acmesh-official/acme.sh/wiki/How-to-use-A...
BIND 9 example:
* https://dan.langille.org/2020/12/19/creating-a-very-specific...
You can also point the hostname that you wish to issue certs for to another (sub-)domain completely via a CNAME, and allow updates only for that other (sub-)domain:
* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...
* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...
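An added example, not from the thread, that models how the ForAllValues:StringEquals condition in the policy above is evaluated against a ChangeBatch. The name-normalization rule (lowercase, no trailing dot) and the record names are assumptions; the two extra condition keys, route53:ChangeResourceRecordSetsRecordTypes and route53:ChangeResourceRecordSetsActions, are used to show how a names-only policy can be tightened to TXT records only.

```python
KEY_NAMES = "route53:ChangeResourceRecordSetsNormalizedRecordNames"
KEY_TYPES = "route53:ChangeResourceRecordSetsRecordTypes"
KEY_ACTIONS = "route53:ChangeResourceRecordSetsActions"


def normalize(name):
    """Model of Route 53 name normalization (assumed: lowercase, no trailing dot)."""
    return name.lower().rstrip(".")


def request_values(changes):
    """Multi-valued request context IAM derives from a ChangeBatch's Changes list."""
    return {
        KEY_NAMES: {normalize(c["ResourceRecordSet"]["Name"]) for c in changes},
        KEY_TYPES: {c["ResourceRecordSet"]["Type"] for c in changes},
        KEY_ACTIONS: {c["Action"] for c in changes},
    }


def allowed(conditions, changes):
    """ForAllValues:StringEquals: for every conditioned key, all request values
    must be in the policy's set, so a batch mixing one permitted name with any
    other name is refused as a whole. (IAM caveat: a key absent from the
    request satisfies ForAllValues; a non-empty ChangeBatch always has one.)"""
    ctx = request_values(changes)
    for key, policy_values in conditions.items():
        if key == KEY_NAMES:
            policy_values = {normalize(v) for v in policy_values}
        if not ctx[key] <= set(policy_values):
            return False
    return True


def change(action, name, rtype):
    """Build one entry of a ChangeBatch's Changes list (TTL/records omitted)."""
    return {"Action": action, "ResourceRecordSet": {"Name": name, "Type": rtype}}


# The policy from the comment above, with a constructed record name.
NAMES_ONLY = {KEY_NAMES: {"_acme-challenge.printer.home.example.net"}}
# Tightened variant: only TXT records, and only UPSERT/DELETE actions, so the
# token cannot create an A or CNAME record even at the permitted name.
TIGHTENED = {
    **NAMES_ONLY,
    KEY_TYPES: {"TXT"},
    KEY_ACTIONS: {"UPSERT", "DELETE"},
}
```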
justin_oaks
last Friday at 4:42 PM
Yes, I see that AWS Route53 can limit credential scope. That kind of thing helps a lot.
I've never heard of that CNAME approach for changing the validation domain. That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.
throw0101a
last Friday at 5:13 PM
> That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.
At my last job we deployed a special sub-domain for that purpose (dnsauth.example.com) and manually created CNAMEs on our main (sub-)domains to point to it.
We then deployed a single (no-HA) externally exposed BIND server with a bunch of scripts that folks could connect to (we had deploy hook scripts for users/developers). Nowadays there are even purpose-built DNS servers for this purpose:
* https://github.com/acme-dns/acme-dns
radiowave
last Friday at 7:25 PM
My experience has been that CertBot doesn't play well with CNAME delegation, but it's probably very situational, like depending upon which DNS hosting provider plugin you're using.
My solution was to give up on CertBot and use dehydrated instead. This did require me to come up with a script to make the necessary API call to the DNS hosting, which dehydrated will then run as necessary.
captn3m0
last Friday at 3:57 PM
I used to have a separate Cloudflare account with a separate DNS Zone for my internal services. Because CF PATs were free-for-all. They've improved this since, so now you can create a token scoped to a single Zone. If you really care about it, you can move a subdomain to a separate zone with a child NS record, but I haven't tried it with Cloudflare. If you are using something like AWS, you can create an IAM role that can only update a single DNS record.
justin_oaks
last Friday at 4:35 PM
Moving subdomains to separate zones can make sense for a small set of subdomains and all your certificates would be for names under those subdomains. It gets unwieldy if you have to create a separate zone for each certificate because the certificates don't share a subdomain. But this can be a solution in some circumstances. Thanks.
I see that AWS permissions can be set to limit the risk of compromised credentials. That's a good idea. I see that the lego project has an example of this in their documentation: https://go-acme.github.io/lego/dns/route53/index.html#least-...
bombcar
last Friday at 3:50 PM
There is a way to delegate the DNS challenges, but you can also create a dummy Caddy site for HTTP challenge (e.g., firewall.internal.example.com resolves externally to an IP that Caddy will respond to and get the certificate, and then said certificate is copied internally to whatever needs it).
dns_snek
last Friday at 4:00 PM
> Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?
I'd look for a custom DNS challenge provider plugin which delegates the task of creating DNS records to another machine which holds the actual token.
throw0101a
last Friday at 5:25 PM
There's at least one ACME client that has this as an explicit feature:
> Get certificates for remote servers - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, e.g. if it's a shared server.
* https://github.com/srvrco/getssl
It's written in Bash, so dependencies aren't too heavy.
justin_oaks
last Friday at 4:16 PM
Ah, that's a clever mechanism. That way the secondary machine could not only keep the token secure, but also validate which DNS records to create.
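An added example, not from the thread or any project it mentions, of the broker dns_snek and justin_oaks describe: the machine that holds the only DNS credential checks each request before writing the challenge record, and it relies on the _acme-challenge CNAME delegation gerdesj and throw0101a set out. All hostnames, the caller table and the validation zone are constructed; the dict `zone` stands in for the real update call.

```python
import re

# Constructed delegation data: which caller may request which names, and the
# _acme-challenge CNAMEs the operator published once. The broker holds the
# only DNS credential; callers never see it and cannot touch other names.
CALLER_NAMES = {
    "printer-host": {"printer.home.example.net", "*.lab.example.net"},
    "nas-host": {"nas.home.example.net"},
}
CNAME_TABLE = {
    "_acme-challenge.printer.home.example.net": "printer.dnsauth.example.net",
    "_acme-challenge.lab.example.net": "lab.dnsauth.example.net",
    "_acme-challenge.nas.home.example.net": "nas.dnsauth.example.net",
}
VALIDATION_ZONE = "dnsauth.example.net"
# RFC 8555 section 8.4: the TXT value is the base64url SHA-256 digest of the
# key authorization, so it is always 43 unpadded characters.
TXT_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


class DelegationError(Exception):
    pass


def challenge_name(hostname):
    """Owner name of the challenge record; a wildcard validates its base domain."""
    host = hostname.lower().rstrip(".")
    base = host[2:] if host.startswith("*.") else host
    return "_acme-challenge." + base


def authorize(caller, hostname, txt_value):
    """Return the dnsauth record the broker will write, or raise DelegationError."""
    host = hostname.lower().rstrip(".")
    if host not in CALLER_NAMES.get(caller, set()):
        raise DelegationError(f"{caller} may not request challenges for {host}")
    if not TXT_RE.match(txt_value):
        raise DelegationError("TXT value is not an ACME key-authorization digest")
    target = CNAME_TABLE.get(challenge_name(host))
    if target is None or not target.endswith("." + VALIDATION_ZONE):
        raise DelegationError(f"{host} is not delegated into {VALIDATION_ZONE}")
    return target


def publish(zone, caller, hostname, txt_value):
    """Validate, then write the TXT record into `zone`, a dict standing in for
    the real update call (nsupdate, acme-dns, provider API). Returns the name."""
    name = authorize(caller, hostname, txt_value)
    zone.setdefault(name, set()).add(txt_value)
    return name
```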
kro
last Friday at 3:52 PM
In Q2 this year, so very soon, there will be the DNS PERSIST method, which is non-rotating.
justin_oaks
last Friday at 4:17 PM
That looks like a great solution. I'll probably make use of that as soon as it's available.
sigio
last Friday at 7:33 PM
My solution: put a CNAME record in your zone, to a subdomain, and have that subdomain be served by a separate DNS server (for example desec.io).
If something gets the credentials for desec.io, they can only use them to do stuff with the single txt record.
intsunny
last Friday at 4:55 PM
Even before I clicked on the article, I had a strong feeling this person was using CloudFlare DNS and the related API. (They are.)
Given the immense popularity of Cloudflare DNS + API + ACME DNS-01 challenge, why aren't other DNS providers stepping into this fray?
xyzzy_plugh
last Friday at 5:02 PM
Perhaps I'm missing something but what's special about Cloudflare here?
You can use a boatload of providers for automated DNS-01.
buckle8017
last Friday at 5:19 PM
There's a relatively short list supported by certbot out of the box.
varispeed
last Friday at 6:31 PM
I have not used Cloudflare for ages, but remember the Cloudflare API key couldn't be restricted to just one domain, so if someone could get hold of the key, they could have gotten access to all your domains. So that made me not use them. Has anything changed?
fragmede
last Friday at 6:36 PM
Yes, API keys can now be linked to zones or domains.
yawniek
last Friday at 4:07 PM
did a similar thing for reolink cameras and mikrotik devices. since i run a small k8s cluster i made it a k8s controller that picks up the certs. works really nicely
Natfan
yesterday at 6:08 PM
the current persistUntil implementation gives me cause for concern -- re: the 2038 problem
will these integers be backed by int32 or int64? or possibly use unsigned i32s?
sgt
last Friday at 6:33 PM
For some reason I read "Brothel Printer". Would have been funny.
cromka
last Friday at 6:38 PM
Let's Enpimp!
This is the kind of absurd-but-useful thing I love about self-hosting. Next step: mTLS between the printer and the NAS.
bob1029
last Friday at 6:13 PM
ACME+LE is definitely the future.
I've built some custom AspNetCore middleware that completely owns the entire thing. I tried win-acme and other clients but they aren't in the same room of convenience. All I need to provide is the desired hostname to the middleware and ensure traffic destined for that FQDN winds up at the server. HTTP-01 is used to verify, so I don't have to screw with anything other than an A record. If the hostname is null, it issues an IP address certificate instead using Amazon's public IP lookup service to derive the appropriate SAN. Certs are automatically refreshed when they are within 48 hours of expiration, and the actual swap is a X509Certificate2 reference being updated. It's about as trivial as it gets.
None of the libraries/CLI tools I attempted support anything like this experience. This is what originally put me off to the ecosystem and the idea of short lived certificates. The automation can't just be "sufficient". It needs to be "fucking incredible". $12.95/yr is not that expensive to me if the alternative is getting sucked into hours and hours of someone else's idea of a good time.
lousken
last Friday at 3:35 PM
why bother with tls, stick it on a separate vlan, lock down all the traffic
justin_oaks
last Friday at 3:46 PM
Some of this might have been "because I want to see if I can". Another reason is "It bothers me to keep seeing this browser tell me my connection is insecure".
As for putting it on a separate VLAN and securing traffic with firewall rules, that may be as much or more trouble than setting up the automated certificate renewal. At least with the automated certificates there may not be any further maintenance required. With firewall rules, you'll need to open up the firewall each time you want a new device to access the printer.
lousken
last Friday at 5:38 PM
Sure, but how long will that last? It says in the article that RSA2048 is required; however, 3072 should be the minimum these days, and I am not sure how long Let's Encrypt will even allow creating 2048-bit certs.
whalesalad
yesterday at 5:08 AM
This is only for the web UI, no? The actual print comms are not over https. This is a management tool only that I’d imagine you access once or twice per year?
dns_snek
last Friday at 3:47 PM
Because that only protects you from a small subset of possible threats that end-to-end encryption protects you from like DNS hijacking and any MITM-type scenario.
Sticking it on a VLAN only controls access, not data secrecy.
VladVladikoff
last Friday at 4:52 PM
Broadcasting internal IPs on public DNS records is also a suboptimal approach that leaks information to the public. Local devices should be routed over layer 2.
iso1631
last Friday at 5:57 PM
DNS challenge doesn't broadcast internal IPs. Certificate transparency does show up hostnames or wildcards though.
hrmtst93837
last Friday at 5:04 PM
A VLAN buys you time, not trust. Give a printer its own separate segment and six months later you've got ad hoc firewall exceptions for scans, updates, vendor support, and some test VM nobody remembered to remove. TLS is boring, and that's the point: it fails closed, while network policy drifts until the weird exception becomes the default.
lousken
last Friday at 5:47 PM
tls is not boring at all, especially with devices that are always 10 years behind in terms of security, it's not like you can enforce any kind of reasonable ciphersuites even in modern printers
also 9/10 printing protocols are insecure anyway
scans - sure, mailserver needs to be allowed
vendor support - same mailserver
vm - at least a reason to kill it
also why would i ever allow auto updates, it's better not to without understanding what garbage manufacturer released this time
whalesalad
yesterday at 5:07 AM
This is a monumental amount of work for no gain at all. The self signed cert doesn’t mean the comms to the printer UI are insecure. It’s still https. Better yet that’s going through WireGuard encryption. If god forbid this printer was actually on the public internet this would make sense.
jijji
last Friday at 4:35 PM
you could probably get away with just running nginx with certbot on the front end of that domain name and then have it proxy back to a script that talks to the brother printer on the back end of it to do printing, although I'm not sure why you'd want to print via the public internet
akerl_
last Friday at 9:22 PM
Who’s putting their printer on the public internet?
The #marchintosh folks have been! Got a few more days to send some fun messages to someone's ImageWriter over an AppleTalk bridge!