
9. Create tsig key files in the ~/leutmdns/tsig/ folder. #3

Open
e2xx opened this issue Feb 25, 2018 · 7 comments

Comments

@e2xx

e2xx commented Feb 25, 2018

Mind explaining with an example what we are supposed to name the files and what to put inside?

@kyse
Owner

kyse commented Feb 25, 2018

File name format:

K_acme-challenge.mydomainname.com.+157+1.private

For using DynDNS, you only need one file for each domain you have registered, i.e. kyse.org and kyse.net. There is no need to set up a file for each subdomain unless you have something set up with your DNS provider where you're paying for a separate service for that subdomain's DNS and you end up with a separate HMAC key to control it. This is only related to communicating with your DNS provider.

Inside the file:

key "keyName" {
        algorithm hmac-md5;
        secret "keyHMAC";
};

For these, again if using DynDNS, you can find these details once logged in at the DynDNS TSIG page: https://account.dyn.com/profile/tsig.html

By the way, I'll probably end up hitting this up again after the 27th of Feb to upgrade and ensure it works with the latest dehydrated, and also to ensure or add support for the new wildcard features they're releasing with their new API version.

@e2xx
Author

e2xx commented Feb 25, 2018

I'm not using DynDNS, just a BIND9 DNS server I own.

astaro:/root/leutmdns/tsig # vi K_acme-challenge.fbarrio.trilogica.com.ar.+157+1.private
key "keyName" {
        algorithm hmac-md5;
        secret "keyHMAC";
};

This is my setup; no idea what HMAC means, but I'm getting this error that may not be related to this:

astaro:/root/leutmdns/tsig # ../dehydrated -c    
# INFO: Using main config file /root/leutmdns/config
Processing fbarrio.trilogica.com.ar
 + Signing domains...
 + Generating private key...
 + Generating signing request...
Error Loading extension section v3_ca
1077868168:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:364:
1077868168:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:v3_conf.c:140:name=subjectAltName,section=
1077868168:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=


@kyse
Owner

kyse commented Feb 28, 2018

That looks like it's trying to use the wrong openssl config. I ran into a similar issue for a bit till I could get dehydrated to update their distribution to include a missing config file location. Either that or your openssl installation doesn't like the x509 v3 settings I am shipping with the openssl.cnf file.

@e2xx
Author

e2xx commented Feb 28, 2018

I gave up trying to fix it, and went with a less secure approach: allowing the BIND server to allow-update from the IP of the Sophos. Also commented out all that :/
Also found a problem with domains like
domain.com www.domain.com mail.domain.com
each time it tries the challenge, it fails as the nsupdate $zone is the subdomain.domain instead of just domain.

@kyse
Owner

kyse commented Feb 28, 2018

Not sure I follow that last bit. You're saying the $zone variable contains "mail.domain" instead of just "domain"? Is your TSIG zone set up where you have auth with the key for mail.domain.com and another for domain.com? I might have to expand it to support something like that; for me with DynDNS my testing just included having domain.com as the target zone. Thus any line in domains.txt would query against one of the TSIG files for that particular zone.

FYI, looks like the wildcard cert got pushed back with no prod date available now. I will spend some time this weekend working towards the staging API endpoints to check if it's in a working state with this library.

@e2xx
Author

e2xx commented Feb 28, 2018

This has nothing to do with the TSIG. I'm not even using that part; I commented it all out since I skipped the TSIG and went straight to using allow-update from the IP of the Sophos. This you can't do with DynDNS as you don't control the BIND server, so don't worry about it.
The other part is the challenge. To work against a standard DNS (BIND, or MS DNS) server, you've got to format the nsupdate query like this:
to challenge domain.com
zone domain.com
update add _acme-challenge.domain.com. 10 IN TXT "challengekey"
to challenge mail.domain.com
zone domain.com
update add _acme-challenge.mail.domain.com. 10 IN TXT "challengekey"

You are not doing this; you are using mail.domain.com as the zone and this fails on most (if not all) DNS servers.
Unless someone made a zone out of a subdomain. It's possible, but highly unlikely, and in this case you would just have to format domains.txt like
domain1.com mail.domain1.com smtp.domain1.com
subdomain.domain1.com mail.subdomain.domain1.com
subdomain.domain2.com mail.subdomain.domain2.com
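The two halves of this thread, the TSIG key file kyse describes and the zone-vs-name distinction e2xx lays out, can be wired together in a hook script. The following is an added example written for this issue; it is not leutmdns or dehydrated code. It assumes the domains.txt convention e2xx proposes (the first name on a line is the registered zone, the remaining names live inside it) and generalizes it to any number of names per line. The function names `build_nsupdate_batch` and `check_tsig_keyfile`, the sample key names, secrets and the challenge token are all constructed for the example.

```bash
#!/usr/bin/env bash
# Added example for this thread, not code from leutmdns or dehydrated.
# Two helpers a dns-01 hook needs: a sanity check of the TSIG key file
# before it is handed to nsupdate -k, and the nsupdate batch that sends the
# _acme-challenge TXT records to the REGISTERED zone (first name on the
# domains.txt line) rather than to each subdomain as if it were a zone.
set -u

# Print the nsupdate commands for one domains.txt line.
#   $1 = domains.txt line; the first name is the zone, the rest are extra
#        names (SANs) that live inside that zone
#   $2 = challenge token (the TXT value the CA expects to find)
build_nsupdate_batch() {
    local line="$1" token="$2"
    local zone name
    # Re-split the line into positional parameters (word splitting intended).
    set -- $line
    zone="$1"
    # One "zone" statement for the whole batch, and it is never the subdomain.
    printf 'zone %s\n' "$zone"
    for name in "$@"; do
        printf 'update add _acme-challenge.%s. 10 IN TXT "%s"\n' "$name" "$token"
    done
    printf 'send\n'
}

# Check a key file of the form shown in the thread:
#   key "name" { algorithm hmac-xxx; secret "base64"; };
# Prints "name algorithm" and returns 0 when usable, 1 when a field is
# missing or the placeholders from the example (keyName/keyHMAC) were left
# in place, 2 when the algorithm is hmac-md5 (still accepted by BIND, but
# deprecated; generate the key with hmac-sha256 instead).
check_tsig_keyfile() {
    local file="$1" name algo secret
    name=$(sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$file")
    algo=$(sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;[:space:]]*\);.*/\1/p' "$file")
    secret=$(sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$file")
    if [ -z "$name" ] || [ -z "$algo" ] || [ -z "$secret" ]; then
        echo "$file: missing key name, algorithm or secret" >&2
        return 1
    fi
    if [ "$name" = "keyName" ] || [ "$secret" = "keyHMAC" ]; then
        echo "$file: placeholder values from the example were never replaced" >&2
        return 1
    fi
    printf '%s %s\n' "$name" "$algo"
    if [ "$algo" = "hmac-md5" ]; then
        return 2
    fi
    return 0
}

# Demo with the domains.txt line from the thread and a constructed token.
build_nsupdate_batch "domain1.com mail.domain1.com smtp.domain1.com" "EXAMPLE-TOKEN"
```

In a hook, the output of `build_nsupdate_batch` would be piped into `nsupdate -k <keyfile>` once `check_tsig_keyfile` has returned 0; the batch issues a single `zone` statement and one `update add` per name, which is exactly the shape a stock BIND or MS DNS server accepts.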

@kyse
Owner

kyse commented Mar 14, 2018

Actually, I was following these instructions (https://dyn.com/updater/tsig/) regarding nsupdate syntax.

I'll try and spend some time with the syntax you provided to see if I can incorporate it to support what you're working with. Might be a min, I want to focus on upgrading to support wildcard support and the ACME v2 endpoint.
