Create certificates for multiple hosts without adding a CNAME record for each? #126
Thanks for your kind words! The nature of the records is static, so they need to be created only once; it's kind of a fire & forget approach to the issue, as they will be reused with the created pair of credentials on every automated renewal. Something to point out though: to steer people towards secure configuration practices, acme-dns only allows two simultaneous TXT records per generated subdomain (for the purpose of getting the wildcard and the main domain into the same certificate). Back to the original question: could you help me understand the situation better? I would like to know why you'd prefer removing the CNAME records from the main zone outside of the challenge validation. I know there are multiple possible reasons for that though, just don't know what you are facing currently!
First off - this is all more or less artificial as I'm not running this in production but rather in my homelab. But still I'm trying to see if I can make this work. It's mostly that I would prefer not to have to create separate CNAME records when hosts are brought up / taken down rather quickly. Yes, normally this would be fire and forget, but with containers as I'm using, this is rather frequent. Does that clarify things?
Here's my idea for a solution so far:
Then I can specify a server listening to the Any other ideas are welcome!
Another idea: if I could supply the username when registering (instead of being dynamic) I could easily create a DNS record like:
That would probably be the most clean / dynamic (and also easiest to keep track of created domains / certificates). Would there be something that prevents usernames from being dynamic (security concerns or otherwise)?
I'm confused. Are you saying you want to automate the registration of new hostnames, but without allowing a service to get certificates for a hostname that a different service already registered, and with some other arbitrary restrictions on what hostnames are allowed to be created?
@Ajedi32 I'm sorry, it might be a bit convoluted, but I'll try to clarify:
The only 'problem' is that I still have to manually add a My idea now is to use Caddy with
Ah. Yeah, that seems like it would work. That way you can program the server to enforce any restrictions you want for hostname creation.
I'm trying to understand what goes on when a certificate is being issued by LE. I've tried researching, but I can't yet fully wrap my head around what's going on. So here's my understanding so far: Suppose we have an
Would it work if between step 2 and 3 I let acme-dns dynamically create the CNAME? That way I would only have my DNS provider credentials stored at one single location.
I've created this simple Go server to create / destroy the required CNAME records (which can be called with just a simple POST request with the corresponding JSON): https://github.com/mdbraber/update-cname-server
Well, sort of. It checks if
Yes, but at that point I don't see why you wouldn't just have it create the TXT record directly. No need for acme-dns when you have a way to fulfill the challenge yourself.
It seems like you might be better off writing an acme-dns alternative instead of using ACME-DNS. You basically just want some kind of DNS API proxy that fulfills requests to set TXT records on your upstream DNS (just like ACME clients do) but with restrictions so clients can't just update whatever records they want. That can be done without needing a whole separate DNS server, so I think it's better implemented as a separate project rather than an add-on to ACME-DNS. I've actually kinda been wanting something like that for a while now; a centralized server that can fulfill ACME challenges for other devices on the network, provided they meet certain authorization conditions. ACME-DNS sorta fulfills that use-case, but only for one "authorization condition": manual approval (by setting a CNAME record) for a specific acme-dns account to authorize certs for a specific domain.
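The restricted TXT-writing proxy sketched in the comment above, reduced to its authorization check, as an added example (not code from acme-dns, acme-proxy or lego): the zone, the client names and the per-client hostname list are constructed for the example, and the proxy is assumed to have already authenticated the client before calling this function.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Zone the proxy holds provider credentials for (constructed value).
const zone = "example.org"

// Hypothetical ACL: which hostnames each authenticated client may
// request _acme-challenge records for. Populated here by hand.
var acl = map[string][]string{
	"foo-host": {"foo.example.org"},
	"bar-host": {"bar.example.org"},
}

// A DNS-01 TXT value is the unpadded base64url SHA-256 digest of the
// key authorization, so a legitimate value is always 43 characters.
var dns01Value = regexp.MustCompile(`^[A-Za-z0-9_-]{43}$`)

// authorizeChallenge decides whether client may write value into the
// TXT record fqdn. On success it returns the hostname being validated.
func authorizeChallenge(client, fqdn, value string) (string, error) {
	name := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	const prefix = "_acme-challenge."
	if !strings.HasPrefix(name, prefix) {
		return "", errors.New("only _acme-challenge records may be written")
	}
	host := strings.TrimPrefix(name, prefix)
	// Refuse names outside the zone, including lookalike suffixes.
	if host != zone && !strings.HasSuffix(host, "."+zone) {
		return "", fmt.Errorf("%s is outside zone %s", host, zone)
	}
	// A client may only touch the hostnames it was registered for.
	allowed := false
	for _, h := range acl[client] {
		if h == host {
			allowed = true
		}
	}
	if !allowed {
		return "", fmt.Errorf("client %q not authorized for %s", client, host)
	}
	if !dns01Value.MatchString(value) {
		return "", errors.New("value is not a DNS-01 key authorization digest")
	}
	return host, nil
}
```

The value check matters because the proxy is the only thing standing between a client and the provider API: without it, an authorized client could publish arbitrary text at its challenge name rather than only a challenge digest.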
@Ajedi32 you're right. My setup works, but it's indeed not needed to use acme-dns for this. Therefore I've quickly written acme-proxy. This might be an alternative for those people who do have access to their DNS providers' API, but would like to centralize requests. It integrates with lego and can basically proxy all the providers. To use it now, use my current fork of lego that integrates acme-proxy as a provider. I've created a PR with lego to gather suggestions for a better implementation: go-acme/lego#708. It works great at this moment. Running the proxy:
Requesting a certificate:
You might want to take a look at our changes mentioned in #158, where you can use "readable" CNAMEs and a single set of credentials to manage multiple TXT records.
Thanks @wdoekes, looks interesting. For anyone interested in a different solution to the same problem, check out https://github.com/mdbraber/acmeproxy for an updated version of acmeproxy that's basically relaying requests from other hosts inside a network (having credentials stored in a single location) and can use username/password or IP based authentication.
First off, thanks for building acme-dns - it's just what I was looking for! I'm trying to do the following: I want to generate certificates for the servers foo.example.org, bar.example.org etc. This works fine. However I have to manually add the following in my provider's DNS config:
As the hosts (foo, bar etc.) are being created rather dynamically I would prefer to avoid creating them by hand if possible (also I would prefer to keep the names of the hosts out of my provider's DNS). Wildcards obviously won't work and I don't want to generate a wildcard certificate on each host as that seems more of a workaround than a real solution. The only solution so far that I could think of would be to use my provider's API to somehow dynamically create the _acme-challenge.foo record. I would need to have the client (e.g. lego) do this before requesting the _acme-challenge record. But unfortunately this implies a 'race' condition because to do that I would put my API keys on each host (which is exactly what I'm trying to prevent with acme-dns). Would there be any (other) ideas to do this smarter / more dynamic?