Dns01Precondition #757
Yes, it'll need long-term access. The ACME process means that the certificate authority (LetsEncrypt) needs to verify that you own the domain. The certificate only lasts for 90 days though (shorter lifetime = better security), so should be renewed before expiry. When the CA issues the renewed certificate it'll again need this challenge to be satisfied (proving you still own that domain - as the domain could have been sold on in the intervening time).

This same question is handled in LetsEncrypt's own forum: https://community.letsencrypt.org/t/will-renewal-always-require-new-dns-acme-challenge-txt/

Note: Strictly speaking, "constant" access isn't required and the TXT record doesn't need to be constantly present - access is only required when a certificate is being created or renewed, to manage the TXT record, and the TXT record created using that access is only present until the challenge is successful, after which it's deleted - so in theory you could grant access 1 day a month and do all your renewals in one go then / something like that... But that's a lot more effort for a worse solution, so you don't want to go down that path.
Hi,
Thanks for your contribution.
I would like to ask about the DNS precondition check. Does Acmebot require constant access to the DNS zone? Or is it only required for the initial DNS challenge? I have a requirement from a customer who does not want to keep constant access between the Azure Function and their DNS zone.