Comments (3)
Certificate issuance and subdomain registration are already separate. When and how you perform those steps depends on the ACME client. Is there a particular ACME client you're using?
On the first run, LEGO's acme-dns provider will call /register to get a subdomain and will save the credentials to a file (see ACME_DNS_STORAGE_PATH). Then it prompts you to manually set the CNAME. You could instead call /register yourself (using curl, for example), set up the CNAME, and create that file manually. This causes LEGO to skip the registration process, since you're providing an existing subdomain, and issue a certificate right away. I'm doing this in one of my projects to pre-register subdomains.
acme-dns doesn't need any changes to support this, although your ACME client may. I may be able to point you in the right direction.
having the subdomain be defined manually by human intervention is just asking for trouble
What would that trouble be?
Presumably name collisions and ownership issues. If you're picking a subdomain name without checking if it's already been assigned then someone else may already own it. If you set up the CNAME then someone else can issue certificates for your domain. Even if you try to use an unguessable UUID, an attacker can look at your DNS records to see the dangling CNAME, then try to register the subdomain before you can.
The only way to do this safely is to register the subdomain with acme-dns before you set the CNAME. This way you know that no one else has credentials for the subdomain. Since you need to call /register first, you may as well let acme-dns pick the subdomain name for you. Then it's just a matter of configuring your ACME client.
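The register-first ordering described in the answer above, as an added example that is not part of the original thread or of acme-dns/LEGO itself: it validates a constructed /register response, writes the per-domain entry in the layout LEGO's storage file is assumed to use (goacmedns style, domain keyed, with server_url), and only then emits the CNAME to create; cname_target_is_ours is the check for an existing CNAME whose target you do not hold credentials for. The sample response, domain and server URL are constructed values.

```python
import json
from pathlib import Path
# Constructed sample /register body in the shape acme-dns returns; every
# value is made up for this example and is not a real credential.
SAMPLE_REGISTER_RESPONSE = json.dumps({
    "username": "00000000-1111-2222-3333-444444444444",
    "password": "constructed-password-not-a-real-secret",
    "fulldomain": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.auth.example.net",
    "subdomain": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
})
REQUIRED = ("username", "password", "fulldomain", "subdomain")

def parse_register_response(body: str) -> dict:
    """Validate a /register body before anything is stored or published;
    the subdomain is whatever acme-dns chose, never a human-picked label."""
    acct = json.loads(body)
    missing = [k for k in REQUIRED if not acct.get(k)]
    if missing:
        raise ValueError(f"/register response missing {missing}")
    if not acct["fulldomain"].startswith(acct["subdomain"] + "."):
        raise ValueError("fulldomain does not belong to the returned subdomain")
    return acct

def storage_entry(domain: str, acct: dict, server_url: str) -> dict:
    """One entry of the JSON file LEGO reads from ACME_DNS_STORAGE_PATH
    (assumed goacmedns-style layout: domain -> account fields)."""
    return {domain: {
        "username": acct["username"], "password": acct["password"],
        "fulldomain": acct["fulldomain"], "subdomain": acct["subdomain"],
        "server_url": server_url,
    }}

def cname_record(domain: str, acct: dict) -> str:
    """CNAME to publish only AFTER registration, so its target is ours."""
    return f"_acme-challenge.{domain}. CNAME {acct['fulldomain']}."

def cname_target_is_ours(observed_target: str, acct: dict) -> bool:
    """An existing _acme-challenge CNAME is safe only if it points exactly
    at our registered fulldomain; anything else may be a foreign account."""
    return observed_target.rstrip(".").lower() == acct["fulldomain"].lower()

def preregister(domain: str, body: str, server_url: str, path: str) -> str:
    """Register-then-CNAME in the safe order: persist credentials first,
    then hand back the CNAME the operator or tooling should create."""
    acct = parse_register_response(body)
    store = json.loads(Path(path).read_text()) if Path(path).exists() else {}
    store.update(storage_entry(domain, acct, server_url))
    Path(path).write_text(json.dumps(store, indent=2))
    return cname_record(domain, acct)
```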
Depending on where you host your DNS zone, you can already do that with some tooling.
When you request an acme-dns record, that record will be echoed out... which you can then parse and further use in your tooling with API calls to your DNS hosting provider and Let's Encrypt or another ACME CA.
I think having the subdomain be defined manually by human intervention is just asking for trouble.
The point of ACME-DNS is to be able to automate renewal of TLS certificates with DNS-01 challenges securely: without storing a high-privilege API token on the server that needs the TLS certificates (see article from EFF: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation).
If the DNS hosting provider is already providing an API token with restricted permissions (update of a given TXT record only), then I do not need ACME-DNS.
If the DNS hosting provider is providing me with a high-privilege API token, then I am back with the problem that ACME-DNS was trying to solve initially.
So I do not understand how the solution you propose brings any value.