Support DNS challenge for LE / ACME #110
Comments
I'd like to take this one. Could you please provide more details on how this should work from a user perspective? I don't have any experience with letsencrypt, so it would be a perfect hands-on for me.
I'm not sure myself. Probably we will need to support a bunch of DNS providers, similarly to lego. And it looks like providers may have different params. You can check how lego does it.
We could use golang.org/x/crypto/acme for initiating DNS challenges. The library doesn't have a stable version yet and is still under development. But probably we could use it in the future. Second, we need to add a TXT record derived from the received token to the DNS provider. There is no functionality in the standard library for this task. I took a look at the list of providers supported by lego. If we could use the lego library it would make the task much easier. But you don't want to bring the lego dependency to the project, correct?
The list of lego's dependencies is huge, for real. I would prefer any other solution instead of adding all of this.
What if we move the logic of creating TXT records to a separate service, and reproxy will use it? This separate service implements the API on its own or uses lego DNS providers. I played with that a few months ago, maybe my sketches can help or maybe not: acme-dns-challenge, acme-dns-api-presenter
@ezotrank thank you for your suggestions and gists. From my POV, it still would be nice to have this functionality inside of reproxy. If we are going to use some external services, why not just use lego? In this PR I want to implement the logic to schedule certificate renewal and creation of TXT records for a couple of the most popular DNS providers.
It will be very nice to add such support. My first reaction was adding the lego library, but it looks like it can be added with golang.org/x/crypto/acme, see https://community.letsencrypt.org/t/golang-example-using-dns-verification/81696