
Support DNS challenge for LE / ACME

Open umputun opened this issue 3 years ago • 6 comments

It would be very nice to add such support. My first reaction was to add the lego library, but it looks like it can be done with golang.org/x/crypto/acme; see https://community.letsencrypt.org/t/golang-example-using-dns-verification/81696

umputun avatar Sep 08 '21 19:09 umputun

I'd like to take this one. Could you please provide more details on how this should work from the user's perspective?

I don't have any experience with Let's Encrypt; it would be a perfect hands-on for me.

nbys avatar Nov 16 '21 19:11 nbys

I'm not sure myself. Probably we will need to support a bunch of DNS providers, similar to lego. And it looks like providers may have different params. You can check how lego does it.

umputun avatar Nov 16 '21 19:11 umputun

We could use golang.org/x/crypto/acme for initiating DNS challenges. The library doesn't have a stable version yet and is still under development. But probably we could use it in the future.

Second, we need to add a TXT record derived from the received token to the DNS provider. There is no functionality in the standard library for this task. I took a look at the list of providers supported by lego. If we could use the lego library, it would make the task much easier. But you don't want to bring the lego dependency into the project, correct?

nbys avatar Nov 17 '21 20:11 nbys
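The two steps nbys describes above (obtain the challenge token from the CA, then publish a TXT record derived from it) are fixed by RFC 8555 §8.4 and RFC 7638, so the derivation can be shown without any provider SDK. The following is an added example, not code from reproxy, lego or x/crypto: it assumes a P-256 ACME account key and a constructed sample token, and uses only the Go standard library. golang.org/x/crypto/acme's `(*Client).DNS01ChallengeRecord` computes the same value; what remains provider-specific, and what the thread is really about, is the API call that publishes the record.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"regexp"
	"strings"
)

// b64 is the base64url-without-padding encoding ACME uses everywhere (RFC 4648 §5, no '=').
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// tokenRE: RFC 8555 §8.3 tokens consist of base64url characters only. Validating the token
// before handing it to a DNS provider API keeps a malformed CA response from injecting
// arbitrary text into that request.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// jwkThumbprint implements RFC 7638 for a P-256 account key: SHA-256 over the JWK that
// contains only the required members, in lexicographic order, with no whitespace.
func jwkThumbprint(pub *ecdsa.PublicKey) (string, error) {
	if pub == nil || pub.Curve != elliptic.P256() {
		return "", fmt.Errorf("only P-256 account keys are handled in this example")
	}
	// Coordinates are fixed-length big-endian (32 bytes for P-256), left-padded with zeros.
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	// Struct field order is the JSON member order; crv, kty, x, y is already lexicographic.
	jwk := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{Crv: "P-256", Kty: "EC", X: b64(x), Y: b64(y)}
	raw, err := json.Marshal(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return b64(sum[:]), nil
}

// keyAuthorization binds the CA's token to the account key: token || "." || thumbprint.
func keyAuthorization(token string, pub *ecdsa.PublicKey) (string, error) {
	if !tokenRE.MatchString(token) {
		return "", fmt.Errorf("challenge token %q is not base64url", token)
	}
	tp, err := jwkThumbprint(pub)
	if err != nil {
		return "", err
	}
	return token + "." + tp, nil
}

// dns01Record returns the TXT record for a dns-01 challenge (RFC 8555 §8.4): the name is
// "_acme-challenge." plus the domain with any wildcard label removed, the value is
// base64url(SHA-256(keyAuthorization)).
func dns01Record(domain, token string, pub *ecdsa.PublicKey) (name, value string, err error) {
	ka, err := keyAuthorization(token, pub)
	if err != nil {
		return "", "", err
	}
	base := strings.TrimSuffix(strings.TrimPrefix(domain, "*."), ".")
	sum := sha256.Sum256([]byte(ka))
	return "_acme-challenge." + base, b64(sum[:]), nil
}

// verifyDNS01 is the CA-side check: recompute the expected value and compare in constant time.
func verifyDNS01(observed, domain, token string, pub *ecdsa.PublicKey) bool {
	_, want, err := dns01Record(domain, token, pub)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(observed), []byte(want)) == 1
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway account key
	if err != nil {
		log.Fatal(err)
	}
	const token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // constructed sample token
	name, value, err := dns01Record("*.example.com", token, &key.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	// This is the record the provider API has to create; delete it once the CA reports "valid".
	fmt.Printf("%s. 300 IN TXT %q\n", name, value)
}
```

Because the value depends on the account key as well as the token, a record left behind from a previous run is useless to anyone else, but stale records still leak which names are being issued and can hit provider TXT-count limits, so a provider integration needs a cleanup step alongside the create step.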

But you don't want to bring the lego dependency into the project, correct?

The list of lego's dependencies is huge, for real. I would prefer any other solution instead of adding all of this.

umputun avatar Nov 17 '21 20:11 umputun

What if we move the logic of creating TXT records to a separate service, and reproxy will use it? This separate service implements the API on its own or uses lego DNS providers.

I played with that a few months ago; maybe my sketches can help, or maybe not: acme-dns-challenge, acme-dns-api-presenter

ezotrank avatar Dec 18 '21 07:12 ezotrank

@ezotrank thank you for your suggestions and gists. From my POV, it still would be nice to have this functionality inside reproxy. If we are going to use some external services, why not just use lego?

In this PR I want to implement the logic to schedule certificate renewal and the creation of TXT records for a couple of the most popular DNS providers.

nbys avatar Dec 29 '21 19:12 nbys