On 04/05/2023 18:21, Tom Barrett via Pdns-users wrote:
I'm looking for a solution for running an SSL proxy with PowerDNS. This is a service that will auto-generate SSL certs (such as letsencrypt) for each zone.

I think you might be confusing several concepts here, most of which are nothing to do with PowerDNS.

Firstly, a TLS certificate is not issued for an entire zone, only individual hostnames in that zone (e.g. "example.com" or "www.example.com"). As a special case, you can get a wildcard certificate for "*.example.com" (but it only matches one subdomain deep).

Secondly, a "proxy" generally means something that passes through user traffic. What sort of "proxy" are you looking for?  There are HTTP reverse proxies (Apache, Nginx, Traefik...): these decrypt the traffic at the proxy, and only work with HTTP, but mean all your keys and certs are centralised on the proxy. There are also layer 4 TCP proxies which can forward the entire TCP session by sniffing the TLS SNI header (I use sniproxy, but I think haproxy can do this too) - in this case the traffic remains encrypted end-to-end, but each endpoint host needs its own key and cert.

Thirdly, the issuance of certificates is mostly unrelated to your choice of proxy.  You might find some proxies have specific helpers available for issuing certificates (e.g. I think there's an Apache module which can request letsencrypt certs, and kubernetes has cert-manager). But often you would deploy a separate tool to do this: either standalone tools like certbot, dehydrated, acme.sh; or a centralised tool for certificate issuance like certgrinder.  The tool creates the private key and certificate, and these are then read in by your webserver or proxy.

Fourthly, the issuance of certificates does not need to involve DNS. The only place where DNS might come into play is if you are using the DNS01 challenge to prove your ownership of a domain (as opposed to the more common HTTP01 challenge).  You'll need to use the DNS01 challenge in two cases: (1) your hosts do not accept incoming HTTP connections on port 80 from the Internet; or (2) you want to issue a wildcard certificate.

The DNS01 challenge requires dynamic addition and removal of TXT records in the zone.  This is the only point where PowerDNS might get involved: your certificate issuance tool will need to be able to add/remove those records, e.g. using RFC2136 dynamic DNS updates, or using the PDNS API.  If you prefer not to expose your important zones to dynamic updates, you can set up a separate zone for the TXT records, and statically point CNAMEs at it.  If you delegate that zone to a separate DNS server running acme-dns <https://github.com/joohoi/acme-dns> then you can leave dynamic updates in PowerDNS completely disabled.

However this is all quite complicated to get your head around at first, so for any server which is reachable from the public Internet and doesn't need a wildcard cert, the HTTP01 challenge is likely to be much easier to set up.

A proxy which accepts inbound connections from the public Internet will be able to get Letsencrypt certs using HTTP01 just fine. Setting this up is nothing to do with PowerDNS at all, and therefore I think it would be more appropriate to continue your query at the Letsencrypt Community forum <https://community.letsencrypt.org/>.

I hope this gives you a few pointers anyway.

Regards,

Brian.

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
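The DNS01 mechanics Brian describes (the `_acme-challenge` TXT record, updating it through the PDNS API, and the static-CNAME trick that keeps dynamic updates away from the important zone) are easier to see end to end in code. The following is an added example, not part of the mailing-list thread and not code from PowerDNS, certbot or acme-dns. It computes the TXT value exactly as RFC 8555 section 8.4 defines it (base64url of SHA-256 over `token.thumbprint`), follows a statically configured CNAME to the zone that really holds the record, picks the enclosing authoritative zone, and builds the JSON body that the PowerDNS Authoritative API expects on `PATCH /api/v1/servers/localhost/zones/<zone>`. The token, thumbprint, hostnames and CNAME mapping are constructed sample values; nothing here talks to a network.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not real ACME values): a challenge token as the CA
# would hand it out, and the base64url JWK thumbprint of the ACME account key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"

# Constructed static CNAMEs (the "separate zone" pattern from the mail): the
# important zone holds only these fixed CNAMEs, pointing into a throwaway zone
# that is the only place dynamic updates are allowed.
SAMPLE_CNAMES = {
    "_acme-challenge.www.example.com.": "www.acme.example.net.",
    "_acme-challenge.example.com.": "apex.acme.example.net.",
}

# Constructed list of zones this PowerDNS instance is authoritative for.
SAMPLE_ZONES = ["example.com.", "acme.example.net.", "example.net."]


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 s8.4: base64url(SHA-256(token "." thumbprint)) without '=' padding."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(hostname: str) -> str:
    """Name the CA queries. A wildcard '*.example.com' is validated at the parent,
    so its record is _acme-challenge.example.com."""
    host = hostname.rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return f"_acme-challenge.{host}."


def follow_static_cname(name: str, cname_map: dict) -> str:
    """Follow statically configured CNAMEs to the name that must carry the TXT record."""
    seen = set()
    while name in cname_map:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = cname_map[name]
    return name


def enclosing_zone(name: str, zones: list) -> str:
    """Longest-suffix match: the authoritative zone that actually contains `name`."""
    candidates = [z for z in zones if name == z or name.endswith("." + z)]
    if not candidates:
        raise LookupError(f"no authoritative zone for {name}")
    return max(candidates, key=len)


def pdns_rrset_patch(name: str, txt_value: str, ttl: int = 60, delete: bool = False) -> dict:
    """Body for PATCH /api/v1/servers/localhost/zones/<zone>. TXT content is quoted,
    as the PowerDNS API requires; DELETE removes the whole RRset."""
    rrset = {"name": name, "type": "TXT", "changetype": "DELETE" if delete else "REPLACE"}
    if not delete:
        rrset["ttl"] = ttl
        rrset["records"] = [{"content": f'"{txt_value}"', "disabled": False}]
    return {"rrsets": [rrset]}


def plan_dns01(hostname: str, token: str, thumbprint: str, cname_map: dict, zones: list) -> dict:
    """Everything a DNS01 hook needs: where to write, what to write, and the API bodies
    for publishing the record and for cleaning it up afterwards."""
    target = follow_static_cname(challenge_name(hostname), cname_map)
    zone = enclosing_zone(target, zones)
    value = dns01_txt_value(token, thumbprint)
    return {
        "zone": zone,
        "record": target,
        "publish": pdns_rrset_patch(target, value),
        "cleanup": pdns_rrset_patch(target, value, delete=True),
    }


if __name__ == "__main__":
    # Low TTL and prompt cleanup keep the window in which a stale challenge is visible short.
    plan = plan_dns01("*.example.com", SAMPLE_TOKEN, SAMPLE_THUMBPRINT, SAMPLE_CNAMES, SAMPLE_ZONES)
    print(json.dumps(plan, indent=2))
```

Note that with the CNAME mapping above the record for `www.example.com` is written into `acme.example.net.`, not `example.com.`, so the API credential used by the issuance tool only ever needs rights on that one small zone.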
