Re: DNS-01 challenge in acme-client
On 19:27 Fri 02 Mar, Stuart Henderson wrote:
> On 2018-03-01, Consus wrote:
> > Let's Encrypt is going to support wildcard certificates soon enough, but
> > only through DNS-01 challenge, but acme-client(1) does not support it.
> > Have you guys considered implementing DNS challenges? Maybe someone is
> > already working on the implementation? If not, are patches welcome?
>
> Kristaps' original version of acme-client supports this, though you do
> need a script as well.

That's the simplest way to do it, so I'm not surprised.

> It won't help for letsencrypt wildcard certificates yet because they
> require a new version of the ACME protocol.

Yes, but I think acme-client(1) should support ACME v2 anyway, because it's
not clear for how long Let's Encrypt will keep the legacy API endpoints
available.

> (I'm not a fan of wildcard certs anyway though, they mostly just
> encourage people to reuse certs and keys in places where they aren't
> necessary).

True, but wildcards come in handy in situations where you have a bunch of
generated and short-lived (often per http-session) DNS records with a
common domain.
Re: DNS-01 challenge in acme-client
On 2018-03-01, Consus wrote:
> Let's Encrypt is going to support wildcard certificates soon enough, but
> only through DNS-01 challenge, but acme-client(1) does not support it.
> Have you guys considered implementing DNS challenges? Maybe someone is
> already working on the implementation? If not, are patches welcome?

Kristaps' original version of acme-client supports this, though you do
need a script as well.

It won't help for letsencrypt wildcard certificates yet because they
require a new version of the ACME protocol.

(I'm not a fan of wildcard certs anyway though, they mostly just
encourage people to reuse certs and keys in places where they aren't
necessary).
Re: DNS-01 challenge in acme-client
On 15:46 Fri 02 Mar, Consus wrote:
> On 11:45 Fri 02 Mar, Etienne wrote:
> > Well, really, what you're asking for is having acme-client offload the
> > complicated stuff (set the TXT records, then check for verification) to a
> > script, which to me looks pretty much the same as writing a script to do
> > everything.
>
> I'm not. Writing TXT entries can be done the same way acme-client(1)
> handles TLS challenges now.

HTTP of course, not TLS. Sorry.
Re: DNS-01 challenge in acme-client
On 11:45 Fri 02 Mar, Etienne wrote:
> Well, really, what you're asking for is having acme-client offload the
> complicated stuff (set the TXT records, then check for verification) to a
> script, which to me looks pretty much the same as writing a script to do
> everything.

I'm not. Writing TXT entries can be done the same way acme-client(1)
handles TLS challenges now.

> I believe you'll see limited advantage in having acme-client do
> any work here, compared to having your script issue the CSR, send it to
> Letsencrypt, receive the TXT records, and do the rest of the complicated
> stuff mentioned above.

I'm not suggesting that we should put ALL this in a script. Ideally your
script should be like this:

    #!/bin/sh
    doas _acmedns nsd-control reload

That's all. A DNS challenge is only different from a TLS challenge in one
simple bit -- you need to reload your DNS server configuration before
answering the ACME server.

> I think acme-client's value is where the certificate for a server, the
> server, and the verification challenge/process all take place on the same
> machine. But the DNS service is likely to be handled by another (or rather,
> many other) machine(s).

You can generate your certs in one place and then distribute them to your
frontends.
Re: DNS-01 challenge in acme-client
On 01/03/18 14:39, Consus wrote:
> > It is more complicated than creating a file in a folder.
>
> With a little luck it's not. Both NSD and BIND allow you to include files
> in zone configuration like this:
>
> [...]
>
> The only problem here is #3, but it's possible to create e.g. another
> pledged process that can only execute /etc/acme-client/dns-challenge.sh
> and you can put all your complicated stuff there.

Well, really, what you're asking for is having acme-client offload the
complicated stuff (set the TXT records, then check for verification) to a
script, which to me looks pretty much the same as writing a script to do
everything.

I believe you'll see limited advantage in having acme-client do
any work here, compared to having your script issue the CSR, send it to
Letsencrypt, receive the TXT records, and do the rest of the complicated
stuff mentioned above.

I think acme-client's value is where the certificate for a server, the
server, and the verification challenge/process all take place on the same
machine. But the DNS service is likely to be handled by another (or rather,
many other) machine(s).

Cheers,
-- 
Étienne
Re: DNS-01 challenge in acme-client
On 15:20 Thu 01 Mar, Solène Rapenne wrote:
> It is not easy to implement because this requires access to your
> DNS server (like nsd or bind) or your registrar admin API which would
> require adding plugins for each API.

Well... that's why it's called DNS challenge, right?

> It is more complicated than creating a file in a folder.

With a little luck it's not. Both NSD and BIND allow you to include files
in zone configuration like this:

    /path/to/your/zones/zone.foo.bar
    /path/to/your/zones/zone.foo.bar.acme.inc

So the whole process possibly boils down to this:

1. Receive a challenge
2. Write TXT record to a file
3. Politely ask your DNS daemon to reload the zone
4. Reply to the ACME server
5. Grab your certificates

The only problem here is #3, but it's possible to create e.g. another
pledged process that can only execute /etc/acme-client/dns-challenge.sh
and you can put all your complicated stuff there.
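The include-file approach from steps 2 and 3 above, together with the one-line reload hook proposed earlier in the thread, as a hook script (an added example, not acme-client(1) code or anything posted by the participants): it assumes nsd(8) with the zone.$ZONE / zone.$ZONE.acme.inc layout quoted above, a ZONE_DIR of /var/nsd/zones, and that the caller passes the domain, zone and key authorization; the dns-01 TXT value is base64url(SHA-256(key authorization)) as RFC 8555 defines it.

```shell
#!/bin/sh
# Hook for steps 2 and 3 of the procedure above, with the reload left to the
# caller's DNS daemon. Assumed layout: the zone file for ZONE carries an
# $INCLUDE of "$ZONE_DIR/zone.$ZONE.acme.inc"; the challenge value is
# base64url(SHA-256(key authorization)) as RFC 8555 defines for dns-01.
set -eu

ZONE_DIR="${ZONE_DIR:-/var/nsd/zones}"            # assumed path, adjust
RELOAD_CMD="${RELOAD_CMD:-nsd-control reload}"    # run via doas in practice
TTL=300

# base64url (RFC 4648 section 5): URL-safe alphabet, no padding.
b64url() { openssl base64 | tr -d '\n=' | tr '+/' '-_'; }

# dns01_value KEY_AUTHORIZATION: the TXT value the ACME server looks for.
dns01_value() { printf '%s' "$1" | openssl dgst -sha256 -binary | b64url; }

# include_path ZONE: the file the zone's $INCLUDE line points at.
include_path() { printf '%s/zone.%s.acme.inc' "$ZONE_DIR" "$1"; }

# write_acme_include DOMAIN VALUE FILE: replace the include atomically so a
# reload never sees a half-written record; only the challenge lives here.
write_acme_include() {
    domain=$1 value=$2 file=$3
    tmp="$file.tmp.$$"
    printf '_acme-challenge.%s. %d IN TXT "%s"\n' "$domain" "$TTL" "$value" > "$tmp"
    mv "$tmp" "$file"
}

# include_value FILE: read the value back, to compare with what the ACME
# server expects before letting it proceed to step 4.
include_value() {
    sed -n 's/^_acme-challenge\.[^ ]* [0-9]* IN TXT "\(.*\)"$/\1/p' "$1"
}

# clear_acme_include FILE: after issuance, keep an empty include so the zone
# still loads but the stale token is gone.
clear_acme_include() { : > "$1"; }

# run DOMAIN ZONE KEY_AUTHORIZATION: write the record, then reload. The zone's
# SOA serial still has to be bumped or secondaries will not pick it up.
run() {
    write_acme_include "$1" "$(dns01_value "$3")" "$(include_path "$2")"
    $RELOAD_CMD
}

if [ $# -eq 3 ]; then run "$@"; fi
```

Invoked as `dns-challenge.sh www.foo.bar foo.bar "$KEY_AUTHORIZATION"`, it leaves exactly one TXT record in the include and hands off to the reload command, which is the only part that needs the elevated privileges the pledged helper process was meant to isolate.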
Re: DNS-01 challenge in acme-client
On 2018-03-01 10:45, Consus wrote:
> Hi,
>
> Let's Encrypt is going to support wildcard certificates soon enough, but
> only through DNS-01 challenge, but acme-client(1) does not support it.
> Have you guys considered implementing DNS challenges? Maybe someone is
> already working on the implementation? If not, are patches welcome?

Hello,

I'm not a developer of acme-client but I have been using the dns challenge
for some time. It is not easy to implement because this requires access to
your DNS server (like nsd or bind) or your registrar admin API which would
require adding plugins for each API.

It is more complicated than creating a file in a folder.

I use https://dehydrated.de/ with a shell script as a hook for the dns
challenge.