
Add support for delegating DNS-01 challenge to a different domain #588

Closed
1 task done
cuu508 opened this issue May 23, 2023 · 1 comment
Assignees
Labels: good first issue (Easy to do, good for newcomers.), new feature (New feature.)

Comments

@cuu508 (Contributor) commented May 23, 2023

Use case

The DNS-01 challenge requires storing a DNS API key in maddy.conf. DNS providers do not typically offer API keys that can be restricted to setting and removing _acme-challenge TXT records and nothing else. Storing an API key that controls DNS for the whole domain in maddy.conf is not great for security.

One workaround is to delegate DNS-01 challenges to a separate domain using a CNAME record: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation (see the section "Use a 'Throwaway' Validation Domain").

Your idea for a solution

DNS01Solver in the certmagic package has an OverrideDomain field:

```go
// Override the domain to set the TXT record on. This is
// to delegate the challenge to a different domain. Note
// that the solver doesn't follow CNAME/NS record.
OverrideDomain string
```

Allow it to be specified in maddy.conf, and pass it to DNS01Solver. Configuration mockup:

```
tls {
    loader acme {
        hostname example.com
        email [email protected]
        agreed
        challenge dns-01
        override_domain example-acme-challenge.com
        dns cloudflare {
            api_token "..."
        }
    }
}
```

- [x] I'm willing to help with the implementation – I'm a Go newbie and an absolute maddy newbie, but I can try :-)
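The delegation the issue describes has two halves: maddy (via certmagic's OverrideDomain, quoted above) writes the TXT record into the throwaway zone, and a CNAME that the operator creates by hand points `_acme-challenge.<hostname>` at that zone, because the solver does not follow CNAMEs but the ACME validator does. The Go program below is an added example, not maddy or certmagic code; the helper names (`ChallengeName`, `TxtTarget`, `CheckDelegation`) are hypothetical, and the zone data is constructed for the example. It shows which name the solver writes to for the mockup configuration and checks that the CNAME half is in place before an issuance is attempted.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ChallengeName is the DNS name an ACME validator queries for a DNS-01
// challenge: _acme-challenge.<hostname>. (Hypothetical helper, not maddy code.)
func ChallengeName(hostname string) string {
	return "_acme-challenge." + strings.TrimSuffix(hostname, ".")
}

// TxtTarget mirrors the OverrideDomain semantics quoted from certmagic in the
// issue: when an override domain is configured the TXT record is written
// there, otherwise under the certificate hostname. (Hypothetical helper.)
func TxtTarget(hostname, overrideDomain string) string {
	if overrideDomain != "" {
		return strings.TrimSuffix(overrideDomain, ".")
	}
	return ChallengeName(hostname)
}

// CNAMELookup abstracts net.LookupCNAME so the check below can run offline.
type CNAMELookup func(name string) (string, error)

// CheckDelegation confirms the operator-created CNAME is in place before
// relying on override_domain: the solver does not follow CNAMEs itself, so if
// _acme-challenge.<hostname> does not point at the override domain the
// validator will never find the TXT record. (Hypothetical helper.)
func CheckDelegation(lookup CNAMELookup, hostname, overrideDomain string) error {
	src := ChallengeName(hostname)
	want := strings.TrimSuffix(overrideDomain, ".")
	got, err := lookup(src)
	if err != nil {
		return fmt.Errorf("no CNAME for %s: %w", src, err)
	}
	got = strings.TrimSuffix(got, ".")
	if !strings.EqualFold(got, want) {
		return fmt.Errorf("%s is a CNAME to %s, expected %s", src, got, want)
	}
	return nil
}

// constructedCNAMEs is sample zone data made up for this example.
var constructedCNAMEs = map[string]string{
	"_acme-challenge.example.com":      "example-acme-challenge.com.",
	"_acme-challenge.mail.example.com": "mail.example-acme-challenge.com.",
}

// mapLookup answers from the constructed data in the same shape as
// net.LookupCNAME (canonical name with a trailing dot).
func mapLookup(name string) (string, error) {
	if target, ok := constructedCNAMEs[strings.TrimSuffix(name, ".")]; ok {
		return target, nil
	}
	return "", errors.New("NXDOMAIN")
}

func main() {
	// Values taken from the configuration mockup in the issue.
	hostname, override := "example.com", "example-acme-challenge.com"
	fmt.Println("validator queries:", ChallengeName(hostname))
	fmt.Println("solver writes TXT to:", TxtTarget(hostname, override))
	if err := CheckDelegation(mapLookup, hostname, override); err != nil {
		fmt.Println("delegation broken:", err)
	} else {
		fmt.Println("delegation OK: CNAME points at the override domain")
	}
	// A hostname whose CNAME points somewhere else is caught before issuance fails.
	fmt.Println(CheckDelegation(mapLookup, "mail.example.com", override))
	// To check live DNS instead of the constructed data, pass net.LookupCNAME.
}
```

The security payoff is the one the issue states: the `api_token` in maddy.conf only needs authority over the throwaway zone, and the CNAME in the production zone is a one-time manual change, so a leaked token cannot alter MX, SPF or other records for the real domain.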
@cuu508 cuu508 added the new feature New feature. label May 23, 2023
@foxcpp foxcpp added the good first issue Easy to do, good for newcomers. label May 29, 2023
@foxcpp foxcpp self-assigned this May 29, 2023
@cuu508 (Contributor, Author) commented Aug 8, 2023

I've been using the override_domain option for a couple of months now and it works great. Thanks @foxcpp!

@cuu508 cuu508 closed this as completed Aug 8, 2023