Handle Let's Encrypt DNS challenges with this program, which has an embedded DNS server that answers the challenge records itself.

It is possible to delegate the subdomain `_acme-challenge` and handle LE (Let's Encrypt) DNS challenges with one specific DNS server (this utility), instead of waiting for the record to propagate to many DNS servers before the challenge can be fulfilled. This also makes it possible to have most of the (other) DNS functionality "outsourced" anywhere.

The plan with this program is to be able to manage all your domain certs in one place, and LE's upcoming wildcard certs are only going to work with the DNS challenge (with API 2.0, at the end of February).
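To make the mechanism concrete, here is an added example (not code from goacmedns or from golang.org/x/crypto/acme, which the program uses for this) that computes, with only the Go standard library, what the delegated DNS server has to serve: the `_acme-challenge.<domain>` TXT record whose value is `base64url(SHA-256(token "." thumbprint))`, where the thumbprint is the RFC 7638 JWK thumbprint of the ACME account key (RFC 8555, section 8.4; the acme package exposes the same computation as `DNS01ChallengeRecord`). The token and the `example.com` domain are constructed sample values, and the account key is generated on the spot.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64 is the unpadded base64url encoding that ACME and JWK use.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Thumbprint returns the RFC 7638 thumbprint of an RSA public key: SHA-256
// over {"e":"...","kty":"RSA","n":"..."} with the members in lexicographic
// order and no whitespace. encoding/json emits struct fields in declaration
// order and never inserts spaces, so the struct below yields exactly that.
func Thumbprint(pub *rsa.PublicKey) (string, error) {
	jwk := struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{
		E:   b64(big.NewInt(int64(pub.E)).Bytes()), // unsigned big-endian, no leading zeros
		Kty: "RSA",
		N:   b64(pub.N.Bytes()),
	}
	raw, err := json.Marshal(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return b64(sum[:]), nil
}

// KeyAuthorization is token "." thumbprint (RFC 8555, section 8.1).
func KeyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// DNS01Record is the TXT value the delegated server must answer for the
// DNS-01 challenge: base64url(SHA-256(keyAuthorization)) (RFC 8555, 8.4).
func DNS01Record(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(KeyAuthorization(token, thumbprint)))
	return b64(sum[:])
}

// ChallengeName is the owner name the CA queries for domain.
func ChallengeName(domain string) string {
	return "_acme-challenge." + domain
}

func main() {
	// Constructed sample: a fresh account key and a made-up token. In the real
	// flow the token comes from the CA inside the challenge object.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tp, err := Thumbprint(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	token := "constructed-token-value"
	fmt.Printf("%s. 60 IN TXT %q\n", ChallengeName("example.com"), DNS01Record(token, tp))
}
```

The record value is always 43 characters (a 32-byte digest in unpadded base64url), so a TXT value of any other length is a sign that the wrong thing is being served. The CA queries the name at the delegated server's authoritative address, so the record only has to exist there, not at every resolver.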
```
Usage of ./goacmedns:
  -D DEBUG (bool)
        Short for DEBUG (bool)
  -DEBUG
        Debug & "Staging" mode
  -d domain
        Short for: domain
  -domain string
        (*) Domain to request the certificate for
  -e email
        Short for: email
  -email string
        Email address used for the ACME-registration
  -k keysize
        Short for: keysize (default 2048)
  -keysize int
        Keysize of requested certificate (default 2048)
  -l listen
        Short for: listen (default "127.0.0.1:53053")
  -listen string
        Listen address for embedded DNS-server (default "127.0.0.1:53053")
  -p path
        Short for: path
  -path string
        Working directory path (default ".")
  -t timeout
        Short for: timeout (default 90)
  -timeout int
        Timeout in seconds for DNS requests (from LE) (default 60)
  -v verbose (bool)
        Short for verbose (bool)
  -verbose
        Verbose mode (some extra output)
```
The domain (`-d`) is the only mandatory parameter.
If the email parameter is omitted, it defaults to hostmaster@domain.xx (i.e. built from the two rightmost parts of the domain parameter).
- Port to listen on (default 53; this makes it possible to run without root if a firewall redirects it to a port >1024)
- TinyDNS: create an entry like `&_acme-challenge.domain.com::dnsserver.somedomain.com:600` in your config, where `domain.com` is the domain to create the cert for, `dnsserver.somedomain.com` is the FQDN of the host running goacmedns and `600` is the TTL for this record.
- BIND
- Other DNS servers and "providers"

Redirect port 53 on the incoming interface to, for example, 53053 on localhost, and you can run goacmedns as an ordinary user.
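An added, standard-library-only sketch of what the embedded DNS side of such a setup has to do once the delegation above points at it. This is example code, not goacmedns's own (which uses github.com/miekg/dns): parse the single question with bounds checks, and if it is a TXT query for a name we hold, return an authoritative answer; otherwise return NXDOMAIN or an empty NOERROR answer. The record map, its value and the listen address `127.0.0.1:53053` (the program's default) are constructed sample values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"log"
	"net"
	"strings"
)

const typeTXT = 16 // RR type code for TXT (RFC 1035)

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// parseQuestion decodes the single question of a query: lowercase dotted
// QNAME, QTYPE, and the offset just past the question section.
func parseQuestion(msg []byte) (string, uint16, int, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:6]) != 1 {
		return "", 0, 0, errors.New("need a full header with exactly one question")
	}
	off, labels := 12, []string{}
	for {
		if off >= len(msg) {
			return "", 0, 0, errors.New("truncated QNAME")
		}
		l := int(msg[off])
		off++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || off+l > len(msg) { // no compression pointers in a question
			return "", 0, 0, errors.New("bad label in QNAME")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	if off+4 > len(msg) {
		return "", 0, 0, errors.New("truncated QTYPE/QCLASS")
	}
	return strings.ToLower(strings.Join(labels, ".")), binary.BigEndian.Uint16(msg[off : off+2]), off + 4, nil
}

// BuildTXTResponse answers one query from records (owner name -> TXT value).
// Unknown names get NXDOMAIN; a known name asked for another type gets an
// empty NOERROR answer ("name exists, no such RR"). Only the header and
// question are echoed, so any EDNS OPT record in the query is dropped.
func BuildTXTResponse(query []byte, records map[string]string, ttl uint32) ([]byte, error) {
	name, qtype, qend, err := parseQuestion(query)
	if err != nil {
		return nil, err
	}
	resp := append([]byte{}, query[:qend]...) // header + question copied verbatim
	resp[2] = 0x84 | (query[2] & 0x01)        // QR=1, AA=1, RD copied from the query
	resp[3] = 0                               // RA=0, RCODE=NOERROR
	copy(resp[6:12], make([]byte, 6))         // ANCOUNT, NSCOUNT, ARCOUNT = 0
	txt, known := records[name]
	switch {
	case !known:
		resp[3] = 3 // RCODE 3 = NXDOMAIN
	case qtype == typeTXT && len(txt) > 255:
		return nil, fmt.Errorf("TXT value for %s exceeds one 255-byte character-string", name)
	case qtype == typeTXT:
		resp = append(resp, 0xC0, 0x0C)                       // NAME: pointer to the QNAME at offset 12
		resp = be16(be16(resp, typeTXT), 1)                   // TYPE TXT, CLASS IN
		resp = be16(be16(resp, uint16(ttl>>16)), uint16(ttl)) // TTL
		resp = be16(resp, uint16(1+len(txt)))                 // RDLENGTH
		resp = append(resp, byte(len(txt)))                   // one <character-string>
		resp = append(resp, txt...)
		binary.BigEndian.PutUint16(resp[6:8], 1) // ANCOUNT = 1
	}
	return resp, nil
}

// Serve answers UDP queries on addr until the socket fails.
func Serve(addr string, records map[string]string, ttl uint32) error {
	conn, err := net.ListenPacket("udp", addr)
	if err != nil {
		return err
	}
	defer conn.Close()
	buf := make([]byte, 512)
	for {
		n, peer, err := conn.ReadFrom(buf)
		if err != nil {
			return err
		}
		if resp, err := BuildTXTResponse(buf[:n], records, ttl); err == nil {
			conn.WriteTo(resp, peer) // malformed queries are dropped, not guessed at
		}
	}
}

func main() {
	// Constructed sample record; in the real program the value comes from the ACME challenge.
	records := map[string]string{"_acme-challenge.example.com": "constructed-challenge-value"}
	log.Fatal(Serve("127.0.0.1:53053", records, 60))
}
```

With it running, `dig @127.0.0.1 -p 53053 _acme-challenge.example.com TXT` should come back with the AA flag set and the constructed value; any other name gets NXDOMAIN, and a query for another type on the known name gets NOERROR with no answer. The listener binds an explicit IP on purpose: as the known-issues list below notes, binding only ":53053" makes the source address of replies unpredictable.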
Call goacmedns from a script which you put in a crontab job.

```
./goacmedns -d somedomain.com
./goacmedns -d somedomain.com -D
./goacmedns -d somedomain.com -v
./goacmedns -d somedomain.com -l 127.0.0.1:53053
./goacmedns -d somedomain.com -p /etc/ssl/private
```
- Comment the examples above (and maybe some more)
- Implement the LE 2.0 API and wildcard certs when they are released
- Clean up the "code"
- Some testing (and maybe some Go tests...)
- Get some (more) feedback...
- Check out keysize possibilities
- Firewall config examples (for iptables, pf, ipf ...)
- DNS delegation examples for more than TinyDNS
- Should "staging" maybe have its own parameter (staging & S or s)?
- Test if CAA records speed up the "process"
- Eventually add dependencies with dep (right now it's only golang.org/x/crypto/acme and github.com/miekg/dns)
- If the listen IP is not defined (like ":53053"), the DNS service does not send answers from localhost
- Alex @x1ddos, for his snippet
- Peter Hellberg @PeterHellberg, for the "pro tip" of creating an embedded DNS server in Go (with the DNS library in Go by @miekg)
- Miek Gieben @miekg, for the DNS library in Go