-
-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for DNS01 challenges #89
Add support for DNS01 challenges #89
Conversation
Thank you for the contribution, I am a little bit busy at the moment so I apologize in advance for not being able to give this pull request that much of time right now. This is an interesting addition to the feature set of this image, and I think that if we are to support DNS challenges we should include it in the current Debian and Alpine images, so we can probably begin by adding this change directly to them. There is also some strange indentation, so please make sure that it is consistent across the entire file. I have not worked with this type of challenge before, so I would like to do some more research about how we best implement this in a sustainable way in case we want to add more DNS providers. |
I hesitated at first, I didn't know if you wanted to keep the images as small as possible (hence avoiding to add the extra package there). I'm all for adding it in the main package.
Oops, you're right. I've done that from a fresh installed server before updating my vim config, and it tried putting tabs everywhere even though the indentation clearly wasn't. I'll fix that up.
I don't know many of the plugins for DNS01 challenges. I know that Cloudflare is one, and that you can also connect to your local bind for it to refresh your local DNS server automatically. That latter one might be more complicated to implement with containers. That being said, we could support any plugins by using "dns-cloudflare" (the plugin name) in the cert name, for instance (+ the parameter for default plugin to use could be that too). I'll make those changes and update the PR! |
76215ca
to
de0dfb3
Compare
Ok, updated with a more generic approach. From the certbot documentation, we can find the different authenticators using DNS-01:
The question for you @JonasAlfredsson - do we want to add support for all of those ? |
de0dfb3
to
e6227ba
Compare
Last commit adds support for all DNS01 providers listed above, except for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a really good change, I like it and thank you for taking the time to make it.
However, there are some places where some small changes can really improve the flow and readability of the code :)
There is only one concern that I have, and it is described in the very long comment.
As I have said earlier, I have not worked with DNS challenges before, so is there any benefit of doing it in case you are not interested in a wildcard certificate?
e6227ba
to
5bd1a1a
Compare
5bd1a1a
to
f2e893e
Compare
@JonasAlfredsson any other changes needed for this to be mergeable ? :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is starting to look really good.
We should expand the documentation to reflect all of these new features, but that can be done in the future.
Just take a look at the last final touches, and then I think this will be possible to merge :)
The docker images are building correctly, and the code looks like it would be backwards compatible without users doing anything which means that we should probably be able to get away with just a bump to the minor version number. |
Added documentation, and addressed your last comments! As per your question, I'm currently already using my PR-ed container for my server, until we can merge this and get the new version ready so I can revert to using yours ;) - It works well!
|
540c68e
to
ebdbf60
Compare
This makes sure that we read the full pattern as a word, that can be either at the beginning, middle or end of the compared string, and that there won't be any conflict (e.g. dns-cloudflarey would have matched with previous pattern, and won't match with this one)
ebdbf60
to
037a3f3
Compare
04b4fef
to
2d9cdb8
Compare
As another note: I reverted back to use the Alternatively, I could be lowercasing when we're calling the I updated my test containers with this, and things are working on my own nginx container :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once again excellent work!
Very nice to hear that you are able to get it to work on your end :)
The only concern I have now is the changed regex, I think it should at least be consistent with how the RSA/ECC matching works.
I don't really have more comments here and now, so unless you want to add something extra I don't see why this couldn't be merged :) |
I'm fine with that, too!! 🎉 |
This is now merged, and will be built for the |
Just wanted to say thanks, both of you! This was just what I needed; worked like a charm, wildcard cert too 👍 |
Oh my, that was a fast adoption of a new feature. Really nice to hear :) |
I'm setting up some docker containers on my NAS and needed DNS validation since they'll be mostly internal; my thinking was I'd use a single wildcard cert as they'll all be subdomains. (Your timing here was impeccable btw; when I found the repo looking for a simple container with nginx+letsencrypt, your comment this was ready to be merged was just a few hours ago!) Looking at the code, though, it doesn't seem there's a way to have sites share a cert. Not a huge deal since with the way your script automatically parses out sites' domain names, I frankly didn't even need a wildcard (I'm also using it for the Unraid web ui with a small script to copy the cert from the container, but in retrospect I could have just explicitly added its domain). That said it might be a nice improvement, e.g. aggregate cert name→domains before calling |
Alright, glad to hear that this was such a nice coincidence :) But yes, I have also been thinking about how to best handle sharing of a single wildcard certificate over multiple configs/sites. The more difficult part is how to define you want this to be a wildcard certificate. Perhaps we can add something like this:
where we then pick up the wildcard comment and make this request become This discussion should probably continue in the two new issues I have created: |
Created another Dockerfile, pretty much a copy of the normal one, but with dns-cloudflare support so the DNS01 challenge type can be used, and support for wildcard certificates is also possible.