
support several DNS providers at once #2104

Closed

toxic0berliner opened this issue Feb 8, 2024 · 3 comments

Comments

@toxic0berliner

toxic0berliner commented Feb 8, 2024

Welcome

  • Yes, I've searched similar issues on GitHub and didn't find any.

How do you use lego?

Through Traefik

Detailed Description

The idea here is to allow getting a single cert valid for example.com and other.com where each domain has its own registrar.

Say example.com was registered at cloudflare, one needs to use the proper DNS API to set the ACME magic TXT record.
Say other.com was registered at porkbun because it was way cheaper at the time, so again, use of the porkbun API.

With traefik today, probably because lego doesn't support it, one needs to create 2 routers and specify 2 certresolvers, one for each DNS API, and you end up having 2 certificates, one for each name.

Now wouldn't it be cool if you could have lego make a single ACME order for CN a.example.com and SAN b.other.com, then solve each DNS challenge with the appropriate DNS API, and finally get the cert from letsencrypt?

Traefik will then need some enhancement to make this link when it's setting up Lego so that cloudflare-dns is good for example.com and porkbun-dns is good for other.com.
In fact Lego must first be modified to actually be able to indicate for which domain(s) a DNS solver is good for.

But I see nothing preventing this to exist.

One caveat though: I believe letsencrypt will deny requests that contain more than 1 wildcard, Lego shouldn't prevent it since other ACME servers could gladly accept this, but the users will need to be careful not wanting too much. With traefik that's made easy to not use wildcards anyway.

With this feature one could set its default router rule to be "containername.example.com OR containername.other.com", both at the same time, and if some domain remains hardcoded in the application the browser won't even have to open a new TLS session with the same traefik just to be served another certificate just because the dns-challenge step was different for both FQDNs...

Didn't find anything similar in the previous issues, pardon me if I missed something.

@ldez ldez added the duplicate label Feb 9, 2024
@ldez
Member

ldez commented Feb 9, 2024

Hello,

The topic has already been discussed several times: #1342, #1232, #605, #331, #1736, and traefik/traefik#5472

> But I see nothing preventing this to exist.

The env vars are not really configurable in the way you're thinking: some providers are more complex to handle configuration than env vars inside lego.

This is not trivial, and for now, I don't have a solution (I already spent a lot of time on this).

Duplicate of #1342

@ldez ldez closed this as completed Feb 9, 2024
@ldez
Member

ldez commented Feb 9, 2024

Just a note:

A solution can be to use CNAME: you add CNAMEs redirecting to only one domain, and you will only need one account.

If you have example.org (account foo) and example.com (account bar) you can create a CNAME on example.org called _acme-challenge.example.org pointing to challenge.example.com.
So you need only one account (foo) to handle the challenge for all the accounts/providers.

https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname
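The two mechanisms discussed in this thread, a per-zone mapping from domain to the credential set that may write its DNS-01 record (what the issue asks for) and CNAME delegation of `_acme-challenge` names into a single zone (what the maintainer suggests), can be illustrated with a small model of how a DNS-01 solver decides where the TXT record has to go. The following Go program is an added example written for this page; it is not lego's code and makes no claim about how lego or Traefik resolve CNAMEs. The CNAME and zone tables are constructed sample data, the provider labels are placeholders, and the TXT value computation follows RFC 8555 section 8.4 (base64url of the SHA-256 of the key authorization, no padding).

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample data, not a real zone file. The first two CNAMEs delegate
// the _acme-challenge names of example.org and other.com into example.com, as
// suggested in the thread; the last two form a deliberate loop to exercise the
// error path a solver must handle.
var cnameRecords = map[string]string{
	"_acme-challenge.example.org.": "challenge.example.com.",
	"_acme-challenge.other.com.":   "challenge.example.com.",
	"_acme-challenge.loop.test.":   "loop-b.test.",
	"loop-b.test.":                 "_acme-challenge.loop.test.",
}

// Constructed mapping from zone apex to the credential set allowed to write into
// that zone (placeholder names, not real accounts or provider identifiers).
var zoneProviders = map[string]string{
	"example.com.": "credentials-for-example-com",
	"example.org.": "credentials-for-example-org",
	"other.com.":   "credentials-for-other-com",
}

const maxCNAMEHops = 8

// Placement is where a DNS-01 TXT record for a domain must actually be written.
type Placement struct {
	RecordName string // FQDN of the TXT record after following CNAMEs
	Zone       string // zone apex that contains RecordName
	Provider   string // credential set that can write into Zone
}

func toFQDN(name string) string {
	if strings.HasSuffix(name, ".") {
		return name
	}
	return name + "."
}

// ChallengeFQDN returns the RFC 8555 validation name for a domain; a leading
// wildcard label is dropped because the record is placed on the base name.
func ChallengeFQDN(domain string) string {
	return "_acme-challenge." + toFQDN(strings.TrimPrefix(domain, "*."))
}

// FollowCNAME walks CNAME records until a name has none, rejecting loops and
// over-long chains so a hostile or misconfigured zone cannot stall the solver.
func FollowCNAME(lookup map[string]string, name string) (string, error) {
	seen := map[string]bool{}
	cur := toFQDN(name)
	for hops := 0; hops <= maxCNAMEHops; hops++ {
		if seen[cur] {
			return "", fmt.Errorf("CNAME loop at %s", cur)
		}
		seen[cur] = true
		target, ok := lookup[cur]
		if !ok {
			return cur, nil // no CNAME: this is the name to publish the TXT on
		}
		cur = toFQDN(target)
	}
	return "", errors.New("CNAME chain exceeds maximum hops")
}

// FindZone returns the longest configured zone apex that is a suffix of name.
func FindZone(name string) (string, error) {
	labels := strings.Split(strings.TrimSuffix(toFQDN(name), "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		if _, ok := zoneProviders[candidate]; ok {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("no configured zone for %s", name)
}

// PlacementFor combines the steps: validation name, CNAME delegation, zone
// lookup, and the credential set bound to that zone.
func PlacementFor(domain string) (Placement, error) {
	target, err := FollowCNAME(cnameRecords, ChallengeFQDN(domain))
	if err != nil {
		return Placement{}, err
	}
	zone, err := FindZone(target)
	if err != nil {
		return Placement{}, err
	}
	return Placement{RecordName: target, Zone: zone, Provider: zoneProviders[zone]}, nil
}

// TXTValue is the DNS-01 record content: base64url(SHA-256(keyAuthorization)), unpadded.
func TXTValue(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func main() {
	for _, d := range []string{"a.example.com", "example.org", "*.other.com", "loop.test"} {
		p, err := PlacementFor(d)
		if err != nil {
			fmt.Printf("%-14s error: %v\n", d, err)
			continue
		}
		fmt.Printf("%-14s TXT at %-32s zone %-13s via %s\n", d, p.RecordName, p.Zone, p.Provider)
	}
}
```

With the delegation CNAMEs in place, every name in the example resolves to a record inside example.com, so only that zone's credentials are ever needed; removing the CNAMEs makes the same function return a different zone and provider per domain, which is the per-domain routing the issue describes. The loop and hop-count checks matter because the solver follows records it does not control.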

@toxic0berliner
Author

Wow, sorry, 7 issues on the same yes, my bad. At least I'm the 5th to overlook that it had already been requested 🤣

I haven't looked at all providers so I can understand that some might need more than env vars, but I also see that env vars are enough for many, and they don't overlap between providers.
But reading the other issues it also appears to me the simple solution I had in mind won't work for those wanting to use 2 different accounts on the same DNS provider...

Anyhow, I still believe many people want this, and in my case the CNAME is not practical sadly so I'm left with repeating my routers twice to change their certresolver... Hope these other issues find a solution 😁
