support several DNS providers at once #2104
Comments
Hello, the topic has already been discussed several times: #1342, #1232, #605, #331, #1736, and traefik/traefik#5472
The env vars are not really configurable in the way you're thinking: some providers' configuration is more complex to handle than env vars inside lego. This is not trivial, and for now, I don't have a solution (I have already spent a lot of time on this). Duplicate of #1342
Just a note: a solution can be to use CNAME: you add CNAMEs redirecting to only one domain, and you will only need one account. If you have
Wow, sorry, 7 issues on the same topic, yes, my bad. At least I'm the 5th to overlook that it had already been requested 🤣 I haven't looked at all providers so I can understand that some might need more than env vars, but I also see that env vars are enough for many, and they don't overlap between providers. Anyhow, I still believe many people want this, and in my case the CNAME is not practical sadly, so I'm left with repeating my routers twice to change their certresolver... Hope these other issues find a solution 😁
How do you use lego?
Through Traefik
Detailed Description
The idea here is to allow getting a single cert valid for example.com and other.com where each domain has its own registrar.
Say example.com was registered at cloudflare; one needs to use the proper DNS API to set the ACME magic TXT record.
Say other.com was registered at porkbun because it was way cheaper at the time, so again, the porkbun API has to be used.
With traefik today, probably because lego doesn't support it, one needs to create 2 routers and specify 2 certresolvers, one for each DNS API, and you end up having 2 certificates, one for each name.
Now wouldn't it be cool if you could have lego make a single ACME order for CN a.example.com and SAN b.other.com, then solve each DNS challenge with the appropriate DNS API, and finally get the cert from letsencrypt?
Traefik will then need some enhancement to make this link when it's setting up Lego, so that cloudflare-dns is good for example.com and porkbun-dns is good for other.com.
In fact, Lego must first be modified to actually be able to indicate which domain(s) a DNS solver is good for.
But I see nothing preventing this from existing.
One caveat though: I believe letsencrypt will deny requests that contain more than 1 wildcard. Lego shouldn't prevent it, since other ACME servers could gladly accept this, but users will need to be careful not to want too much. With traefik it's easy not to use wildcards anyway.
With this feature one could set its default router rule to be "containername.example.com OR containername.other.com", both at the same time, and if some domain remains hardcoded in the application, the browser won't even have to open a new TLS session with the same traefik just to be served another certificate, just because the dns-challenge step was different for both FQDNs...
Didn't find anything similar in the previous issues, pardon me if I missed something.
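As an added illustration (not code from lego or Traefik) of what "indicate which domain(s) a DNS solver is good for" could look like: a routing provider that holds one DNS API client per zone, picks the longest matching zone for each authorization, and refuses names that no configured account is allowed to edit. The Provider interface is a local redeclaration of the shape of lego's challenge.Provider, and StubProvider and the zone names are constructed for this example.

```go
package main

import "fmt"
import "strings"

// Provider mirrors lego's challenge.Provider shape; redeclared to run stand-alone.
type Provider interface {
	Present(domain, token, keyAuth string) error
	CleanUp(domain, token, keyAuth string) error
}
// StubProvider is a constructed stand-in for a real DNS API client (cloudflare,
// porkbun, ...); Name records which registrar API it would call.
type StubProvider struct{ Name string }
func (StubProvider) Present(_, _, _ string) error { return nil }
func (StubProvider) CleanUp(_, _, _ string) error { return nil }
// ZoneRouter maps each zone to the one provider allowed to edit it and sends
// every DNS-01 authorization to the provider of its longest matching zone.
type ZoneRouter struct{ Zones map[string]Provider }

// Select picks the provider for domain ("*.x" matches zone "x" via the suffix
// rule), failing closed when nothing matches instead of using a wrong account.
func (r *ZoneRouter) Select(domain string) (Provider, string, error) {
	d, best, bestN := strings.ToLower(strings.Trim(domain, ".")), "", ""
	for zone := range r.Zones {
		z := strings.ToLower(strings.Trim(zone, "."))
		if (d == z || strings.HasSuffix(d, "."+z)) && len(z) > len(bestN) {
			best, bestN = zone, z
		}
	}
	if best == "" {
		return nil, "", fmt.Errorf("no DNS provider configured for %q", domain)
	}
	return r.Zones[best], best, nil
}

// Present and CleanUp make ZoneRouter itself a Provider, so the ACME client
// can be handed one object that fans out to the right DNS API per name.
func (r *ZoneRouter) Present(domain, token, keyAuth string) error {
	p, _, err := r.Select(domain)
	if err != nil {
		return err
	}
	return p.Present(domain, token, keyAuth)
}
func (r *ZoneRouter) CleanUp(domain, token, keyAuth string) error {
	p, _, err := r.Select(domain)
	if err != nil {
		return err
	}
	return p.CleanUp(domain, token, keyAuth)
}
```

The suffix check requires a leading dot, so "notexample.com" does not match the example.com zone, and an order whose names span zones with no configured provider fails before any record is written.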