Register endpoint with configurable subdomain #338
Comments
Depending on where you host your DNS zone, you can already do that with some tooling. I think having the subdomain be defined manually by human intervention is just asking for trouble.
The point of ACME-DNS is to be able to automate renewal of TLS certificates with DNS-01 challenges securely: without storing a high-privilege API token on the server that needs the TLS certificates (see the article from the EFF: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation). If the DNS hosting provider is already providing an API token with restricted permissions (update of a given TXT record only), then I do not need ACME-DNS. If the DNS hosting provider is providing me with a high-privilege API token, then I am back with the problem that ACME-DNS was trying to solve initially. So I do not understand how the solution you propose brings any value.
What would those troubles be?
Certificate issuance and subdomain registration are already separate. When and how you perform those steps depends on the ACME client. Is there a particular ACME client you're using? On the first run, LEGO's acme-dns provider will call acme-dns doesn't need any changes to support this, although your ACME client may. I may be able to point you in the right direction.
Presumably name collisions and ownership issues. If you're picking a subdomain name without checking if it's already been assigned then someone else may already own it. If you set up the CNAME then someone else can issue certificates for your domain. Even if you try to use an unguessable UUID, an attacker can look at your DNS records to see the dangling CNAME, then try to register the subdomain before you can. The only way to do this safely is to register the subdomain with acme-dns before you set the CNAME. This way you know that no one else has credentials for the subdomain. Since you need to call
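The safe order described in the comment above (register with acme-dns first, only then create the `_acme-challenge` CNAME, then verify it points at the subdomain you own), as an added example that is not acme-dns's own code and not from anyone in this thread. It assumes the acme-dns `POST /register` API as documented by the project (a JSON response carrying `username`, `password`, `fulldomain` and `subdomain`), an acme-dns host at `auth.example.org`, and the constructed zone records below; the HTTP call is injected so the script runs offline against a stand-in server. It also goes slightly beyond the comment with a zone audit that flags `_acme-challenge` CNAMEs pointing into the acme-dns zone at subdomains you never registered, which is exactly the dangling-CNAME condition the comment warns about.

```python
"""Register-before-CNAME workflow for acme-dns, plus a dangling-CNAME audit.

Added example, not acme-dns project code. Assumed: the acme-dns /register
API shape from the project README, host auth.example.org, constructed data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Injected HTTP function: post(url, json_body) -> (status_code, json_response).
# In production this would wrap requests.post(...); here it lets us run offline.
Poster = Callable[[str, dict], Tuple[int, dict]]

ACME_DNS_URL = "https://auth.example.org"          # assumed acme-dns instance
ACME_DNS_SUFFIX = "auth.example.org"               # zone acme-dns answers for
CHALLENGE_LABEL = "_acme-challenge"


def register_subdomain(post: Poster, allowfrom: Optional[List[str]] = None) -> Dict[str, str]:
    """Step 1: obtain a fresh subdomain and its credentials BEFORE touching DNS.

    'allowfrom' optionally restricts which CIDRs may later update the TXT record
    (a real acme-dns option). acme-dns answers 201 Created on success.
    """
    body = {"allowfrom": allowfrom} if allowfrom else {}
    status, resp = post(ACME_DNS_URL.rstrip("/") + "/register", body)
    if status != 201:
        raise RuntimeError(f"acme-dns register failed with HTTP {status}")
    for key in ("username", "password", "fulldomain", "subdomain"):
        if key not in resp:
            raise RuntimeError(f"acme-dns response missing '{key}'")
    return resp


def cname_record(domain: str, registration: Dict[str, str]) -> str:
    """Step 2: the record to create, built only from a successful registration."""
    return f"{CHALLENGE_LABEL}.{domain}. IN CNAME {registration['fulldomain']}."


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def cname_is_correct(resolved_target: str, registration: Dict[str, str]) -> bool:
    """Step 3: confirm the live CNAME target is the subdomain we hold credentials for."""
    return _norm(resolved_target) == _norm(registration["fulldomain"])


def find_dangling_challenge_cnames(zone: List[Tuple[str, str, str]],
                                   owned_fulldomains: List[str]) -> List[str]:
    """Audit: _acme-challenge CNAMEs into the acme-dns zone that we never registered.

    zone entries are (name, rtype, target). Such a CNAME lets whoever registers
    that subdomain first pass DNS-01 for the covered name.
    """
    owned = {_norm(f) for f in owned_fulldomains}
    dangling = []
    for name, rtype, target in zone:
        if rtype != "CNAME" or not _norm(name).startswith(CHALLENGE_LABEL + "."):
            continue
        if not _norm(target).endswith("." + ACME_DNS_SUFFIX):
            continue                      # points somewhere else; out of scope here
        if _norm(target) not in owned:
            dangling.append(name)
    return dangling


# --- constructed stand-in for the acme-dns server, used only for offline runs ---
FAKE_SUBDOMAIN = "8e5700ea-a4bf-41c7-8a77-e990661c1d1c"   # constructed value


def fake_acme_dns_post(url: str, body: dict) -> Tuple[int, dict]:
    if not url.endswith("/register"):
        return (404, {})
    return (201, {"username": "constructed-user", "password": "constructed-pass",
                  "fulldomain": f"{FAKE_SUBDOMAIN}.{ACME_DNS_SUFFIX}",
                  "subdomain": FAKE_SUBDOMAIN,
                  "allowfrom": body.get("allowfrom", [])})


# Constructed zone for the audit: one correct CNAME, one dangling one, one unrelated.
SAMPLE_ZONE = [
    ("_acme-challenge.www.example.com.", "CNAME", f"{FAKE_SUBDOMAIN}.{ACME_DNS_SUFFIX}."),
    ("_acme-challenge.api.example.com.", "CNAME", "0f0f0f0f-0000-4000-8000-000000000000.auth.example.org."),
    ("_acme-challenge.old.example.com.", "CNAME", "validation.other-provider.test."),
    ("www.example.com.", "A", "192.0.2.10"),
]


if __name__ == "__main__":
    reg = register_subdomain(fake_acme_dns_post, allowfrom=["192.0.2.0/24"])
    print("create this record:", cname_record("www.example.com", reg))
    print("live CNAME matches:", cname_is_correct(f"{FAKE_SUBDOMAIN}.{ACME_DNS_SUFFIX}.", reg))
    print("dangling challenge CNAMEs:", find_dangling_challenge_cnames(SAMPLE_ZONE, [reg["fulldomain"]]))
```

Only the registration's `fulldomain` ever feeds the CNAME, so there is no moment at which a record exists for a subdomain nobody holds credentials for; the audit is the detective control for zones where the order was not followed.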
I am interested in using acme-dns but I am wondering something. What are the reasons for acme-dns to choose the subdomain itself? I see an opportunity to automate things even more if I could choose the subdomain myself, in advance.