
README: Add Lego to supported clients #94

Merged
merged 2 commits into from
Jul 9, 2018

cpu (Contributor) commented Jul 9, 2018

The Lego ACME client/library supports ACME-DNS as of go-acme/lego@04e2d74 🎉

coveralls commented Jul 9, 2018

Coverage remained the same at 92.244% when pulling 247a38c on cpu:cpu-add-lego-client into 52e977c on joohoi:master.

joohoi (Owner) commented Jul 9, 2018

That's awesome news! Thanks for writing the Lego acme-dns provider!

For this PR: I would prefer alphabetical order for the client entries, could you make that change?

cpu (Contributor, Author) commented Jul 9, 2018

> That's awesome news! Thanks for writing the Lego acme-dns provider!

@joohoi NP! For what it's worth, I switched all of my personal infrastructure over to using Lego + ACME-DNS the other day. Worked great :-) It's nice to be using ACME v2 and wildcard certificates for my own servers finally. Thanks again for the excellent project.

> For this PR: I would prefer alphabetical order for the client entries, could you make that change?

Sure thing, fixed in 247a38c

joohoi (Owner) commented Jul 9, 2018

Sounds good! I wonder if Lego gives DNS providers access to the account details. I have been sketching out a plan to suggest users add a CAA record including the ACME CAA extensions, namely the accounturi, in order to make it safe to use a third-party acme-dns instance.

I'm planning to host a public instance at some point when the ACME CAA extensions are turned on in Let's Encrypt production.

@joohoi joohoi merged commit 8aa869b into joohoi:master Jul 9, 2018
@cpu cpu deleted the cpu-add-lego-client branch July 10, 2018 12:39
cpu (Contributor, Author) commented Jul 10, 2018

> I wonder if Lego gives dns providers access to the account details. I have been sketching out a plan to suggest users to add CAA record including ACME CAA extensions, namely the accounturi in order to make it safe to use third party acme-dns instance.

The Lego acme.ChallengeProvider interface is quite minimal and doesn't pass anything to the provider except the domain in question, the challenge token, and a key authorization string:
https://github.com/xenolf/lego/blob/04e2d74406d42a3727e7a132c1a39735ac527f51/acme/provider.go#L5-L12

It's probably doable, but I think maybe handling it at the challenge provider level vs. as part of the broader client challenge solving process might be a mismatch.

joohoi (Owner) commented Jul 10, 2018

Thanks for the info! It's exactly the same thing with Certbot hooks. It might be easier to just document around it and tell users where to find the account information then.

Ajedi32 (Contributor) commented Jul 10, 2018

> I wonder if Lego gives dns providers access to the account details. I have been sketching out a plan to suggest users to add CAA record including ACME CAA extensions, namely the accounturi in order to make it safe to use third party acme-dns instance.

FWIW, this is a really cool idea.

But why would the provider need access to the account details? Doesn't registering a new domain with acme-dns require manually adding CNAME records to the host CA anyway? That's the step where the CAA record would be added, right? If you're serving the CAA records with acme-dns that doesn't really make it safe to use a third-party instance since a malicious acme-dns server could just alter the CAA record whenever it wants to misbehave.

joohoi (Owner) commented Jul 10, 2018

The idea is to instruct the user to add the correct CAA record to their main zone, as that's where it should be requested from (read: non-acme-dns). To print it out for the user with the CNAME records to add would be great for the UX, but looks like it would involve hopping through quite a few hoops.

Ajedi32 (Contributor) commented Jul 10, 2018

Ah, yeah I see. Yes, it would certainly be nice if the CLI could tell you exactly what CAA record to add.
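The account-bound CAA record joohoi describes, plus the check a CA applies to it, as an added Go example that is not part of acme-dns or Lego. The record belongs in the domain's main zone, not in the zone acme-dns serves, which is why a third-party instance cannot loosen it; the CAARecord type and function names are my own, and the account URL in the test is a constructed placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord is one CAA RR as it should appear in the domain's main zone (not
// in acme-dns). Field names are mine; semantics follow RFC 8659 and RFC 8657.
type CAARecord struct {
	Flags int
	Tag   string // "issue" or "issuewild"
	Value string // "<ca-domain>; accounturi=<acme account URL>"
}

// AccountBoundCAA builds the record the thread suggests printing for the user:
// only caDomain may issue, and only for the ACME account at accountURI.
func AccountBoundCAA(tag, caDomain, accountURI string) CAARecord {
	return CAARecord{Tag: tag, Value: fmt.Sprintf("%s; accounturi=%s", caDomain, accountURI)}
}

// Zone renders the record in zone-file syntax for copy and paste.
func (r CAARecord) Zone(owner string) string {
	return fmt.Sprintf("%s IN CAA %d %s %q", owner, r.Flags, r.Tag, r.Value)
}

// Authorizes applies the RFC 8659 rule to the records of one owner name: may
// caDomain issue for accountURI under tag? (A full check also climbs to parent
// names when this name has no CAA records at all.)
func Authorizes(records []CAARecord, tag, caDomain, accountURI string) bool {
	seen := false
	for _, r := range records {
		if r.Tag != tag {
			continue
		}
		seen = true
		parts := strings.Split(r.Value, ";")
		bound := "" // empty: the record is not bound to any account
		for _, p := range parts[1:] {
			if kv := strings.SplitN(strings.TrimSpace(p), "=", 2); len(kv) == 2 && kv[0] == "accounturi" {
				bound = kv[1]
			}
		}
		if strings.TrimSpace(parts[0]) == caDomain && (bound == "" || bound == accountURI) {
			return true
		}
	}
	return !seen // no record with this tag: issuance is unrestricted
}
```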

jacobmyers-codeninja pushed a commit to jacobmyers-codeninja/acme-dns that referenced this pull request Sep 30, 2020
* README: Add Lego to supported clients

* README: List clients in alpha sort