New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The Domain Sharing Plan #60
Comments
|
Option 1 is a slam dunk IMHO. Works with letsencrypt and all clients and servers today, with the only downside being one extra DNS record on a custom domain and that if the owner of that domain wants to use dns-01 on their apex themselves they have to remember to restore the CNAME when they are done. |
|
I'm so looking forward to this! I have a user name that relies on my domain (so worldof AT geese) to "make sense". |
|
Continuing our discussion from the Snikket Project Chat, you said you want to do wildcard certificate generation via joohoi/acme-dns. I would like to start work on this. Do you have an architectural design in mind? I'm thinking that |
|
Yes, I think this should be built into snikket-cert-manager. I think it could be enabled by an environment variable, such as The CNAME thing is a little awkward. Here's how I expected it would work:
The primary difficulty I see is, in step 5, the targets of the CNAME records. Out of the box, acme-dns expects you to use randomly-generated domains (because it is often used for scalable mass hosting). However it should be technically possible to seed the acme-dns database with some static records instead of the UUIDs it uses by default. However this may only be possible in unreleased versions of acme-dns as it would require joohoi/acme-dns#243 which has been merged but not yet released. Of course at this point it may be worth a sanity-check: is it still worth using acme-dns vs. a different generic small authoritative DNS server we can integrate with certbot? I haven't researched alternatives, so I can't say at this point. |
|
- `_acme-challenge.example.com CNAME cert.snikket.example.com`
This is the only cnam you need and from it you can get a wildcard.
The primary difficulty I see is, in step 5, the targets of the CNAME
records. Out of the box, acme-dns expects you to use randomly-generated
domains (because it is often used for scalable mass hosting). However it
should be technically possible to seed the acme-
I have a simple setup with uacme and a small shell script hook that always
expects a single hostname as the cnam target I could share. My script uses
cliudflare API to update the DNS but easy to change to whatever other
provider.
|
|
Good point about the wildcard, of course that makes sense. As for the scripts, yes - the problem is the "whatever other provider". The reason for running a small authoritative DNS server ourselves is because it allows us to be provider-independent. If people prefer a provider-specific setup, they can always set up certbot externally to Snikket and mount in the certificates. We just want something that works for as many as people as possible with minimal configuration. |
|
Something like this could maybe also be used: https://github.com/octodns/octodns |
|
I have been playing around with acme-dns, and noticed one thing that might be worth documenting for those who, like me, use Cloudflare as a DNS server.
When I attempted to do the above two steps, I got an error saying, "Non-NS records with that host already exist. (Code: 81055)." I even tried to switch the order around, but that resulted in, "NS records with that host already exist. (Code: 81056)." Another user has reported this issue at joohoi/acme-dns#258, with the conclusion being that Cloudflare does not support glue records (at least not on the free plan); so this approach is not possible. I tried setting up the glue record at my registrar, but that didn't work either. The workaround, as documented in the issue, is to replace the first two steps with:
|
|
Chiming in to say I would love for this to be a feature so I could use my domain for both purposes without a subdomain for Snikket. |
I have tried it when doing DNS for https://github.com/deltachat/chatmail, see deltachat/chatmail#44 Creating both A/AAAA and NS record on the same domain does not work, NS record "delegates" A/AAAA record to this server as well. So if you want to use NS record and run your own DNS server, you need a separate domain for DNS server, e.g. ns.example.org has A record and runs NSD, while snikket.example.org is delegated to it. The best option I found for using a single domain (say snikket.example.org) is to create a subdomain ns.snikket.example.org, run DNS there, delegate chat.snikket.example.org to it and then individually delegate all snikket.example.org records one-by-one to chat.snikket.example.org via CNAME. We do not use this solution in the end as it is quite ugly and print DNS records instead to stdout or file so admin can decide how they want to set them up, e.g. by copying to DNS server or uploading via Hetzner or Cloudflare API. Running anything else on the same domain is not supported. |
People would like to use Snikket with JIDs
@example.comwhile also having an existing website onexample.com. This is currently tricky, particularly when Snikket is running on a different machine.Things that need to happen:
_acme-challengerecordThe text was updated successfully, but these errors were encountered: