Is DNS challenge possible with freedns.afraid.org?

Linguini9394 · October 31, 2024, 3:05pm

1. The problem I’m having:

I want to have my certificates to my internal services renew without having to open ports. My DNS provider is freedns.afraid dot org which is on the easily integrate list but not in the caddy modules list.

This freedns.afraid.org docker image could automate getting the certificates but the certificates need to be in caddy.

I’m a caddy noob so sorry if this is obvious. This tutorial explains it for cloudflare which is on the caddy modules list.

2. Workaround:

Manually open/forward ports host by host roughly every 80 days and restart caddy then close the ports after certificate renewal is done for another 80 days.

Bruce5051 · October 31, 2024, 3:18pm

Hi @Linguini9394,

That shows only acme.sh and Posh-ACME as the only ACME Clients.

Also while being a helpful list, sometimes a taking it with a grain of salt can be prudent.

Edit:
The suggested Workaround only works for non-wildcard certificates,
as wildcard certificates can only be issued via DNS-01 challenge (well at least for Let’s Encrypt).

Linguini9394 · October 31, 2024, 4:22pm

The docker-certbot-freedns mentioned in the OP provides certbot support through a --manual-auth-hook script. Does certbot support for freedns help?

Good point, I’m not using any wildcard certificates which are not free on freedns.

Bruce5051 · October 31, 2024, 5:24pm

Good question, probably best asked on GitHub - TRPB/docker-certbot-freedns: A docker image for DNS certbot renewals for freedns.afraid.org their support channels.

Also there is that grain of salt I mentioned.

Linguini9394 · November 1, 2024, 4:32am

It seems freedns has limitations according to Posh-ACME.

Any suggestions for free DNS providers known to work well with caddy’s letsencrypt DNS challenge certificate renewals?

Bruce5051 · November 1, 2024, 3:49pm

Kindly wait for more knowledgeable Caddy community volunteers to assist.

Bruce5051 · November 2, 2024, 3:14am

Hi @Linguini9394,

Here is a free DNS provider
https://desec.io/

kailalacresha · November 2, 2024, 5:11am

Community admin will tell about it.

Linguini9394 · November 2, 2024, 8:29pm

I’ve migrated one host which uses acme.sh from freedns to duckdns and DNS challenge certificate renewal with no open ports works.

I have two other hosts using caddy in a docker container that I’ll try to migrate next to duckdns or deSEC as both are on the caddy modules list. Caddy in docker is a black box to me that just works so it will take some learning…

Linguini9394 · November 6, 2024, 9:30pm

In conclusion I gave up on freedns (doesn’t do free dns callenge) and duckdns (unreliable free dns callenge) and bought a cheap 1.111B Class domain and manage it with free cloudflare.

This caddy-cloudflare docker image allowed me to migrate my two html challenge caddy hosts to dns challenge.

To get it to work I had to add a Caddyfile where the vanilla caddy docker image was working in html challenge without me adding one.

{$DOMAIN} {
        # Proxy everything to Rocket
        reverse_proxy myappcontainer:80
        tls {
                dns cloudflare {$CLOUDFLARE_API_TOKEN}
        }
}

Time to enjoy automatic certificate renewals with no open ports in my homelab.