New acme-dns libdns plugin

Or acme-dns!

2 Likes

There’s currently no acme-dns plugin for Caddy, though. At least not that I know of.

2 Likes

@francislavoie

Would really appreciate your feedback on the hot-off-the-press libdns provider and Caddy plugin:

Please let me know if you need anything to try it out. There’s a tutorial planned on how to protect against bad actors/unauthorized clients trying to use acmedns by using a caddy instance as a reverse proxy for API calls to acmedns.

1 Like

I split off these comments about acme-dns from the other thread, it got off-topic. The original thread had nothing to do with acme-dns at all.

@gcss looks good, at a quick glance! I don’t run acmedns (and I don’t have a reason to right now) so I can’t try it out.

Have you tried it with v2.5.0-beta.1? I think this will pair very nicely with the new DNS challenge delegation feature (See #4071 and dns_challenge_override_domain), although an additional fix is necessary which should land in the next beta to fix this feature (bug in certmagic).

2 Likes

Actually, @gcss I find the config in the caddy-dns module kinda awkward. Having a separate config file is unusual, it’s typically preferred to keep the config inside the actual Caddy config instead of a separate file.

I think it would be okay to do both, i.e. allow a config file, but also allow direct config.

Also, I think the caddy-dns README should link to the libdns module somewhere.

2 Likes

Agreed.

Yes. I can set up a docker-compose file for you that sets up all the services needed to give it a try. You will need to provide the domain name.

Thank you for creating this dedicated thread and looking into this plugin!

1 Like

I’m working on this with @gcss.

I’m thinking, perhaps we should allow three options.

1. How it is now: a config_file_path directive pointing to a file. Makes most sense for people who want to use acme-dns-client.

    tls acmedns {
        config_file_path /etc/acmedns/clientstorage.json
    }

2. The same configuration but directly embedded into caddy.json or Caddyfile:

    tls acmedns {
        config {
            subdomain1.example.com {
                username <username>
                password <password>
                subdomain <subdomain provided by ACME-DNS>
                fulldomain <full domain provided by ACME-DNS>
                server_url <ACME-DNS API URL>
            }
            subdomain2.example.com {
                [...]
            }
        }
    }

With this configuration, libdns/acmedns provider selects which account to use based on zone info and record name. Essentially the same as using a config file.

3. A more minimal configuration that only uses one ACME-DNS account:

    tls acmedns {
        username <username>
        password <password>
        subdomain <subdomain provided by ACME-DNS>
        server_url <ACME-DNS API URL>
    }

In this case, libdns/acmedns will use the ACME-DNS /update endpoint with the given credentials to update TXT values. It will disregard zone and record name.

Does this sound reasonable? Also, what would you think of a 4th option: to allow the config file config_file_path config.json to be either the way it is now, or be a simple configuration with one ACME-DNS account similar to option 3?

1 Like
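To make the two behaviours described above concrete (option 2: pick an account from zone and record name; option 3: push the TXT value to the ACME-DNS /update endpoint with fixed credentials), here is an added example in Go. It is written for this page and is not code from libdns/acmedns, caddy-dns/acmedns or acme-dns itself. The request shape it uses (POST /update, X-Api-User and X-Api-Key headers, a JSON body with subdomain and txt, and a 43-character TXT value) follows the acme-dns API; the type and function names (Account, Config, SelectAccount, Update), the in-process fake acme-dns server, and the two sample accounts are assumptions constructed for the example. Option 3 corresponds to calling Update with one fixed Account and skipping SelectAccount.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Account holds the per-domain fields of the thread's option 2 config block.
type Account struct{ Username, Password, Subdomain, FullDomain, ServerURL string }

type Config map[string]Account // domain a certificate is for -> its acme-dns account

// SelectAccount resolves a libdns-style zone ("example.com.") and relative record
// name ("_acme-challenge.subdomain1") to the account that owns it (option 2).
func (c Config) SelectAccount(zone, name string) (Account, error) {
	fqdn := strings.TrimSuffix(zone, ".")
	if name = strings.TrimSuffix(name, "."); name != "" && name != "@" {
		fqdn = name + "." + fqdn
	}
	// dns-01 records live at _acme-challenge.<domain>; the config is keyed by <domain>.
	domain := strings.TrimPrefix(fqdn, "_acme-challenge.")
	if a, ok := c[domain]; ok {
		return a, nil
	}
	return Account{}, fmt.Errorf("no acme-dns account configured for %s", domain)
}

// Update sets the TXT value through the acme-dns /update endpoint (option 3):
// a POST with X-Api-User / X-Api-Key headers and a {"subdomain","txt"} body.
func Update(client *http.Client, a Account, txt string) error {
	if len(txt) != 43 { // acme-dns only accepts the 43-char base64url dns-01 digest
		return fmt.Errorf("acme-dns requires a 43-character TXT value, got %d", len(txt))
	}
	body, _ := json.Marshal(map[string]string{"subdomain": a.Subdomain, "txt": txt})
	req, err := http.NewRequest(http.MethodPost, strings.TrimSuffix(a.ServerURL, "/")+"/update", bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("X-Api-User", a.Username)
	req.Header.Set("X-Api-Key", a.Password)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("acme-dns /update failed: %s", resp.Status)
	}
	return nil
}

// FakeAcmeDNS is a constructed stand-in for the acme-dns /update endpoint so the
// example runs offline: it checks credentials and records accepted TXT values.
type FakeAcmeDNS struct {
	Accounts map[string]Account // keyed by username
	TXT      map[string]string  // subdomain -> last accepted TXT value
	Server   *httptest.Server
}

func NewFakeAcmeDNS() *FakeAcmeDNS {
	f := &FakeAcmeDNS{Accounts: map[string]Account{}, TXT: map[string]string{}}
	f.Server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Subdomain, Txt string }
		acct, ok := f.Accounts[r.Header.Get("X-Api-User")]
		switch {
		case r.Method != http.MethodPost || r.URL.Path != "/update" || !ok || acct.Password != r.Header.Get("X-Api-Key"):
			http.Error(w, `{"error":"forbidden"}`, http.StatusUnauthorized)
		case json.NewDecoder(r.Body).Decode(&in) != nil || in.Subdomain != acct.Subdomain || len(in.Txt) != 43:
			http.Error(w, `{"error":"bad_subdomain"}`, http.StatusBadRequest) // account may only touch its own subdomain
		default:
			f.TXT[in.Subdomain] = in.Txt
			json.NewEncoder(w).Encode(in)
		}
	}))
	return f
}

// SampleConfig is constructed data: made-up accounts for two domains.
func SampleConfig(serverURL string) Config {
	return Config{
		"subdomain1.example.com": {"user-1", "pass-1", "aaaa1111", "aaaa1111.auth.example.net", serverURL},
		"subdomain2.example.com": {"user-2", "pass-2", "bbbb2222", "bbbb2222.auth.example.net", serverURL},
	}
}

// Demo picks the account for each challenge record and pushes a TXT value;
// it returns the fake server's record of what was set, keyed by subdomain.
func Demo() (map[string]string, error) {
	fake := NewFakeAcmeDNS()
	defer fake.Server.Close()
	cfg := SampleConfig(fake.Server.URL)
	for _, a := range cfg {
		fake.Accounts[a.Username] = a
	}
	txt := strings.Repeat("A", 43) // constructed stand-in for the dns-01 digest
	for _, name := range []string{"_acme-challenge.subdomain1", "_acme-challenge.subdomain2"} {
		if a, err := cfg.SelectAccount("example.com.", name); err != nil {
			return nil, err
		} else if err := Update(fake.Server.Client(), a, txt); err != nil {
			return nil, err
		}
	}
	return fake.TXT, nil
}

func main() { fmt.Println(Demo()) }
```

Demo runs the whole flow against the fake server and returns the per-subdomain TXT map. The fake rejects a wrong X-Api-Key with 401 and a body naming a subdomain other than the authenticated account's with 400, which is the ownership check that keeps one account's credentials from rewriting another account's record; the length check in Update fails fast on anything that is not a dns-01 digest before a request is made.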

@vbsd Thank you for building this! Hat tip to @matt for closing the PR in what seemed like a matter of minutes.

We are really excited to release this to the community - our belief is that this will reduce the attack vector of having to create DNS provider specific tokens to just get certificates. Plus, there are DNS providers out there that don’t have any integrations and this will help address that completely or at least bridge the gap until a DNS provider-specific one is created.

The next step seems to be making this really easy to use and well documented so that anyone with Caddy experience can use it!

@francislavoie Interested in reading your feedback

@matt I was thinking we could do an expert-caddy for this? I am more than happy to write up a draft. Everyone should be reading the expert-caddy anyways :smiley:

2 Likes

Yes, thank you for contributing this module. I hope it will even solve a question raised earlier this week: Central certificate management instance · Issue #4653 · caddyserver/caddy · GitHub – without me having to make complicated changes to Caddy / CertMagic.

Definitely agree it should be documented better. While I reserve writing Expert Caddy articles to myself, I’d be more than happy to see a community wiki on the subject! Anyone can contribute and everyone can benefit from those.

1 Like

All of those options sound fine. I don’t know if they all need to be there though. Do what you think makes sense to start, and it can be expanded upon later if anyone asks for it.

1 Like

I updated github.com/caddy-dns/acmedns to add these options. README.md is also (hopefully) improved.

3 Likes

Is this planned to be in the release/mainstream, or a plugin for Caddy?

Hoping for release/mainstream as it’ll ease private/internal server challenges for me.

2 Likes

Caddy doesn’t bundle any DNS plugins. You’ll need to use xcaddy to build from source, or download it from the Download Caddy page.

2 Likes

This topic was automatically closed after 27 days. New replies are no longer allowed.