New DNS provider module

Can I submit a new module? GitHub - zllovesuki/challenger: Hosted ACME challenges via Cloudflare via caddy: dns.providers.challenger

It utilizes Cloudflare to host ACME challenges for other zones via CNAME.

Hey Rachel, cool – thanks for writing a plugin!

Is this the same functionality as dns_challenge_override_domain?

I don’t quite understand the mechanism of dns_challenge_override_domain, the closest issue I can find is Support for DNS challenge delegation · Issue #4071 · caddyserver/caddy · GitHub

Does it create the TXT challenge under a different domain without the _acme-challenge prefix?


This might explain it better (it was supported directly in the DuckDNS plugin before we added more generalized support in Caddy itself):

Basically it lets you use a DNS provider you do have API access to while a different DNS provider actually controls the zone you care about issuing ACME certificates for, by delegating the challenge authentication to the one you have API access for, via CNAME.

For example, you have access to DuckDNS and it supports TXT records and has a (decent) API for that. But your actual domain is on Google Domains which doesn’t have an API (sigh :roll_eyes: Google pls) so you can CNAME your “real” domain’s _acme-challenge.mygoogledomain.com to myduck.duckdns.org to make ACME issuers actually read the TXT from DuckDNS instead.

But I have no idea what your goals are here. Is this what you’re trying to solve? I don’t understand what your plugin is trying to do.


I see. Yes it does the same thing but with cf dns. Possibly this plug-in is redundant for that purpose?

Yeah, you probably don’t need your plugin, because you can use GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare plugin with dns_challenge_override_domain to do the same thing.

In that case, how would the configuration look?

Also, maybe an idea to make it easier for users to discover these features: I had no idea about the override flag until you mentioned it here. Could be a page with common use cases (PM question).

realdomain.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_TOKEN}
		dns_challenge_override_domain cloudflaredomain.com
	}
}

And you need to make sure you set up the CNAME from your _acme-challenge.realdomain.com to cloudflaredomain.com.

Btw, challenge delegation is mentioned in Challenge Types - Let's Encrypt

It’s relatively new, it was merged in March.

But yeah, you’re right, it could be documented better. I think the best place would be in the How to use DNS provider modules in Caddy 2 wiki, which is open for anyone to edit, if you’d like to write it out once you’ve played around with this :+1:
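As an added example (not code from this thread, from Caddy, or from the cloudflare module), a small Python simulation of how an ACME validator's resolver chases the CNAME from _acme-challenge.realdomain.com to the override domain; it can be used to sanity-check the delegation the config above relies on before a real issuance. The zone data is constructed and the function names are my own.

```python
CHALLENGE_PREFIX = "_acme-challenge."

def follow_cname(records, name, max_hops=8):
    """Chase CNAMEs from name the way an ACME validator's resolver does."""
    seen = set()
    cnames = records.get("CNAME", {})
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = cnames[name]
    return name

def lookup_txt(records, name):
    """TXT values the validator sees for name after CNAME chasing."""
    return records.get("TXT", {}).get(follow_cname(records, name), [])

def delegation_check(records, real_domain, override_domain):
    """Verify the CNAME that dns_challenge_override_domain relies on.

    Caddy writes the TXT record at override_domain itself (no
    _acme-challenge prefix), so _acme-challenge.<real_domain> must
    resolve, via CNAME, to exactly override_domain.
    """
    challenge_name = CHALLENGE_PREFIX + real_domain
    target = follow_cname(records, challenge_name)
    if target != override_domain:
        return False, f"{challenge_name} ends at {target!r}, want {override_domain!r}"
    return True, f"{challenge_name} delegates to {override_domain}"

# Constructed zone data (not real DNS): realdomain.com lives at a provider with
# no API; the cloudflare module publishes the TXT record at cloudflaredomain.com.
# The TXT value is a placeholder for the ACME key-authorization digest.
ZONES = {
    "CNAME": {"_acme-challenge.realdomain.com": "cloudflaredomain.com"},
    "TXT": {"cloudflaredomain.com": ["<key-authorization-digest>"]},
}

if __name__ == "__main__":
    ok, msg = delegation_check(ZONES, "realdomain.com", "cloudflaredomain.com")
    print(("OK   " if ok else "FAIL ") + msg)
    print("validator would read TXT:", lookup_txt(ZONES, "_acme-challenge.realdomain.com"))
```

A CNAME that points at _acme-challenge.cloudflaredomain.com instead of the bare override domain fails the check, since that is not where the TXT record is written.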

Does the override flag support string replacement? e.g. automatically replace with {domain}.hostedzone.com?

No, because that doesn’t happen at request-time, so that placeholder is not populated.