New DNS provider module

zllovesuki · July 27, 2022, 8:15am

Can I submit a new module? GitHub - zllovesuki/challenger: Hosted ACME challenges via Cloudflare via caddy: dns.providers.challenger

It utilizes Cloudflare to host ACME challenges for other zones via CNAME.

matt · July 27, 2022, 6:56pm

Hey Rachel, cool – thanks for writing a plugin!

Is this the same functionality as dns_challenge_override_domain?

zllovesuki · July 27, 2022, 7:30pm

I don’t quite understand the mechanism of dns_challenge_override_domain, the closest issue I can find is Support for DNS challenge delegation · Issue #4071 · caddyserver/caddy · GitHub

Does it create the TXT challenge under a different domain without the _acme-challenge prefix?

francislavoie · July 27, 2022, 7:55pm

This might explain it better (it was supported directly in the DuckDNS plugin before we added more generalized support in Caddy itself):

Basically it lets you use a DNS provider you do have API access to while a different DNS provider actually controls the zone you care about issuing ACME certificates for, by delegating the challenge authentication to the one you have API access for, via CNAME.

For example, you have access to DuckDNS and it supports TXT records and has a (decent) API for that. But your actual domain is on Google Domains which doesn’t have an API (sigh Google pls) so you can CNAME your “real” domain’s _acme-challenge.mygoogledomain.com to myduck.duckdns.org to make ACME issuers actually read the TXT from DuckDNS instead.

But I have no idea what your goals are here. Is this what you’re trying to solve? I don’t understand what your plugin is trying to do.

zllovesuki · July 27, 2022, 9:18pm

I see. Yes it does the same thing but with cf dns. Possibly this plug-in is redundant for that purpose?

francislavoie · July 27, 2022, 9:27pm

Yeah, you probably don’t need your plugin, because you can use GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare plugin with dns_challenge_override_domain to do the same thing.

zllovesuki · July 27, 2022, 9:45pm

In that case, how would the configuration look like?

Also maybe an idea to make it easier for users to discover these features. I have no idea about the override flag until you mentioned here. Could be a page with common use cases (PM question).

francislavoie · July 27, 2022, 10:27pm

realdomain.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_TOKEN}
		dns_challenge_override_domain cloudflaredomain.com
	}
}

And you need to make sure you set up the CNAME from your _acme-challenge.realdomain.com to cloudflaredomain.com.

Btw, challenge delegation is mentioned in Challenge Types - Let's Encrypt

It’s relatively new, it was merged in March.

But yeah you’re right it could be documented better. I think the best place would be in the How to use DNS provider modules in Caddy 2 wiki I think, which is open for anyone to edit, if you’d like to write it out once you’ve played around with this

zllovesuki · July 27, 2022, 10:40pm

Does the override flag support string replacement? e.g. automatically replace with {domain}.hostedzone.com?

francislavoie · July 27, 2022, 10:50pm

No, because that doesn’t happen at request-time, so that placeholder is not populated.

system · August 26, 2022, 8:16am

This topic was automatically closed after 29 days. New replies are no longer allowed.