Please confirm that ACME (as client) + GSS-TSIG is not supported? (rfc-2136 isn't enough)

Hello,

In a totally closed and internal LAN project, I'm trying to use Canasta (one method to install MediaWiki), which uses Caddy. We already have our own ACME server ("step-ca"), and our DNS is served by Microsoft Active Directory. This project does not communicate with the outside world at all.

I was trying to configure the Caddyfile to make Caddy get a certificate from our step-ca server and to use the caddy-dns/rfc2136 plugin (GitHub) to answer the DNS challenge.

This rfc2136 plugin does not meet the requirements of MS-AD DNS, which requires GSS-TSIG authentication (in another context, we are already successfully using a script that does that by getting a Kerberos token before the nsupdate).

At this point, I don't see how I could answer an internal DNS challenge as long as our DNS is Active Directory.

Before looking for another strategy, I would like your opinion on this situation, please.

Thank you.


One possible solution: you could run a self-hosted ACME-DNS server in your network. Caddy has a module for such a server.

Then, in AD DNS, just delegate _acme-challenge.YOUR-DOMAIN via CNAME to that internal ACME-DNS server.

I get LE wildcard certs for my Caddy by using the ACME-DNS SaaS, but you should be able to adjust it for the self-hosted ACME-DNS.
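The CNAME-delegation workaround from the reply above, written out end to end as an added example (this is not code from the thread, from Caddy, or from acme-dns). It registers an account with a self-hosted acme-dns instance, prints the CNAME that has to be created in AD DNS (as the DnsServer PowerShell cmdlet, since that is the side a domain admin types on), emits a Caddyfile that points Caddy at step-ca and uses the acmedns DNS provider, and then pushes a dummy TXT through acme-dns and reads it back through the CNAME. Assumed names: the environment variables ACME_DNS_URL and SITE_HOST, the step-ca directory URL and root-CA path, and the acmedns option names (which are as I recall them from the caddy-dns/acmedns README; check them against the plugin version you build). One caveat the reply does not spell out: the CNAME only helps if the resolver used by the ACME server (here AD DNS, which step-ca will use) can resolve the acme-dns zone, so AD DNS also needs an NS delegation plus a glue A record for that zone pointing at the acme-dns host; the final dig in the script is there to catch exactly that.

```shell
#!/bin/sh
# Added example for the CNAME-delegation workaround; not code from the thread,
# from Caddy or from acme-dns. Assumed names: ACME_DNS_URL (your self-hosted
# acme-dns API, e.g. https://acme-dns.corp.internal), SITE_HOST (the Caddy vhost,
# e.g. wiki.corp.internal), and the step-ca directory URL and root-CA path written
# into the Caddyfile below. The /register and /update API shape and the
# 43-character TXT rule are those of joohoi/acme-dns.
set -eu

# Extract one string field from acme-dns's compact JSON without needing jq.
json_field() {
  # $1 = key, $2 = JSON text
  printf '%s' "$2" | sed -n "s/.*\"$1\":\"\\([^\"]*\\)\".*/\\1/p"
}

# The record the AD DNS admin has to create: _acme-challenge.<host> CNAME <fulldomain>.
# Emitted as the DnsServer PowerShell cmdlet so it can be pasted on a domain controller.
ad_cname_command() {
  # $1 = AD zone (corp.internal), $2 = host label (wiki), $3 = acme-dns fulldomain
  printf 'Add-DnsServerResourceRecordCName -ZoneName %s -Name _acme-challenge.%s -HostNameAlias %s\n' "$1" "$2" "$3"
}

# Caddyfile: global ACME settings point at step-ca instead of Let's Encrypt, and the
# site uses the acmedns DNS provider for the DNS-01 challenge. The acmedns option
# names are those I recall from the caddy-dns/acmedns README (assumption); check
# them against the plugin version you build into Caddy.
caddyfile() {
  # $1 = site host, $2 = acme-dns username, $3 = password, $4 = subdomain, $5 = acme-dns URL
cat <<EOF
{
    # Assumed step-ca ACME directory and root CA (hypothetical host and path).
    acme_ca https://step-ca.corp.internal:9000/acme/acme/directory
    acme_ca_root /etc/caddy/step-ca-root.crt
}

$1 {
    tls {
        dns acmedns {
            username "$2"
            password "$3"
            subdomain "$4"
            server_url "$5"
        }
    }
    reverse_proxy mediawiki:80
}
EOF
}

# Network steps, run only when both variables are set so the pure helpers above
# can also be exercised offline.
register_and_print() {
  reg=$(curl -fsS -X POST "$ACME_DNS_URL/register")
  user=$(json_field username "$reg")
  pass=$(json_field password "$reg")
  sub=$(json_field subdomain "$reg")
  full=$(json_field fulldomain "$reg")
  zone=${SITE_HOST#*.}
  label=${SITE_HOST%%.*}

  echo "# 1. On a domain controller, as a DNS admin:"
  ad_cname_command "$zone" "$label" "$full"
  echo "# 2. Caddyfile (keep the acme-dns credentials out of version control):"
  caddyfile "$SITE_HOST" "$user" "$pass" "$sub" "$ACME_DNS_URL"

  # 3. End-to-end check from a host that uses AD DNS as its resolver (as step-ca does):
  # push a dummy 43-char TXT through acme-dns, then query it via the CNAME. An empty
  # answer means AD DNS is not delegating the acme-dns zone (NS record plus glue A),
  # and DNS-01 validation would fail at step-ca rather than inside Caddy.
  canary=$(printf 'canary%037d' 0)
  curl -fsS -X POST "$ACME_DNS_URL/update" \
    -H "X-Api-User: $user" -H "X-Api-Key: $pass" \
    -d "{\"subdomain\":\"$sub\",\"txt\":\"$canary\"}" >/dev/null
  echo "# 3. TXT seen through the CNAME chain (expect \"$canary\"):"
  dig +short TXT "_acme-challenge.$SITE_HOST"
}

if [ -n "${ACME_DNS_URL:-}" ] && [ -n "${SITE_HOST:-}" ]; then
  register_and_print
fi
```

Run it as `ACME_DNS_URL=https://acme-dns.corp.internal SITE_HOST=wiki.corp.internal sh acme-dns-setup.sh` from a machine whose resolver is AD DNS; without the two variables it only defines the helpers. The acme-dns password is an API key that can update the TXT record for that one subdomain, which is all Caddy needs, so it is a much smaller secret to hand to Caddy than a Kerberos identity that could write arbitrary records into the AD zone.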
