
Allow domain overrides for challenge delegation #1

Merged (1 commit), Dec 29, 2020

Conversation

jpeddicord (Contributor)

@jpeddicord jpeddicord commented Dec 29, 2020

This enables delegation of a challenge for a domain (e.g.
my.example.com) to a DuckDNS subdomain (example.duckdns.org) as
described on the LetsEncrypt website. This is useful if your
"main" domain has a difficult DNS API or you'd rather just use
DuckDNS'. Example setup:

my.example.com -> CNAME example.duckdns.org
_acme-challenge.my.example.com -> CNAME example.duckdns.org

DNS challenges will be performed on example.duckdns.org, while the
actual certificate will be issued for my.example.com.


From LE:

Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.

I'm writing up an equivalent commit for caddy-dns/duckdns, too. I've gotten this working on my own home network pretty easily, and figured I'd share the change since it's (IMO) super useful and often much easier to delegate the DNS work to DuckDNS instead of messing with most other providers. At least for home networks, where DuckDNS is mostly used.

Without this change, the domain isn't overridden, and Caddy attempts to ask DuckDNS to update DNS entries for the "main" domain (in the example above, that's my.example.com). DuckDNS has no idea what to do with that, and returns an error.

This enables delegation of a challenge for a domain (e.g.
my.example.com) to a DuckDNS subdomain (example.duckdns.org) as
described on the LetsEncrypt website[1]. This is useful if your
"main" domain has a difficult DNS API or you'd rather just use
DuckDNS'. Example setup:

my.example.com -> CNAME example.duckdns.org
_acme-challenge.my.example.com -> CNAME example.duckdns.org

DNS challenges will be performed on example.duckdns.org, while the
actual certificate will be issued for my.example.com.

[1] https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
@francislavoie (Collaborator)

Huh, that's really interesting. So basically it would work like this?

foo.example.com {
	tls {
		dns duckdns <token> {
			override_domain my-duckdns-domain.duckdns.org
		}
	}

	...
}

@francislavoie francislavoie added the enhancement New feature or request label Dec 29, 2020
@jpeddicord (Contributor, Author)

Exactly -- my snippet in my config looks just like that.

For your example, foo.example.com would be a CNAME to my-duckdns-domain.duckdns.org. You'd then want another CNAME from _acme-challenge.foo.example.com to my-duckdns-domain.duckdns.org. That's all that's needed to get the correct certs.
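
The delegation described in this thread, modeled as an added Go example (this is not the libdns/duckdns provider's code, and the type and function names here are hypothetical). It uses a constructed in-memory record set standing in for public DNS, a `duckdnsUpdater` that, like the real DuckDNS API, can only write TXT values for names under duckdns.org, and a `solveDNS01` helper that mirrors the `override_domain` behaviour: without the override the solver asks DuckDNS to update `_acme-challenge.my.example.com` and is refused; with it the TXT lands on `example.duckdns.org`, where a validator following the CNAME chain finds it. The lookup side also caps CNAME chasing so a mis-configured loop fails instead of spinning.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// records is a constructed, in-memory stand-in for public DNS (not real data).
// Owner names are fully qualified, lower-case, without the trailing dot.
type records struct {
	cname map[string]string   // owner name -> CNAME target
	txt   map[string][]string // owner name -> TXT values
}

// newFixture builds the setup from the PR description:
//   my.example.com                 CNAME example.duckdns.org
//   _acme-challenge.my.example.com CNAME example.duckdns.org
func newFixture() *records {
	return &records{
		cname: map[string]string{
			"my.example.com":                 "example.duckdns.org",
			"_acme-challenge.my.example.com": "example.duckdns.org",
		},
		txt: map[string][]string{},
	}
}

const maxCNAMEHops = 8 // loop guard, as a resolver would apply

// canonicalName follows CNAMEs from name until it reaches an owner that has
// no CNAME; that owner is where the TXT record must actually exist.
func canonicalName(r *records, name string) (string, error) {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	for hop := 0; ; hop++ {
		target, ok := r.cname[name]
		if !ok {
			return name, nil
		}
		if hop >= maxCNAMEHops {
			return "", errors.New("CNAME chain too long; possible loop")
		}
		name = strings.TrimSuffix(strings.ToLower(target), ".")
	}
}

// lookupTXT is the validator's view of DNS-01: TXT at _acme-challenge.<domain>,
// with CNAMEs followed as the DNS standards require.
func lookupTXT(r *records, domain string) ([]string, error) {
	owner, err := canonicalName(r, "_acme-challenge."+domain)
	if err != nil {
		return nil, err
	}
	return r.txt[owner], nil
}

// duckdnsUpdater is a hypothetical model of the DuckDNS update API: it can set
// a TXT value only for a duckdns.org subdomain it controls.
type duckdnsUpdater struct{ r *records }

func (u duckdnsUpdater) SetTXT(owner, value string) error {
	if !strings.HasSuffix(owner, ".duckdns.org") {
		return fmt.Errorf("duckdns: cannot update %q: not a duckdns.org name", owner)
	}
	u.r.txt[owner] = append(u.r.txt[owner], value)
	return nil
}

// solveDNS01 publishes the challenge value for certDomain. With overrideDomain
// empty it targets _acme-challenge.<certDomain>; with it set (the PR's
// override_domain) it targets the duckdns.org name the CNAMEs point at.
// Returns the owner name it tried to update.
func solveDNS01(u duckdnsUpdater, certDomain, overrideDomain, value string) (string, error) {
	owner := "_acme-challenge." + strings.TrimSuffix(certDomain, ".")
	if overrideDomain != "" {
		owner = strings.TrimSuffix(overrideDomain, ".")
	}
	return owner, u.SetTXT(owner, value)
}

// hasValue reports whether the validator's TXT answer contains the expected token.
func hasValue(vals []string, want string) bool {
	for _, v := range vals {
		if v == want {
			return true
		}
	}
	return false
}

func main() {
	r := newFixture()
	u := duckdnsUpdater{r: r}
	const token = "constructed-key-authorization-digest" // constructed sample value

	// Without override: DuckDNS is asked to update the "main" domain and refuses.
	if _, err := solveDNS01(u, "my.example.com", "", token); err != nil {
		fmt.Println("no override:", err)
	}
	// With override_domain: TXT is set on example.duckdns.org.
	owner, err := solveDNS01(u, "my.example.com", "example.duckdns.org", token)
	fmt.Println("override:", owner, err)

	vals, err := lookupTXT(r, "my.example.com")
	fmt.Println("validator sees:", vals, hasValue(vals, token), err)
}
```

The check worth keeping from this is the last one: after the provider reports success, query TXT for `_acme-challenge.<your domain>` the way the CA does (following CNAMEs) and confirm the token is visible there, rather than trusting that the update landed on the right name.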

@francislavoie (Collaborator)

Very cool. TIL. Thanks!

Surprised to get a PR only like a week after publishing this repo 😅

@francislavoie francislavoie merged commit cd405ff into libdns:master Dec 29, 2020
@jpeddicord (Contributor, Author)

jpeddicord commented Dec 29, 2020

Haha yeah the timing is funny. I found out about Caddy in general this week while off on holiday and wanted to try things out. Love some fresh new code. :)

@francislavoie (Collaborator)

francislavoie commented Dec 29, 2020

Awesome! Feel free to come hang out on the forums for any discussion/question you might have https://caddy.community

I'll await your followup PR on https://github.com/caddy-dns/duckdns 😁

@cameronelliott (Contributor)

This is a cool PR! I learned something new today! 🚀
