search

NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.87k stars 2.66k forks source link

Ability to edit Let's Encrypt certificate DNS challenge options #3732

Open esand opened 6 months ago

esand commented 6 months ago

Is your feature request related to a problem? Please describe.

Yes - there is currently no way to update the DNS challenge provider or options. If you change DNS providers, you would need to update the DNS challenge settings (if used). Since you can't do this, you have to add a new certificate entry (and remove the old one) which creates a new /etc/letsencrypt folder. If you have other services tied to the specific npm-* folders created (since you can't customize these paths), you would have to update all your other configurations with the new location as well.

Describe the solution you'd like

I would like an Edit option for Let's Encrypt SSL certificates along with Renew now/Download/Delete. This would open the same window as when you create the certificate, but existing settings would be shown and could be edited.

Describe alternatives you've considered

I have considered editing the credential files that are generated, however docs state that the credential information is stored in NPM's database as well, so this would not properly solve the issue. Creating a new certificate entry is not a viable option if you want to avoid having to update paths in other services that are using the certificate.

Additional context

gratiachristi95 commented 6 months ago

As you know dns as well as ssl certification can be hard things to setup and for good reason. It is a good security practice to delete old certificates and get new ones when you switch dns providers due to the keys. You do not want an old key stored on an old dns providers servers. For that reason the current way the project has it set up is the better security practice and adding the feature you described would make this project less secure.

esand commented 6 months ago

@gratiachristi95 I wasn't aware that any SSL keys were stored by the DNS providers in any way at all. From what I understand, using the DNS challenge feature has certbot temporarily create a DNS record so that it can then validate that it exists on the domain, thus proving you actually own the domain, and then after validating you're the owner, it removes the record and issues the certificate.

I was under the impression that the SSL key is stored and generated on my system since that's private info and used to sign (so you don't want others having access to it).

Also, with the ability to edit the certificate's settings (really just toggling DNS challenge, the provider and any settings that go with it such as an API key typically) wouldn't impact the certificate in any way when you do it - it would only update the recorded information and upon renewal would be used instead of what was previously used for the certificate.

If certbot doesn't allow you to modify the info, I can totally understand - and in that case, I'd be just fine with some way to manually specify the "name" of the certificate (npm-1, -2, etc..) so I can replace a previous certificate in /etc/letsencrypt rather than it using whatever the next internal ID is that was generated from the database.

esand commented 5 months ago

To update this feature request, certbot apparently does support changing challenge options. If you want to change challenger choice, you can use the --preferred-challenges option to specify which you prefer, and then specify the relevant challenge options as well.

If certbot supports it, I don't see why this project couldn't either - and as mentioned, it would be a nice improvement for those of us with certs and then change DNS providers.