Open tlimoncelli opened 2 years ago
IzumiSenaSora
commented
2 years ago Its really a good feature!... We can manage all domain related things like (manage dns + certificate) in one place!... Please for now don't remove it!.... Unless it breaks!
juliusrickert
commented
2 years ago I didn't even know this feature existed. What were the motivations behind including this functionality into DNSControl?
I think this should not be the concern of DNSControl. For me, DNSControl is an application that is intended to be primarily run in CI. Thus, I don't see how issuing certificates would be beneficial. This is a concern of a load balancer or any other public-facing server.
There are other projects that are better at fulfilling this need, e.g., cert-manager.
On that note: I'm also not quite sure whether I like the deep integration with Cloudflare's redirects and workers. But I can see how that's related to DNSControl's goal. Both are redirects/routes in a way.
tlimoncelli
commented
2 years ago Please for now don't remove it!.... Unless it breaks!
Removing it when it breaks sounds like a terrible idea. People would be stranded. We'd rather give people advanced warning so they can remove it on their schedule. (Which is why we're starting the discussion now.)
tlimoncelli
commented
2 years ago I didn't even know this feature existed. What were the motivations behind including this functionality into DNSControl?
The motivation was: Let's Encrypt DNS01 requires the ability to talk to your DNS Provider, and dnscontrol already does that, it seems like a good match.
IzumiSenaSora
commented
2 years ago Please for now don't remove it!.... Unless it breaks!
Removing it when it breaks sounds like a terrible idea. People would be stranded. We'd rather give people advanced warning so they can remove it on their schedule. (Which is why we're starting the discussion now.)
Oh Sorry i'm not giving any idea!... i'm just saying if no one step forward to maintain it!... Then maybe removing it is only option! BTW I'm bad in English
IzumiSenaSora
commented
2 years ago I didn't even know this feature existed. What were the motivations behind including this functionality into DNSControl?
I think this should not be the concern of DNSControl. For me, DNSControl is an application that is intended to be primarily run in CI. Thus, I don't see how issuing certificates would be beneficial. This is a concern of a load balancer or any other public-facing server.
There are other projects that are better at fulfilling this need, e.g., cert-manager.
On that note: I'm also not quite sure whether I like the deep integration with Cloudflare's redirects and workers. But I can see how that's related to DNSControl's goal. Both are redirects/routes in a way.
It's useful! At least in Private ORG's Cause self sign cert need extra step to Add root cert manually in every browser!... But if we just generate lets encrypt cert which every browser/phone supports already!... So accessing private websites via VPN to work remotely this feature needed!... We can generate lets encrypt cert via dns verification instead of certbot like function which need http verification maybe 🤔 but work websites which is private so let's encrypt can't access those site to verify!... So dns verification to generate let's encrypt cert is useful
juliusrickert
commented
2 years ago Cause self sign cert need extra step to Add root cert manually in every browser!
That's not what I was trying to suggest, sorry for causing confusion here. Please do not modify trust stores and use services like Let's Encrypt! I'm fully encouraging using Let's Encrypt and other CAs supporting ACME!
We can generate lets encrypt cert via dns verification instead of certbot like function which need http verification maybe
Certbot supports DNS01 domain verification too. I think DNS01 is supported by all major ACME clients.
So there's really no benefit in using DNSControl.
The other tools are more widely used for this purpose too, so finding help and integrations is a lot easier with them.
tlimoncelli
commented
2 years ago I've decided to deprecate this feature.
I haven't set a specific date but it will most likely be early 2023.
I'd like to thank @captncraig for the original implementation. It's high quality code and one of the first DNS-01 implementations.
smehrens
commented
1 year ago certbot uses python plugins for the dns request.
I think -without having python knowledge- it would be easy to write a plugin for dnscontrol.
I took a look at https://github.com/siilike/certbot-dns-standalone and it seems no magic.
In this case certbot would do all the certificate stuff and dnscontrol would publish and remove the dns records for verification.
just my two cents.
tlimoncelli
commented
1 year ago certbot uses python plugins for the dns request.
I haven't counted lately but last I checked, certbot supported more providers than DNSControl. What would the benefit be of having certbot call dnscontrol?
smehrens
commented
1 year ago It makes it easier to configure certbot, if you already have configured DNSControl.
Less configfiles with dns provider api keys.
Just convience.
I think "DNSControl will achieve world domination" smile and will soon support more provider then certbot. grin
tlimoncelli
commented
1 year ago I hate to be a bummer but... I'm not interested in world domination. I'm interested in doing a few specific tasks well. A tight-coupling between certbot and dnscontrol sounds like a support nightmare.
cafferata
commented
5 months ago This feature is frozen and will be removed in early 2023. docs.dnscontrol.org/commands/get-certs
@tlimoncelli, should we phase out this feature?
tlimoncelli
commented
5 months ago Update: get-certs/ACME support is frozen and will be removed without notice between now and July 2025.
We are considering removing this feature in the future.
Why:
Post your thoughts in the comments.
DECISION:
get-certs/ACME support is frozen and will be removed without notice between now and July 2025.