Support DNS-based challenge for Lets Encrypt

[arthurzenika]

Letsencrypt certificates can be generated using DNS records see https://certbot-dns-rfc2136.readthedocs.io/en/stable/ for further information.

For internal uses of yunohost (intranet) without a internal PKI it would be nice to have this mechanism available for generating certificates. This would require configuring the keys used to talk to the "public DNS server" of the company.

[alexAubin]

Yes indeed ... the complicated part being the interface with the DNS server. Do you know what kind of protocol / API is used in your example ?

[arthurzenika]

I've managed to get something working for an internal yunohost instance, after running our procedure for certbot-dns (we can contribute some doc at some point if the upstream certbot is not enough)

  120 cd /etc/yunohost/certs/y.intra.logilab.fr
  121  rm crt.pem 
  124  ln -s /etc/letsencrypt/live/y.intra.logilab.fr/cert.pem crt.pem 
  126  rm key.pem 
  127  ln -s /etc/letsencrypt/live/y.intra.logilab.fr/privkey.pem key.pem
  128  ln -s /etc/letsencrypt/live/y.intra.logilab.fr/fullchain.pem ca.pem
  129  rm ca.pem 
  130  ln -s /etc/letsencrypt/live/y.intra.logilab.fr/fullchain.pem ca.pem
  131 systemctl restart nginx

Is there a ticket somewhere to change the certificates from the web UI (for this usecase or when an company has their own PKI) ?

[freechelmi]

Hi , I have a similar problem , YNH is behind firewall and not reachable on 80/443

Currently I redirect both every 3 months for renew LE certificate

AFAIU this feature would enable auto LE cert renew ?

[alexAubin]

Yes, it would allow obtaining a LE certificate without exposing port 80

[alexAubin]

Could be ~doable now that 4.3 allows to interact with registrar API (assuming you provided the corresponding API key)

[arthurzenika]

That would be great news for intranet deployments of yunohost. Thanks for thinking of this issue.

[Tagadda]

acme-tiny won't support DNS-01 challenge.

We could change for acme-hooked which is a fork of acme-tiny ("drop-in replacement") and support DNS challenge.

[scharc]

https://github.com/acmesh-official/acme.sh could solve the problems easily. It comes with a lot of dns apis, is scriptable and the deployhook takes care of restarting services. I am using a custom deploy script to push a wildcard cert to at least 20 different machines (intranet stuff mostly) and I do not want these machines to be known on the certstream.

[alexAubin]

So I was looking into "how to get a Lets Encrypt wildcard certificate", hoping to address https://github.com/YunoHost/issues/issues/1634, and realized this requires the DNS-01 challenge ...

Looking further, I found that there's a PR on acme-tiny repo that implements the DNS-01 challenge (sort of - you need to provide a script). The diff is kinda simple and it wouldnt look too difficult to use this version : https://github.com/diafygi/acme-tiny/pull/238

Of course that would also imply (or you could call it "encourage" ;)) that people would add their DNS API key in YunoHost

[bettyvschmartz]

Having read a number of the related issues such as #2089, #1357 and #1634, I agree that the certificate renewal could do with some further enhancements/improvements.

If one uses subdomains then they're affected by the lack of wildcard renewals, but also I wouldn't personally trust exposing something like Yunohost to the public Internet. So if access is only possible locally or over a VPN then HTTP-01 challenges are also problematic. It's possible to simply workaround with a reverse proxy handling TLS but for most users I suspect it would be nice to have this working in Yunohost and the UI.

In summary, the combination of DNS-01 challenges and supporting the --no-check option would permit a few extra common use cases that seem difficult today.

-- bvs

[maklimcz]

In my use case DNS-01 challenge was the only option, as I want to host yunohost server non-publicly, behind VPN. So I've generated certificate using certbot and then linked generated certs to path in /etc/yunohost/certs/ I guess I need to repeat these steps for renewal.

Possibility of doing that from web admin panel would be really helpful.