Open Neilpang opened 6 years ago
This mode could also be used for a centralized cert machine (or a third-party website) to issue certs for many users.
This looks brilliant.
One of the things I've been waiting for so long is Cloudflare API keys per sub/domain... sadly now it's for the whole account, so even if using this alias trick, both domains are in the same account, the risk is the same.
@FernandoMiguel you can create a new Cloudflare account which has only one domain for validation.
+1 yes please
Supported in a new branch: https://github.com/Neilpang/acme.sh/tree/alias
export BRANCH=alias
acme.sh --upgrade
Usage is here: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
--domain-alias is added:
https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode#6-challenge-alias-or-domain-alias
It's working for me, although I should mention I'm having some intermittent problems with the CNAME->TXT taking longer than 120 seconds to show up (which is acme.sh's default sleep time). What's really annoying is that sometimes it only takes a few seconds, and sometimes it takes >120 seconds, so I'm not really sure what to suggest here. Maybe just mention it in the README for now?
I should also mention to others who may not realize (@FernandoMiguel) that with this improvement you still must set the $AWS_ environment variables. The difference here is that the access key you set is for the local account only, and we no longer have to request an IAM role/policy from the 3rd-party account (if they would even give it up).
To illustrate what I mean, see here: https://github.com/seanscottking/acme.sh-with-aws-iam-role/blob/master/entrypoint.sh
If your alias domain is on AWS Route53 and you are using the dns_aws API, of course you would need AWS access keys for that account... Nothing changes this.
Agreed, I was commenting on our conversation from the other day that was outside of this comment thread.
It's an idea in an early stage.
As for now, the DNS mode is more popular and important in ACME v2. And a user's main domain may be too critical/sensitive to give its DNS API access to an automatic shell script (say acme.sh). Too many users are concerned about domain security.
Let's Encrypt can check the TXT record through a CNAME record, so one can give the DNS API access to an aliased (proxied) domain to validate the critical main domain.
For example:
The user can set a CNAME like below first:
Then issue the cert like:
The user can only give the API access to the domain myDomainForValidationOnly.com, but not for the main domain. It will be safer.
I'm not sure about the command-line parameter format for alias yet. Just an idea.
It could be like below too:
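The following is an added illustration written for this page; it is not acme.sh code and not part of the thread. It models the validation path described in the proposal above (the CA resolves `_acme-challenge.<main>`, follows the CNAME into a separate zone, and reads the TXT there) and the least-privilege point behind it (the API key the script holds can write only to the alias zone). It also includes a poll-until-visible wait as an alternative to the fixed 120-second sleep that the propagation complaint earlier in the thread describes. The zone names `example.com` and `validation.example.net`, the token value, the `ApiCredential` class and the in-memory `ZONES` table are all constructed for the example.

```python
"""Toy model of DNS-01 validation through a CNAME alias (added example; not
acme.sh code). Zones, token and credential model are constructed."""
import time

# Constructed zones: the main domain delegates its challenge name by CNAME
# into a low-value zone that exists only for validation.
ZONES = {
    "example.com": {
        "_acme-challenge.example.com": [
            ("CNAME", "_acme-challenge.validation.example.net")
        ],
    },
    "validation.example.net": {},
}


class ApiCredential:
    """Constructed stand-in for a DNS-provider API key limited to one zone."""

    def __init__(self, zone):
        self.zone = zone


def zone_of(name):
    """Longest-suffix match of `name` against the zones we know about."""
    matches = [z for z in ZONES if name == z or name.endswith("." + z)]
    if not matches:
        raise KeyError("no zone for " + name)
    return max(matches, key=len)


def lookup(name):
    """Records at `name`, or [] if unknown. Read-only."""
    try:
        return ZONES[zone_of(name)].get(name, [])
    except KeyError:
        return []


def add_txt(name, value, cred):
    """What a dns_* hook does: write a TXT record through the provider API.
    The provider honours the call only if the key is valid for that zone."""
    zone = zone_of(name)
    if cred.zone != zone:
        raise PermissionError(f"key for {cred.zone} cannot write to {zone}")
    ZONES[zone].setdefault(name, []).append(("TXT", value))


def resolve_txt(name, max_hops=8):
    """What the CA does: a TXT lookup that follows CNAMEs like a resolver."""
    for _ in range(max_hops):
        rrs = lookup(name)
        cnames = [target for rtype, target in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # follow the alias to the validation zone
            continue
        return [value for rtype, value in rrs if rtype == "TXT"]
    raise RuntimeError("CNAME chain too long")


def publish_challenge(challenge_alias, token, cred):
    """Alias mode: the token is written under the alias zone, never the main one."""
    add_txt("_acme-challenge." + challenge_alias, token, cred)


def ca_validates(main_domain, token):
    """The CA queries the main domain's challenge name and follows the CNAME."""
    return token in resolve_txt("_acme-challenge." + main_domain)


def wait_for_txt(name, token, timeout=120.0, interval=5.0,
                 clock=time.monotonic, sleep=time.sleep, resolve=resolve_txt):
    """Poll until the token is visible or the deadline passes, instead of a
    fixed sleep. clock/sleep/resolve are injectable so this can be tested."""
    deadline = clock() + timeout
    while True:
        if token in resolve(name):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


if __name__ == "__main__":
    key = ApiCredential("validation.example.net")  # scoped to the alias zone only
    publish_challenge("validation.example.net", "tok-123", key)
    print("validated:", ca_validates("example.com", "tok-123"))
    try:
        add_txt("_acme-challenge.example.com", "x", key)
    except PermissionError as err:
        print("blocked:", err)
```

The point the model makes concrete: the script's credential is never able to touch `example.com`, so a compromise of the host running it can at most write challenge records in the validation zone, while the CA still sees the token because it follows the CNAME the domain owner created once by hand.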