go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License
7.58k stars 994 forks

Add the ability to use multiple DNS providers in parallel #2028

Closed jmleddy closed 9 months ago

jmleddy commented 9 months ago

This provider simply chains multiple providers together so that if you're using more than one DNS service, it will validate ACME with both. This solves the problem of updating only one provider and having Let's Encrypt or whoever query the other one, leading to a long wait time for verification if it even happens at all.

This type of config is common when DNS is maintained as text files in repos with tools like DNSControl or OctoDNS for High Availability in case one DNS provider goes down.

Tested with the CLI client:

james@Mac ~/src/lego $ dist/lego --email="sre@mongodb.com" --domains="echo-qa.corp.mongodb.com" --dns="gcloud" --dns="route53" run
2023/10/06 10:53:06 [INFO] [echo-qa.corp.mongodb.com] acme: Obtaining bundled SAN certificate
2023/10/06 10:53:07 [INFO] [echo-qa.corp.mongodb.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/271304397976
2023/10/06 10:53:07 [INFO] [echo-qa.corp.mongodb.com] acme: Could not find solver for: tls-alpn-01
2023/10/06 10:53:07 [INFO] [echo-qa.corp.mongodb.com] acme: Could not find solver for: http-01
2023/10/06 10:53:07 [INFO] [echo-qa.corp.mongodb.com] acme: use dns-01 solver
2023/10/06 10:53:07 [INFO] [echo-qa.corp.mongodb.com] acme: Preparing to solve DNS-01
2023/10/06 10:53:07 [INFO] Found CNAME entry for "_acme-challenge.echo-qa.corp.mongodb.com.": "glb.mongodb.com."
2023/10/06 10:53:08 [INFO] Wait for apply change [timeout: 30s, interval: 3s]
2023/10/06 10:53:11 [INFO] Found CNAME entry for "_acme-challenge.echo-qa.corp.mongodb.com.": "glb.mongodb.com."
2023/10/06 10:53:12 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2023/10/06 10:53:46 [INFO] [echo-qa.corp.mongodb.com] acme: Trying to solve DNS-01
2023/10/06 10:53:46 [INFO] Found CNAME entry for "_acme-challenge.echo-qa.corp.mongodb.com.": "glb.mongodb.com."
2023/10/06 10:53:46 [INFO] [echo-qa.corp.mongodb.com] acme: Checking DNS record propagation using [8.8.8.8:53 8.8.4.4:53]
2023/10/06 10:53:48 [INFO] Wait for propagation [timeout: 3m0s, interval: 2s]
2023/10/06 10:53:55 [INFO] [echo-qa.corp.mongodb.com] The server validated our request
2023/10/06 10:53:55 [INFO] [echo-qa.corp.mongodb.com] acme: Cleaning DNS-01 challenge
2023/10/06 10:53:55 [INFO] Found CNAME entry for "_acme-challenge.echo-qa.corp.mongodb.com.": "glb.mongodb.com."
2023/10/06 10:53:56 [INFO] Found CNAME entry for "_acme-challenge.echo-qa.corp.mongodb.com.": "glb.mongodb.com."
2023/10/06 10:53:57 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2023/10/06 10:54:27 [INFO] [echo-qa.corp.mongodb.com] acme: Validations succeeded; requesting certificates
2023/10/06 10:54:28 [INFO] [echo-qa.corp.mongodb.com] Server responded with a certificate.
james@Mac ~/src/lego $ 

related to #1342
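As an added illustration of the chaining idea described in this PR (example code written for this page, not the PR's implementation and not lego's own code), the block below shows a composite provider that fans `Present` and `CleanUp` out to several DNS providers concurrently. It declares a local `Provider` interface with the same method set as lego's `challenge.Provider` so it compiles without the lego module (a real lego provider satisfies it unchanged, since Go interfaces are structural); the in-memory `memProvider`, its `fail` switch and the sample domain are constructed stand-ins. The part the paragraph above does not spell out is the failure mode: if one service's API is down, a naive fan-out leaves the challenge TXT published at the other service only, which is exactly the "CA queries the wrong one" situation the PR is trying to avoid, so this version rolls back the providers that succeeded and reports every error rather than only the first.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// Provider mirrors the method set of lego's challenge.Provider. It is declared
// locally (an assumption of this example) so the file builds without lego.
type Provider interface {
	Present(domain, token, keyAuth string) error
	CleanUp(domain, token, keyAuth string) error
}

// MultiProvider publishes the same DNS-01 challenge through every wrapped
// provider, so whichever authoritative server the CA queries can see it.
type MultiProvider struct {
	Providers []Provider
}

// fanOut runs op against every provider concurrently and returns the
// per-provider errors, index-aligned with m.Providers.
func (m *MultiProvider) fanOut(op func(Provider) error) []error {
	results := make([]error, len(m.Providers))
	var wg sync.WaitGroup
	for i, p := range m.Providers {
		wg.Add(1)
		go func(i int, p Provider) {
			defer wg.Done()
			results[i] = op(p)
		}(i, p)
	}
	wg.Wait()
	return results
}

// joinErrors collapses the non-nil entries into one error (nil if none), so a
// failure at one provider never hides a failure at another.
func joinErrors(stage string, errs []error) error {
	var msgs []string
	for i, err := range errs {
		if err != nil {
			msgs = append(msgs, fmt.Sprintf("%s provider %d: %v", stage, i, err))
		}
	}
	if len(msgs) == 0 {
		return nil
	}
	return fmt.Errorf("%s", strings.Join(msgs, "; "))
}

// Present creates the record everywhere. If any provider fails, the record is
// rolled back on those that succeeded, so a failed Present never leaves the
// challenge TXT published at one DNS service but not the other.
func (m *MultiProvider) Present(domain, token, keyAuth string) error {
	results := m.fanOut(func(p Provider) error { return p.Present(domain, token, keyAuth) })
	err := joinErrors("present", results)
	if err == nil {
		return nil
	}
	rollback := make([]error, len(results))
	for i, r := range results {
		if r == nil {
			rollback[i] = m.Providers[i].CleanUp(domain, token, keyAuth)
		}
	}
	if rb := joinErrors("rollback", rollback); rb != nil {
		return fmt.Errorf("%v; %v", err, rb)
	}
	return err
}

// CleanUp removes the record from every provider and reports every failure.
func (m *MultiProvider) CleanUp(domain, token, keyAuth string) error {
	return joinErrors("cleanup", m.fanOut(func(p Provider) error { return p.CleanUp(domain, token, keyAuth) }))
}

// memProvider is a constructed in-memory stand-in for a DNS API; fail simulates
// an outage. A real provider stores the challenge's computed TXT value rather
// than keyAuth itself; here the stored value is only a marker. Each provider
// is touched once per fanOut and rollback runs after wg.Wait, so no lock is needed.
type memProvider struct {
	records map[string]string
	fail    bool
}

func newMem(fail bool) *memProvider { return &memProvider{records: map[string]string{}, fail: fail} }

func (p *memProvider) Present(domain, token, keyAuth string) error {
	if p.fail {
		return fmt.Errorf("simulated API outage")
	}
	p.records["_acme-challenge."+domain] = keyAuth
	return nil
}

func (p *memProvider) CleanUp(domain, token, keyAuth string) error {
	delete(p.records, "_acme-challenge."+domain)
	return nil
}

// Has reports whether the challenge record for domain is currently published.
func (p *memProvider) Has(domain string) bool {
	_, ok := p.records["_acme-challenge."+domain]
	return ok
}
```

Wrapping two healthy providers, `Present` publishes the record at both and `CleanUp` removes it from both; wrapping a healthy provider and a failing one, `Present` returns an error that names the failing provider and leaves the healthy one with no stale record. The same error-aggregation rule applies to `CleanUp`, which matters operationally: a leftover `_acme-challenge` TXT at one service is easy to miss when only the other service's error is surfaced.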

ldez commented 9 months ago

Hello,

as you can see, #1342 has been flagged as a question, not an enhancement.

Your approach will be confusing because users want to use the same provider multiple times, not multiple providers.

The best solution in the 2 cases is to use CNAME or just several calls to the CLI.