go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

lego allows using subdomain DNS to obtain Let's Encrypt wildcard certificates #2195

Closed aaro-n closed 5 months ago

aaro-n commented 5 months ago

Welcome

How do you use lego?

Docker image

Detailed Description

Problem description

My domain name resolution service uses Huawei Cloud. lego does not support Huawei Cloud DNS now, but I want to use lego to obtain and manage Let's Encrypt certificates. When I was looking for Let's Encrypt documents, I noticed that Let's Encrypt's DNS-01 challenge allows the use of other DNS services. I want to host _acme-challenge to a domain name resolution service provider supported by lego through a subdomain NS. I did not find any description of this when I looked for lego documents and lego's GitHub repository. Maybe my search method is wrong or it is not possible at all.

Solved requirements

  1. lego allows wildcard certificates to be obtained through the _acme-challenge subdomain, and lego does not need to support the DNS resolution service provider's API.
  2. The obtained Let's Encrypt certificate is the same, even if the domain name and DNS resolution service provider are not the same.

Expected method

Huawei Cloud hosts the domain names 1213.xyz and 999.info, Tencent Cloud hosts the domain name 897.com, lego supports Alibaba Cloud's DNS resolution API, so the _acme-challenge subdomain is resolved to Alibaba Cloud via CNAME, and finally lego operates Alibaba Cloud's API to obtain the Let's Encrypt wildcard certificate. The specific steps are as follows:

  1. Huawei Cloud creates the letsencrypt.1213.xy subdomain, Alibaba Cloud adds the domain name letsencrypt.1213.xy, and finally Huawei Cloud hands over the letsencrypt.1213.xy subdomain to Alibaba Cloud via NS.

  2. Huawei Cloud creates CNAME records _acme-challenge.1213.xyz CNAME all.letsencrypt.1213.xy and _acme-challenge.999.info CNAME all.letsencrypt.1213.xy, and Tencent Cloud creates _acme-challenge.897.com CNAME all.letsencrypt.1213.xy

  3. Lego configures Alibaba Cloud's API, and obtains wildcard certificates for 1213.xyz, 999.info, and 897.com by operating the TXT record of all.letsencrypt.1213.xy, and there is only one wildcard certificate.

I don't know if my idea can be realized.

Reference Documents

  1. Let's Encrypt Documentation: Challenge Types
  2. jinhucheung/letscertbot

ldez commented 5 months ago

Hello,

By default, lego already follows CNAME.

You can read the Let's Encrypt articles about that: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname

About Huawei Cloud support, you can follow issue #1543.

aaro-n commented 5 months ago

I did not find this implementation method in the lego document. The lego document has instructions for using the Alibaba Cloud API. The code is as follows:

# Setup using instance RAM role
ALICLOUD_RAM_ROLE=lego \
lego --email you@example.com --dns alidns --domains my.example.org run

# Or, using credentials
ALICLOUD_ACCESS_KEY=abcdefghijklmnopqrstuvwx \
ALICLOUD_SECRET_KEY=your-secret-key \
ALICLOUD_SECURITY_TOKEN=your-sts-token \
lego --email you@example.com --dns alidns --domains my.example.org run

According to my problem description, it should be modified as follows:

# Or, using credentials
ALICLOUD_ACCESS_KEY=abcdefghijklmnopqrstuvwx \
ALICLOUD_SECRET_KEY=your-secret-key \
ALICLOUD_SECURITY_TOKEN=your-sts-token \
lego --email you@example.com --dns alidns --domains 1213.xyz,*.1213.xyz,999.info,*.999.info,897.com,*.897.com run

How can I tell lego to add TXT records to all.letsencrypt.1213.xy instead of adding TXT records to the three subdomains _acme-challenge.1213.xyz, _acme-challenge.999.info and _acme-challenge.897.com? Because these three domains are not all hosted to Alibaba Cloud.

ldez commented 5 months ago

Please read this article: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname

There is no specific lego implementation, we just follow ACME RFCs.

ldez commented 5 months ago

You should use a dedicated domain (ex: _acme-challenge.example.com), this domain should be owned by Alibaba Cloud.

1213.xyz, 999.info, 897.com, etc. should be owned by Huawei Cloud.

You should create a CNAME on _acme-challenge.1213.xyz to redirect to _acme-challenge.example.com; this allows creating certificates for 1213.xyz and *.1213.xyz (but not for *.*.1213.xyz, because the ACME RFC doesn't allow it).

You should create a CNAME on _acme-challenge.999.info to redirect to _acme-challenge.example.com; this allows creating certificates for 999.info and *.999.info (but not for *.*.999.info, because the ACME RFC doesn't allow it).

You should create a CNAME on _acme-challenge.897.com to redirect to _acme-challenge.example.com; this allows creating certificates for 897.com and *.897.com (but not for *.*.897.com, because the ACME RFC doesn't allow it).

As explained in the article: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname
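The thread above describes the mechanism but never shows it concretely: for each requested identifier the ACME client derives the `_acme-challenge` owner name, follows any CNAME chain, and writes the TXT record at the final canonical name, which must lie inside the one zone its DNS API credential can modify. The Go program below is an added illustration written for this page; it is not lego's code and does not reproduce lego's internal API. The CNAME records are constructed in-memory sample data that model the setup from the issue (the `.xy` target name is taken from the issue as written), and the function names `ChallengeName`, `FollowCNAME`, `TXTTargets` and `InZone` are the example's own. It also covers the two failure modes raised in the replies: a wildcard below the first label is rejected, and a CNAME loop is detected instead of followed forever.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample CNAME data (not a real DNS lookup): owner name -> target.
// Three apex domains on different providers alias their _acme-challenge name
// to a single name inside a zone the DNS API credential is allowed to write.
var sampleCNAMEs = map[string]string{
	"_acme-challenge.1213.xyz.": "all.letsencrypt.1213.xy.",
	"_acme-challenge.999.info.": "all.letsencrypt.1213.xy.",
	"_acme-challenge.897.com.":  "all.letsencrypt.1213.xy.",
	// Deliberately broken pair used to exercise loop detection.
	"_acme-challenge.loop.test.": "a.loop.test.",
	"a.loop.test.":               "_acme-challenge.loop.test.",
}

// maxCNAMEHops bounds the chain length so a misconfigured zone cannot stall the client.
const maxCNAMEHops = 10

// fqdn normalises a name to its absolute form with a trailing dot.
func fqdn(name string) string {
	if strings.HasSuffix(name, ".") {
		return name
	}
	return name + "."
}

// ChallengeName returns the DNS-01 owner name for an identifier: the wildcard
// label is stripped first, so example.com and *.example.com share one record.
// A wildcard anywhere else (e.g. *.*.example.com) is not a valid ACME identifier.
func ChallengeName(identifier string) (string, error) {
	name := strings.TrimPrefix(identifier, "*.")
	if name == "" {
		return "", errors.New("empty identifier")
	}
	if strings.Contains(name, "*") {
		return "", fmt.Errorf("identifier %q: only a single leading wildcard label is allowed", identifier)
	}
	return "_acme-challenge." + fqdn(name), nil
}

// FollowCNAME walks the CNAME chain starting at name and returns the final
// canonical name, i.e. where the TXT record must actually be created.
// lookup returns (target, true) when a CNAME exists for the given owner name.
func FollowCNAME(name string, lookup func(string) (string, bool)) (string, error) {
	name = fqdn(name)
	seen := map[string]bool{}
	for hops := 0; hops <= maxCNAMEHops; hops++ {
		if seen[name] {
			return "", fmt.Errorf("CNAME loop detected at %s", name)
		}
		seen[name] = true
		target, ok := lookup(name)
		if !ok {
			return name, nil // no CNAME: this is the canonical name
		}
		name = fqdn(target)
	}
	return "", fmt.Errorf("CNAME chain longer than %d hops", maxCNAMEHops)
}

// TXTTargets maps every identifier to the FQDN that receives its TXT record.
func TXTTargets(identifiers []string, lookup func(string) (string, bool)) (map[string]string, error) {
	out := make(map[string]string, len(identifiers))
	for _, id := range identifiers {
		cn, err := ChallengeName(id)
		if err != nil {
			return nil, err
		}
		target, err := FollowCNAME(cn, lookup)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", id, err)
		}
		out[id] = target
	}
	return out, nil
}

// DistinctTargets lists the unique record names a credential must be able to write.
func DistinctTargets(targets map[string]string) []string {
	set := map[string]bool{}
	for _, t := range targets {
		set[t] = true
	}
	names := make([]string, 0, len(set))
	for t := range set {
		names = append(names, t)
	}
	sort.Strings(names)
	return names
}

// InZone reports whether name is the zone apex or a name below it, which is the
// least-privilege check: the API key should only cover the delegated challenge zone.
func InZone(name, zone string) bool {
	n, z := fqdn(name), fqdn(zone)
	return n == z || strings.HasSuffix(n, "."+z)
}

func main() {
	lookup := func(n string) (string, bool) { v, ok := sampleCNAMEs[n]; return v, ok }
	ids := []string{"1213.xyz", "*.1213.xyz", "999.info", "*.999.info", "897.com", "*.897.com"}
	targets, err := TXTTargets(ids, lookup)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, t := range DistinctTargets(targets) {
		fmt.Printf("TXT record written at %s (in delegated zone: %t)\n", t, InZone(t, "letsencrypt.1213.xy"))
	}
}
```

Run as-is and the six identifiers collapse to a single TXT owner name inside `letsencrypt.1213.xy`, which is why one API credential scoped to that delegated zone suffices and why nothing in the Huawei or Tencent zones needs to be writable by the client.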