joohoi / acme-dns

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
MIT License
2.13k stars 232 forks

Register multiple domains under single login? #233

Open Harvie opened 4 years ago

Harvie commented 4 years ago

Hello, is it possible to register multiple domains under a single user? So if I have wildcard certificates with lots of altnames, I can simplify my setup by using the same credentials for all altnames in that certificate? I would then put the same CNAME into all of these altname zones...

Maybe the biggest problem is the limit of two TXT records per subdomain. Letsencrypt currently supports up to 100 altnames per certificate. Or maybe the TXT limit could be replaced with a timeout instead (e.g. 10 minutes), so acme-dns will not get clogged if certbot fails to clean up the challenges.

jvanasco commented 4 years ago

I would utilize functionality like that too, but you will need to fork this project to provide it.

The explicit design of this project is to isolate every domain with its own registration and NS record. A login supports 2 entries for the root + wildcard.

bitsofinfo commented 2 years ago

100% would use this. We are using ingresses to trigger the auto issuance of certs based on whatever hosts are listed in the ingress. Right now this manual registration step gets in the way.

jonlundy commented 7 months ago

Hi, just a lead off this question. If I am hosting the same subdomain on two hosts, can they share the same API key? As in, I have example.com hosted on servers in different regions (US, EU, AP) and use GeoIP to direct traffic to each server. Do I use the same API key for each one?

jvanasco commented 7 months ago

can they share the same api key?

They have to by design, which I will get into below – but this is an anti-pattern.

The acme-dns system works like this: Your acme-dns credentials are a dedicated uuid and password. The uuid doubles as your "login" and becomes the unique domain that you CNAME the acme-challenge record onto. Assuming your instance operates as the namespace auth.example.com the UUID would become the leftmost subdomain as "{UUID}.auth.example.com".

In your situation, you would first create a credential pairing for example.com, and would then update the DNS for example.com to CNAME onto the uuid from that credential pairing. You would then install the credentials on each machine; if you did not, then you'd need to update the DNS record every time you need a certificate to reflect the CNAME of the account for the server that is making the request - which defeats the purpose of acme-dns.

This is an anti-pattern though. All of your servers should be sharing a single Certificate. Only one region should obtain the certificate, and you should deploy that certificate onto the other regions once it is procured. There are several servers/gateways that will use the cloud to coordinate this; many people prefer using scripting to archive and deploy. A region obtaining its own identical certificate should really be a failsafe, not a primary feature of your design.
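A small checker for the setup described in the answer above, added here as an example and not part of acme-dns itself: from the credentials a client stores per identifier it derives the `_acme-challenge` CNAME each zone must carry, and it flags the two problems this thread raises, a fulldomain that does not sit under the acme-dns zone and one login backing more identifiers than the two TXT values acme-dns holds per subdomain. The credential fields follow the shape of the acme-dns /register response; the zone name, logins and every value below are constructed.

```python
from collections import defaultdict

# Constructed sample in the shape of the acme-dns /register response that a
# client stores per identifier (username, password, subdomain, fulldomain,
# allowfrom). The zone, subdomains and passwords are all made up.
ACME_DNS_ZONE = "auth.example.com"
SHARED = {"username": "u-1", "password": "p-1", "subdomain": "aaaa1111",
          "fulldomain": "aaaa1111.auth.example.com", "allowfrom": []}
CREDENTIALS = {
    "example.com": SHARED,      # root and wildcard on one login, as designed
    "*.example.com": SHARED,
    "www.example.com": SHARED,  # a third altname on the same login (the ask above)
    "api.example.org": {"username": "u-2", "password": "p-2", "subdomain": "bbbb2222",
                        "fulldomain": "bbbb2222.other.example.net", "allowfrom": []},
}
MAX_TXT_PER_SUBDOMAIN = 2  # acme-dns keeps two TXT values per subdomain (root + wildcard)


def challenge_name(identifier: str) -> str:
    """ACME places the dns-01 TXT for both 'example.com' and '*.example.com'
    at _acme-challenge.example.com, so a leading wildcard label is dropped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def plan_cnames(credentials: dict, zone: str):
    """Return (records, warnings): the CNAME each zone must carry as
    name -> target, plus the problems a shared-login setup runs into."""
    records, warnings = {}, []
    identifiers_per_login = defaultdict(list)
    for identifier, cred in credentials.items():
        expected = f"{cred['subdomain']}.{zone}"
        if cred["fulldomain"] != expected:
            warnings.append(f"{identifier}: fulldomain {cred['fulldomain']} is not {expected}")
        name, target = challenge_name(identifier), cred["fulldomain"]
        if records.get(name, target) != target:
            warnings.append(f"{name}: root and wildcard must use the same login")
        records[name] = target
        identifiers_per_login[cred["username"]].append(identifier)
    for login, ids in identifiers_per_login.items():
        if len(ids) > MAX_TXT_PER_SUBDOMAIN:
            warnings.append(f"login {login} backs {len(ids)} identifiers {ids}; only "
                            f"{MAX_TXT_PER_SUBDOMAIN} TXT values fit, so one order "
                            "validating them all at once loses a challenge value")
    return records, warnings


if __name__ == "__main__":
    recs, warns = plan_cnames(CREDENTIALS, ACME_DNS_ZONE)
    for name, target in recs.items():
        print(f"{name}. IN CNAME {target}.")
    for w in warns:
        print("WARNING:", w)
```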