search

joohoi / acme-dns

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
MIT License
2.13k stars 232 forks source link

Small regression: API domain can no longer be separate from DNS challenge domain #295

Open Ajedi32 opened 2 years ago

Ajedi32 commented 2 years ago

Not sure if this was by-design or not, but the changes in #190 have made it impossible for the API domain that HTTP clients interact with to be different from the domain that the dns challenges are served off of, so long as you're using automatic cert issuance for the API server (tls set to letsencrypt).

Previously my server was set up so that the HTTP API was served off of acme-dns.mydomain.net, while dns challenges were served off of dns-challenge.mydomain.net. With the updates in #190 I now have to serve the both the API requests and dns challenge requests off of acme-dns.mydomain.net if I want to continue using the automatic certificate issuance feature of ACME-DNS.

This isn't a big deal, as whether or not API domain should be separate from the dns challenge domain is really just a matter of personal preference. Still, I thought it was worth pointing out since the wording in the pull request suggested to me that this regression was unintentional, and I kinda liked it that acme-dns didn't have to manage the authoritative DNS records for its own server. Feel free to close if you feel that this is by-design.

gbonnefille commented 2 years ago

We have a similar deployment, with distinct domains. We use traefik to ensure the TLS termination of the API and use DNS challenge for the certificate of the API domain.

HTH

maddes-b commented 5 months ago

Sorry for being late to the party, just answering for others finding this issue.

Reading "DNS records" in README shows that it is intended that NS and auth DOMAIN have the IP addresses of acme-dns, and are therefore identical. Configuration at DNS provider and in acme-dns config.cfg must match. Design decision was to use DOMAIN for HTTP API.

If NS and DOMAIN are the same (e.g. my-auth.example.com) then glue records are needed via the DNS provider. But not every DNS provider allows glue records for subdomains, then an "external" NS server is needed: names for NS and DOMAIN have to differ and NS must not be part of DOMAIN.

nsname = "my-ns.example.com" (via DNS provider with IPs of acme-dns)
domain = "my-auth.example.com" (via acme-dns with IPs of acme-dns maintained in config.cfg below)

records = [
    "my-auth.example.com. A a.b.c.d",
    "my-auth.example.com. AAAA aaaa:bbbb::cccc:dddd",
    "my-auth.example.com. NS my-ns.example.com.",
]

Still NS and DOMAIN must have the same IP addresses, so using DOMAIN (my-auth.example.com) for the API always works.

For the data in the first post the config would be:

nsname = "acme-dns.mydomain.net" (via DNS provider with IPs of acme-dns)
domain = "dns-challenge.mydomain.net" (via acme-dns with IPs of acme-dns maintained in config.cfg)

records = [
    "dns-challenge.mydomain.net. A a.b.c.d",
    "dns-challenge.mydomain.net. AAAA aaaa:bbbb::cccc:dddd",
    "dns-challenge.mydomain.net. NS my-auth.example.com.",
]

API accessed via dns-challenge.mydomain.net

maddes-b commented 1 day ago

A reverse proxy (like nginx) can help to use a different domain for the API.