pixielabs / letsencrypt-rails-heroku

Automatic LetsEncrypt SSL certificates in your Rails app on Heroku.
MIT License
220 stars 33 forks

ACME v2 upgrade #60

Closed mashedkeyboard closed 5 years ago

mashedkeyboard commented 5 years ago

As mentioned in #59. Allows DNS01 as a verification method, as well as wildcard domains.

Incidentally, also upgrades to using the latest version of the Heroku Platform API client, as it now has GA on the features required by letsencrypt-rails-heroku.

Todo on this is adding automatic DNS support through the CloudFlare API, but I'm holding off on that for now pending the new restricted tokens that CloudFlare have announced they're working on here.

jalada commented 5 years ago

Thanks @mashedkeyboard. We'll take a look and get this merged ASAP.

jalada commented 5 years ago

Hi @mashedkeyboard, I've had a chance to look into this in some more detail. Regarding DNS validations... According to LetsEncrypt you should only do DNS01 validations if your DNS provider can automatically update DNS records via an API, presumably because the records change each time.

So what I'd really like to see is automated updates (as per your comment to do with Cloudflare). The challenge, of course, is that every DNS provider is different. Is there some kind of unified library for doing API-based DNS updates? I'd really like to make use of one, but so far it seems like there's only plugins per LetsEncrypt client (e.g. https://certbot.eff.org/docs/using.html#dns-plugins).

If there isn't something, then we could definitely start with a Cloudflare implementation. Until then, I'm not sure about merging in something that requires manual interaction, because that goes against the point of LetsEncrypt.

Your work on registering is interesting though. I'd love to pull that out and get that in separately. What do you think?

mashedkeyboard commented 5 years ago

Hey @jalada - yeah, the DNS01 docs at Let's Encrypt do say that, which is why I was waiting for CloudFlare's API to come out. There's no unified library I'm aware of, but CloudFlare is the "lowest common denominator" if you will - and there's nothing to stop people building other providers in too, so long as it's modular enough.

Incidentally, I'm currently using my fork in production, as despite Let's Encrypt's documentation, the DNS records don't change each and every time that validation is required - they change every so often, but I just manually go update them when I catch the error :)

If you'd like to pull some of the bits out and merge them in ahead of time, feel free! The only thing I would say is that I'm not sure whether it's a good idea to upgrade to ACME v2 without supporting DNS01, as I can't off the top of my head remember if there's a way to explicitly request that you're not given one of those unsupported challenges.

jalada commented 5 years ago

That's v. useful, thanks @mashedkeyboard. I'll:

  1. Check if v2 officially supports HTTP-only validations, and
  2. if it does, migrate to v2 in preparation for auto-DNS, and get the account registration stuff in.
  3. Think about how we can solve the auto DNS validations (agreed, it'd be nice for it to be modular).
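The question in items 1 and 2 turns on how ACME v2 hands out challenges: each authorization in an order lists several challenge types and the client answers whichever one it supports, so an HTTP-only client can move to v2 as long as it refuses wildcard names, which are only ever offered dns-01. The Ruby below is an added example of that selection step, not code from this PR or from the gem; the `dns_automated` flag and the sample order data are constructed.

```ruby
# Added example (not the project's code): how an ACME v2 client picks one
# challenge per authorization. Authorizations are modelled on the JSON an
# ACME server returns (RFC 8555 section 7.1.4); the sample data below is
# constructed, and `dns_automated` is a hypothetical flag meaning "an
# API-driven DNS updater is configured".

class UnsupportedChallengeError < StandardError; end

# Challenge types this client can answer. Without DNS automation only
# http-01 is allowed: a dns-01 record placed by hand breaks unattended renewal.
def supported_challenge_types(dns_automated: false)
  dns_automated ? %w[http-01 dns-01] : %w[http-01]
end

# Returns {name => chosen challenge hash}. Every authorization carries several
# challenges and the client may answer any one, so an HTTP-only client just
# takes http-01 where it is offered. Wildcard identifiers (flagged with
# "wildcard": true, value without the "*.") are offered dns-01 only, so they
# are rejected up front unless DNS is automated.
def plan_challenges(authorizations, dns_automated: false)
  types = supported_challenge_types(dns_automated: dns_automated)
  plan = {}
  rejected = []
  authorizations.each do |authz|
    name = authz["identifier"]["value"]
    name = "*.#{name}" if authz["wildcard"]
    chosen = types.map { |t| authz["challenges"].find { |c| c["type"] == t } }.compact.first
    if chosen
      plan[name] = chosen
    else
      rejected << name
    end
  end
  unless rejected.empty?
    raise UnsupportedChallengeError,
          "no supported challenge for #{rejected.join(', ')} (client supports #{types.join(', ')})"
  end
  plan
end

# Constructed sample: an order for one plain name and one wildcard name
# (URLs and tokens are made up).
SAMPLE_AUTHORIZATIONS = [
  { "identifier" => { "type" => "dns", "value" => "www.example.com" },
    "challenges" => [
      { "type" => "http-01", "url" => "https://acme.example/chall/1", "token" => "tokA" },
      { "type" => "dns-01",  "url" => "https://acme.example/chall/2", "token" => "tokB" }
    ] },
  { "identifier" => { "type" => "dns", "value" => "example.com" }, "wildcard" => true,
    "challenges" => [{ "type" => "dns-01", "url" => "https://acme.example/chall/3", "token" => "tokC" }] }
].freeze
```

With `dns_automated: false` the wildcard authorization raises before any challenge is answered, which is the behaviour an HTTP-only v2 client needs.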

jalada commented 5 years ago

@mashedkeyboard heads up that we're planning on merging #62 in by the end of the week. Please let me know any feedback before then.