rmbolger / Posh-ACME

PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
https://poshac.me/docs/latest/
MIT License

Investigate adding support for challenges.addr.tools #572

Status: Closed (rmbolger closed this 1 month ago)

rmbolger commented 1 month ago

https://challenges.addr.tools/

This is a service (optionally self-hosted) that provides an algorithmic way to do ACME dns-01 challenges via CNAME aliasing similar to acme-dns.

Users choose a custom passphrase which is hashed with SHA-224 and concatenated with challenges.addr.tools (or the self-hosted equivalent root) to make an FQDN. The user creates a CNAME for their _acme-challenge FQDN that points to the SHA-224 FQDN. Then the user (or our plugin) calls the API with the raw passphrase and the TXT value that needs to be set for the record.

The tricky part of making this work is that .NET doesn't have a native SHA-224 implementation. But we might be able to find something in BouncyCastle or maybe make a standalone PowerShell native implementation.
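The construction described above, worked through as an added example that is not part of the issue, the Posh-ACME project, or the challenges.addr.tools service: the passphrase is hashed with SHA-224, the hex digest becomes the left-most label under the service root, and the user's `_acme-challenge` name is CNAMEd to that alias. The exact layout (UTF-8 encoding of the passphrase, lowercase hex, `<digest>.<root>` with no extra labels) is an assumption drawn from the description, as is the constructed resolver table; the service's API endpoint is not on the page and is deliberately not modelled. The helper `cname_matches` is the check a client would want before handing the raw passphrase to the API: confirm the CNAME actually published in DNS matches the passphrase, so a typo or a stale record is caught locally instead of as a failed challenge.

```python
import hashlib
import re

# Hosted root named in the issue; a self-hosted deployment substitutes its own
# zone (assumption: the same label layout applies).
DEFAULT_ROOT = "challenges.addr.tools"

# SHA-224 digest is 28 bytes, i.e. 56 hex characters.
HEX224_RE = re.compile(r"^[0-9a-f]{56}$")


def alias_label(passphrase: str) -> str:
    """SHA-224 of the passphrase as lowercase hex (encoding/case are assumptions)."""
    return hashlib.sha224(passphrase.encode("utf-8")).hexdigest()


def alias_fqdn(passphrase: str, root: str = DEFAULT_ROOT) -> str:
    """<sha224-hex>.<root>, the name the user's CNAME must point at."""
    return f"{alias_label(passphrase)}.{root.strip('.')}"


def cname_record(domain: str, passphrase: str, root: str = DEFAULT_ROOT) -> str:
    """Zone-file line the user adds once per certificate name."""
    return f"_acme-challenge.{domain.strip('.')}. IN CNAME {alias_fqdn(passphrase, root)}."


def cname_matches(cname_target: str, passphrase: str, root: str = DEFAULT_ROOT) -> bool:
    """True if a resolved CNAME target is exactly the alias derived from the passphrase."""
    target = cname_target.rstrip(".").lower()
    if target != alias_fqdn(passphrase, root):
        return False
    # Defensive sanity check on the label shape; rules out a truncated or mangled record.
    return bool(HEX224_RE.match(target.split(".", 1)[0]))


def preflight(domains, passphrase, resolver, root: str = DEFAULT_ROOT):
    """Check every name's CNAME before any API call.

    `resolver` maps an _acme-challenge FQDN to its CNAME target (or None).
    Returns {domain: "ok" | "missing" | "mismatch"}.
    """
    results = {}
    for domain in domains:
        target = resolver.get(f"_acme-challenge.{domain.strip('.')}")
        if target is None:
            results[domain] = "missing"
        elif cname_matches(target, passphrase, root):
            results[domain] = "ok"
        else:
            results[domain] = "mismatch"
    return results


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample passphrase
    # Constructed stand-in for DNS answers; a real client would query a resolver.
    fake_dns = {
        "_acme-challenge.example.com": alias_fqdn(secret) + ".",
        "_acme-challenge.example.net": alias_fqdn("wrong passphrase") + ".",
        # example.org has no CNAME at all
    }
    for name in ("example.com", "example.net", "example.org"):
        print(cname_record(name, secret))
    print(preflight(["example.com", "example.net", "example.org"], secret, fake_dns))
```

Because the raw passphrase is what gets sent to the API, it is effectively a bearer credential for every name aliased to that digest: one passphrase per zone (or per certificate) keeps the blast radius of a leaked value small, and the preflight above makes sure the value only ever leaves the client once the DNS side has been confirmed.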

rmbolger commented 1 month ago

As it turns out, we don't actually need a local SHA-224 implementation. Under normal circumstances, hashing the secret is only done on the server side. The only time the user would normally need to do it is when setting up the CNAMEs and the server has an API endpoint that returns the hashed subdomain that we wrapped in a helper function.