terricain / certbot-dns-azure

AzureDNS Certbot plugin

Use dns zone if available in resource ID #17

Closed mdhowle closed 2 years ago

mdhowle commented 2 years ago

We have a subdomain, acme.example.com, in Azure DNS that handles the DNS validation. The DNS zone for example.com is hosted outside of Azure DNS. It has a CNAME that points to acme.example.com: _acme-challenge.foo.example.com => _acme-challenge.foo.acme.example.com that will be followed by the ACME server to validate (DNS aliasing).

The current implementation of certbot-dns-azure does not take this setup into account. Registering foo.example.com with the following configuration will result in certbot-dns-azure writing to a non-existent Azure DNS zone for example.com:

dns_azure_zone1 = example.com:/subscriptions/<subid>/resourceGroups/<rgname>

Also, adjusting the domain name prefix to acme.example.com:/subscriptions/... leads to an error in the plugin: Domain foo.example.com does not have a valid domain to resource group id mapping. This makes sense because foo.example.com does not end with acme.example.com. Removing this check would probably fix it in my case, but could cause issues with others' configuration.

With this PR, one can supply the full resource ID with the DNS zone in the configuration file as displayed in Azure DNS.

dns_azure_zone1 = example.com:/subscriptions/<subid>/resourceGroups/<rgname>/providers/Microsoft.Network/dnszones/acme.example.com

The code will then attempt to index the DNS zone from the resource ID. In this instance, acme.example.com will be returned. Otherwise, if the resource ID is supplied without the dnszone, it will return example.com as defined in the domain prefix and continue to work as before, as currently documented.

mdhowle commented 2 years ago

This PR is a stop-gap to fix this use case. Ideally, supplying the domain, subscription ID, resource group, and the DNS zone name would be a more succinct way of specifying the parameters.

For example:

                     domain name :   subscription id   : resource group :  dns zone
dns_azure_zone1 = example.com:a1b2c3-d34db33f-...-f00b4r:dns1:acme.example.com
dns_azure_zone2 = example.net:a1b2c3-d34db33f-...-f00b4r:dns2    # optional zone, when omitted, example.net is used

would generate the resource IDs to write the TXT records:

/subscriptions/a1b2c3-d34db33f-...-f00b4r/resourceGroups/dns1/providers/Microsoft.Network/dnszones/acme.example.com
/subscriptions/a1b2c3-d34db33f-...-f00b4r/resourceGroups/dns2/providers/Microsoft.Network/dnszones/example.net

It would be possible to check which format a user had by counting the colons. Both implementations, if you so choose to go this route, can exist side-by-side.
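An added illustration (not the plugin's own code) of the two mapping formats discussed in this thread: it parses the current domain:resource-ID form, taking the zone from the ID when the dnszones segment is present and falling back to the domain otherwise, and the proposed colon-separated form, telling them apart by counting colons. The txt_record_name helper, and its assumption that the labels below the configured domain are kept so that the CNAME alias resolves to the record, are mine and not from the PR.

```python
import re
from dataclasses import dataclass

# Matches an Azure DNS zone resource ID; the dnszones segment is optional so that a
# resource-group-only ID (the documented form) also parses.
_ZONE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/Microsoft\.Network/dnszones/(?P<zone>[^/]+))?/?$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class ZoneMapping:
    domain: str       # names requested for a certificate must end with this
    zone: str         # Azure DNS zone that actually receives the TXT record
    resource_id: str  # full resource ID of that zone

def _zone_resource_id(sub, rg, zone):
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/dnszones/{zone}"

def parse_zone_mapping(value):
    """Parse one dns_azure_zoneN value. Two colons or fewer: 'domain:<resource ID>',
    zone taken from the ID when present. Three or four fields:
    'domain:subscription:resourcegroup[:zone]', zone defaulting to the domain."""
    parts = value.strip().split(":")
    if len(parts) == 2:
        domain, rid = parts
        m = _ZONE_ID_RE.match(rid)
        if not m:
            raise ValueError(f"not an Azure resource ID: {rid!r}")
        zone = (m.group("zone") or domain).lower()
        return ZoneMapping(domain.lower(), zone, _zone_resource_id(m.group("sub"), m.group("rg"), zone))
    if len(parts) in (3, 4):
        domain, sub, rg = parts[:3]
        zone = (parts[3] if len(parts) == 4 else domain).lower()
        return ZoneMapping(domain.lower(), zone, _zone_resource_id(sub, rg, zone))
    raise ValueError(f"unrecognised dns_azure_zone value: {value!r}")

def txt_record_name(mapping, fqdn):
    """Relative record-set name for the ACME challenge of fqdn inside mapping.zone.
    Assumption: the labels below the configured domain are kept, so a CNAME
    _acme-challenge.foo.example.com -> _acme-challenge.foo.acme.example.com hits it."""
    fqdn = fqdn.lower()
    if fqdn != mapping.domain and not fqdn.endswith("." + mapping.domain):
        raise ValueError(f"Domain {fqdn} does not have a valid domain to resource group id mapping")
    prefix = fqdn[: -len(mapping.domain)].rstrip(".")
    return "_acme-challenge" + (f".{prefix}" if prefix else "")
```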

mdhowle commented 2 years ago

Moved branches but couldn't modify this PR to use new branch. See #18