tobychui / zoraxy

A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!
https://zoraxy.arozos.com
GNU Affero General Public License v3.0
2.76k stars, 168 forks

[ENHANCEMENTS] Support DNS validation for LetsEncrypt #49

Closed ndbroadbent closed 4 months ago

ndbroadbent commented 1 year ago

Related to #6

Is your feature request related to a problem? Please describe.

My server is not publicly accessible on the internet, but I still use a .com domain name to set up SSL with LetsEncrypt. I usually do this by adding DNS records to my Cloudflare. This is also the only way to set up a wildcard SSL certificate.

Describe the solution you'd like

I would like the Acme resolver to support DNS validation so that I can issue a wildcard SSL certificate for my private server.

Describe alternatives you've considered

I'm currently using NginxProxyManager, which supports this out of the box. (You can even give it your Cloudflare API token and it sets up all the DNS records for you automatically.) Zoraxy looks much more powerful so I'd like to switch to this, but can't migrate until I can use DNS validation.

johntdyer commented 1 year ago

100% want this !

drkmtr commented 1 year ago

Snap! This would be a hugely welcomed feature!

ExXxtr3me commented 1 year ago

That's also the last feature I miss from NPM. I use split DNS for some dockers with Cloudflare tunnels and need a Let's Encrypt certificate for them without disabling the proxy on Cloudflare.

tobychui commented 1 year ago

Well tbh I am not an expert in the ACME protocol so there is nothing I can do to speed up this feature request. @yeungalan you are the only one who knows how to make it work, so it is on you now!

yeungalan commented 1 year ago

I agree that DNS Validation is a good idea however we are still trying to figure out how to include all kinds of DNS providers (due to there being no common protocols to insert DNS records for now) into Zoraxy. Thanks for your suggestions btw!

nicedevil007 commented 11 months ago

Would like to see this feature for netcup as the DNS provider 👍 take your time! Looking pretty good what you are doing here :)

evandcombs commented 11 months ago

> I agree that DNS Validation is a good idea however we are still trying to figure out how to include all kinds of DNS providers (due to there being no common protocols to insert DNS records for now) into Zoraxy. Thanks for your suggestions btw!

With no standardized API there is no good solution to this problem. The best you can do is create your own standard API to streamline the integration process, then use that to create integrations for DNS providers. You then create integrations for the most common DNS providers, then create integrations for other providers on an as demanded basis.

I would say maybe make the app open to plug-ins for those integrations, but that is opening a whole other can of worms that you likely do not want to tackle at this stage.

AIEPhoenix commented 7 months ago

The scripts within this project might just be what you need. https://github.com/acmesh-official/acme.sh

themanbornwithin commented 7 months ago

+1 for this. I'd love to switch!

thytetgc commented 6 months ago

I haven't migrated from NPM to Zoraxy yet, because it lacks this feature.

cirrusflyer commented 5 months ago

Same

donslice commented 5 months ago

+1 for DNS Challenge

Teifun2 commented 5 months ago

I'm currently trying to implement this. I'm strongly following the Nginx Proxy Manager UI design, and using acme lego providers to fetch DNS certificates.

I was able to get successfully working certificates. I now have to clean up the implementation so that it can be extended for multiple DNS providers.

Teifun2 commented 5 months ago

Wildcard certificates are working. DNS Challenge as well. Renew as well.

Missing is the Generic implementation to actually allow for different DNS Providers.

PastaGringo commented 5 months ago

Great news 🎉 How can we test it? I'm running the latest 3.0.3 and can't find it. It seems all the different settings for all DNS providers can be found here: https://github.com/acmesh-official/acme.sh/tree/master/dnsapi

Could be great to begin with OVH & Cloudflare... :) Thanks for this implementation! A must-have 💯

Teifun2 commented 5 months ago

It is currently on my fork on a branch. I think it needs a little bit of love until it can be tested.

Integrating dns providers is actually very easy as the library itself has many configured: https://github.com/go-acme/lego/tree/master/providers/dns

However I need to find a generic way this can be handled. If this is done it should be an easy breeze :)

Teifun2 commented 5 months ago

A PR is open that should in theory support all 131 DNS providers of go-acme.

I heavily assume that some of them will not work just out of the box, but a lot of testing and feedback would be needed to figure this out!

tobychui commented 5 months ago

Feature added in v3.0.4 release.

cirrusflyer commented 5 months ago

It's not working for me at the moment - tells me it can't find the zone. But wondering if this is a split DNS issue. I have a local DNS with same name as the Cloudflare DNS. I assume it should know to access the Cloudflare DNS, but not sure.

yeungalan commented 4 months ago

Hi, do you mind running the below command and providing us with the Zoraxy log for further investigation?

```shell
dig yourdomain.com +trace
```

cirrusflyer commented 4 months ago

I actually did this and see that it's hitting my local DNS which obviously would cause the issue. I removed the local entry, and it's progressing correctly now, although it's getting an error "propagation: time limit exceeded". I can see the record created in my Cloudflare DNS, so not sure why it's not completing correctly. I'm using NPM on another server and it doesn't have this split DNS issue and works correctly. I'm wondering if you're able to have your software use the DNS servers of the DNS provider that's selected in the dropdown, instead of local DNS. That would resolve my split DNS issue.

cirrusflyer commented 4 months ago

Turns out you can specify the DNS servers:

https://go-acme.github.io/lego/usage/cli/options/

--dns.resolvers value [ --dns.resolvers value ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
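An added example, not Zoraxy's or lego's own code, illustrating the split-DNS diagnosis from the two comments above: it looks up the `_acme-challenge` TXT record once through the system resolver (which on a split-horizon setup asks the local DNS and finds nothing) and once through explicitly chosen nameservers, the way lego's `--dns.resolvers` option does. The `normalizeResolvers` and `challengeName` helpers, and the public resolver addresses 1.1.1.1 and 8.8.8.8, are assumptions made for this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// normalizeResolvers follows the "host:port" convention of lego's
// --dns.resolvers option: blank entries are dropped and entries without a
// port get ":53". (Hypothetical helper written for this example.)
func normalizeResolvers(entries []string) []string {
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if _, _, err := net.SplitHostPort(e); err != nil {
			e = net.JoinHostPort(e, "53") // bare IPv6 addresses get bracketed here
		}
		out = append(out, e)
	}
	return out
}

// challengeName is the record name an ACME DNS-01 challenge is published at.
func challengeName(domain string) string {
	return "_acme-challenge." + strings.TrimSuffix(domain, ".") + "."
}

// newResolver sends every query to one fixed nameserver instead of the
// system's resolv.conf, which is what bypasses a split-horizon local DNS.
func newResolver(nameserver string) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, nameserver)
		},
	}
}

// lookupChallenge returns the TXT values of the challenge record as seen by r.
func lookupChallenge(ctx context.Context, r *net.Resolver, domain string) ([]string, error) {
	return r.LookupTXT(ctx, challengeName(domain))
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: splitdns-check <domain>")
		os.Exit(2)
	}
	domain := os.Args[1]
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()

	// 1. System resolver: on a split-DNS host this asks the local DNS, which
	//    knows nothing about the record the provider API just created.
	sys, err := lookupChallenge(ctx, net.DefaultResolver, domain)
	fmt.Printf("system resolver: values=%v err=%v\n", sys, err)

	// 2. Explicit public resolvers, as with "--dns.resolvers 1.1.1.1,8.8.8.8".
	//    Constructed defaults for the example; for the final DNS-01 check lego
	//    queries the zone's authoritative servers directly.
	for _, ns := range normalizeResolvers([]string{"1.1.1.1", "8.8.8.8"}) {
		vals, err := lookupChallenge(ctx, newResolver(ns), domain)
		fmt.Printf("%s: values=%v err=%v\n", ns, vals, err)
	}
}
```

If the first lookup fails while the explicit resolvers return the token, the local DNS is shadowing the public zone, which is the situation described above; pointing the ACME client at external resolvers (or removing the local override for the zone) is the fix.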

cirrusflyer commented 4 months ago

This might be helpful for the timeout issue.

https://community.letsencrypt.org/t/cant-renew-with-dns-01-waiting-for-dns-record-propagation/182750/8

tobychui commented 4 months ago

@cirrusflyer I think this is another issue on its own instead of DNS validation support. I am closing this; please move the follow-up discussion to a new issue and tag the ACME module author @yeungalan. Thank you!