umputun / reproxy

Simple edge server / reverse proxy
http://reproxy.io
MIT License

Support DNS challenge for LE / ACME #110

Open umputun opened 3 years ago

umputun commented 3 years ago

It would be very nice to add such support. My first reaction was adding the lego library, but it looks like it can be added with golang.org/x/crypto/acme, see https://community.letsencrypt.org/t/golang-example-using-dns-verification/81696

nbys commented 2 years ago

I'd like to take this one. Could you please provide more details on how this should work from user perspective?

I don't have any experience with letsencrypt; it would be perfect hands-on practice for me.

umputun commented 2 years ago

I'm not sure myself. Probably we will need to support a bunch of DNS providers, similarly to lego. And it looks like providers may have different params. You can check how lego does it.

nbys commented 2 years ago

We could use golang.org/x/crypto/acme for initiating DNS challenges. The library doesn't have a stable version yet and is still under development, but probably we could use it in the future.

Second, we need to add a TXT record derived from the received token to the DNS provider. There is no functionality in the standard library for this task. I took a look at the list of providers supported by lego. If we could use the lego library it would make the task much easier. But you don't want to bring lego dependency to the project, correct?
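For the "TXT record derived from the received token" step above, here is an added example (not code from reproxy or from this thread) of the derivation the DNS-01 challenge requires, written with the Go standard library only: the RFC 7638 thumbprint of the account key, the key authorization `token "." thumbprint`, and the record value `base64url(SHA-256(keyAuth))` published at `_acme-challenge.<domain>`. It assumes a P-256 account key; the token is a constructed sample, a real one comes from the CA's challenge object.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64 is the unpadded base64url encoding ACME uses for binary values.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// fixedSize left-pads a coordinate to n bytes (32 for P-256).
func fixedSize(i *big.Int, n int) []byte { out := make([]byte, n); i.FillBytes(out); return out }

// thumbprintP256 returns the RFC 7638 JWK thumbprint of an EC P-256 account key:
// SHA-256 over the canonical JSON {"crv","kty","x","y"}, members in lexicographic
// order and no whitespace. encoding/json sorts map keys, which gives that order.
func thumbprintP256(pub *ecdsa.PublicKey) (string, error) {
	if pub.Curve != elliptic.P256() {
		return "", fmt.Errorf("only P-256 account keys are handled in this example")
	}
	n := (pub.Curve.Params().BitSize + 7) / 8
	canon, err := json.Marshal(map[string]string{
		"crv": "P-256", "kty": "EC",
		"x": b64(fixedSize(pub.X, n)), "y": b64(fixedSize(pub.Y, n)),
	})
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return b64(sum[:]), nil
}

// DNS01Record is what the DNS provider integration has to publish.
type DNS01Record struct {
	Name  string // _acme-challenge.<domain>
	Value string // base64url(SHA-256(token "." thumbprint)), per RFC 8555 section 8.4
}

// dns01Record derives the TXT record for a domain from the challenge token.
func dns01Record(domain, token string, pub *ecdsa.PublicKey) (DNS01Record, error) {
	tp, err := thumbprintP256(pub)
	if err != nil {
		return DNS01Record{}, err
	}
	sum := sha256.Sum256([]byte(token + "." + tp))
	return DNS01Record{Name: "_acme-challenge." + domain, Value: b64(sum[:])}, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // hypothetical account key
	rec, _ := dns01Record("example.com", "constructed-sample-token", &key.PublicKey)
	fmt.Printf("%s TXT %q\n", rec.Name, rec.Value)
}
```

The CA validates by querying the TXT record at that name, so the value must be live in DNS (and propagated) before the challenge is accepted.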

umputun commented 2 years ago

> But you don't want to bring lego dependency to the project, correct?

The list of lego's dependencies is huge, for real. I would prefer any other solution instead of adding all of this.

ezotrank commented 2 years ago

What if we move the logic of creating TXT records to a separate service, and reproxy uses it? This separate service implements the API on its own or uses lego's DNS providers.

I've played with that a few months ago; maybe my sketches can help, or maybe not: acme-dns-challenge, acme-dns-api-presenter

nbys commented 2 years ago

@ezotrank thank you for your suggestions and gists. From my POV, it still would be nice to have this functionality inside of reproxy. If we are going to use some external services, why not just use lego?

In this PR I want to implement the logic to schedule certificate renewal and the creation of TXT records for a couple of the most popular DNS providers.