acme-dns-server
acme-dns-certbot-joohoi
acme-dns-server | acme-dns-certbot-joohoi
---|---
2 | 3
29 | 204
- | -
1.8 | 0.0
almost 2 years ago | 7 months ago
Python | Python
MIT License | MIT License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
acme-dns-server
-
Ask HN: What's your solution for SSL on internal servers?
DNS alias mode:
* https://dan.langille.org/2019/02/01/acme-domain-alias-mode/
* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...
* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...
You want the name "internal.example.com". In your external DNS you create a CNAME from "_acme-challenge.internal.example.com" and point it to (e.g.) "internal.example.net" or "internal.dns-auth.example.com"
When you request the certificate you specify the "dns-01" method. The issuer (e.g., LE) will go to the external DNS server for the lookup, see that it is a CNAME and then follow the CNAME/alias, and do the verification at the final hostname.
So your ACME client has to do a DNS (TXT) record update, which can often be done via various APIs, e.g.:
* https://github.com/AnalogJ/lexicon
You can even run your own DNS server locally (in a DMZ?) if your DNS provider does not have a convenient API. There are servers written for this use case:
* https://github.com/joohoi/acme-dns
* https://github.com/joohoi/acme-dns-certbot-joohoi
* https://github.com/pawitp/acme-dns-server
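The alias flow this post describes, modelled end to end as an added example (not code from the post, the page, or any of the linked projects): the ACME client computes the dns-01 TXT value, publishes it only in the delegated zone it controls, and the validator starts at `_acme-challenge.internal.example.com`, follows the CNAME, and compares the TXT at the final name. The in-memory zone, the names, the token and the thumbprint are all constructed stand-ins; the TXT derivation follows RFC 8555 section 8.4 (base64url of SHA-256 over `token.thumbprint`, padding stripped). Resolution over a real resolver is not attempted, so the script runs offline.

```python
"""Simulated dns-01 validation through a CNAME alias (added example).

Assumptions (constructed, not from the page): the zone below stands in for
real DNS. The CNAME lives in the organisation's main zone (example.com);
the TXT lives in the delegated zone (dns-auth.example.com), which is the
only zone the ACME client's credentials ever need to write to.
"""
import base64
import hashlib


def make_zone() -> dict:
    """Constructed zone data: name -> {rrtype: [values]}."""
    return {
        "_acme-challenge.internal.example.com": {
            "CNAME": ["internal.dns-auth.example.com"],
        },
        "internal.dns-auth.example.com": {"TXT": []},
    }


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4: keyAuthorization = token "." thumbprint;
    TXT = base64url(SHA-256(keyAuthorization)) with '=' padding removed."""
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def publish_txt(zone: dict, name: str, value: str) -> None:
    """Client side: add a TXT record in the delegated zone (what acme-dns
    or an nsupdate call would do). The main zone is never touched."""
    zone.setdefault(name, {}).setdefault("TXT", []).append(value)


def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Validator side: follow CNAMEs from `name` and return
    (final_name, txt_values). Loops and long chains are rejected."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        rrs = zone.get(current, {})
        if "CNAME" in rrs:
            current = rrs["CNAME"][0]
            continue
        return current, list(rrs.get("TXT", []))
    raise ValueError(f"more than {max_hops} CNAME hops from {name}")


def validate_dns01(zone: dict, domain: str, token: str, thumbprint: str):
    """Validator side: expected TXT must be present at the end of the
    alias chain starting at _acme-challenge.<domain>."""
    expected = dns01_txt_value(token, thumbprint)
    final_name, values = resolve_txt(zone, f"_acme-challenge.{domain}")
    return expected in values, final_name


if __name__ == "__main__":
    zone = make_zone()
    token, thumbprint = "constructed-token", "constructed-thumbprint"
    # Before publishing: the chain resolves, but the TXT is missing.
    print(validate_dns01(zone, "internal.example.com", token, thumbprint))
    # Client publishes in the delegated zone only, then validation passes.
    publish_txt(zone, "internal.dns-auth.example.com",
                dns01_txt_value(token, thumbprint))
    print(validate_dns01(zone, "internal.example.com", token, thumbprint))
```

The point the CNAME buys you is visible in `publish_txt`: the credentials used for automation only ever write to `dns-auth.example.com`, so a compromise of the ACME host cannot rewrite records in `example.com` itself. Checking that the CNAME resolves (the first `validate_dns01` call returning `False` with the right `final_name`, rather than raising) is the quick sanity check to run before the first real issuance.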
-
Another free CA as an alternative to Let's Encrypt
I already had Bind on the machine so it was logical to add the zone there and utilize nsupdate: https://gist.github.com/kronthto/893715f12cc0b1cda9fcfdbd8dc...
But what you are suggesting should work just fine as well - there should be no need for a persistent service. Of course the service would need to run on port 53, so you actually cannot have another nameserver on that machine already, and it would also require CAP_NET_BIND_SERVICE.
A quick search led me to this Python project that could be an inspiration: https://github.com/pawitp/acme-dns-server
acme-dns-certbot-joohoi
-
Is it okay to use letsencrypt for internet facing websites? I was going to buy a DigiCert cert. What are the downsides to letsencrypt vs paid public CAs?
Check this out https://github.com/joohoi/acme-dns-certbot-joohoi
-
my solution to domain, certificates, ports etc (zero cost and no external server or third-party service needed)
We can use a tool such as certbot to get certificates from Let's Encrypt (in the traditional way). And to get one using the DNS-01 challenge you can use something like acme-dns-certbot. Even further, the addition of the TXT DNS record can be automated using a provider-specific (in our case duckdns) tool/plugin, for example certbot_dns_duckdns.
What are some alternatives?
acme-dns - Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
lexicon - Manipulate DNS records on various DNS providers in a standardized way.
dehydrated - letsencrypt/acme client implemented as a shell-script – just add water
certbot_dns_duckdns - Plugin for certbot for a DNS-01 challenge with a DuckDNS domain.
acme-tiny - A tiny script to issue and renew TLS certs from Let's Encrypt
mkcert - A simple zero-config tool to make locally trusted development certificates with any names you'd like.
lego - Let's Encrypt/ACME client and library written in Go
acme.sh - A pure Unix shell script implementing ACME client protocol
hancock - a simple certificate manager
public-roadmap - Checkly public roadmap. All planned features, updates and tweaks.