Page MenuHomeDevCentral

Deploy ACME-specific DNS server
Closed, ResolvedPublic

Description

Let's encrypt domain authentication can be done two ways:

  • through HTTP challenges
  • through DNS validation

The HTTP challenges work smoothly, as long as nginx is correctly configured, and web server is still alive. But how to create Openfire certificate with domains split between two serveurs (nasqueron.org on Ysul for webserver-legacy role, xmpp.nasqueron.org conference.nasqueron.org on Equatower for docker-paas role)?

The DNS challenges have been tested with manuale client, but how to automate the process? HE doesn't provide an API to update TXT records while T1217 is still open. In both scenarii, we would give full control of the DNS to each server.

A fine solution is to have a DNS with the only task to manage TXT records for Nasqueron domains, e.g. *.acme.nasqueron.org and use CNAME records to wire _acme-challenge.domain.tld to something.acme.nasqueron.org. Then, we give Let's Encrypt clients full control of this specific DNS to automate DNS verifications.

Event Timeline

Server is deployed on Equatower.

The following DNS records have been added to delegate *.acme.nasqueron.org resolution:

acme.nasqueron.org. 3600 IN A 51.255.124.10
acme.nasqueron.org. 86400 IN NS acme.nasqueron.org.

The server works fine. Next step is to integrate Certbot or any other client with it and create relevant CNAMEs.

dereckson closed this task as Resolved.Feb 8 2020, 18:39