
Add support for the DNS-01 challenge #7

Open. Wants to merge 5 commits into base: main

Commits on Dec 23, 2021

  1. Add support for the DNS-01 challenge

    If SNIKKET_DNS_CHALLENGE is set to 1, or SNIKKET_TWEAK_XMPP_DOMAIN is
    set, spin up an instance of CoreDNS to respond to DNS challenges. Shut
    it down once certificates are obtained, and only enable it on renewal.
    
    Rationale
    "Many DNS servers do not provide an API to enable automation for the
    ACME DNS challenges. Those which do, give the keys way too much power.
    Leaving the keys laying around your random boxes is too often a
    requirement to have a meaningful process automation."
    See https://github.com/joohoi/acme-dns
    
    Requirements (domain.tld is SNIKKET_TWEAK_XMPP_DOMAIN or SNIKKET_DOMAIN
    if not set)
     - The CNAME record of _acme-challenge.domain.tld needs to point to
       cert.snikket.domain.tld
     - The NS record of snikket.domain.tld needs to point to
       ns-snikket.domain.tld
     - The A/AAAA record(s) of ns-snikket.domain.tld need(s) to point to
       the instance IP address
    
    Mechanics
     - Through a certbot pre-hook, the requirements are first validated
       (although a failure is only logged). Next, a CoreDNS instance is spun
       up with just SOA and NS records for snikket.domain.tld, with the NS
       set to ns-snikket.domain.tld
     - Using certbot's manual plugin + its authorization hook, the relevant
       TXT record is added to cert.snikket.domain.tld. Multiple records are
       supported here, so this script can be used for domain.tld and
       *.domain.tld in one go.
     - Through a certbot post-hook, the DNS server is shut down after
       certificates are obtained.
    
    Considerations
     - Since it is possible that people are hosting their instance on
       snikket.domain.tld, an override for the DNS ZONE can be added.
       Alternatively, we can keep the DNS server running, but that will add
       much more complexity to the setup.
    Rijul-A committed Dec 23, 2021 (commit 1a76080)

Commits on Jan 19, 2022

  1. Commit 1dc508b

Commits on Mar 10, 2022

  1. Commit fa7c861

Commits on Mar 12, 2022

  1. fix: improve logs, decrease TTL, add style + wait

     - Add wait time between DNS server creation and NS record check
     - Add logs to indicate if DNS challenge is being used, and why
     - Add logs to indicate wait time and completion
     - Add style file and pre-commit hook (activate with `git config
       --local core.hooksPath .githooks`)
    Rijul-A committed Mar 12, 2022 (commit 551fa55)

Commits on Mar 19, 2022

  1. fix: Remove old CoreDNS configuration file

    To prevent `assert( token )` from failing for persistent volumes
    (certificate renewal or other option changes), remove the file each time
    the pre-hook is run.
    Rijul-A committed Mar 19, 2022 (commit d21e92c)
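The mechanics laid out in the first commit message (pre-hook writes an SOA/NS-only zone, the certbot manual authorization hook appends one TXT record per challenge at cert.snikket.domain.tld, the post-hook tears the server down) and the stale-file problem fixed in the last commit are easiest to see as a concrete hook script. The following is an added example, not the PR's or the Snikket project's own code. It assumes the zone layout from the commit message, and the function names, the `cert` label, the 60 s TTL and the zone file path are all illustrative; the `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` variables are the ones certbot's manual plugin exports to its hooks.

```shell
#!/bin/sh
# Added example (not from the PR): certbot --manual pre-hook and auth-hook
# bodies that maintain a CoreDNS zone file for the delegated zone
# snikket.domain.tld. Assumed CoreDNS Corefile (file plugin):
#   snikket.example.com {
#       file /var/lib/snikket-dns/db.snikket.example.com
#   }
# Function names, paths, the "cert" label and the TTL are assumptions.

# Reject anything that is not a base64url token. The validation value is
# interpolated into a zone file, so a stray quote, space or newline must
# not reach it (it would otherwise become zone syntax).
valid_token() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Static part of the zone: SOA and NS only, with the NS set to the
# ns-snikket host, exactly what the pre-hook publishes.
#   $1 = zone (snikket.example.com)
#   $2 = nameserver (ns-snikket.example.com)
#   $3 = serial
zone_header() {
    printf '$ORIGIN %s.\n$TTL 60\n' "$1"
    printf '@ IN SOA %s. hostmaster.%s. %s 3600 600 86400 60\n' "$2" "$1" "$3"
    printf '@ IN NS %s.\n' "$2"
}

# Pre-hook: always start from a fresh zone file. A file left behind by an
# earlier run (persistent volume, previous renewal) would still carry the
# old TXT records, so it is removed rather than reused.
#   $1 = zone  $2 = nameserver  $3 = zone file path
pre_hook() {
    mkdir -p "$(dirname "$3")"
    rm -f "$3"
    zone_header "$1" "$2" "$(date +%s)" > "$3"
}

# Auth hook: certbot runs this once per challenge with CERTBOT_DOMAIN and
# CERTBOT_VALIDATION set. domain.tld and *.domain.tld both resolve
# _acme-challenge.domain.tld, whose CNAME points at cert.snikket.domain.tld,
# so the record is appended under the same label, never overwritten; the
# ACME server accepts any TXT record at that name that matches.
#   $1 = zone  $2 = nameserver  $3 = zone file path
auth_hook() {
    if ! valid_token "$CERTBOT_VALIDATION"; then
        echo "auth hook: refusing malformed CERTBOT_VALIDATION for ${CERTBOT_DOMAIN:-?}" >&2
        return 1
    fi
    # Fallback if the pre-hook did not run (e.g. the hook is invoked by hand).
    [ -s "$3" ] || pre_hook "$1" "$2" "$3"
    printf 'cert IN TXT "%s"\n' "$CERTBOT_VALIDATION" >> "$3"
}

# Number of TXT records currently published; handy for the post-hook's log
# line before the DNS server is shut down.
txt_count() {
    grep -c '^cert IN TXT ' "$1" || true
}
```

With the hooks wired in (`certbot certonly --manual --preferred-challenges dns --pre-hook ... --manual-auth-hook ... --post-hook ... -d example.com -d '*.example.com'`), the two challenges land as two `cert IN TXT` lines in the same zone file. The example deliberately leaves out the pre-hook's CNAME/NS/A sanity check, which needs live DNS lookups; note that a failed check is only logged in the PR, so the certbot run will still proceed and fail later at the ACME server if the delegation is wrong.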