Sub domain DNS at Digital Ocean for Domino CertMgr DNS-01 requests
Daniel Nashed – 6 December 2021 09:59:15
What can you do if your DNS provider does not support a DNS API? There are a couple of options. And there is one I have been using for a while to test the DNS TXT API at Digital Ocean.
You can delegate a sub domain to Digital Ocean and use DNS challenges for the sub domain.
And you can even redirect the ACME challenge requests for the main domain via CNAME records to that validation domain.
Digital Ocean is the only provider I found to allow sub domain DNS.
Here is my DNS configuration. I just took the sub domain digitalocean.domino-lab.net and delegated it.
This is done with NS records for the sub domain, as you see below:
$ORIGIN domino-lab.net.
$TTL 600
; SOA Records
@ IN SOA hydrogen.ns.hetzner.com. dns.hetzner.com. 2021111801 86400 10800 3600000 3600
; NS Records
@ IN NS helium.ns.hetzner.de.
@ IN NS hydrogen.ns.hetzner.com.
@ IN NS oxygen.ns.hetzner.com.
acmedns 60 IN NS acme.ns.domino-lab.net.
digitalocean IN NS ns1.digitalocean.com.
digitalocean IN NS ns2.digitalocean.com.
digitalocean IN NS ns3.digitalocean.com.
On the Digital Ocean side you set up a free account and add a sub-domain configuration.
You can now create any type of DNS record for the sub domain, including DNS TXT records for ACME DNS-01 challenges.
Once you have created the account, you just need an API token and can use the DNS API integration:
https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/docs/dns_providers.md#digital-ocean
You can download and import the DXL file and start right away.
And you can use the sub domain also to validate any other domain by creating CNAME records that point to a delegation DNS record in your new sub domain delegated to Digital Ocean.
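The CNAME redirection works because an ACME validator follows the CNAME chain from _acme-challenge.host into whatever zone it lands in, and the NS delegation makes Digital Ocean authoritative for everything under digitalocean.domino-lab.net. The following is an added example written for this post, not code from CertMgr or from the post itself: it builds in-memory zones for domino-lab.net and the delegated sub domain (the hosts mail.domino-lab.net and www.example.org, the tokens and the record contents are constructed), generates the CNAME line each host's zone needs, writes the TXT only into the delegated zone the way the DNS API integration would, and then resolves the challenge name the way a validator does. The same lookup path applies to the acme-dns delegation mentioned further down.

```python
"""Simulate DNS-01 validation through a CNAME into a delegated sub domain.

Added example; not part of the post or of Domino CertMgr. domino-lab.net,
digitalocean.domino-lab.net and the Digital Ocean name servers come from the
post; hosts, tokens and record contents below are constructed.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[Record]]    # owner name (with trailing dot) -> records
Zones = Dict[str, Zone]           # zone apex -> zone

DELEGATED_ZONE = "digitalocean.domino-lab.net."
DO_NAMESERVERS = ("ns1.digitalocean.com.", "ns2.digitalocean.com.", "ns3.digitalocean.com.")


def fqdn(name: str) -> str:
    return name.rstrip(".") + "."


def challenge_name(host: str) -> str:
    """Owner name an ACME validator queries for a DNS-01 challenge."""
    return "_acme-challenge." + fqdn(host)


def delegated_name(host: str) -> str:
    """Where the TXT really lives: the full challenge name appended to the
    delegated zone, so two hosts never share one TXT owner name."""
    return challenge_name(host) + DELEGATED_ZONE


def cname_record(host: str, ttl: int = 60) -> str:
    """Static zone-file line for the host's own zone (no DNS API needed there)."""
    return f"{challenge_name(host)} {ttl} IN CNAME {delegated_name(host)}"


def build_lab_zones(hosts: List[str]) -> Zones:
    """Constructed zones: parent zone carries the NS delegation from the post,
    each host's zone carries its CNAME, the delegated zone starts empty.
    Assumes a two-label apex (fine for the constructed hosts, not for co.uk)."""
    zones: Zones = {
        "domino-lab.net.": {DELEGATED_ZONE: [("NS", ns) for ns in DO_NAMESERVERS]},
        DELEGATED_ZONE: {},
    }
    for host in hosts:
        apex = ".".join(fqdn(host).split(".")[-3:])
        zone = zones.setdefault(apex, {})
        zone.setdefault(challenge_name(host), []).append(("CNAME", delegated_name(host)))
    return zones


def publish_token(zones: Zones, host: str, token: str) -> None:
    """What the DNS API integration does: write the TXT into the delegated zone
    only; the host's own zone (and its provider) is never touched."""
    zones[DELEGATED_ZONE].setdefault(delegated_name(host), []).append(("TXT", token))


def authoritative_zone(name: str, zones: Zones) -> Zone:
    """Longest matching apex wins, which is what the NS delegation achieves:
    names under digitalocean.domino-lab.net are answered by Digital Ocean."""
    apexes = [a for a in zones if name == a or name.endswith("." + a)]
    if not apexes:
        raise LookupError(f"no zone for {name}")
    return zones[max(apexes, key=len)]


def resolve_txt(name: str, zones: Zones, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs as a validating resolver does; return TXT rdata at the end
    of the chain (empty list when nothing is published there)."""
    seen: Set[str] = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = authoritative_zone(name, zones).get(name, [])
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return [rdata for rtype, rdata in rrset if rtype == "TXT"]
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


def dns01_validates(host: str, token: str, zones: Zones) -> bool:
    """True when the lookup of _acme-challenge.<host> ends at a TXT with the token."""
    return token in resolve_txt(challenge_name(host), zones)


if __name__ == "__main__":
    lab = build_lab_zones(["mail.domino-lab.net", "www.example.org"])
    print(cname_record("www.example.org"))
    publish_token(lab, "www.example.org", "tok-www-constructed")
    print(dns01_validates("www.example.org", "tok-www-constructed", lab))          # True
    print(dns01_validates("other.domino-lab.net", "tok-www-constructed", lab))     # False
```

The second check shows the usual failure mode: a host without its CNAME resolves straight to an empty name in the main zone, so a token published at Digital Ocean is never seen by the validator. The CNAME target keeps the complete host name, so a certificate for www.example.org and one for mail.domino-lab.net write to different TXT owners in the delegated zone.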
Here is the official Let's Encrypt documentation --> https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html
I have ready to go configurations for Digital Ocean and Cloudflare to work with delegated DNS-01 challenges.
If you think it makes sense to add them to the GitHub repository, I would add them to a completely separate section to not confuse admins with those special configurations.
ACME DNS
There is another way. You can set up a special DNS server just for delegated DNS challenges.
There is a ready-to-go configuration. And here is the documentation: https://github.com/joohoi/acme-dns
You can see I also have a DNS server sub domain delegation for ACME DNS in this lab domain.
CertMgr works with those types of configurations.
There are a couple of other integrations. I wrote one based on the AWS CLI command-line interface.
And there is one for native Bind 9 integration.
I have not heard any requests for those or other DNS providers.
Using DNS-01 challenges is much more convenient than HTTP-01 challenges.
And it provides a lot of flexibility, including wildcard certificates.
Did you know that CertMgr also supports SANs with different domains at different providers?
And you could even mix DNS-01 and HTTP-01 challenges.
-- Daniel