Bug #64197

iXsystems should host its own instance of acme-dns

Added by Waqar Ahmed over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: No priority
Assignee: Waqar Ahmed
Category: Middleware
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

A lot of people who would like to use ACME certs will be blocked by the fact that maybe their DNS providers don't provide automated support for renewals of TXT records or, for those who do, there could be permission issues which can result in a catastrophe for the user if the keys are lost and abused.

The following has been taken from a user's comment in a Let's Encrypt ticket:

It looks like this is planned to use DNS validation, which I think is a good call--HTTP validation would require that port 80 on the FreeNAS server be open to the Internet, which is generally discouraged. The big problem with DNS validation is API support for the DNS provider--and as a result, the GUI work needed to properly define the fields for all the supported DNS APIs.

If you haven't already considered these, I'd like to suggest two things that would make this much more valuable for the userbase:

1. iXSystems could host its own instance of acme-dns (https://github.com/joohoi/acme-dns). This would allow users with just about any DNS host to still use automated DNS validation--they'd only need to set up one, static CNAME record pointing to your validation domain, and between the client and your acme-dns instance, the rest would be taken care of. Benefit to the users is that, as long as they can set up that CNAME record, they can do this with just about any DNS provider. Benefit to you is that you might be able to get away with only supporting a single DNS API.

2. Since Let's Encrypt only provides certs for public domains, I'd suggest you provide domain names--I'm thinking this would work somewhat like what Synology does, that you'd give subdomains (perhaps user.freenasusers.com or something). To avoid rate limit, cross-site cookie, and other issues, you'd want to add that domain to the Public Suffix List. Combining with the first suggestion, you could create the CNAME record when the user registered for their subdomain.

The obvious downside to both of these is that they require you to host the respective services on an ongoing basis. But without (especially) the first, an awful lot of users won't be able to take advantage of this feature.

Unquote

Another user requested nsupdate integration as well.

We can think over these moving on; this ticket is to keep track of this feature request.
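As an added, offline example (not code from the ticket, iXsystems or the acme-dns project), the delegation model behind the first suggestion: the user adds one static CNAME at their real DNS provider, the NAS holds a per-subdomain acme-dns credential that can only write that one TXT record, and the validator follows the CNAME to read it. The zone `auth.acme-dns.example`, the hostname `nas.user.example` and all records are constructed placeholders, and the server class is a simplified stand-in for acme-dns's register/update endpoints.

```python
"""Offline model of acme-dns CNAME delegation for DNS-01 validation."""
import hashlib
import secrets
import uuid

ACME_DNS_ZONE = "auth.acme-dns.example"  # placeholder for a hosted acme-dns zone


class AcmeDns:
    """Simplified stand-in for an acme-dns server (/register and /update)."""

    def __init__(self):
        self.accounts = {}  # username -> (password sha256, subdomain)
        self.txt = {}       # fulldomain -> set of TXT values

    def register(self):
        # Each registration gets a random subdomain and its own credentials.
        username, password = str(uuid.uuid4()), secrets.token_hex(20)
        subdomain = str(uuid.uuid4())
        self.accounts[username] = (hashlib.sha256(password.encode()).hexdigest(), subdomain)
        return {"username": username, "password": password, "subdomain": subdomain,
                "fulldomain": f"{subdomain}.{ACME_DNS_ZONE}"}

    def update(self, username, password, subdomain, txt):
        # A credential may only write the TXT record of its own subdomain, so a
        # leaked NAS credential cannot touch other names or the user's real zone.
        pw_hash, owned = self.accounts.get(username, (None, None))
        if pw_hash != hashlib.sha256(password.encode()).hexdigest() or subdomain != owned:
            return False
        self.txt[f"{subdomain}.{ACME_DNS_ZONE}"] = {txt}
        return True


def resolve_txt(name, cnames, txt_records, max_hops=8):
    """Follow CNAMEs as a CA validator would, then read TXT at the final name."""
    for _ in range(max_hops):
        if name not in cnames:
            return txt_records.get(name, set())
        name = cnames[name]
    return set()  # CNAME loop or chain too long: treat as no record


def demo():
    server = AcmeDns()
    creds = server.register()
    # The single static record the user adds at their real DNS provider (constructed):
    cnames = {"_acme-challenge.nas.user.example": creds["fulldomain"]}
    ok = server.update(creds["username"], creds["password"], creds["subdomain"], "tokenvalue")
    bad = server.update(creds["username"], creds["password"], str(uuid.uuid4()), "x")
    found = resolve_txt("_acme-challenge.nas.user.example", cnames, server.txt)
    return ok, bad, "tokenvalue" in found
```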


Related issues

Related to FreeNAS - Feature #36403: Add Let's Encrypt Support for Certs (Ready for Testing)

History

#1 Updated by Waqar Ahmed over 1 year ago

  • Related to Feature #36403: Add Let's Encrypt Support for Certs added

#2 Updated by Kris Moore over 1 year ago

  • Status changed from Unscreened to Closed
