[BlueOnyx:27209] Re: Subdomain delegation
Michael Stauber
mstauber at blueonyx.it
Thu Aug 22 12:30:22 -05 2024
Hi Colin,
> Following my earlier email regarding adding an NS record shown here as an example on Cloudflare
>
> https://smarthelpguides.com/how-to-auto-renew-and-issue-plesk-lets-encrypt-ssl-certificate-with-cloudflare-dns/
>
> Would adding _acme-challenge as a subdomain delegation in BX achieve this?
Generally speaking: What you're trying to do there won't work as it's
only one half of the issue.
Let's Encrypt (or the ACME protocol in general) has various methods to
check if the entity who requests the SSL certificate is authorized to do so.
We use the simplest form, one that'll work no matter what: providing
a web-accessible /.well-known/.acme/ directory into which the ACME
client writes a file with a signature. LE then accesses the file over
the web to see if it can access it and to make sure that it contains the
expected signature. If it does and everything matches? Then it knows you
own the domain you're trying to request a certificate for.
There are other forms of checks possible and one of them is DNS based.
In that case during the cert request the ACME client interfaces with
your DNS server and it creates a temporary TXT record for the domain(s)
in question WITH the signature as a payload.
LE then checks if the TXT DNS record exists and that it has the expected
signature.
Naturally: There are many different DNS server types around. Different
versions of Bind, PDNS, and some large hosters or clouds even have APIs
which allow DNS changes to whatever they use in-house. The ACME.sh LE
client in BlueOnyx has some modules to deal with many of those. See the
directory /usr/sausalito/acme/dnsapi/ on your BlueOnyx for these.
On some of my non-BlueOnyx servers I am using a slightly modified
ACME.sh for DNS based LE verification via my PDNS servers and that
generally works quite well.
However: It also means that the verification module in ACME.sh must be
configured to be able to modify entries in your primary DNS server. For
Bind the DNS server must be local, for API manageable DNS servers proper
access credentials must be entered into the config section of those
modules. For my PDNS I have to enter the MySQL login details of the
server where PDNS runs.
So if you are running the DNS for your client on your own DNS servers
and he wants to use DNS-based authentication for Let's Encrypt? Then you
need to give him the ability to modify the DNS records of his domain so
that the ACME client can create or modify the DNS TXT record. And that's
something you shouldn't do. Because with the Bind DNS server you're
giving him the master keys to your whole kingdom.
My suggestion: Ask the client to use web-based authentication via the
/.well-known/.acme/ directory instead and save yourself a lot of headache.
--
With best regards
Michael Stauber