Can certbot handle multiple DNS providers simultaneously?


#1

We use multiple DNS providers for redundancy. If I pass in the options for each DNS service’s plugin will certbot upload the details to each provider? I couldn’t find any documentation that clarified this issue.


#2

No. 🙁 One Certbot invocation can use only one plugin.

If you have time and know Python, you could write a Frankenstein plugin that copies and pastes together the other two plugins.


#3

Hmm, that seems less than ideal. I’d rather just make the tool do what I want if that is possible.

Based on my quick overview of the repo I believe it should be possible to support this feature without changing the user facing API. However, doing so would likely require some changes to the configuration file. Specifically I would rename the “authenticator” field to “authenticators” and treat it as a list of strings instead of just a single string. We could then iterate over each authenticator, make a request and validate each one succeeded, thereby solving the problem.

It looks like we would need to change the codebase in several places to support this, and include a migration strategy for existing configuration files to go from authenticator => authenticators. I would likely need to get buy-in from the rest of the development team before actually going through and implementing it, as they have more intimate knowledge of the codebase. Is there anyone I could bounce these ideas off of to make sure that my plan is sane?


#4

Using multiple different DNS providers for the same zone is a pretty uncommon config. And updating clients to support that scenario would likely decrease usability for the common case. But orgs doing this usually have the development chops in house to frankenstein an existing plugin as @mnordhoff suggested.

If you’re using multiple different DNS providers for different zones such that a single cert with multiple names might need to hit a different provider for each name, there are definitely clients out there that already support this.


#5

In either case, it might be possible to use a CNAME for the _acme-challenge record to point to a zone that is only hosted by one provider. This would still be easiest to use with acme.sh’s DNS alias mode because Certbot doesn’t have a built-in feature like that yet.
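The approach sketched in #3 (write the challenge to every provider and check that each write succeeded) and the CNAME trick in #5 can both be prototyped today without touching Certbot's plugin model, using Certbot's existing `--manual-auth-hook` / `--manual-cleanup-hook` mechanism. The script below is an added illustration, not Certbot code and not any real provider SDK: Certbot genuinely exports `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook, but `InMemoryProvider`, `ProviderError`, `publish`, `challenge_name` and the `CHALLENGE_ALIAS_ZONE` variable are constructed for this example and would be replaced by real API clients.

```python
"""Hypothetical certbot --manual-auth-hook that publishes one ACME dns-01 TXT
record to several independent DNS providers and confirms each accepted it.

Added example, not certbot code and not a real provider SDK. certbot does
export CERTBOT_DOMAIN and CERTBOT_VALIDATION to manual hooks; everything else
here (provider classes, CHALLENGE_ALIAS_ZONE) is a constructed stand-in.
"""
import os
import sys
from typing import Dict, List, Optional, Set


class ProviderError(Exception):
    """Raised when a provider rejects or silently drops an update."""


class InMemoryProvider:
    """Constructed stand-in for one isolated provider's API client."""

    def __init__(self, name: str, fail: bool = False) -> None:
        self.name = name
        self.fail = fail          # simulate an API outage for the rollback path
        self.txt: Dict[str, Set[str]] = {}

    def add_txt(self, fqdn: str, value: str) -> None:
        if self.fail:
            raise ProviderError(f"{self.name}: API call failed")
        self.txt.setdefault(fqdn, set()).add(value)

    def delete_txt(self, fqdn: str, value: str) -> None:
        self.txt.get(fqdn, set()).discard(value)

    def get_txt(self, fqdn: str) -> Set[str]:
        return set(self.txt.get(fqdn, set()))


def challenge_name(domain: str, alias_zone: Optional[str] = None) -> str:
    """Name of the TXT record to write.

    With alias_zone set, this assumes the operator has created the CNAME
    _acme-challenge.<domain> -> _acme-challenge.<domain>.<alias_zone>
    (the single-provider validation zone from the thread), so the TXT is
    written in that zone instead of in every copy of the main zone.
    """
    base = f"_acme-challenge.{domain}"
    return f"{base}.{alias_zone}" if alias_zone else base


def publish(providers: List[InMemoryProvider], fqdn: str, value: str) -> List[str]:
    """Write the TXT to every provider and read it back from each.

    All-or-nothing: if any provider fails, records already written are
    removed so a half-published challenge is never left behind.
    Returns the names of the providers updated, in order.
    """
    done: List[InMemoryProvider] = []
    try:
        for p in providers:
            p.add_txt(fqdn, value)
            done.append(p)
            if value not in p.get_txt(fqdn):
                raise ProviderError(f"{p.name}: record not visible after write")
    except ProviderError:
        for p in done:
            p.delete_txt(fqdn, value)
        raise
    return [p.name for p in done]


def cleanup(providers: List[InMemoryProvider], fqdn: str, value: str) -> None:
    """What the matching --manual-cleanup-hook would do."""
    for p in providers:
        p.delete_txt(fqdn, value)


def main() -> int:
    domain = os.environ["CERTBOT_DOMAIN"]          # set by certbot
    value = os.environ["CERTBOT_VALIDATION"]       # set by certbot
    alias = os.environ.get("CHALLENGE_ALIAS_ZONE")  # hypothetical, not a certbot variable
    # Real deployments would build real API clients here, one per provider.
    providers = [InMemoryProvider("provider-a"), InMemoryProvider("provider-b")]
    try:
        publish(providers, challenge_name(domain, alias), value)
    except ProviderError as exc:
        print(exc, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired in with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook ./auth.py --manual-cleanup-hook ./cleanup.py -d example.com`, this gives the "update all of them or fail" behaviour from #3 while keeping one Certbot invocation and one authenticator. In a real hook, a read-back through the provider's own API is not enough: before returning, poll each provider's authoritative nameservers (for example with `dig @ns TXT _acme-challenge.example.com`) until every one of them serves the new value, since the CA may query any of them.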


#6

@rmbolger We use different DNS providers for the same zone. I understand that this is uncommon (this is why I asked in the first place), but it is useful if you run a service that requires high availability. I don't quite understand why you believe that updating the code to handle this case would decrease usability for the common user. (Perhaps you could enlighten me.) You should be able to keep the exact same external API while being able to support this feature. Opting in should just be a matter of passing in the additional flags at the command line for each DNS provider.

I would rather fix the problem for the general case for everyone instead of just coming up with a solution that solves my own problem. I’m fine with just solving it for myself, but I think my time could be better spent.


#7

If nothing else, it makes the documentation of how to use the client more complex. There’s more to read and digest for a new user. There are more switches to know about and get wrong. Even if you manage to make the changes in a backwards compatible way, it still increases the surface area of understanding. All I’m saying is that it wouldn’t be a zero cost change.

I’m not a part of the certbot dev team, but I wouldn’t be surprised if it was a conscious decision to not support multiple plugins to keep things simple for the most common use cases knowing full well that third party clients would fill in the gaps for more complex configs.


#8

Is each DNS provider isolated? [IMHO this is a nightmare to maintain properly synced - like SOA records]
Or are they just secondaries from a single master?

If they are all isolated, you don’t have much choice but to update all of them or CNAME to another simpler domain.

If they all act in unison, then you simply need to update the master and ensure the update/refresh and notifications happen at a reasonable interval.


#9

@rg305 Each DNS provider is isolated, but we manage the records using Terraform to keep everything in sync between providers. Otherwise it would indeed be a nightmare to maintain.


#10

Would it make sense for Certbot to have some sort of Terraform DNS plugin?


#11

Is there any single point of (synchronized) control/update?
Is there a master?