`certbot-dns-multi` - bringing lego's 100+ DNS providers to Certbot

OK, good to know. Although I'm not sure if Go would complain if a user tried to compile it with 1.18 due to the mention of 1.19 in go.mod.

Might be relevant for some Gentoo users still running Go 1.18, although 1.19 is stable too. Just that perhaps some users haven't updated yet.

3 Likes

And it's up in the overlay :slight_smile: (As soon as Gentoo has synced it to their repo cache.)

4 Likes

Having contributed to lexicon, I understand your concerns.

I think something valuable you could also do, is repackage acme-dns into a snap, and offer an integration where Certbot hooks are used to start/stop the acme-dns server. That might be too difficult due to the acme-dns configuration files, but having worked with many of the DNS providers I don't think the majority can be recommended because of the extreme risk to overall security if the server is compromised and credentials are leaked.

Edit: You could also consider packaging a fork of lego that strips out all the problematic DNS providers. For those that don't know about the security concerns, very few of the commercial DNS providers offer granular permissions... so if a server is compromised the API credentials can be used to take control of the whole domain. If the DNS provider is a registrar, the credentials can often be used to transfer ownership of the domain away.

3 Likes
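The post above suggests acme-dns as the way out of the credential problem: the server only ever holds a username/password that can write one TXT record inside the acme-dns zone, and the real domain just carries a CNAME from `_acme-challenge.example.com` to that record. As an added illustration (not code from this thread, from certbot-dns-multi, or from the acme-dns project), here is a minimal Certbot `--manual-auth-hook` in that spirit. It assumes acme-dns's documented HTTP API (`POST /update` with `X-Api-User` / `X-Api-Key` headers and a JSON body of `subdomain` and `txt`), the `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` variables Certbot exports to manual hooks, and an accounts file whose path and layout are this example's own convention:

```python
"""Certbot manual auth hook publishing the DNS-01 token through acme-dns.

Constructed example. Assumptions: acme-dns's POST /update API as documented,
Certbot's CERTBOT_DOMAIN / CERTBOT_VALIDATION hook environment, and an
accounts JSON file (path below is an assumption) shaped like
  {"example.com": {"server_url": "...", "username": "...",
                   "password": "...", "subdomain": "..."}}
"""
import json
import os
import sys
import urllib.request

# Assumed location; override with ACME_DNS_ACCOUNTS if you keep it elsewhere.
CREDS_PATH = os.environ.get("ACME_DNS_ACCOUNTS", "/etc/acme-dns/accounts.json")


def find_account(domain: str, accounts: dict) -> dict:
    """Return the acme-dns account for `domain`, falling back to the closest
    registered parent so www.example.com or *.example.com reuse the account
    registered for example.com (each needs its own CNAME, of course)."""
    labels = domain.removeprefix("*.").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in accounts:
            return accounts[candidate]
    raise KeyError(f"no acme-dns account registered for {domain}")


def build_update_request(account: dict, validation: str):
    """Build (url, headers, body) for acme-dns's POST /update.

    The pair sent here can only overwrite one TXT record inside the acme-dns
    zone: if it leaks from a compromised host, the attacker gets that record
    and nothing else, unlike a registrar API key that controls the whole zone.
    """
    if len(validation) != 43:
        # DNS-01 tokens are 43-char base64url SHA-256 digests; acme-dns
        # rejects other lengths, so fail early with a clearer message.
        raise ValueError("validation string must be 43 characters")
    url = account["server_url"].rstrip("/") + "/update"
    headers = {
        "X-Api-User": account["username"],
        "X-Api-Key": account["password"],
        "Content-Type": "application/json",
    }
    body = json.dumps({"subdomain": account["subdomain"], "txt": validation}).encode()
    return url, headers, body


def publish(domain: str, validation: str, accounts: dict) -> int:
    """POST the token to acme-dns and return the HTTP status (200 on success)."""
    url, headers, body = build_update_request(find_account(domain, accounts), validation)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    # Certbot invokes this with the domain and validation token in the
    # environment; a non-zero exit makes Certbot abort the challenge.
    with open(CREDS_PATH) as fh:
        accounts = json.load(fh)
    status = publish(os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"], accounts)
    sys.exit(0 if status == 200 else 1)
```

Wire it in with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.py -d example.com`; no cleanup hook is needed because the next run simply overwrites the same TXT record. The accounts file should be readable only by the user running Certbot, and it is worth verifying once that `_acme-challenge.example.com` really is a CNAME to the acme-dns record, since a missing delegation is the usual reason the challenge then fails.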

We used to use it. Lego was originally commissioned for use with Caddy and Let's Encrypt (well before ACME v2 existed, before RFC 8555). But things changed and lego cripples at scale, it turns out. So I wrote my own ACME client called acmez which solves all the problems we had with lego... except one, which is actually an oversight/bug in the ACME spec :frowning:

We don't use the DNS provider implementations either because the immense dependency tree in the singular Go module made builds highly tedious and unreliable without vendoring -- all the solutions were infeasible (vendoring, for the bloat and maintenance burden; even without, huge binaries where very little of the code was actually used -- not to mention the frequently-failed-builds due to any one dependency having a problem). Lego's DNS implementations are limited to just ACME challenges which wasn't enough for Caddy v2.

I do encourage all Go programs that need ACME to use CertMagic and/or ACMEz (depending on your specific requirements; most programs will want CertMagic) as they are very solid, production-hardened ACME clients and CertMagic is actually one of the oldest ACME clients in existence.

I'm glad you considered libdns. What was too difficult about it though? What could we do better?

2 Likes
