Configuring DNS01 Challenge Provider

I have set up end-to-end encryption for applications on Amazon EKS using cert-manager and Let's Encrypt.
Customers have 300+ domains and get and renew their certificates using [Certify The Web - ACME for Windows](https://certifytheweb.com/). We are planning to decommission Certify The Web - ACME for Windows on the Windows server.
How do I configure the DNS challenge for these 300+ domains on AWS Route53?

Sorry but I do not understand what you need to do.

Are you providing hosting services for these customers?

If cert-manager is working for you, why can't you use that?

Where are you using the certs managed by Certify The Web today?

3 Likes

I have set up end-to-end encryption for applications on Amazon EKS using cert-manager and Let's Encrypt, and I have purchased only one domain in AWS and tested with it.

Currently, customers have 300+ domains in GoDaddy, and Certify The Web - ACME for Windows is used for generating and renewing the certificates for those 300+ domains.

We are planning to replace Certify The Web - ACME for Windows and want to use end-to-end encryption for applications on Amazon EKS using cert-manager and Let's Encrypt.

How do I configure the 300+ domains to generate and renew their certificates using Route53 with EKS?

If I can make heads or tails of all those words...
It sounds like you want to know how to use cert-manager to obtain/maintain certs for 300+ domains [in an unknown number of certs] - replacing the existing certs and Windows systems.

If that sounds about right, you can just uninstall CertifyTheWeb in all the Windows servers and install cert-manager in whichever Amazon systems will be handling the encryption.

2 Likes

My recommendation for managing large numbers of certificates would be to use Certify The Web. Lol.

Actually in all seriousness we have a version of Certify The Web in the works internally (currently called Certify Server) which is linux or windows, web UI, RBAC etc, container deployment, designed more for centralised management of large number of cert renewals and deployments to things like secrets stores. I doubt if it will be available in time for your implementation however as we're still months away.

Perhaps you could look at smallstep certificate manager or something like that? I'm not too familiar with other products in detail.

Really your challenge configuration should stay pretty much the same if you are already using DNS challenges, but if you are migrating from HTTP validation to DNS validation you will need to either get DNS credentials from each customer (unlikely) or consider using something like acme-dns (self-hosted CNAME delegation of DNS challenges) or, dare I say, Certify DNS (a cloud-hosted managed implementation compatible with acme-dns). For those solutions you would need to individually register each domain with the respective service and set up a CNAME on each domain for future challenge responses.

On some clients (like Certify) you can configure DNS challenges to use a surrogate/delegated DNS zone for ACME challenges, e.g. customer01.auth.yourdomain.com, and follow a CNAME from _acme-challenge to your auth domain (for each domain or subdomain you need to validate), then configure DNS validation normally with the DNS update credentials for your surrogate domain.

3 Likes

Yes, you are right. We are going to replace the Certify The Web client Windows software and use EKS with cert-manager and Let's Encrypt.

My question is: do I need to create a CNAME or TXT record on GoDaddy (my 300+ domains are in GoDaddy)? Please clarify this.

I have configured the dns01 challenge on EKS. Do I need to create a CNAME on GoDaddy (the 300+ domains are hosted in GoDaddy)? Please confirm.

I would think that cert-manager would handle this for you.
But you should check with them; I've never even used cert-manager.

What do you mean exactly by?:"

3 Likes

You are right, but the domains are in GoDaddy, not in AWS.
My question is: what record do we configure in GoDaddy?

CNAME the TXT record type for _acme-challenge
to the entry that contains the expected response

4 Likes

So, I need to enter info like the below in GoDaddy:

Type - CNAME
Name - domain name (whichever domain requires a TLS certificate)
Value - _acme-challenge

More or less [hard to see what your screen looks like from that minimal info].

Yes, the entry is a CNAME of type TXT.
Yes, you will need one such entry in each domain [zone].
But the most important part is the entry itself
[where the CNAME will point to].
That has to be somewhere specific within your DNS zone that is managed by EKS.

3 Likes
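As an added example (not from any poster in this thread), this is how the CNAME delegation discussed above maps onto cert-manager on EKS. It assumes a delegated zone auth.yourdomain.com hosted in Route53; the customer names, hosted zone ID, region and e-mail are placeholders.

```yaml
# Assumed delegated zone hosted in Route53: auth.yourdomain.com (hosted zone ID is a placeholder).
# One-time record per customer name, entered at GoDaddy (constructed example):
#   _acme-challenge.customer01.com      CNAME  _acme-challenge.customer01.com.auth.yourdomain.com
#   _acme-challenge.www.customer01.com  CNAME  _acme-challenge.www.customer01.com.auth.yourdomain.com
# cert-manager follows the CNAME and writes the TXT challenge into the Route53 zone,
# so no GoDaddy credentials are needed for issuance or renewal.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@yourdomain.com                 # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-account-key
    solvers:
    - dns01:
        cnameStrategy: Follow                 # required: _acme-challenge at GoDaddy is a CNAME, not a TXT
        route53:
          region: us-east-1                   # assumed
          hostedZoneID: ZONEID_PLACEHOLDER    # hosted zone ID of auth.yourdomain.com
          # Credentials come from the cert-manager pod's IAM role (IRSA); that role only
          # needs route53:ChangeResourceRecordSets on this one zone plus route53:GetChange.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: customer01-tls
  namespace: default
spec:
  secretName: customer01-tls
  issuerRef:
    name: letsencrypt-cluster-issuer
    kind: ClusterIssuer
  dnsNames:
  - customer01.com
  - www.customer01.com
```

Every name listed under dnsNames needs its own _acme-challenge CNAME at GoDaddy, and the delegated zone is the only place cert-manager ever writes, which is the least-privilege property that makes this workable across 300+ customer domains.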

Have you done any testing with cert-manager and EKS?

3 Likes

Yes.
osboxes@osboxes:~$ kubectl get clusterissuer
NAME READY AGE
letsencrypt-cluster-issuer True 5d20h

kubectl get pods -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-6c 1/1 Running 0 5d20h
cert-manager-cainjector-f 1/1 Running 0 5d20h
cert-manager-webhook- 1/1 Running 0 5d20h

osboxes@osboxes:~$ kubectl get certificate
NAME READY SECRET AGE
example-app False example-app-tls 5d20h

Ideas at
https://si.okiefrog.org/

2 Likes

@gopikrishna72 I think it's best to step back and consider what you are trying to achieve. If you don't know how to do this for a couple of domains then you're not in a position to design a solution that covers 300+ domains just yet.

You are asking about AWS, EKS, cert-manager, Route53, and GoDaddy, but it's not really clear if you understand how certificate domain validation works in ACME. We are talking about CNAMEs etc., but it's possible that's all wrong, as we don't really understand how your system is put together or what the detailed requirements are.

If your domains are with GoDaddy then typically Route53 is not involved in the DNS validation, unless by some quirk of DNS architecture it actually is.

If you use a GoDaddy-based DNS validation provider directly then all that happens is that for each domain a TXT record is added/updated with a required value, which the CA then checks is correct; then that domain is considered validated and the certificate order can proceed.

Keep in mind that cert-manager could be used with HTTP validation instead of DNS validation (depending on your architecture); that's generally simpler than DNS validation.

4 Likes

I have followed the below AWS document and done the configuration on AWS.

Now I am configuring the domain to get the certificate from Let's Encrypt. But currently, 300+ domains are hosted in GoDaddy and use the Certify The Web Windows software to get certificates. We are planning to replace the Certify The Web Windows software and use the AWS solution.

Ok, what kind of web application will the 300 customer domains point to? I presume it's not one that needs Windows and IIS? [What is the motivation for changing the architecture and why not use a couple of load balanced windows servers?]

Do all the domains point to the same application instance or is there a web application per domain?

Do you intend to keep all the customer domain DNS hosted at GoDaddy, or move their nameservers to AWS Route 53?

The guide you are using points the customers' domains to the Network Load Balancer using Route 53, but presumably this can be done with a CNAME from GoDaddy to the same thing, unless the entry is dynamic in Route53.

Are you sure you need to use DNS validation and cannot use http validation in this solution?

2 Likes
