Getting a certificate on macOS using DNS-01 challenge?

Hi all,

I have been searching around these forums and am not finding much specific to my needs.

I have a macOS server that I need to get a certificate for. It is running 4D web server.

The server is behind a router/NAT, but ports 80 and 443 are forwarded to it.

The router itself is DHCP with our ISP, so we are using a No-IP dynamic DNS hostname. However, we have a subdomain from our webhost (DreamHost, which manages DNS) pointing to our office router with a CNAME record.

So, to summarize:
www.myDomain.com goes to our DreamHost website.
office.myDomain.com goes to myDomain.No-IP.org.
myDomain.No-IP.org goes to our office router IP.

Given the DNS setup, I have gathered that the http-01 challenge will not work, but dns-01 challenge will.

Here’s what I’m trying to understand –

Given that I am on macOS, can I follow ANY tutorials or instructions for doing dns-01 challenge on macOS? Or, are specific steps for this process specific to the web server software the macOS system is running? I am NOT using the built-in webserver, so those won’t apply. All 4D does is look for key.pem and cert.pem files in the directory of the database files (which may or may not be the webroot).

I definitely have the ability to add DNS records to DreamHost DNS, and I believe they have an API. I have also considered adding an A record pointing a new subdomain to the office router and skipping No-IP, but we’re not prepared to pay $20/month for a static IP, but Comcast IPs don’t often change.

FWIW, this system isn’t going to be public front-end, just used to lookup some XHR data from our website. Because our website already has a certificate, all XHR lookups are required to also be secure.

If anyone can direct me to specific resources, I would be very grateful.

Why's that? If a normal user can retrieve a text file from your office server, I'm pretty sure the Let's Encrypt validation server can too. You said yourself, port 80 and 443 are forwarded to the server. CNAME records aren't a problem for Let's Encrypt, it will be followed without a hitch.

The only thing is: you can't get a wildcard certificate with the http-01 challenge. But if you don't need a wildcard certificate, then just use the http-01 challenge.

Edit: Of course the IP address of your office server (or in this case: the router on which you forwarded port 80 and 443) needs to be a public one. If your office server has an address from a private IP scope (like 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) it won't work indeed.


acme.sh works on macOS, and can use the DreamHost API directly: dnsapi · acmesh-official/acme.sh Wiki · GitHub

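As an added illustration (not from this thread, and not acme.sh's own code) of what a dns-01 client such as acme.sh has to publish through a DNS API like DreamHost's: the TXT record name and value are derived from the CA's challenge token and the ACME account key as RFC 8555 specifies. The account key and token below are sample values, not real ACME data.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_canonical(jwk: dict) -> str:
    """RFC 7638 canonical form: only the key type's required members, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """Thumbprint of the ACME account key (RFC 7638): base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(jwk_canonical(jwk).encode("utf-8")).digest())


def dns01_record_name(domain: str) -> str:
    """The TXT record the CA queries for a dns-01 challenge on this name (RFC 8555 section 8.4)."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint)); the token is issued by the CA per challenge."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# Sample inputs for illustration only: a made-up P-256 account key and challenge token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name = dns01_record_name("office.myDomain.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    # This is the record a DNS-API hook must publish before the client asks the CA to validate.
    print(f'{name}. IN TXT "{value}"')
```

The record only has to exist in DNS for the validation, so nothing on the 4D server or the forwarded ports is involved in a dns-01 challenge; the client deletes the TXT record once the CA has checked it.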

That’s great! I’ll check it out.
