I can't understand acme-dns

I have spent half a day reading and trying this and I still can't understand how to set it up.

I read

https://www.eff.org/de/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
and

And still don't know what to do...

My setup is the following: I have a domain that has a subdomain pointing to *.live.example.com where * is replaced by project names for deployment. Projects get deployed there for live testing before they get accessible via the normal domains. To test it in full environment, I of course need HTTPS and thus want to use a wildcard LE cert for *.live.example.com

Do I need live.auth.example.com or auth.example.com?

I wanted to run acme-dns on a vserver and not on the deployment server. Is this possible? What does this change in the setup other than pointing auth.example.com to the vserver instead of the deployment server?

What is my CNAME supposed to be? I already have a CNAME for *.live pointing to live that I need for projectname.live.example.com to work (I don't know why but I can't resolve something.live.example.com without this CNAME).

GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. says I'm supposed to register on https://auth.acme-dns.io/register but Help me understand acme-dns - #2 by sahsanu says I need to register on auth.example.com/register ... what? why? This is confusing... why am I registering to my own domain?

GitHub says my zone entry is supposed to look like _acme-challenge.domainiwantcertfor.tld. CNAME a097455b-52cc-4569-90c8-7a4b97c6eba8.auth.example.org
domainiwantcertfor.tld. is what? example.com or live.example.com? And is that pointing to a097....auth.example.com or a097...live.auth.example.com?

My zonefile says "IN CNAME". I thought IN means "Internet"; why is that missing in the readme on GitHub?

Additionally I don't understand what a client is? I thought I just run a bash script, curl an API-request to it containing the challenge and fire up certbot to renew certificate?

Is there somewhere a clean, understandable, step-by-step walkthrough on how to set this up for someone who's not an expert in that whole DNS thing?

Thanks

1 Like

@joohoi, would you be willing to address some of these questions?

3 Likes

Whichever you like, it doesn't matter, but I'd go for the simpler one: auth.example.com.

_acme-challenge.live.example.com should be set as a CNAME to whatever hostname acme-dns gives you--something like a097455b-52cc-4569-90c8-7a4b97c6eba8.auth.example.org.

You (or, preferably, your client hook script) need to register with your acme-dns installation. When you do that, you'll get the credentials needed to make the DNS updates, as well as the hostname you'd use as the CNAME (in your question above).

ACME always needs a client. With acme-dns, that client needs to make the proper API calls to acme-dns, using the proper credentials, to both create and destroy the TXT records used to validate domain control. In its simplest form, your client can act like acme.sh, which requires you to manually register with your acme-dns instance, set its credentials as environment variables, and then run acme-dns--it will then save those credentials for future use. In a more sophisticated form, the client could behave like @joohoi's hook script for certbot, which handles the registration and maintains the credentials for you.

Using acme.sh, the workflow would go like this. Create the registration by running curl -s -X POST http://auth.example.com/register | python -m json.tool. You'll get output looking like this:

{
    "allowfrom": [],
    "fulldomain": "44255c4e-d669-41f3-a141-672a8bd859e6.auth.example.com",
    "password": "x_Trpa04HpgQ4_ZOY7LCF6z23kf6o8i-VV_4qQk4",
    "subdomain": "44255c4e-d669-41f3-a141-672a8bd859e6",
    "username": "cc2d8066-2583-4e2c-a68f-ca45810c4f31"
}

Create your CNAME record: _acme-challenge.live.example.com CNAME 44255c4e-d669-41f3-a141-672a8bd859e6.auth.example.com.

Set the acme.sh environment variables as required (see the acme.sh docs for more information)--this example uses the credentials above, but you should of course alter to match your situation:

export ACMEDNS_UPDATE_URL="https://auth.example.com/update"
export ACMEDNS_USERNAME="cc2d8066-2583-4e2c-a68f-ca45810c4f31"
export ACMEDNS_PASSWORD="x_Trpa04HpgQ4_ZOY7LCF6z23kf6o8i-VV_4qQk4"
export ACMEDNS_SUBDOMAIN="44255c4e-d669-41f3-a141-672a8bd859e6"

Then issue the cert:

acme.sh --issue --dns dns_acmedns -d \*.live.example.com 

With the certbot hook script, most of those steps are automated. First, you'd install that script according to the instructions on its github page. Then, you'd simply call certbot with a command like:

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py \
   --preferred-challenges dns --debug-challenges -d \*.live.example.com

If you haven't previously used that hook script to get a cert for live.example.com or *.live.example.com, the script will prompt you to create the CNAME record:

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.live.example.com CNAME 32f5274d-51e3-466d-bf38-eb9980e7bcf3.auth.example.com.

Waiting for verification...

-------------------------------------------------------------------------------
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
-------------------------------------------------------------------------------
Press Enter to Continue

Create that CNAME record, wait a few minutes, and press Enter. Your cert will be issued, and the script will remember the credentials for renewal.

7 Likes
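As an added, self-contained example (not code from the thread, from acme.sh or from the acme-dns project), here is the workflow from the answer above in Python: parse the /register response, derive the one-time CNAME record for a wildcard name, and build the authenticated /update call a hook sends on every issuance and renewal. The /register and /update paths and the X-Api-User / X-Api-Key headers are acme-dns's documented API; the base URL https://auth.example.com and the credential values are constructed sample data.

```python
import json
import urllib.request

# Registration response as acme-dns returns it from /register (constructed
# sample with the same shape and values as the one shown in the answer above).
SAMPLE_REGISTRATION = """{
    "allowfrom": [],
    "fulldomain": "44255c4e-d669-41f3-a141-672a8bd859e6.auth.example.com",
    "password": "x_Trpa04HpgQ4_ZOY7LCF6z23kf6o8i-VV_4qQk4",
    "subdomain": "44255c4e-d669-41f3-a141-672a8bd859e6",
    "username": "cc2d8066-2583-4e2c-a68f-ca45810c4f31"
}"""


def parse_registration(text):
    """Keep only the fields the hook needs; the password is the API key."""
    reg = json.loads(text)
    return {k: reg[k] for k in ("fulldomain", "subdomain", "username", "password")}


def challenge_host(domain):
    """Name the CA queries. A wildcard and its base name share one
    _acme-challenge name, so *.live.example.com and live.example.com
    both validate through _acme-challenge.live.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}"


def cname_record(domain, reg):
    """Zone-file line to add once, delegating the challenge name to acme-dns."""
    return f"{challenge_host(domain)}. IN CNAME {reg['fulldomain']}."


def update_request(base_url, reg, txt):
    """Build the /update call made on every issuance and renewal. acme-dns
    only accepts a 43-character base64url value (the ACME key authorization
    digest) and authenticates with the X-Api-User / X-Api-Key headers."""
    if len(txt) != 43:
        raise ValueError("acme-dns rejects TXT values that are not 43 chars")
    headers = {"X-Api-User": reg["username"], "X-Api-Key": reg["password"],
               "Content-Type": "application/json"}
    body = json.dumps({"subdomain": reg["subdomain"], "txt": txt})
    return base_url.rstrip("/") + "/update", headers, body


def send_update(base_url, reg, txt):
    """POST the update over HTTPS (network call; not used by offline checks)."""
    url, headers, body = update_request(base_url, reg, txt)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Store the parsed registration with the same care as a private key: whoever holds the username and password can publish arbitrary TXT values under that acme-dns subdomain and therefore pass DNS-01 validation for every name whose _acme-challenge CNAME points at it.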

Check out:

It explains what a "client" is (software tool) and lists many choices/recommendations. :wink:

8 Likes

Thanks I will try the suggestions as soon as possible and report how it went.

2 Likes
