Registrar recommendation for Certbot

I set up AdGuard Home on a Raspberry Pi running Raspberry OS; the web interface is not publicly accessible.
Now I want to set up automated certificate management with Certbot, but it seems the registrar I have my domain registered with doesn't give API access, at least not with the product I have.

So I want to move my domain to a different registrar. Are there any recommendations for a registrar that works well with Certbot?

You don’t have to transfer the domain registration. You can just change the nameservers, which is free and easy.

Cloudflare's DNS hosting is a good choice in my opinion: free, fast propagation, and supported by practically every ACME client, like Certbot.

2 Likes

I don't follow...
So I change the NS records to Cloudflare's DNS, 1.1.1.1(?), and then what? How do I get API access to change the DNS records?

I've read up a bit on nameservers and got an idea: I have a Windows domain with 3 domain controllers, which are also DNS servers, and my Internet modem has a public URL (due to dynamic IP).
Can I point the NS record to my modem and then forward that to my domain controllers?
Then it would all be internal and I can mess with it as I want.

1 Like

You should look into securing DNS before opening Windows DNS servers to the Internet.
But technically... YES, you can.
[provided the modem IP doesn't change on reboot]

1 Like

No, you don't change the NS records to Cloudflare's public DNS. You set up a (free) account with Cloudflare. You tell Cloudflare to add a domain, and enter your domain name. You then follow their instructions, including the names to put in the NS records.

Edit: For more, see:

2 Likes

There is a list of DNS providers that work "easily" with DNS validation in this thread:

2 Likes

I did this and got it set up on Cloudflare. I also enabled HTTPS in the config, and a 3-month auto-renewing certificate from Let's Encrypt was generated implicitly. noice
Can I set up a way to pull the cert and key down to my Pi, or should I set up Certbot to request new certs?

Yeah, the security was a concern, but this idea got axed because I needed to provide 2 nameserver records and my router has only one address.

I doubt your Pi has the same IP, so having it might not be so useful.
[OR I could be wrong on that]

Either way, certs are FREE; so if the Pi has inbound HTTP access then all it needs is an FQDN that can globally resolve to it, and then it can pass HTTP validation and get its own cert.

There is a hack for that [which I don't recommend; as it reduces the resiliency of your DNS system]
dns1.your.domain = IP1
dns2.your.domain = IP1
[use the same IP for both names - and give them the two names they request]

Yeah, I stumbled into that list myself, and it is the general solution I'd recommend, with a preference for Cloudflare as they are a solid service provider and the features on the free plan are quite good.

The web interface on the Pi isn't publicly accessible; I'd need to set up Certbot to do a DNS challenge, hence the need for a registrar with API access. My Windows domain and public domain happen to match, so with a wildcard cert for the public domain I'm in business, and that's exactly what Cloudflare generated. I just need to see if I can export them down to my Pi via API so as to avoid duplicate cert requests on the domain.
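The DNS-01 setup this post is after, written out as an added example that is not from the thread: Certbot's dns-cloudflare plugin issuing an apex plus wildcard cert on the Pi. Assumed: certbot and the plugin are installed (Debian: certbot and python3-certbot-dns-cloudflare), an API token scoped to Zone:DNS:Edit for this one zone only (never the Global API Key), and AdGuard Home running as the `AdGuardHome` systemd unit; the token below is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: certbot + dns-cloudflare plugin
# installed; a Cloudflare API token scoped to Zone:DNS:Edit on this zone only;
# AdGuard Home runs as the systemd unit "AdGuardHome".
set -eu

# Write the plugin's credentials file with mode 0600. certbot refuses a credentials
# file that is group- or world-readable, so create it under a restrictive umask
# (in a subshell so the umask does not leak into the rest of the script).
write_cf_credentials() {
    creds="$1"; token="$2"
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$creds" )
    mode=$(stat -c %a "$creds" 2>/dev/null || stat -f %Lp "$creds")
    [ "$mode" = "600" ]
}

# Build the certbot invocation for DOMAIN and *.DOMAIN. It is printed rather than
# executed so it can be reviewed before anything talks to Let's Encrypt.
# --dns-cloudflare-propagation-seconds gives the TXT record time to be served;
# --deploy-hook runs only when a certificate was actually issued or renewed.
certbot_dns01_cmd() {
    domain="$1"; creds="$2"
    printf '%s' "certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials $creds \
--dns-cloudflare-propagation-seconds 30 \
-d $domain -d '*.$domain' \
--deploy-hook 'systemctl restart AdGuardHome'"
}

# Demo with a constructed placeholder token; replace with the real scoped token
# and run the printed command once, then `certbot renew` handles the rest via its timer.
CREDS="${TMPDIR:-/tmp}/cloudflare.ini"
write_cf_credentials "$CREDS" "PLACEHOLDER_zone_dns_edit_token"
certbot_dns01_cmd example.com "$CREDS"; echo
```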

If all public traffic is going through Cloudflare, and you just want to encrypt the traffic from Cloudflare to your back-end system, you might just want to use a Cloudflare Origin certificate. It's issued by Cloudflare's private CA instead of a publicly-trusted CA like Let's Encrypt, and is only trusted by Cloudflare to secure its own connections.

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

You can use Let's Encrypt for the connection, it's just not always the easiest approach.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.