Renewing wildcard cert while running DNS server

Hi,

I have a server in DigitalOcean which is running the Burp Collaborator service. The main function this service provides is that it responds to and logs DNS requests made to a wildcard domain.

In my case, the domain is like mycollabserver.com and Collaborator responds to any DNS, HTTP, or HTTPS request made to *.burp.mycollabserver.com. I would like to generate a wildcard certificate so I can make requests to https://*.burp.mycollabserver.com. I understand that the only challenge available to me is DNS-01. This is proving difficult because the root domain has an NS record which points to the server so it can log DNS requests.

The 2 options I see for cert renewal are:

  1. Create a script which runs before validation to:
    • Programmatically delete the NS record
    • Wait for the change to propagate
    • Do the DNS challenge
    • Add back the NS record
  2. Run a DNS server "in front" of Collaborator which does conditional forwarding. Any request for _acme-challenge* gets forwarded to ns1.digitalocean.com. All other requests are forwarded to Collaborator
    • I have not been able to track down an example of how to do conditional forwarding based on the query (and not the domain) in any DNS server like bind or dnsmasq.

Are there other options for me? Will one of these work better than the other?
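Option 2 above, conditional forwarding keyed on the query name rather than the zone, as an added example that is not from this thread: a minimal UDP front-end that sits on port 53, hands `_acme-challenge.*` lookups to the DigitalOcean name server and everything else to Collaborator. The upstream IP, the port Collaborator is moved to, and the listen address are assumptions.

```python
# Added example, not from the thread. Routes DNS queries by the leftmost
# label of the question name: ACME validation names go to DigitalOcean's
# authoritative server, all other names under the zone go to Collaborator.
import socket

ACME_UPSTREAM = ("203.0.113.10", 53)    # assumed: address of ns1.digitalocean.com
COLLAB_UPSTREAM = ("127.0.0.1", 5353)   # assumed: Collaborator re-bound off port 53
LISTEN = ("0.0.0.0", 53)                # assumed: this front-end owns port 53


def parse_qname(msg: bytes) -> str:
    """Return the first question name (lower-cased, trailing dot) from a
    DNS wire-format query; raise ValueError on malformed input."""
    labels, pos = [], 12                # 12-byte header precedes the question
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question section")
        length = msg[pos]
        if length & 0xC0:               # a query QNAME never uses compression
            raise ValueError("unexpected compression pointer")
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels) + "."


def select_upstream(qname: str):
    """Only the validation record is diverted; Collaborator keeps everything else."""
    if qname.startswith("_acme-challenge."):
        return ACME_UPSTREAM
    return COLLAB_UPSTREAM


def forward(query: bytes, upstream, timeout: float = 2.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recv(4096)


def serve():
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(LISTEN)
        while True:
            query, client = srv.recvfrom(4096)
            try:
                srv.sendto(forward(query, select_upstream(parse_qname(query))), client)
            except (ValueError, socket.timeout, UnicodeDecodeError):
                continue                # drop malformed queries and upstream timeouts


if __name__ == "__main__":
    serve()
```

This handles UDP only; a validator that retries over TCP (or asks for a truncated answer) would need the same routing on a TCP listener.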

  1. Create a CNAME record for _acme-challenge.burp.mycollabserver.com pointing to another domain whose DNS you can programmatically control. The canonical example of this is acme-dns:
    GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
5 Likes

I don't own any other domains

That isn't a difficult or expensive problem to solve.

5 Likes

Would it work to make a CNAME record of _acme-challenge.burp.mycollabserver.com pointing to challenges.mycollabserver.com ?

Then CNAME that ("_acme-challenge.burp.mycollabserver.com") name to any name that points to an IP you control and can provide the expected DNS challenge request, via TXT record, from it.

4 Likes

See this for ideas ...

https://si.okiefrog.org/

4 Likes
