I have written a small plugin for the acme.sh dnsapi that works with my DNS setup.
I run acme.sh in a FreeBSD jail (acme-client). It writes files that are picked up by another jail (acme-dns) that runs nsd. This jail is NOT one of my main authoritative name servers. It only runs _acme.mydomain.tld containing records like:
_acme-challenge.test IN TXT XXXXXXXXXXXXXXX
These records are pointed to from my main name servers with records like:
_acme-challenge.test NS acme-dns.mydomain.tld.
(CNAME seems to work too, I will probably switch to that)
All this gets me the following benefits:
a) Everything runs restricted by jails that only run for about 10 seconds when issuing or renewing certificates.
b) No need for the service to be publicly accessible. (no issues with firewalls, no need for public IPs)
c) No need for the service to be some kind of web-server (think smtp, imap, irc, xmpp, etc.)
d) The service does not need a public "A" record.
e) No risk of me or the script messing up any live/production configuration.
f) The only thing that needs to accept inbound connections is the "acme-dns" jail on port 53 for about 10 seconds when it is running.
There are still some things I need to find a good solution for, like easier distribution of certs, keys, etc.
I also want to generate the private keys elsewhere and only give the CSRs to the acme-client jail. (If this is possible with ACME. I think it is.)
This setup is not yet complete and I am still experimenting, but it seems to work well.
Maybe when it is a bit more complete. Currently too much is hardcoded for it to be useful outside my setup. But if you look at one of the existing dnsapi plugins you will notice that only two functions need to be implemented. The rest is described above.
BTW: Remember to use letsencrypt-staging for testing.
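As an added example (not the poster's plugin, and not part of this thread), this is the shape of such a two-function dnsapi plugin in POSIX sh: dns_nsdjail_add appends the challenge TXT record to a zone file for the _acme.mydomain.tld zone and dns_nsdjail_rm removes it, bumping the SOA serial each time so nsd treats the file as a new zone version. The plugin name, the ACME_PARENT/ACME_ZONE/ACME_ZONEFILE variables and the zone-file path are assumptions, and the step where the acme-dns jail reloads nsd is left out.

```shell
# Hypothetical acme.sh-style dnsapi plugin (added example, not the poster's code).
# acme.sh calls dns_<name>_add and dns_<name>_rm with the full challenge name
# and the TXT value; here they edit a zone file for the delegated _acme zone.
ACME_PARENT="${ACME_PARENT:-mydomain.tld}"                # assumed parent domain
ACME_ZONE="${ACME_ZONE:-_acme.${ACME_PARENT}}"            # zone the acme-dns jail serves
ACME_ZONEFILE="${ACME_ZONEFILE:-/tmp/${ACME_ZONE}.zone}"  # assumed path

# Create a minimal zone (SOA serial 1) the first time we are called.
_nsdjail_init_zone() {
  [ -f "$ACME_ZONEFILE" ] && return 0
  cat > "$ACME_ZONEFILE" <<EOF
\$ORIGIN ${ACME_ZONE}.
\$TTL 60
@ IN SOA acme-dns.${ACME_PARENT}. hostmaster.${ACME_PARENT}. 1 3600 900 604800 60
@ IN NS acme-dns.${ACME_PARENT}.
EOF
}

# Increment the SOA serial (6th field of the SOA line) so nsd sees a new zone.
_nsdjail_bump_serial() {
  awk '$3 == "SOA" { $6 = $6 + 1 } { print }' "$ACME_ZONEFILE" > "$ACME_ZONEFILE.tmp" \
    && mv "$ACME_ZONEFILE.tmp" "$ACME_ZONEFILE"
}

_nsdjail_serial() { awk '$3 == "SOA" { print $6 }' "$ACME_ZONEFILE"; }

# _acme-challenge.test.mydomain.tld -> _acme-challenge.test, the owner name
# that the main name server's NS/CNAME record points at inside the _acme zone.
_nsdjail_owner() { printf '%s\n' "${1%.$ACME_PARENT}"; }

dns_nsdjail_add() {
  fulldomain="$1"; txtvalue="$2"
  # A DNS-01 value is base64url; refuse anything else so a stray quote or
  # newline cannot smuggle extra records into the zone file.
  case "$txtvalue" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
  _nsdjail_init_zone || return 1
  printf '%s IN TXT "%s"\n' "$(_nsdjail_owner "$fulldomain")" "$txtvalue" \
    >> "$ACME_ZONEFILE" || return 1
  _nsdjail_bump_serial
}

dns_nsdjail_rm() {
  fulldomain="$1"; txtvalue="$2"
  [ -f "$ACME_ZONEFILE" ] || return 0
  grep -v -F -x "$(_nsdjail_owner "$fulldomain") IN TXT \"$txtvalue\"" \
    "$ACME_ZONEFILE" > "$ACME_ZONEFILE.tmp" && mv "$ACME_ZONEFILE.tmp" "$ACME_ZONEFILE" \
    && _nsdjail_bump_serial
}
```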
It's the separate nameserver and subdomain that I can't quite get my head around - are you saying you can reply to a challenge for x.y.z.org from a nameserver at a.b.c.org?