DNS/Domain Validation for LetsEncrypt/ACME client?
JohnEDee
-


Joined: 30 Jan 2019
Posts: 16

Posted: Wed Mar 13, 2019 12:28 am    Post subject: DNS/Domain Validation for LetsEncrypt/ACME client?

I'm trying my first LetsEncrypt implementation and got everything configured, but the Abyss ACME client seems to be going straight to the option of provisioning an HTTP resource, rather than giving the choice of a DNS record. I guess that's likely because Abyss assumes it's serving the web pages, so might as well just use only the HTTP option, but in my case I'm just using Abyss to do redirecting to the actual page, and I'd rather do the DNS method (in this case I have control of the DNS but a separate consultant is the web developer).

Is there any way currently to tell Abyss to use DNS rather than HTTP provisioning?

If not, I'd like to request that be added at some point (and I can transfer this request to the Suggestions forum).

Thanks!
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1052

Posted: Thu Mar 21, 2019 4:26 pm    Post subject: Re: DNS/Domain Validation for LetsEncrypt/ACME client?

JohnEDee wrote:
Is there any way currently to tell Abyss to use DNS rather than HTTP provisioning?


This is possible and even required when requesting certificates for wildcard host names (*.example.com).

To do so, open the console, select "Configure" associated with the host you'd like to change the way certificates are issued for. Select "General" and then press "Edit" in front of "Advanced Parameters".

Now press "Edit" in front of "SSL/TLS parameters" and set the challenge type to DNS-01 in "ACME parameters". More about that section in the console is available at https://aprelium.com/data/doc/2/abyssws-win-doc-html/hosts-configuration.html#HOSTS-GENERAL-ADVANCED-SECURELAYER

When using DNS-01, you'll have to check the ACME-Bot status in the console and perform the required challenge (it will be displayed in clear text). Once the challenge is performed, you should go back to the ACME-Bot status and press a button there to ask the certification authority to proceed. It's an interactive process, contrary to the HTTP validation, which is all automatic.
_________________
Forum Administrator
Aprelium - https://aprelium.com
JohnEDee
-


Joined: 30 Jan 2019
Posts: 16

Posted: Sat Nov 07, 2020 12:03 am

Is an automatic DNS challenge via DNS provider API anywhere on the radar? The current manual DNS challenge option is appreciated, but it's still a regular manual intervention.

It would be awesome to have the Abyss ACME client be able to interact with the larger DNS providers (AWS Route 53, MS Azure DNS, GoDaddy, etc.) and be able to automatically create/change the DNS TXT record when necessary. I think that process/capability is described here, and many ACME clients can apparently do that, so the code should already be written and available.

I think the way it would work is that for a given LetsEncrypt cert, I'd give the Abyss ACME-bot the credentials to be able to make changes to the "_acme-challenge" TXT record in my DNS, and as long as I'm using a capable provider, it would do the TXT record thing itself whenever the cert needs to be renewed.

I understand that it may not be a huge priority, but hopefully it can be worked in at some point.

Thanks!