Possible for DNS challenge?

letsencrypt

#1

Is it possible for a DNS challenge to be used with Letsencrypt? If not, can I ask for this feature to be added for the next update, where a user can choose different methods of challenge to be used?

I am having issues with my UCS behind firewalls and my reverse proxy… Or I’m not understanding it enough to do it properly. I can request the cert on the Apache reverse proxy machine without issue, but the challenge seems to fail when trying to use letsencrypt on UCS.

Thanks!


#2

Hey,

using DNS for the challenge is, unfortunately, not that easy. I’m running such a setup (not on UCS, but that’s not the point). The issue is that you have to publish and remove certain publicly viewable DNS entries automatically. “Publicly viewable” means that the entries must be resolvable from any third party on the internet. This in turn means that you’ll have to interface with the provider hosting your DNS entries (such as GoDaddy or whoever you’re using) — and not all of them provide APIs that can be used in such an automated fashion.

Even if they do: setting up a script to publish them, wait until they’re actually present, notify Let’s Encrypt and remove them afterwards is a lot of work that would have to be tailored to each and every DNS provider API a user might want to use.

If you want to get an idea how much work this would be, take a look at the example DNS hook scripts for the “dehydrated” Let’s Encrypt client.

I wouldn’t hold my breath waiting for support for this from Univention’s side. If you want to use Let’s Encrypt with DNS verification, I suggest you don’t use UCS’ own Let’s Encrypt app. Use the aforementioned dehydrated, set it up manually, adopt the DNS hook script for the provider you’re using (or write your own if there isn’t one for your provider yet).

Kind regards,
mosu

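The publish, wait, verify and remove cycle mosu describes, as an added example that is not code from the post or from the dehydrated project: a minimal DNS-01 hook in the shape dehydrated calls (`deploy_challenge` / `clean_challenge` with DOMAIN, TOKEN_FILENAME and TOKEN_VALUE). The `provider_add_txt` and `provider_del_txt` functions are hypothetical placeholders for the provider-specific API call, and `dig` is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example of a dehydrated-style DNS-01 hook (not dehydrated's own code).
# dehydrated invokes it as:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
# provider_add_txt / provider_del_txt are HYPOTHETICAL placeholders: that API
# call is the part you must write per DNS provider.

PROPAGATION_TIMEOUT="${PROPAGATION_TIMEOUT:-300}"  # max seconds to wait for the record
POLL_INTERVAL="${POLL_INTERVAL:-10}"
RESOLVER="${RESOLVER:-}"  # set a public resolver to see what third parties see

# ACME validates a TXT record at _acme-challenge.<domain>
challenge_record_name() { printf '_acme-challenge.%s\n' "$1"; }

# True when the `dig +short TXT` output in $1 contains token $2.
# dig prints TXT data in double quotes, so strip them, then match whole lines.
txt_output_has_token() { printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"; }

# Query DNS (assumes dig is installed); lookup failure counts as "not visible yet".
lookup_txt() { dig +short TXT "$1" ${RESOLVER:+"@$RESOLVER"} 2>/dev/null || true; }

# Poll until the record is publicly resolvable or the timeout expires.
wait_for_txt() {  # NAME TOKEN -> returns 0 when visible, 1 on timeout
    waited=0
    while [ "$waited" -lt "$PROPAGATION_TIMEOUT" ]; do
        txt_output_has_token "$(lookup_txt "$1")" "$2" && return 0
        sleep "$POLL_INTERVAL"; waited=$((waited + POLL_INTERVAL))
    done
    return 1
}

provider_add_txt() { echo "HYPOTHETICAL: create TXT $1 = $2 via provider API" >&2; }
provider_del_txt() { echo "HYPOTHETICAL: delete TXT $1 = $2 via provider API" >&2; }

deploy_challenge() {  # DOMAIN TOKEN_FILENAME TOKEN_VALUE
    name=$(challenge_record_name "$1")
    provider_add_txt "$name" "$3"
    # Only return success once the record is really visible; dehydrated then
    # tells Let's Encrypt to validate.
    wait_for_txt "$name" "$3" || { echo "TXT $name not visible after ${PROPAGATION_TIMEOUT}s" >&2; return 1; }
}

clean_challenge() {  # DOMAIN TOKEN_FILENAME TOKEN_VALUE: remove the record afterwards
    provider_del_txt "$(challenge_record_name "$1")" "$3"
}

# Dispatch on the hook name dehydrated passes as the first argument.
HOOK="${1:-}"; if [ $# -gt 0 ]; then shift; fi
case "$HOOK" in
    deploy_challenge|clean_challenge) "$HOOK" "$@" ;;
esac
```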

#3

Great answer, thank you very much.