Skip to content

Commit

Permalink
tls/acme: Add support for DNS-01 domain delegation
Browse files Browse the repository at this point in the history
See #588.
  • Loading branch information
foxcpp committed May 29, 2023
1 parent 6d5cd3b commit de756c8
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 11 deletions.
17 changes: 16 additions & 1 deletion docs/reference/tls-acme.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,13 @@ smtp tcp://127.0.0.1:25 {
You can also use a global `tls` directive to use automatically
obtained certificates for all endpoints:
```
tls &local_tls
tls {
loader acme {
email maddy-acme@example.org
agreed
challenge dns-01
}
}
```

Currently the only supported challenge is dns-01 one therefore
Expand Down Expand Up @@ -87,6 +93,15 @@ back to the one configured via 'ca' option.

This avoids rate limit issues with production CA.

**Syntax:** override\_domain _domain_ <br>
**Default:** not set

Override the domain to set the TXT record on for DNS-01 challenge.
This is to delegate the challenge to a different domain.

See https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
for explanation why this might be useful.

**Syntax:** email _str_ <br>
**Default:** not set

Expand Down
24 changes: 14 additions & 10 deletions internal/tls/acme/acme.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,15 +39,16 @@ func New(_, instName string, _, inlineArgs []string) (module.Module, error) {

func (l *Loader) Init(cfg *config.Map) error {
var (
hostname string
extraNames []string
storePath string
caPath string
testCAPath string
email string
agreed bool
challenge string
provider certmagic.ACMEDNSProvider
hostname string
extraNames []string
storePath string
caPath string
testCAPath string
email string
agreed bool
challenge string
overrideDomain string
provider certmagic.ACMEDNSProvider
)
cfg.Bool("debug", true, false, &l.log.Debug)
cfg.String("hostname", true, true, "", &hostname)
Expand All @@ -60,6 +61,8 @@ func (l *Loader) Init(cfg *config.Map) error {
certmagic.LetsEncryptStagingCA, &testCAPath)
cfg.String("email", false, false,
"", &email)
cfg.String("override_domain", false, false,
"", &overrideDomain)
cfg.Bool("agreed", false, false, &agreed)
cfg.Enum("challenge", false, true,
[]string{"dns-01"}, "dns-01", &challenge)
Expand Down Expand Up @@ -107,7 +110,8 @@ func (l *Loader) Init(cfg *config.Map) error {
return fmt.Errorf("tls.loader.acme: dns-01 challenge requires a configured DNS provider")
}
mngr.DNS01Solver = &certmagic.DNS01Solver{
DNSProvider: provider,
DNSProvider: provider,
OverrideDomain: overrideDomain,
}
default:
return fmt.Errorf("tls.loader.acme: challenge not supported")
Expand Down

0 comments on commit de756c8

Please # to comment.