You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
DNS-01 challenge requires storing DNS API key in maddy.conf. DNS providers do not typically offer API keys that can be restricted to setting and removing _acme_challenge TXT records and nothing else. Storing an API key that controls DNS for the whole domain in maddy.conf is not great for security.
DNS01Solver in the certmagic package has a OverrideDomain field:
// Override the domain to set the TXT record on. This is
// to delegate the challenge to a different domain. Note
// that the solver doesn't follow CNAME/NS record.
OverrideDomain string
Allow it to be specified in maddy.conf, and pass it to DNS01Solver. Configuration mockup:
Use case
DNS-01 challenge requires storing DNS API key in maddy.conf. DNS providers do not typically offer API keys that can be restricted to setting and removing _acme_challenge TXT records and nothing else. Storing an API key that controls DNS for the whole domain in maddy.conf is not great for security.
One workaround is to delegate DNS-01 challenges to a separate domain using a CNAME record: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation (see the "Use a "Throwaway" Validation Domain" section)
Your idea for a solution
DNS01Solver in the certmagic package has a OverrideDomain field:
Allow it to be specified in maddy.conf, and pass it to DNS01Solver. Configuration mockup:
The text was updated successfully, but these errors were encountered: