by matahwoosh 3143 days ago
I'm assuming mrkurt meant that you send your users once to create a dns record (in case you haven't already) - you can add any hostname you want on Fly, it doesn't have to exist, yet. Then you go and create a DNS challenge for Let's Encrypt. Obviously, these 2 steps are orthogonal, but this is the reality of user onboarding.

But why would that need to be in two steps?
Well, it's two DNS entries. You could do them both at the same time, but people were getting that TXT record wrong pretty frequently, which would have meant https connections getting an invalid certificate had they changed their actual hostname at the same time.

Since we control the http response once DNS changes, we don't have that problem. And it's simpler for people to create CNAME/ALIAS records.

Erm ... you had people create TXT records? Why would you do that? Wouldn't people then have to manually update the TXT record on each certificate renew?!

Why not have them create a DNAME, a delegation, or just two CNAMEs?

TXT records are the only way to do the dns-01 challenge with certbot/Let's Encrypt.

The http-01 challenge is simpler, we can get people set up with one CNAME/A-record.

Once we're serving traffic, we can do all renewals with an http challenge and they don't need to change DNS ever again.

This is an often overlooked option, but you can indeed solve the DNS challenge by having someone create a CNAME record for _acme-challenge.example.com that points to a domain under your control, and then serve the TXT record needed to verify the challenge from that domain. acme-dns[1] provides a nice implementation of this idea, as well as a more detailed explanation.

[1]: https://github.com/joohoi/acme-dns
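As an added illustration (not code from any commenter or from acme-dns), here is a small Python model of how a CA's dns-01 check interacts with the CNAME delegation described above: the customer's `_acme-challenge` name is a CNAME to a name under the operator's control, and the expected TXT value is derived from the challenge token and the account key thumbprint as in RFC 8555. The zone contents, token and JWK are constructed sample values; `acme-dns.example` is a placeholder domain.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 4648 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over e/kty/n, sorted, no whitespace."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value the CA expects: base64url(SHA-256(token '.' thumbprint)) per RFC 8555."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Return TXT strings for name, following CNAMEs the way a validating resolver does."""
    for _ in range(max_hops):
        rrset = zone.get(name.lower())
        if rrset is None:
            return []                      # NXDOMAIN / no data: validation will fail
        if "CNAME" in rrset:
            name = rrset["CNAME"]          # chase the alias, then look for TXT there
            continue
        return list(rrset.get("TXT", []))
    raise RuntimeError("CNAME chain too long or looping")


def validate_dns01(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """CA-side check: some TXT at _acme-challenge.<domain> must equal the expected value."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(zone, f"_acme-challenge.{domain}")


# Constructed sample data: not a real key, token or zone.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
THUMB = jwk_thumbprint(ACCOUNT_JWK)
TOKEN = "constructed-challenge-token"
ZONE = {
    # Customer delegates the challenge name once with a CNAME (the option the comment describes).
    "_acme-challenge.example.com": {"CNAME": "d3f4-constructed.auth.acme-dns.example"},
    # Operator-controlled name publishes a fresh TXT for every issuance/renewal.
    "d3f4-constructed.auth.acme-dns.example": {"TXT": [dns01_txt_value(TOKEN, THUMB)]},
    # Customer who typed the TXT record by hand and got it wrong (the failure mode mentioned above).
    "_acme-challenge.typo.example": {"TXT": ["wrong-value-pasted-by-hand"]},
}
```

With the delegation in place, only the operator's zone changes between renewals; the customer's CNAME never has to be touched again.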

Whoa really? I didn't know this option existed. This would make these types of configurations a lot better.
You could also have them delegate the _acme-challenge with an NS record
And A and AAAA records are the only way to do HTTP with web browsers ... so?!

What makes you think that CNAME or DNAME records are specific to A or AAAA records?!

I'm really struggling to understand what you're recommending. Will you explain how a DNAME works with the Let's Encrypt auth process in a way that makes it as simple as a single CNAME/A-record?