by mrkurt 3143 days ago
Well, it's two DNS entries. You could do them both at the same time, but people were getting that TXT record wrong pretty frequently, which would have meant https connections getting an invalid certificate had they changed their actual hostname at the same time.

Since we control the http response once DNS changes, we don't have that problem. And it's simpler for people to create CNAME/ALIAS records.


Erm ... you had people create TXT records? Why would you do that? Wouldn't people then have to manually update the TXT record on each certificate renew?!

Why not have them create a DNAME, a delegation, or just two CNAMEs?

TXT records are the only way to do the dns-01 challenge with certbot/Let's Encrypt.

The http-01 challenge is simpler; we can get people set up with one CNAME/A record.

Once we're serving traffic, we can do all renewals with an http challenge and they don't need to change DNS ever again.

This is an often overlooked option, but you can indeed solve the DNS challenge by having someone create a CNAME record for _acme-challenge.example.com that points to a domain under your control, and then serve the TXT record needed to verify the challenge from that domain. acme-dns[1] provides a nice implementation of this idea, as well as a more detailed explanation.

[1]: https://github.com/joohoi/acme-dns

Whoa, really? I didn't know this option existed. This would make these types of configurations a lot better.

Sorry, not trying to mock you, but I'm really curious how you (or anyone else on this thread who seems to be surprised by the possibility) managed to not know.

I mean, assuming you do know that CNAMEs are a thing, this reads to me like "well, yes, HTTP can do redirects, but I didn't know you could also redirect requests for images!" ...

I guess what I am wondering is: What is/was your mental model of CNAMEs that they could redirect DNS resolution, but then it's somehow surprising that they can redirect DNS resolution!?!

I don't think we'd considered a CNAME to redirect the specific TXT records that Let's Encrypt requires. It's not intuitively obvious that they support redirects for those lookups.

You could also have them delegate the _acme-challenge with an NS record.

And A and AAAA records are the only way to do HTTP with web browsers ... so?!

What makes you think that CNAME or DNAME records are specific to A or AAAA records?!

I'm really struggling to understand what you're recommending. Will you explain how a DNAME works with the Let's Encrypt auth process in a way that makes it as simple as a single CNAME/A record?

Well, you have them create a DNAME that maps theirhostname.theirdomain to yourhostidorsomething.yourdomain, and then you have in your nameserver A and AAAA records for yourhostidorsomething.yourdomain and a TXT record for _acme-challenge.yourhostidorsomething.yourdomain!?

(Obviously doesn't work if they are to keep control over other subdomains of theirhostname.theirdomain, and also, I haven't tried it with DNAMEs, so I don't know whether their implementation is buggy.)
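The CNAME redirection of `_acme-challenge` described earlier in the thread (the acme-dns pattern) and the DNAME variant proposed just above, worked through as an added example that is not code from any commenter or from acme-dns: a toy resolver over a constructed, offline zone set shows where a validator's TXT lookup actually ends up under each scheme, and that a DNAME does not rewrite its own owner name. All hostnames and tokens are placeholders.

```python
# Added example: toy resolver following CNAME/DNAME redirections, the way an
# ACME validator's TXT lookup for _acme-challenge.<name> would be redirected.
# Zone data below is constructed for illustration; nothing here queries real DNS.

# owner name -> list of (rrtype, rdata); trailing dots omitted for brevity
ZONES = {
    # customer zone: only a CNAME at the challenge label (acme-dns pattern)
    "_acme-challenge.app.customer.example": [("CNAME", "c0ffee.auth.provider.example")],
    # provider zone: holds the TXT record the validator must find
    "c0ffee.auth.provider.example": [("TXT", "tok-abc123")],
    # second customer delegating a whole subtree with a DNAME (the later suggestion)
    "shop.other.example": [("DNAME", "h1.hosting.provider.example")],
    "h1.hosting.provider.example": [("A", "192.0.2.10")],
    "_acme-challenge.h1.hosting.provider.example": [("TXT", "tok-xyz789")],
}

MAX_HOPS = 8  # bound on redirections so a CNAME/DNAME loop cannot spin forever


def dname_substitute(name, zones):
    """If a proper ancestor of `name` owns a DNAME, return the rewritten name.
    Per RFC 6672 a DNAME applies only to names *below* its owner, never to the
    owner itself, which is why the owner still needs its own A/AAAA records."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        owner = ".".join(labels[i:])
        targets = [rd for t, rd in zones.get(owner, []) if t == "DNAME"]
        if targets:
            return ".".join(labels[:i] + [targets[0]])
    return None


def resolve(name, rtype, zones=ZONES):
    """Return (final_owner, [rdata...]) after following CNAME/DNAME redirections.
    An empty list means the final owner has no record of the requested type."""
    for _ in range(MAX_HOPS):
        rrs = zones.get(name, [])
        wanted = [rd for t, rd in rrs if t == rtype]
        if wanted:
            return name, wanted
        cname = [rd for t, rd in rrs if t == "CNAME"]
        if cname:  # CNAME redirects the whole owner name, whatever type was asked
            name = cname[0]
            continue
        rewritten = dname_substitute(name, zones)
        if rewritten:
            name = rewritten
            continue
        return name, []
    raise RuntimeError("too many redirections (CNAME/DNAME loop?)")
```

With this data the CNAME customer's challenge resolves to the provider-held TXT, and `_acme-challenge.shop.other.example` is rewritten under the DNAME target, but an A query for `shop.other.example` itself comes back empty, which is the caveat the DNAME proposal glosses over.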