ACME DNS-01 Resolver

[Slyke]

Hello, trying to setup wildcard issuance with cert-manager and LetsEncrypt on a bare-metal Kubernetes cluster.

It seems that when trying to use wildcards, DNS-01 challenge is enforced. Luckily, cert-manager provides a generic webhook feature so that we can use our own API to add and remove records.

I also found a blog post on the Technitium blog which gives examples on how to use the API for adding and removing DNS-01 TXT challenge entries:

#!/bin/bash
API_TOKEN="your-api-token"

# Create challenge TXT record
curl "http://dns-server:5380/api/zones/records/add?token=$API_TOKEN&domain=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&ttl=60&text=$CERTBOT_VALIDATION"

# Sleep to make sure the change has time to propagate from primary to secondary name servers
sleep 25

# Delete challenge TXT record
curl "http://dns-server:5380/api/zones/records/delete?token=$API_TOKEN&domain=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&text=$CERTBOT_VALIDATION"

Kubernetes Issuer:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my-email@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
    - dns01:
        webhook:
          groupName: dns.webhook.cert-manager.io
          solverName: technitium
          config:
            url: http://technitium-dns-webhook.cert-manager

Cert-manager sends a JSON payload to the URL specified and that payload contains the data for adding/removing the TXT record. I couldn't find any details on what exactly is in this payload.

Before I go down a rabbit hole making some webhook middleman to do the translation between cert-manager and Technitium DNS, I was wondering if anyone had already done this before? There doesn't seem to be an App in the Technitium App Store for this.

[ShreyasZare]

Thanks for asking. I am not aware about cert manager but I guess they should be supporting Dynamic Updates (RFC 2136) which you can then use with the DNS server. The blog post explains how to use it with certbot. I would suggest that you explore if that is supported and try it.

[madson7]

@Slyke, how's your progress? I want to use the same approach.

[Slyke]

Haven't started yet. Life's been in the way. I'm thinking to create a docker image with NodeJS and have it as a separate server and use Technitium API. I'm not a C# developer, so it probably wouldn't be good if I wrote a plugin.