acme-dns and acme.sh

acme-dns is a limited DNS server with a RESTful HTTP API to handle ACME DNS challenges easily and securely.
A simplified DNS server with a RESTful HTTP API to provide a simple way to automate ACME DNS challenges.

Many DNS servers do not provide an API to enable automation for the ACME DNS challenges. Those which do give the keys far too much power, and leaving such keys lying around on random boxes is too often a requirement for meaningful process automation.

Acme-dns provides a simple API exclusively for TXT record updates and should be used together with CNAME records on the ACME “_acme-challenge” subdomain. This way, in the unfortunate event that the API keys are exposed, the effects are limited to the subdomain TXT record in question.

So basically it boils down to accessibility and security.

How it works

  1. Register manually.
  2. In the DNS configuration of the domain to be validated, add a CNAME from its challenge name to the fulldomain returned by the acme-dns register call.
  3. The acme.sh command requests a challenge from the Let’s Encrypt server, which returns a text value.
  4. acme.sh calls the acme-dns update API and sets that text value on the fulldomain; in practice this creates a DNS record on acme-dns of the form fulldomain TXT text-value.
  5. The Let’s Encrypt server validates the challenge domain by checking whether it can ultimately retrieve the text value it returned to acme.sh: _acme-challenge.test2.greenwhale.tech -CNAME-> 27a59eb9-90a6-4a04-b135-1b34dd3ae092.auth.acme-dns.io -TXT-> text value (returned by the Let’s Encrypt server)
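The following Python is an added illustration of steps 4 and 5 (it is not acme.sh or acme-dns code): it builds the request acme.sh sends to the acme-dns /update endpoint, enforcing the 43-character TXT rule acme-dns applies, and follows the CNAME chain the way the CA's resolver does. The zone table and credentials are constructed placeholders, not live data.

```python
import json
import re

# acme-dns only accepts a TXT value of exactly 43 characters: the
# base64url digest the CA hands to acme.sh in step 3.
TXT_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def build_update_request(update_url, username, password, subdomain, txt):
    """The POST acme.sh sends to acme-dns /update (step 4). The key only
    authorises this one subdomain's TXT record, which is the scope limit."""
    if not TXT_RE.fullmatch(txt):
        raise ValueError("acme-dns expects a 43-character base64url TXT value")
    headers = {"X-Api-User": username, "X-Api-Key": password}
    return update_url, headers, json.dumps({"subdomain": subdomain, "txt": txt})


def resolve_challenge_txt(records, name, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<domain> to the acme-dns fulldomain
    and return its TXT value, as the CA's resolver does in step 5.
    `records` maps FQDN (trailing dot) -> (type, value)."""
    for _ in range(max_hops):
        rtype, value = records.get(name.lower().rstrip(".") + ".", (None, None))
        if rtype == "CNAME":
            name = value          # keep following the delegation
        elif rtype == "TXT":
            return value
        else:
            return None           # missing record: validation would fail
    raise RuntimeError("CNAME chain too long (loop?)")


def challenge_is_visible(records, domain, expected_txt):
    """Pre-flight check before asking the CA to validate: is the TXT value
    acme.sh just set reachable through the public CNAME chain?"""
    return resolve_challenge_txt(records, "_acme-challenge." + domain) == expected_txt


# Constructed sample zone mirroring the page's setup (not live DNS data).
SAMPLE_RECORDS = {
    "_acme-challenge.test2.greenwhale.tech.":
        ("CNAME", "27a59eb9-90a6-4a04-b135-1b34dd3ae092.auth.acme-dns.io."),
    "27a59eb9-90a6-4a04-b135-1b34dd3ae092.auth.acme-dns.io.":
        ("TXT", "v6gMbHuLHUPluEV1g7l8xp-Ycqi7WLT3uyYnyelWD8E"),
}

if __name__ == "__main__":
    print(challenge_is_visible(SAMPLE_RECORDS, "test2.greenwhale.tech",
                               "v6gMbHuLHUPluEV1g7l8xp-Ycqi7WLT3uyYnyelWD8E"))
```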

Example

Here we use auth.acme-dns.io to issue a certificate for test.greenwhale.tech.

curl -X POST https://auth.acme-dns.io/register

Add the DNS record

CNAME _acme-challenge.test 27a59eb9-90a6-4a04-b135-1b34dd3ae092.auth.acme-dns.io
(the CNAME target is the fulldomain returned by register)

export ACMEDNS_UPDATE_URL="https://auth.acme-dns.io/update"
export ACMEDNS_USERNAME="b2901f5b-f033-4b46-8220-e29a1233b6eb"
export ACMEDNS_PASSWORD="e0M_BfSFm4kXhnQBHFq1JWh_ohoMCi4j3HlYoL2d"
export ACMEDNS_SUBDOMAIN="27a59eb9-90a6-4a04-b135-1b34dd3ae092"
acme.sh --issue --dns dns_acmedns -d test.greenwhale.tech

dig txt _acme-challenge.test2.greenwhale.tech

chenzhenyang@chenzhenyang:~$ dig txt _acme-challenge.test2.greenwhale.tech 

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> txt _acme-challenge.test2.greenwhale.tech
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53018
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.test2.greenwhale.tech. IN TXT

;; ANSWER SECTION:
_acme-challenge.test2.greenwhale.tech. 599 IN CNAME 50231d33-06bb-4ae0-9e31-dad3c1d705a8.auth.taomiao.store.
50231d33-06bb-4ae0-9e31-dad3c1d705a8.auth.taomiao.store. 0 IN TXT "v6gMbHuLHUPluEV1g7l8xp-Ycqi7WLT3uyYnyelWD8E"

;; Query time: 3311 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: 二 9月 10 19:14:52 CST 2019
;; MSG SIZE  rcvd: 191

References

Use ACME DNS API
joohoi/acme-dns
