starred/acme-dns
1
0
Fork 0
mirror of https://github.com/acme-dns/acme-dns.git synced 2026-04-27 21:05:49 +03:00
Code Issues 178 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #295] Small regression: API domain can no longer be separate from DNS challenge domain #152

New issue
Open
opened 2026-03-13 15:57:28 +03:00 by kerem · 3 comments
kerem commented 2026-03-13 15:57:28 +03:00
Owner
Copy link

Originally created by @Ajedi32 on GitHub (Feb 22, 2022).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/295

Not sure if this was by-design or not, but the changes in #190 have made it impossible for the API domain that HTTP clients interact with to be different from the domain that the dns challenges are served off of, so long as you're using automatic cert issuance for the API server (tls set to letsencrypt).

Previously my server was set up so that the HTTP API was served off of acme-dns.mydomain.net, while dns challenges were served off of dns-challenge.mydomain.net. With the updates in #190 I now have to serve the both the API requests and dns challenge requests off of acme-dns.mydomain.net if I want to continue using the automatic certificate issuance feature of ACME-DNS.

This isn't a big deal, as whether or not API domain should be separate from the dns challenge domain is really just a matter of personal preference. Still, I thought it was worth pointing out since the wording in the pull request suggested to me that this regression was unintentional, and I kinda liked it that acme-dns didn't have to manage the authoritative DNS records for its own server. Feel free to close if you feel that this is by-design.

Originally created by @Ajedi32 on GitHub (Feb 22, 2022). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/295 Not sure if this was by-design or not, but the changes in #190 have made it impossible for the API domain that HTTP clients interact with to be different from the domain that the dns challenges are served off of, so long as you're using automatic cert issuance for the API server (`tls` set to `letsencrypt`). Previously my server was set up so that the HTTP API was served off of `acme-dns.mydomain.net`, while dns challenges were served off of `dns-challenge.mydomain.net`. With the updates in #190 I now have to serve the both the API requests and dns challenge requests off of `acme-dns.mydomain.net` if I want to continue using the automatic certificate issuance feature of ACME-DNS. This isn't a big deal, as whether or not API domain should be separate from the dns challenge domain is really just a matter of personal preference. Still, I thought it was worth pointing out since the wording in the pull request suggested to me that this regression was unintentional, and I kinda liked it that acme-dns didn't have to manage the authoritative DNS records for its own server. Feel free to close if you feel that this is by-design.
kerem commented 2026-03-13 15:57:34 +03:00
Author
Owner
Copy link

@gbonnefille commented on GitHub (Feb 23, 2022):

We have a similar deployment, with distinct domains. We use traefik to ensure the TLS termination of the API and use DNS challenge for the certificate of the API domain.

HTH

<!-- gh-comment-id:1048539117 --> @gbonnefille commented on GitHub (Feb 23, 2022): We have a similar deployment, with distinct domains. We use traefik to ensure the TLS termination of the API and use DNS challenge for the certificate of the API domain. HTH
kerem commented 2026-03-13 15:57:39 +03:00
Author
Owner
Copy link

@maddes-b commented on GitHub (Apr 11, 2024):

Sorry for being late to the party, just answering for others finding this issue.

Reading "DNS records" in README shows that it is intended that NS and auth DOMAIN have the IP addresses of acme-dns, and are therefore identical. Configuration at DNS provider and in acme-dns config.cfg must match.
Design decision was to use DOMAIN for HTTP API.

If NS and DOMAIN are the same (e.g. my-auth.example.com) then glue records are needed via the DNS provider.
But not every DNS provider allows glue records for subdomains, then an "external" NS server is needed: names for NS and DOMAIN have to differ and NS must not be part of DOMAIN.

nsname = "my-ns.example.com" (via DNS provider with IPs of acme-dns)
domain = "my-auth.example.com" (via acme-dns with IPs of acme-dns maintained in config.cfg below)

records = [
    "my-auth.example.com. A a.b.c.d",
    "my-auth.example.com. AAAA aaaa:bbbb::cccc:dddd",
    "my-auth.example.com. NS my-ns.example.com.",
]

Still NS and DOMAIN must have the same IP addresses, so using DOMAIN (my-auth.example.com) for the API always works.

For the data in the first post the config would be:

nsname = "acme-dns.mydomain.net" (via DNS provider with IPs of acme-dns)
domain = "dns-challenge.mydomain.net" (via acme-dns with IPs of acme-dns maintained in config.cfg)

records = [
    "dns-challenge.mydomain.net. A a.b.c.d",
    "dns-challenge.mydomain.net. AAAA aaaa:bbbb::cccc:dddd",
    "dns-challenge.mydomain.net. NS my-auth.example.com.",
]

API accessed via dns-challenge.mydomain.net

<!-- gh-comment-id:2050707073 --> @maddes-b commented on GitHub (Apr 11, 2024): Sorry for being late to the party, just answering for others finding this issue. Reading ["DNS records" in README](https://github.com/joohoi/acme-dns?tab=readme-ov-file#dns-records) shows that it is intended that NS and auth DOMAIN have the IP addresses of acme-dns, and are therefore identical. Configuration at DNS provider and in acme-dns config.cfg must match. Design decision was to use DOMAIN for HTTP API. If NS and DOMAIN are the same (e.g. `my-auth.example.com`) then glue records are needed via the DNS provider. But not every DNS provider allows glue records for subdomains, then an "external" NS server is needed: names for NS and DOMAIN have to differ and NS must not be part of DOMAIN. ``` nsname = "my-ns.example.com" (via DNS provider with IPs of acme-dns) domain = "my-auth.example.com" (via acme-dns with IPs of acme-dns maintained in config.cfg below) records = [ "my-auth.example.com. A a.b.c.d", "my-auth.example.com. AAAA aaaa:bbbb::cccc:dddd", "my-auth.example.com. NS my-ns.example.com.", ] ``` Still NS and DOMAIN must have the same IP addresses, so using DOMAIN (`my-auth.example.com`) for the API always works. For the data in the first post the config would be: ``` nsname = "acme-dns.mydomain.net" (via DNS provider with IPs of acme-dns) domain = "dns-challenge.mydomain.net" (via acme-dns with IPs of acme-dns maintained in config.cfg) records = [ "dns-challenge.mydomain.net. A a.b.c.d", "dns-challenge.mydomain.net. AAAA aaaa:bbbb::cccc:dddd", "dns-challenge.mydomain.net. NS my-auth.example.com.", ] ``` API accessed via `dns-challenge.mydomain.net`
kerem commented 2026-03-13 15:57:44 +03:00
Author
Owner
Copy link

@maddes-b commented on GitHub (Sep 21, 2024):

A reverse proxy (like nginx) can help to use a different domain for the API.

<!-- gh-comment-id:2365307327 --> @maddes-b commented on GitHub (Sep 21, 2024): A reverse proxy (like nginx) can help to use a different domain for the API.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix_dockerhub
dockerhub
readme2.0
goreleaser_action
refactoring
linter_update_config
update_deps_122
dependabot/go_modules/github.com/valyala/fasthttp-1.34.0
deps_bump
update_goreleaser
update_golint
deps_update
update_dockerfile
v2.0.2
v2.0.1
v2.0
v1.1
v1.0
v0.8
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3.2
v0.3.1
v0.3
v0.2
v0.1
Labels
Clear labels   
Documentation

   
Documentation

   
bug

   
enhancement

   
feature request

   
feature request

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
security

   
security

   
testing
No labels
Documentation
Documentation
bug
enhancement
feature request
feature request
help wanted
pull-request
question
security
security
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/acme-dns#152
No description provided.