starred/acme-dns
1
0
Fork 0
mirror of https://github.com/acme-dns/acme-dns.git synced 2026-04-27 12:55:48 +03:00
Code Issues 178 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #338] Register endpoint with configurable subdomain #186

New issue
Closed
opened 2026-03-13 16:04:40 +03:00 by kerem · 3 comments
kerem commented 2026-03-13 16:04:40 +03:00
Owner
Copy link

Originally created by @datafoo on GitHub (Apr 24, 2023).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/338

I am interested in using acme-dns but I am wondering something. What are reasons for acme-dns to choose the subdomain itself?

I see an opportunity to automate things even more if I could choose the subdomain myself, in advance.

  • That would allow me to create the CNAME record early on.
  • The first certificate issuance could therefore be fully automated.
Originally created by @datafoo on GitHub (Apr 24, 2023). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/338 I am interested in using `acme-dns` but I am wondering something. What are reasons for `acme-dns` to choose the subdomain itself? I see an opportunity to automate things even more if I could choose the subdomain myself, in advance. - That would allow me to create the CNAME record early on. - The first certificate issuance could therefore be fully automated.
kerem closed this issue 2026-03-13 16:04:45 +03:00
kerem commented 2026-03-13 16:04:51 +03:00
Author
Owner
Copy link

@aduzsardi commented on GitHub (Apr 25, 2023):

depending on where you host your DNS zone , you can already do that with some tooling
when you request an acme-dns record , that record will be echoed out ... which you can then parse and further use in your tooling with API calls to your DNS hosting provider and Let's Encrypt or other acme CA

i think having the subdomain be defined manually by human intervention is just asking for trouble

<!-- gh-comment-id:1521815520 --> @aduzsardi commented on GitHub (Apr 25, 2023): depending on where you host your DNS zone , you can already do that with some tooling when you request an acme-dns record , that record will be echoed out ... which you can then parse and further use in your tooling with API calls to your DNS hosting provider and Let's Encrypt or other acme CA i think having the subdomain be defined manually by human intervention is just asking for trouble
kerem commented 2026-03-13 16:04:56 +03:00
Author
Owner
Copy link

@datafoo commented on GitHub (Apr 25, 2023):

depending on where you host your DNS zone , you can already do that with some tooling
when you request an acme-dns record , that record will be echoed out ... which you can then parse and further use in your tooling with API calls to your DNS hosting provider and Let's Encrypt or other acme CA

The point of ACME-DNS is to be able to automate renewal of TLS certificates with DNS-01 challenges securely: without storing a high-privilege API token on the server that needs the TLS certificates (see article from EFF: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation).

If the DNS hosting provider is already providing a API token with restricted-permission (update of a given TXT record only), then I do not need ACME-DNS.

If the DNS hosting provider is providing me with a high-privilege API token, then I am back with the problem that ACME-DNS was trying to solve initially.

So I do not understand how the solution you propose brings any value.

i think having the subdomain be defined manually by human intervention is just asking for trouble

What would those trouble be?

<!-- gh-comment-id:1521843752 --> @datafoo commented on GitHub (Apr 25, 2023): > depending on where you host your DNS zone , you can already do that with some tooling > when you request an acme-dns record , that record will be echoed out ... which you can then parse and further use in your tooling with API calls to your DNS hosting provider and Let's Encrypt or other acme CA The point of ACME-DNS is to be able to automate renewal of TLS certificates with DNS-01 challenges **securely**: without storing a high-privilege API token on the server that needs the TLS certificates (see article from EFF: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation). If the DNS hosting provider is already providing a API token with restricted-permission (update of a given TXT record only), then I do not need ACME-DNS. If the DNS hosting provider is providing me with a high-privilege API token, then I am back with the problem that ACME-DNS was trying to solve initially. So I do not understand how the solution you propose brings any value. > i think having the subdomain be defined manually by human intervention is just asking for trouble What would those trouble be?
kerem commented 2026-03-13 16:05:01 +03:00
Author
Owner
Copy link

@robalexdev commented on GitHub (May 23, 2023):

Certificate issuance and subdomain registration are already separate. When and how you perform those steps depends on the ACME client. Is there a particular ACME client you're using?

On the first run, LEGO's acme-dns provider will call /register to get a subdomain and will save the credentials to a file (see ACME_DNS_STORAGE_PATH). Then it prompts you to manually set the CNAME. You could instead call /register yourself (using curl, for example), set up the CNAME, and create that file manually. This causes LEGO to skip the registration process, since you're providing an existing subdomain, and issue a certificate right away. I'm doing this in one of my projects to pre-register subdomains.

acme-dns doesn't need any changes to support this, although your ACME client may. I may be able to point you in the right direction.

having the subdomain be defined manually by human intervention is just asking for trouble

What would those trouble be?

Presumably name collisions and ownership issues. If you're picking a subdomain name without checking if it's already been assigned then someone else may already own it. If you set up the CNAME then someone else can issue certificates for your domain. Even if you try to use an unguessable UUID, an attacker can look at your DNS records to see the dangling CNAME, then try to register the subdomain before you can.

The only way to do this safely is to register the subdomain with acme-dns before you set the CNAME. This way you know that no one else has credentials for the subdomain. Since you need to call /register first, you may as well let acme-dns pick the subdomain name for you. Then it's just a matter of configuring your ACME client.

<!-- gh-comment-id:1559722223 --> @robalexdev commented on GitHub (May 23, 2023): Certificate issuance and subdomain registration are already separate. When and how you perform those steps depends on the ACME client. Is there a particular ACME client you're using? On the first run, LEGO's acme-dns provider will call `/register` to get a subdomain and will save the credentials to a file (see `ACME_DNS_STORAGE_PATH`). Then it prompts you to manually set the CNAME. You could instead call `/register` yourself (using curl, for example), set up the CNAME, and create that file manually. This causes LEGO to skip the registration process, since you're providing an existing subdomain, and issue a certificate right away. I'm doing this in one of my projects to pre-register subdomains. acme-dns doesn't need any changes to support this, although your ACME client may. I may be able to point you in the right direction. >> having the subdomain be defined manually by human intervention is just asking for trouble > What would those trouble be? Presumably name collisions and ownership issues. If you're picking a subdomain name without checking if it's already been assigned then someone else may already own it. If you set up the CNAME then someone else can issue certificates for your domain. Even if you try to use an unguessable UUID, an attacker can look at your DNS records to see the dangling CNAME, then try to register the subdomain before you can. The only way to do this safely is to register the subdomain with acme-dns before you set the CNAME. This way you know that no one else has credentials for the subdomain. Since you need to call `/register` first, you may as well let acme-dns pick the subdomain name for you. Then it's just a matter of configuring your ACME client.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix_dockerhub
dockerhub
readme2.0
goreleaser_action
refactoring
linter_update_config
update_deps_122
dependabot/go_modules/github.com/valyala/fasthttp-1.34.0
deps_bump
update_goreleaser
update_golint
deps_update
update_dockerfile
v2.0.2
v2.0.1
v2.0
v1.1
v1.0
v0.8
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3.2
v0.3.1
v0.3
v0.2
v0.1
Labels
Clear labels   
Documentation

   
Documentation

   
bug

   
enhancement

   
feature request

   
feature request

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
security

   
security

   
testing
No labels
Documentation
Documentation
bug
enhancement
feature request
feature request
help wanted
pull-request
question
security
security
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/acme-dns#186
No description provided.