
justin_oaks today at 3:42 PM (8 replies)

I read a lot about people running things like Caddy which will automatically retrieve Let's Encrypt certificates. And I think it makes sense for publicly accessible web sites since you can use an HTTP challenge with Let's Encrypt.

For internal-use certificates, you'll have to make use of a DNS challenge with Let's Encrypt. I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone. I see that the author creates exactly that kind of token and has it permanently accessible to his script. For a home lab where he's the only person accessing his hardware, that's less of a concern. But what about at a company where multiple people may have access to a system?

Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?


Replies

throw0101a today at 4:17 PM

> I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone.

Depending on your DNS provider, it may be possible to narrow the permissions to allow only updates of a particular record. Route53 as an example:

      {
         "Effect": "Allow",
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": "arn:aws:route53:::hostedzone/<ZONE-ID>",
         "Condition": {
            "ForAllValues:StringEquals": {
               "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge.<SUB>.<DOMAIN>.<TLD>"
            }
         }
      }
* https://github.com/acmesh-official/acme.sh/wiki/How-to-use-A...

BIND 9 example:

* https://dan.langille.org/2020/12/19/creating-a-very-specific...

You can also point the hostname that you wish to issue certs for to another (sub-)domain completely via a CNAME, and allow updates only for that other (sub-)domain:

* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...

* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...

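As an added example (not code from the thread or from any of the linked projects), the following Python script works out which owner names an ACME client actually has to write once the CNAME alias setup above is in place, groups them by hosted zone, and emits a Route53 statement in the shape of the one quoted above for each zone. It also generalizes to hostnames that are not aliased, which shows why those still force a token on the main zone. The record table and zone ids are constructed placeholders.

```python
"""Least-privilege record set for an ACME DNS-01 client (added example, not
from the thread). The client writes a TXT at _acme-challenge.<host>; if that
name is a CNAME (alias mode), the write lands at the CNAME target, which can
sit in a separate, narrower zone. Records and zone ids below are constructed."""

# Constructed zone data: owner name -> (rrtype, rdata). A real tool would
# query a resolver; a dict keeps the example offline.
RECORDS = {
    "_acme-challenge.app.internal.example.com.": ("CNAME", "app.acme.example.net."),
    "_acme-challenge.vpn.internal.example.com.": ("CNAME", "vpn.acme.example.net."),
    # db.internal.example.com has no alias: its TXT goes into the main zone.
}
# Constructed zone apex -> hosted zone id (placeholders, not real ids).
ZONES = {"internal.example.com.": "Z-INTERNAL-PLACEHOLDER",
         "acme.example.net.": "Z-ACME-PLACEHOLDER"}


def challenge_name(hostname: str) -> str:
    """Fully qualified ACME DNS-01 owner name for a hostname."""
    return "_acme-challenge." + hostname.rstrip(".") + "."


def follow_cnames(name: str, records=RECORDS, max_hops: int = 8) -> str:
    """Owner name the TXT must actually be written to (end of any CNAME chain)."""
    for _ in range(max_hops):
        rr = records.get(name)
        if rr is None or rr[0] != "CNAME":
            return name
        name = rr[1]
    raise ValueError(f"CNAME chain ending at {name} exceeds {max_hops} hops")


def names_by_zone(hostnames, zones=ZONES, records=RECORDS) -> dict:
    """Map zone id -> sorted owner names (no trailing dot) the token must change."""
    out = {}
    for h in hostnames:
        name = follow_cnames(challenge_name(h), records)
        # Longest matching zone apex wins, as with ordinary zone cuts.
        zone = max((z for z in zones if name.endswith("." + z)), key=len, default=None)
        if zone is None:
            raise ValueError(f"{name} is not in a managed zone")
        out.setdefault(zones[zone], set()).add(name.rstrip("."))
    return {zid: sorted(names) for zid, names in out.items()}


def route53_statement(zone_id: str, names) -> dict:
    """IAM statement limiting changes in one hosted zone to exactly those TXT names."""
    return {
        "Effect": "Allow",
        "Action": "route53:ChangeResourceRecordSets",
        "Resource": f"arn:aws:route53:::hostedzone/{zone_id}",
        "Condition": {"ForAllValues:StringEquals": {
            "route53:ChangeResourceRecordSetsNormalizedRecordNames": list(names),
            "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]}},
    }
```

Running `names_by_zone` over app, vpn and db shows that only db, the host without an alias, requires the token to touch the main zone at all; the aliased hosts need a statement for the acme zone only.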
mdhowle today at 3:51 PM

DNS-PERSIST-01 is coming soon https://letsencrypt.org/2026/02/18/dns-persist-01

captn3m0 today at 3:57 PM

I used to have a separate Cloudflare account with a separate DNS Zone for my internal services, because CF PATs were free-for-all. They've improved this since, so now you can create a token scoped to a single Zone. If you really care about it, you can move a subdomain to a separate zone with a child NS record, but I haven't tried it with Cloudflare. If you are using something like AWS, you can create an IAM role that can only update a single DNS record.

dns_snek today at 4:00 PM

> Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?

I'd look for a custom DNS challenge provider plugin which delegates the task of creating DNS records to another machine which holds the actual token.

bombcar today at 3:50 PM

There is a way to delegate the DNS challenges, but you can also create a dummy Caddy site for the HTTP challenge (e.g., firewall.internal.example.com resolves externally to an IP that Caddy will respond to and get the certificate, and then said certificate is copied internally to whatever needs it).

swizzler today at 4:56 PM

There's a way to direct DNS challenges to a DNS server used only for the DNS ACME challenges: https://blog.bryanroessler.com/2019-02-09-automatic-certbot-...

No need to give broader access.

kro today at 3:52 PM

In Q2 this year, so very soon, there will be the DNS PERSIST method, which is non-rotating.
