Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configuration questions #335

Open
etfz opened this issue Mar 15, 2023 · 1 comment
Open

Configuration questions #335

etfz opened this issue Mar 15, 2023 · 1 comment

Comments

@etfz
Copy link

etfz commented Mar 15, 2023

Hi,

Don't know whether this is the appropriate place for questions, but I could not find any other support channel.

Trying to get started with this, and I've read the readme, but I am not clear on a few configuration parameters. I'd like to think I understand how things work conceptually, having previously set up different DNS servers for the same purpose.

I intend to get certificates for a few subdomains of my domain example.com, such as *.system.example.com and *.intra.example.com. I have set up DNS records in my "real" DNS server:

  • acme-ns.example.com A <acme-dns-public-ip>
  • system.example.com NS acme-ns.example.com
  • intra.example.com NS acme-ns.example.com

My confusion lies with some of the configuration parameters. In the example configuration the same domain is used pretty much for all parameters. I feel like my nsname would be acme-ns.example.com, but I don't know what domain refers to.

The *.intra subdomains are resolvable only internally, and I have that sorted out already, but *.system subdomains need to be globally resolvable. Do I then need to define those in acme-dns in the records parameter, or can I delegate those requests elsewhere, or can I manage those in some way other than having to edit the configuration file?

Also, for the nsadmin, is the substituted @ just for the sake of the example, or how would it work where multiple dots are involved? Is this the address that would get used for Let's Encrypt notifications?
@etfz
Copy link
Author

etfz commented Mar 27, 2023
edited
Loading

I will answer myself partially.

As far as I understand, the issue of having a domain resolvable through your regular DNS provider is solved by creating a permanent _acme-challenge CNAME record pointing to your acme-dns instance and not creating the NS record.

_acme-challenge.system.example.com CNAME acme-ns.example.com

Having looked through the code, it seems like nsname and nsadmin is only used for the SOA record. domain is also used for the SOA record, as well as the hostname of the API server for its Let's Encrypt certificate. (and some more things that I'm not sure what they are)

Double backslash should be used to escape dots in nsadmin, as I found in #279.

I am still uncertain of what purpose the records parameter serves, and now I am not even sure whether an acme-dns instance supports acquiring wildcard certificates for multiple domains, or how I would do that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@etfz