
Possible to use Private DNS Zones? #1

Open
devopsleigh opened this issue Jul 15, 2021 · 2 comments

Comments

@devopsleigh

I'd like to use Private DNS Zones with this solution. Will that work with a minor code change?

@jpallari
Contributor

Hi @devopsleigh!

It's definitely tricky because Let's Encrypt servers require you to have the domain publicly available for you to get a publicly signed TLS certificate. This means that you need to actually own the domain and have public DNS records for it.

However, there are a couple of solutions I can think of that might work. I haven't tested these.

Create both public and private DNS zones for the same domain

In this setup, the az-acme2keyvault function app would use a public DNS zone to coordinate certificate validation with the public Let's Encrypt servers. You could then use the private DNS zone (for the same domain) to serve all the other DNS records. No code changes would be needed for az-acme2keyvault.

This allows you to get signed TLS certificates from Let's Encrypt while exposing only the validation TXT records publicly. However, it does mean you're limited to creating private DNS zones for domains you own.

Set up your own ACME server

In this setup, you'd have your own ACME server that signs certificates for your private DNS zone domains. This allows you to use any domain for the private DNS zone and you don't need a public DNS zone. However, there's a lot of things to consider first:

  • You need to host your own certificate authority to sign the certificates provisioned with the ACME server. The ACME server can't provision public Let's Encrypt certificates. This means that you need some way to securely host the certificate authority and deliver its certificate to the trust store of each client.
  • You need to host the ACME server yourself somewhere where it has access to the private DNS zone, so it can verify the TLS certs requested through it.
  • az-acme2keyvault would need to be changed to support private DNS zones as well. It shouldn't be hard to add, but it takes quite a bit of effort to test that it truly works.
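A small audit script for the first option above (the public zone for DNS-01 validation plus a private zone for everything else). This is example code added here; it is not part of az-acme2keyvault or of this thread. It assumes both zones have been exported into a flat list of records with names relative to the apex (`@` for the apex itself) and that the only records meant to be public are the apex NS/SOA and the `_acme-challenge` TXT records. It flags anything else in the public zone, calls out leaked RFC 1918/ULA addresses explicitly, and warns when a validation record exists for a host the private zone does not actually serve. The zone contents below are constructed sample data.

```python
"""Split-horizon DNS audit for the public-zone + private-zone ACME setup.

Example code (not the project's): checks that the public zone for a domain
exposes nothing beyond what Let's Encrypt DNS-01 validation needs, while the
private zone carries the real service records.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One DNS record; name is relative to the zone apex ('@' = apex)."""
    name: str
    rtype: str
    value: str


ACME_LABEL = "_acme-challenge"


def _is_acme_txt(r: Record) -> bool:
    """True for '_acme-challenge' or '_acme-challenge.<host>' TXT records."""
    return r.rtype == "TXT" and (
        r.name == ACME_LABEL or r.name.startswith(ACME_LABEL + ".")
    )


def _validated_host(txt_name: str) -> str:
    """Map '_acme-challenge.app' -> 'app' and '_acme-challenge' -> '@'."""
    return txt_name[len(ACME_LABEL):].lstrip(".") or "@"


def audit_split_horizon(public, private):
    """Return a list of findings; an empty list means the public zone is clean."""
    findings = []
    # Hosts the private zone actually answers for (address or alias records).
    private_hosts = {r.name for r in private if r.rtype in ("A", "AAAA", "CNAME")}

    for r in public:
        if r.name == "@" and r.rtype in ("NS", "SOA"):
            continue  # apex delegation records must be public
        if _is_acme_txt(r):
            host = _validated_host(r.name)
            if host not in private_hosts:
                findings.append(
                    f"{r.name} TXT: validation record for '{host}', but the "
                    f"private zone has no address record for it"
                )
            continue
        # Anything else is exposure this setup did not intend.
        msg = f"{r.name} {r.rtype}: unexpected public record"
        if r.rtype in ("A", "AAAA"):
            try:
                ip = ipaddress.ip_address(r.value)
                if ip.is_private:
                    msg += f" (leaks internal address {ip})"
            except ValueError:
                msg += " (malformed address)"
        findings.append(msg)
    return findings


# Constructed sample zones for "example.com" (hypothetical data, not from the project).
SAMPLE_PUBLIC = [
    Record("@", "NS", "ns1.example.net."),
    Record("@", "SOA", "ns1.example.net. hostmaster.example.com. 1 3600 300 2419200 300"),
    Record("_acme-challenge.app", "TXT", "constructed-validation-token-1"),
    Record("_acme-challenge.api", "TXT", "constructed-validation-token-2"),
    Record("app", "A", "10.0.0.4"),  # belongs only in the private zone
]
SAMPLE_PRIVATE = [
    Record("app", "A", "10.0.0.4"),
    Record("db", "A", "10.0.0.5"),
]


if __name__ == "__main__":
    for finding in audit_split_horizon(SAMPLE_PUBLIC, SAMPLE_PRIVATE):
        print("FINDING:", finding)
```

Run against the constructed zones it reports two findings: the `api` validation record has no matching host in the private zone, and the `app` A record leaks an internal address publicly. If some names are legitimately public as well, extend the allow-list in the loop rather than silencing whole record types.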

@devopsleigh
Author

Brilliant! I'll try out option 1 today. I appreciate your detailed reply.
