Add acme-dns plugin support #1

Closed
rmbolger opened this issue Apr 26, 2018 · 6 comments
Labels
enhancement New feature or request

Comments

@rmbolger
Owner

acme-dns is a project designed explicitly to make it easier for people to deal with DNS challenges associated with the ACME protocol. From the project readme:

Many DNS servers do not provide an API to enable automation for the ACME DNS challenges. Those which do, give the keys way too much power. Leaving the keys laying around your random boxes is too often a requirement to have a meaningful process automation.

Acme-dns provides a simple API exclusively for TXT record updates and should be used with ACME magic "_acme-challenge" - subdomain CNAME records. This way, in the unfortunate exposure of API keys, the effects are limited to the subdomain TXT record in question.

This would be a great way to indirectly support more DNS providers until the list of supported plugins grows.

Here's a great article about the security merits of using something like acme-dns as well.
https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

@rmbolger rmbolger added the enhancement New feature or request label Apr 26, 2018
@rmbolger
Owner Author

Looking a bit deeper into the API for acme-dns, I realize it may not be possible to support without some fairly extensive changes to how Posh-ACME works or changes to how acme-dns works.

The problem stems from the limitations that a single acme-dns registration provides. When you register, you get a unique sub-domain that you point your CNAME records to in advance. You also get a username/password to authenticate with. Then, you send your challenge token to the update endpoint which adds it to the unique sub-domain's TXT record list. The problem is that you can only send two TXT updates before it starts rolling over and replacing the oldest entry with the newest one you've sent.

Posh-ACME presumes that a user will most often have a single set of credentials/parameters for a given DNS plugin. Worst case, they can have a set of credentials/parameters per Order/Certificate if they create a new ACME account for each one. But when creating a certificate with multiple SAN entries, the module uses the plugin credentials to create all of the TXT records associated with the cert before asking the server to validate any of those challenges. This is necessary to support batch mode DNS plugins where DNS changes are not saved until all of them have been added.

So if I tried to make an acme-dns plugin work today and tried to create a cert with 5 names, the first 3 names would get sent, but ultimately deleted when they were overwritten by the last two. So the last two names would validate successfully. But the first 3 wouldn't. It only gets worse the more names you add to a cert. The current SAN name limit on a single cert is 100 names. So that cert would only successfully validate 2 of the 100 names.

@rmbolger
Owner Author

Off the top of my head, there are a few different ways I can think of to change acme-dns so that things would still work.

  1. Raise the rollover cap to be at least the maximum SAN entries per cert supported by Let's Encrypt. That guarantees you can successfully validate at least one maxed out cert at a time (presuming no other instances of Posh-ACME are using the same registration).

  2. Get rid of the rollover mechanic altogether and switch to a more traditional Add/Remove mechanic. You can still implement a cap (same minimum as above) to prevent bloating the DB. And you could even implement a configurable TTL such that records are auto-removed when they expire. That way, existing clients can still use the current fire-and-forget update paradigm.

@rmbolger
Owner Author

The only way I can think of to change Posh-ACME to work with the existing acme-dns is to add a switch that basically turns off batch DNS updating and makes it so that every record challenge must be added and successfully validated prior to moving on to the next one. But that seems super inefficient, particularly for certs with a lot of SANs.

@rmbolger
Owner Author

I added a feature request in acme-dns here: joohoi/acme-dns#76

@rmbolger rmbolger self-assigned this Apr 28, 2018
@rmbolger
Owner Author

After discussion with the acme-dns devs, it seems I was mistaken about how they intended for clients to utilize them. They intend for each name in a cert to register for a unique acme-dns subdomain and present the subdomain information to the user interactively at creation time at which point they will go create the CNAME records required.

Once the CNAMEs are created, the process can continue and validate as normal and the client will then save the credentials and subdomain information for future renewals.

So the only parameter an acme-dns plugin would hypothetically need is the root URL of the acme-dns server. Everything else is generated by the plugin on demand.

It's not as elegant of a workflow as I was hoping, but I think I can make it work.
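The two-entry rollover described earlier in the thread and the per-name registration workflow from the comment above, simulated as an added example (not Posh-ACME's or acme-dns' own code; the in-memory server, the auth.example.org zone, the credentials and the challenge tokens are all constructed stand-ins):

```python
from collections import deque
from dataclasses import dataclass, field
import secrets

ROLLOVER_CAP = 2  # acme-dns keeps only the two newest TXT values per subdomain


@dataclass
class Registration:
    subdomain: str  # CNAME target, e.g. <id>.auth.example.org (constructed zone)
    username: str
    password: str
    txt: deque = field(default_factory=lambda: deque(maxlen=ROLLOVER_CAP))


class FakeAcmeDns:
    """In-memory stand-in for an acme-dns server (constructed for this example)."""

    def __init__(self, zone="auth.example.org"):
        self.zone, self._regs = zone, {}

    def register(self):
        reg = Registration(f"{secrets.token_hex(8)}.{self.zone}",
                           secrets.token_hex(8), secrets.token_urlsafe(24))
        self._regs[reg.subdomain] = reg
        return reg

    def update(self, username, password, subdomain, txt):
        reg = self._regs.get(subdomain)
        if reg is None or (reg.username, reg.password) != (username, password):
            raise PermissionError("bad credentials for " + subdomain)
        reg.txt.append(txt)  # once full, the oldest value is silently dropped

    def lookup_txt(self, subdomain):
        return list(self._regs[subdomain].txt)


def validate(server, names, per_name):
    """Batch mode: publish every token first, then check each name's token is
    still at its CNAME target. per_name=False shares one registration for all
    names; per_name=True registers a separate subdomain for each name."""
    tokens = {n: f"token-for-{n}" for n in names}  # constructed challenge tokens
    shared = None if per_name else server.register()
    regs = {n: (server.register() if per_name else shared) for n in names}
    for n in names:
        server.update(regs[n].username, regs[n].password, regs[n].subdomain, tokens[n])
    return {n: tokens[n] in server.lookup_txt(regs[n].subdomain) for n in names}
```

With five names on one shared registration only the last two survive the rollover; with one registration per name every token is still present when the CA checks it.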

@rmbolger
Owner Author

Complete as of PR #4

alphaz18 added a commit to alphaz18/Posh-ACME that referenced this issue Sep 16, 2019
Adding Simple DNS Plus Plugin for DNS Validation