
[enhancement]: ACME, TLS-DNS-01 support for generating certs #226

Closed
1 task done
onny opened this issue Jan 19, 2024 · 9 comments
Labels
enhancement New feature or request

Comments

@onny

onny commented Jan 19, 2024

Which feature or improvement would you like to request?

Since TLS-ALPN-01 got introduced with ffba9b5, it would be nice to also support tls-dns-01 for renewing and generating certificates.

Mail server Maddy does support this as well (written in Go) https://maddy.email/reference/tls-acme/#automatic-certificate-management-via-acme

There the syntax is a bit complicated but looks like this:

tls.loader.acme local_tls {
    email put-your-email-here@example.org
    agreed # indicate your agreement with Let's Encrypt ToS
    challenge dns-01
    dns gandi {
      api_token "${GANDI_API_KEY}"
    }
}

It requires mail, TOS agreement, optional hostname and the api token to the dns provider.

It uses certmagic (libdns). Not sure what would be an appropriate acme/dns library for Rust.

Is your feature request related to a problem?

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@onny onny added the enhancement New feature or request label Jan 19, 2024
@mdecimus
Member

Unfortunately there are no Rust ACME libraries that support all the DNS servers that the Go library lego supports. In Rust there is just lers that supports only Cloudflare.

To support DNS-01 we'll have to implement the API for each DNS server, so it might take a while.

@williamdes
Contributor

With the boilerplate code already merged, I am willing to contribute Cloudflare DNS support.
As I will need it, I can test it.

@jacobsvante

Adding Cloudflare ACME DNS-01 support would be wonderful. (For me personally this is because port 443 is already in use by my Kubernetes cluster).

@williamdes
Contributor

Let's wait for some boilerplate

acme.sh has quite a lot of available scripts if someone needs inspiration.

@udf2457

udf2457 commented Jan 26, 2024

@mdecimus

"To support DNS-01 this we'll have to implement the API for each DNS server so it might take a while."

No. You don't. It's called RFC2136, per #231.

Sure, the cloud providers requiring REST calls are different, but for the many people using NSD, BIND, Knot, PDNS etc., an RFC2136 implementation will fix it.

@MFAshby

MFAshby commented Jan 28, 2024

it would be nice to support tls-dns-01 support for renewing and generating certificates.

I am running a web server on the same machine and I can't let stalwart bind port 443 because the web server is already using it. It is not possible (as far as I know) to perform TLS-ALPN-01 challenge behind a reverse proxy either, so I can't configure my web server to forward the traffic.

The workaround is using certbot or similar and installing a certificate that both the web server and mail server can use.

@X-Ryl669

This is what I'm doing too, but it's a PITA. I'm using nginx as the reverse proxy, so it's doing the TLS-ALPN-01 part and certbot is ensuring the certificate is good and valid at /etc/letsencrypt/something, but then I'm stuck with Stalwart not using the certificate on the server.

@mdecimus
Member

The library for dynamic DNS updates that Stalwart will use for the ACME DNS-01 challenges has been published. Currently only RFC2136 (with TSIG and SIG0 auth) and Cloudflare are supported. PRs are welcome to support additional cloud providers; the goal is to support as many as Go's lego.

@jacobsvante

Sweet, that looks awesome! 😀
