Remix.run Logo
creatonez 2 days ago

Why would nginx ever need support for the DNS-01 challenge type? It always has access to `.well-known` because nginx is running an HTTP server for the entire lifecycle of the process, so you'd never need to use a lower level way of doing DV. And that seems to violate the principle of least privilege, since you now need a sensitive API token on the server.

0x457 2 days ago | parent | next [-]

Because while Nginx always has access to .well-known, thing that validates on issuer side might not. I use DNS challenge to issue certificates for domains that resolve to IPs in my overlay network.

The issue is that supporting dns-01 is just supporting dns-01 it's providing a common interface to interact with different providers that implement dns-01.

petee 2 days ago | parent [-]

dns-01 is just a challenge; which api or dns update system should nginx support then? Some API, AFXR, or UPDATE?

I think this is kinda the OPs point, nginx an http server, why should it be messing with dns? There are plenty of other acme clients to do this with ease

2 days ago | parent | next [-]
[deleted]
0x457 a day ago | parent | prev [-]

I mean, you just repeated my explanation why supporting dns-01 in nginx isn't straightforward has http-01. I've explained why dns-01 challenge is still useful and might be required for some users.

petee a day ago | parent [-]

I misread your first paragraph, and was more responding to the second that I took as supporting the adding the dns implementation in reply to the OP.

It may still be required by some users, but I don't think that it makes sense for nginx

0x457 13 hours ago | parent [-]

> I took as supporting the adding the dns implementation

Well, I am supporting it, but I pointed why it's not as straightforward as supporting http-01.

> I don't think that it makes sense for nginx

It makes sense for nginx because ultimately I don't make certificates just for the fun of it, I do it to give it to some HTTP server. So it makes sense.

However, this isn't a future that will be not used by paid users, and F5 seems to be opposing making OSS version users lives better.

justusthane 2 days ago | parent | prev | next [-]

You can’t use HTTP-01 if the server running nginx isn’t accessible from the internet. DNS-01 works for that.

chrismorgan 2 days ago | parent | prev | next [-]

Wildcard certificates are probably the most important answer: they’re not available via HTTP challenge.

abcdefg12 2 days ago | parent | prev | next [-]

Because you might have more than one server serving this domain

lukeschlather 2 days ago | parent | prev [-]

Issuing a new certificate with the HTTP challenge pretty much requires you allow for 15 minutes of downtime. It's really not suitable for any customer-facing endpoint with SLAs.

kijin 2 days ago | parent | next [-]

Only if you let certbot take down your normal nginx and occupy port 80 in standalone mode. Which it doesn't need to, if normal nginx can do the job by itself.

When I need to use the HTTP challenge, I always configure the web server in advance to serve /.well-known/ from a certain directory and point certbot at it with `certbot certonly --webroot-path`. No need to take down the normal web server. Graceful reload. Zero downtime. Works with any web server.

chrismorgan 2 days ago | parent | prev | next [-]

Sounds like you’re doing it wrong. I don’t know about this native support, but I’d be very surprised if it was worse than the old way, which could just have Certbot put files in a path NGINX was already serving (webroot method), and then when new certificates are done send a signal for NGINX to reload its config. There should never be any downtime.

kijin 2 days ago | parent [-]

Certbot has a "standalone" mode that occupies port 80 and serves /.well-known/ by itself.

Whoever first recommended using that mode in anything other than some sort of emergency situation needs to be given a firm kick in the butt.

Certbot also has a mode that mangles your apache or nginx config files in an attempt to wire up certificates to your virtual hosts. Whoever wrote the nginx integration also needs a butt kick, it's terrible. I've helped a number of people fix their broken servers after certbot mangled their config files. Just because you're on a crusade to encrypt the web doesn't give you a right to mess with other programs' config files, that's not how Unix works!

jofla_net 2 days ago | parent | next [-]

Also, whoever decided that service providers were no longer autonomous to determine the expiration times of their own infrastructure's certificates should get that boot-to-the-head as well.

It is not as if they couldn't already choose (to buy) such short lifetimes already.

Authoritarianism at its finest.

jeltz 2 days ago | parent | prev | next [-]

Certbot also fights automation and provisioning with e.g. Andible by modifying config files to remember command line options if you ever need to do anything manually in an emergency.

It is a terrible piece of software. I use dehydrated which I'd much friendlier to automation.

tomku 2 days ago | parent | prev [-]

Those choices and Certbot strongly encouraging snap installation was enough to get me to switch to https://go-acme.github.io/lego/, which I've been very happy with since. It's very stable and feels like it was built by people who actually operate servers.

Kwpolska 2 days ago | parent | prev | next [-]

Where would this downtime come from? Your setup is really badly configured if you need downtime to serve a new static file.

2 days ago | parent | prev [-]
[deleted]