gerdesj 3 days ago

I've run DNS servers in the past - BIND and pdns. I've now gone all in ... because ... well it started with ACME.

As the OP states you can get a registrar to host a domain for you and then you create a subdomain anywhere you fancy and that includes at home. Do get the glue records right and do use dig to work out what is happening.

Now with a domain under your own control, you can use CNAME records in other zones to point at your zones and if you have dynamic DNS support on your zones (RFC 2136) then you can now support ACME, i.e. Let's Encrypt and ZeroSSL and co.

Sadly certbot doesn't do (or it didn't) CNAME redirects for ACME. However, acme.sh and simple-acme do and both are absolutely rock solid. Both of those projects are used by a lot of people and well trod.

acme.sh is ideal for unix gear and, if you follow this bloke's method of installation (https://pieterbakker.com/acme-sh-installation-guide-2025/), usefully centralised.

simple-acme is for Windows. It has loads of add on scripts to deal with scenarios. Those scripts seem to be deprecated but work rather well. Quite a lot of magic here that an old school Linux sysadmin is glad of.

PowerDNS auth server supports dynamic DNS and you can filter access by IP and TSIG-KEY, per zone and/or globally.

Join the dots.

[EDIT: Speling, conjunction switch]

adiabatichottub 4 hours ago | parent | next [-]

I'm a fan of uACME:

https://github.com/ndilieto/uacme

Tiny, simple, reliable. What more can you ask?

DaSHacka 3 hours ago | parent [-]

Neat, I've used lego (https://github.com/go-acme/lego) but will certainly have to give uacme a look, love me a simple ACME client.

acme.sh was too garish for my liking, even as a guy that likes his fair share of shell scripts. And obviously certbot is a non-starter because of snap.

adiabatichottub 3 hours ago | parent [-]

Certbot has earned my ire on just about every occasion I've had to interact with it. It is a terrible program and I can't wait to finish replacing it everywhere.

The new setup is using uAcme and nsupdate to do DNS-01 challenges. No more fiddling with any issues in the web server config for a particular virtual host, like some errant rewrite rule that prevents access to .well-known/.
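The CNAME delegation that gerdesj describes and the uacme-plus-nsupdate setup above are the same flow: `_acme-challenge.www.example.com.` carries a CNAME to a name in a zone you control with RFC 2136 updates enabled (say `_acme-challenge.www.example.com.dyn.example.org.`), and the hook writes the TXT record at the CNAME target rather than at the original name. The script below is an added example, not uacme's own hook script and not acme.sh's dnsapi code; it assumes the uacme hook argument order (method type ident token auth), a TSIG key file in BIND format, and placeholder server and zone names that you would replace.

```shell
#!/bin/sh
# Added example, not uacme's own hook or acme.sh's dnsapi: a DNS-01 hook that
# follows the _acme-challenge CNAME into a dynamically updatable zone and pushes
# the TXT record there with nsupdate over TSIG (RFC 2136). Argument order follows
# the uacme hook convention (method type ident token auth); every host, key path
# and zone name below is a placeholder.
set -eu

NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.example.net}"  # assumed dynamic-DNS primary
NSUPDATE_KEY="${NSUPDATE_KEY:-/etc/acme/tsig.key}"     # assumed TSIG key file (BIND format)
TTL=60
TRIES=20

# Follow the CNAME chain from _acme-challenge.<ident> to the name that actually
# lives in the dynamic zone; with no CNAME the record name is used unchanged.
challenge_target() {
    name="_acme-challenge.$1"
    hops=0
    while [ "$hops" -lt 8 ]; do
        next=$(dig +short CNAME "$name." | sed 's/\.$//')
        [ -n "$next" ] || break
        name=$next
        hops=$((hops + 1))
    done
    printf '%s\n' "$name"
}

# Render the nsupdate transcript; nsupdate locates the zone via the SOA itself.
build_update() {
    action=$1 target=$2 value=$3 server=$4
    printf 'server %s\n' "$server"
    if [ "$action" = add ]; then
        printf 'update add %s. %s IN TXT "%s"\n' "$target" "$TTL" "$value"
    else
        printf 'update delete %s. IN TXT "%s"\n' "$target" "$value"
    fi
    printf 'send\n'
}

# Read `dig +short TXT` output on stdin; succeed if the expected value is present.
txt_present() {
    grep -qxF "\"$1\""
}

# Ask the authoritative server directly (no caching resolver in the way) until
# the record is visible, so the CA is not told to validate too early.
wait_for_txt() {
    target=$1 value=$2 server=$3
    n=0
    while [ "$n" -lt "$TRIES" ]; do
        if dig +short @"$server" TXT "$target." | txt_present "$value"; then
            return 0
        fi
        n=$((n + 1))
        sleep 3
    done
    echo "TXT for $target not visible at $server after $TRIES tries" >&2
    return 1
}

main() {
    method=$1 type=$2 ident=$3 auth=$5   # $4 (token) is not needed for dns-01
    [ "$type" = dns-01 ] || { echo "this hook only handles dns-01" >&2; exit 1; }
    target=$(challenge_target "$ident")
    case $method in
        begin)
            build_update add "$target" "$auth" "$NSUPDATE_SERVER" | nsupdate -k "$NSUPDATE_KEY"
            wait_for_txt "$target" "$auth" "$NSUPDATE_SERVER"
            ;;
        done|failed)
            build_update delete "$target" "$auth" "$NSUPDATE_SERVER" | nsupdate -k "$NSUPDATE_KEY"
            ;;
        *)
            echo "unknown method $method" >&2
            exit 1
            ;;
    esac
}

# Only run when invoked by the ACME client with its five arguments.
if [ "$#" -eq 5 ]; then
    main "$@"
fi
```

The point of the delegation, security-wise, is that the TSIG key on the web host only needs write access to the throwaway dynamic zone, never to the zone that holds your real records; on PowerDNS that is the per-zone `TSIG-ALLOW-DNSUPDATE` and `ALLOW-DNSUPDATE-FROM` metadata with `dnsupdate=yes` in pdns.conf, on BIND an `update-policy` on that zone. The hook also polls the authoritative server rather than a resolver, because a cached negative answer for `_acme-challenge` is the usual reason a freshly written TXT record "isn't there" when the CA looks.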

ozim an hour ago | parent | prev | next [-]

I think CNAME redirections not being supported is a reasonable choice. It would make my life easier as well, but it opens all kinds of bad possibilities that bad actors would definitely use.

9dev 3 days ago | parent | prev [-]

Seconded. Don’t use certbot; it’s an awful piece of user-hostile software, starting from snap being the only supported installation channel. Everything it does wrong, acme.sh does right.

tryauuum 2 hours ago | parent | next [-]

Just installed certbot yesterday on Ubuntu 24.04, from the default repos, without any snaps.

mediumsmart 2 hours ago | parent [-]

Same on Debian trixie. certbot works fine for me. Zone records in BIND, generate the DNSKEY, cronjob to re-sign it daily and you're off to the races. No problems, no snaps.

locknitpicker an hour ago | parent | prev [-]

> starting from snap being the only supported installation channel.

This sounds like you are complaining about Ubuntu, not the software you wish to install in Ubuntu.