From: Lonnie A. <li...@lo...> - 2021-09-18 14:19:39
Hi Michael,

Documenting would be great. This could be universally useful to anyone with a constellation of AstLinux boxes.

Do you run the acme-dns server within your private WireGuard network? or via a public Vultr/Linode VM? If the latter, I would firewall access to the clients as close as possible.

My only concern is the acme-dns Github project [2] has been 2 years since its last release with 70 open issues and 20 PRs waiting. A new acme-dns release with an update of the bundled Go library would be nice since acme-dns is a network server.

Lonnie

> On Sep 18, 2021, at 12:55 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Devs
>
> We have acme-dns working in our next release. Seems pretty good so far and will be a far more secure and easy to manage option.
> Once I have done some real world testing would you like us to write it up?
>
> Regards
> Michael Knill
>
> On 15/8/21, 1:52 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Hey Michael,
>
> Looking forward to hearing how acme-dns works for you. AstLinux's acme-client (acme.sh) has a plugin for acme-dns, usage: --dns dns_acmedns
>
> The acme-dns author "Joona Hoikkala" wrote an EFF article [1] "Securing the Automation of ACME DNS Challenge Validation"
>
> BTW, I would use the acme-dns Github page [2] for info rather than the nethserver wiki article you referenced.
>
> Lonnie
>
> [1] https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
>
> [2] https://github.com/joohoi/acme-dns/
>
>
>> On Aug 13, 2021, at 10:33 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Actually decided that I will give acme-dns a try: https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns
>> Will report how I go.
>>
>> Regards
>> Michael Knill
>>
>> From: Michael Knill <mic...@ip...>
>> Reply to: AstLinux List <ast...@li...>
>> Date: Saturday, 14 August 2021 at 12:29 pm
>> To: AstLinux List <ast...@li...>
>> Subject: [Astlinux-users] Securing DNS API Keys when using ACME
>>
>> Hi Group
>>
>> I'm looking to move away from Wildcard SSL and move back to ACME Let's Encrypt to ensure a unique cert for all our systems. The reason is that we have built our new Mobile Softphone solution which is heavily reliant on TLS for provisioning and SIP.
>>
>> As such, I want to set this up but I am concerned that if one of our systems was compromised (we have quite a few now), this will allow an attacker to do bad stuff to our DNS (currently GoDaddy). I understand that some DNS providers may be able to restrict what you can do with the API but just wondering if anyone has any better ideas?
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>>
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: mic...@ip...
>> W: ipcsolutions.com.au
>>
>> Smarter Business Communications
>>
>> _______________________________________________
>> Astlinux-users mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
>
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
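The security argument running through this thread is about credential scope: a registrar API key (GoDaddy in Michael's case) stored on every AstLinux box lets an attacker who compromises one box rewrite the whole zone, whereas an acme-dns credential can only write one TXT record under a randomly named subdomain of a zone delegated to the acme-dns server. The following is an added example, written for this page and not code from acme-dns, acme.sh or AstLinux: an in-memory Python model of the acme-dns register/update API as the project README describes it (POST /register with an optional allowfrom CIDR list; POST /update authenticated by X-Api-User and X-Api-Key headers; a TXT value of exactly 43 characters). The storage, token generation, the zone name "auth.example.org", the 10.10.x.x WireGuard ranges and the exact response bodies are this example's own assumptions.

```python
"""Model of the credential scoping that acme-dns gives an ACME dns-01 client.

Added example for this thread; not code from acme-dns, acme.sh or AstLinux.
The API shape (POST /register, POST /update, X-Api-User / X-Api-Key headers,
43-character TXT values) follows the acme-dns README; storage, token
generation and the exact responses here are this example's own assumptions.
"""
import hmac
import ipaddress
import secrets
import uuid
from dataclasses import dataclass

TXT_LEN = 43  # base64url(SHA-256(key authorization)) without padding


@dataclass
class Account:
    username: str    # sent back by the client as X-Api-User
    password: str    # sent back by the client as X-Api-Key
    subdomain: str   # the only label this credential may write under
    allowfrom: list  # CIDR allow-list; empty means any source IP
    txt: str = ""    # current TXT value served for the subdomain


class AcmeDnsModel:
    """In-memory stand-in for an acme-dns server for one delegated zone."""

    def __init__(self, zone: str):
        self.zone = zone  # e.g. "auth.example.org" (assumed)
        self.accounts: dict = {}

    def register(self, allowfrom=None) -> dict:
        """POST /register: mint a credential bound to a fresh random subdomain."""
        allowfrom = list(allowfrom or [])
        for cidr in allowfrom:
            ipaddress.ip_network(cidr, strict=False)  # raises on a malformed CIDR
        acct = Account(
            username=str(uuid.uuid4()),
            password=secrets.token_urlsafe(30),  # 40 URL-safe characters
            subdomain=str(uuid.uuid4()),
            allowfrom=allowfrom,
        )
        self.accounts[acct.username] = acct
        return {
            "username": acct.username,
            "password": acct.password,
            "fulldomain": f"{acct.subdomain}.{self.zone}",
            "subdomain": acct.subdomain,
            "allowfrom": acct.allowfrom,
        }

    def update(self, headers: dict, body: dict, client_ip: str):
        """POST /update: returns (http_status, json_body)."""
        acct = self.accounts.get(headers.get("X-Api-User", ""))
        key = headers.get("X-Api-Key", "")
        if acct is None or not hmac.compare_digest(acct.password.encode(), key.encode()):
            return 401, {"error": "forbidden"}
        if acct.allowfrom and not any(
            ipaddress.ip_address(client_ip) in ipaddress.ip_network(c, strict=False)
            for c in acct.allowfrom
        ):
            return 401, {"error": "forbidden"}
        # The credential is scoped: it can only write its own subdomain.
        if body.get("subdomain") != acct.subdomain:
            return 401, {"error": "forbidden"}
        txt = body.get("txt", "")
        if len(txt) != TXT_LEN:
            return 400, {"error": "bad_txt"}
        acct.txt = txt
        return 200, {"txt": txt}

    def resolve_txt(self, fqdn: str) -> str:
        """What the ACME CA would read after following the _acme-challenge CNAME."""
        for acct in self.accounts.values():
            if fqdn == f"{acct.subdomain}.{self.zone}":
                return acct.txt
        return ""


def demo() -> dict:
    """Two AstLinux boxes, each holding its own acme-dns credential (constructed data)."""
    server = AcmeDnsModel("auth.example.org")
    box_a = server.register(allowfrom=["10.10.0.0/24"])  # assumed WireGuard range of box A
    box_b = server.register(allowfrom=["10.10.1.0/24"])  # assumed WireGuard range of box B
    auth_a = {"X-Api-User": box_a["username"], "X-Api-Key": box_a["password"]}
    token = "A" * TXT_LEN  # constructed stand-in for a challenge digest

    results = {}
    results["own_record"] = server.update(
        auth_a, {"subdomain": box_a["subdomain"], "txt": token}, "10.10.0.5")[0]
    # A compromised box A cannot touch box B's validation record ...
    results["other_record"] = server.update(
        auth_a, {"subdomain": box_b["subdomain"], "txt": token}, "10.10.0.5")[0]
    # ... nor use its credential from outside its allow-list ...
    results["wrong_source"] = server.update(
        auth_a, {"subdomain": box_a["subdomain"], "txt": token}, "203.0.113.9")[0]
    # ... nor write anything other than a 43-character challenge value.
    results["bad_txt"] = server.update(
        auth_a, {"subdomain": box_a["subdomain"], "txt": "v=spf1 -all"}, "10.10.0.5")[0]
    results["served"] = server.resolve_txt(box_a["fulldomain"]) == token
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the box's own zone carries `_acme-challenge.<host>` as a CNAME to the `fulldomain` returned by registration, so the credential never touches the GoDaddy zone at all; acme.sh's `dns_acmedns` plugin, as its documentation describes, takes the registration values through the `ACMEDNS_BASE_URL`, `ACMEDNS_USERNAME`, `ACMEDNS_PASSWORD` and `ACMEDNS_SUBDOMAIN` environment variables. The `allowfrom` check models what Lonnie's "firewall access to the clients as close as possible" achieves at the network layer when the server is on a public VM rather than inside WireGuard.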