From: Michael K. <mic...@ip...> - 2021-09-19 20:48:08

Hi Lonnie

Yes that is a concern ☹. We have firewalled it using Vultr. You can also specify an IP address in the initial registration that it only allows requests from. Although acme-dns is a much better solution, ultimately I just wanted a sacrificial DNS for the ACME challenge TXT records rather than having my primary DNS API credentials on every system. My understanding is that if acme-dns was compromised, the most that could be done is that we can't issue certificates any more. I'm sure there is more, but certainly the risk and impact is far less than the potential release of primary DNS API credentials.

Regards
Michael Knill

On 19/9/21, 12:19 am, "Lonnie Abelbeck" <li...@lo...> wrote:

Hi Michael,

Documenting would be great. This could be universally useful to anyone with a constellation of AstLinux boxes.

Do you run the acme-dns server within your private WireGuard network? Or via a public Vultr/Linode VM? If the latter, I would firewall access to the clients as close as possible.

My only concern is the acme-dns GitHub project [2] has been 2 years since its last release, with 70 open issues and 20 PRs waiting. A new acme-dns release with an update of the bundled Go library would be nice since acme-dns is a network server.

Lonnie

> On Sep 18, 2021, at 12:55 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Devs
>
> We have acme-dns working in our next release. Seems pretty good so far and will be a far more secure and easy to manage option.
> Once I have done some real world testing would you like us to write it up?
>
> Regards
> Michael Knill
>
> On 15/8/21, 1:52 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Hey Michael,
>
> Looking forward to hearing how acme-dns works for you.
>
> AstLinux's acme-client (acme.sh) has a plugin for acme-dns, usage: --dns dns_acmedns
>
> The acme-dns author "Joona Hoikkala" wrote an EFF article [1] "Securing the Automation of ACME DNS Challenge Validation"
>
> BTW, I would use the acme-dns GitHub page [2] for info rather than the nethserver wiki article you referenced.
>
> Lonnie
>
> [1] https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
> [2] https://github.com/joohoi/acme-dns/
>
>> On Aug 13, 2021, at 10:33 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Actually decided that I will give acme-dns a try: https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns
>> Will report how I go.
>>
>> Regards
>> Michael Knill
>>
>> From: Michael Knill <mic...@ip...>
>> Reply to: AstLinux List <ast...@li...>
>> Date: Saturday, 14 August 2021 at 12:29 pm
>> To: AstLinux List <ast...@li...>
>> Subject: [Astlinux-users] Securing DNS API Keys when using ACME
>>
>> Hi Group
>>
>> I'm looking to move away from Wildcard SSL and move back to ACME Let's Encrypt to ensure a unique cert for all our systems. The reason is that we have built our new Mobile Softphone solution which is heavily reliant on TLS for provisioning and SIP.
>>
>> As such, I want to set this up but I am concerned that if one of our systems was compromised (we have quite a few now), this will allow an attacker to do bad stuff to our DNS (currently GoDaddy). I understand that some DNS providers may be able to restrict what you can do with the API but just wondering if anyone has any better ideas?
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>>
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: mic...@ip...
>> W: ipcsolutions.com.au
>>
>> Smarter Business Communications
>>
>> _______________________________________________
>> Astlinux-users mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

_______________________________________________
Astlinux-devel mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-devel
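As an added illustration of the two controls discussed in this thread (delegating only `_acme-challenge` to the acme-dns zone with a one-time CNAME so the primary DNS API key stays off the client hosts, and pinning the acme-dns credentials to source networks with `allowfrom` at registration), here is a Python example that is not part of the thread or of the acme-dns project. The request shapes (`POST /register` with `allowfrom`, `POST /update` with the `X-Api-User`/`X-Api-Key` headers and a 43-character TXT value) follow the acme-dns README; the hostnames, CIDRs and account values are constructed, and the code only builds and checks the messages locally, it contacts no server.

```python
import base64
import hashlib
import ipaddress
import json


def delegation_record(host: str, fulldomain: str) -> str:
    """CNAME line an admin adds once at the primary DNS (zone-file syntax).

    After this, validation for host is answered from the acme-dns zone, so
    the primary provider's API key is never needed on the client host.
    """
    return f"_acme-challenge.{host}. IN CNAME {fulldomain}."


def registration_body(allowfrom: list[str]) -> str:
    """JSON body for POST /register that pins the new account to source CIDRs.

    Each entry is parsed strictly, so a host address with a network prefix
    (e.g. 203.0.113.5/24) is rejected here instead of being sent.
    """
    nets = [str(ipaddress.ip_network(c, strict=True)) for c in allowfrom]
    return json.dumps({"allowfrom": nets})


def update_allowed(allowfrom: list[str], client_ip: str) -> bool:
    """The rule acme-dns applies to POST /update: with a non-empty allowfrom,
    the request's source address must fall inside one of the listed networks;
    an empty list imposes no source restriction."""
    if not allowfrom:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in allowfrom)


def challenge_txt(key_authorization: str) -> str:
    """DNS-01 TXT value (RFC 8555 section 8.4): base64url of SHA-256 of the
    key authorization, without padding; always 43 characters."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def update_request(username: str, password: str, subdomain: str, txt: str) -> dict:
    """Headers and body of the only call the per-host credential can make:
    POST /update, which rewrites the TXT record of the account's own subdomain.
    acme-dns refuses any value that is not exactly 43 characters long."""
    if len(txt) != 43:
        raise ValueError("TXT value must be exactly 43 characters")
    return {
        "headers": {"X-Api-User": username, "X-Api-Key": password},
        "body": json.dumps({"subdomain": subdomain, "txt": txt}),
    }


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real account or host.
    fulldomain = "8e5700ea-a4bf-41c7-8a77-e990661c1e36.auth.example.net"
    print(delegation_record("pbx1.example.com", fulldomain))
    print(registration_body(["203.0.113.0/24", "198.51.100.7/32"]))
    print(update_allowed(["203.0.113.0/24"], "203.0.113.44"))  # True
    print(update_allowed(["203.0.113.0/24"], "198.51.100.9"))  # False
    txt = challenge_txt("sample-token.sample-thumbprint")
    print(update_request("user", "pass", "8e5700ea-a4bf-41c7-8a77-e990661c1e36", txt))
```

The point of the split is visible in `update_request`: even if a client host and its acme-dns credential are lost, the credential only authorises writing one TXT value under that account's own subdomain, and with `allowfrom` set it is only honoured from the listed networks, which is the "sacrificial DNS" outcome Michael describes.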