
Comments (7)

JonasAlfredsson commented on May 24, 2024

Anyway, the latest tag should now include the bunny DNS module.

If you want to discuss the local CA stuff more you can either continue to write here, or open a new issue where you request the TTL of the CA to be customizable. :)

from docker-nginx-certbot.

chreniuc commented on May 24, 2024

I've added a PR here: #226

It's an important feature, because at the moment bunny.net doesn't forward ACME requests done via HTTP to the origin. I've contacted them and they said that they are working on this feature. So the only way to generate SSL certificates using certbot is to use the DNS-01 challenge.


JonasAlfredsson commented on May 24, 2024

Hi chreniuc,

Yeah sure, I will just make sure it builds properly, but the plugin seems to follow the same argument format as the others so it is just a simple addon.

They don't do any HTTP at all or only HTTPS? Is there any documentation on their site which explains it further?


chreniuc commented on May 24, 2024

I have migrated some websites to their CDN and activated HTTPS for those in bunny. When you activate HTTPS, the CDN intercepts all ACME requests so that it can generate the SSL certificates, and it doesn't forward them to the origin server. So if you want to also have a secure connection between the origin server and the CDN, you either have to use the DNS challenge or a self certificate. I've seen no mention in their docs that they do this; I only know because I opened a ticket, and this was their response:

The CDN does currently hijack the .well-known directory to issue SSLs for the CDN Hostname, we do have a feature request with our developers to allow this to be passed through to the Origin as well, however we don't currently have an ETA on when this might be available, my apologies about that.


JonasAlfredsson commented on May 24, 2024

Alright, so you are behind a CDN which hijacks all HTTP challenges, yeah then you probably need the DNS challenge :)

However, isn't the more common approach to this to just create a self-signed certificate on the origin server since this will not be exposed to the internet either way?


chreniuc commented on May 24, 2024

Hm.. I was looking through the documentation and I've noticed that this tool also supports self-signed certificates. So if I pass USE_LOCAL_CA=1, that means that it will generate a self-signed certificate, right?

I would also mount the /etc/local_ca path, so that it will be persistent between runs.

The only drawback that I've noticed is that the expiration time is hard-coded as 30 days, which is a small time slot. Can we add a default env variable that can be injected for that number?


JonasAlfredsson commented on May 24, 2024

Indeed, the USE_LOCAL_CA=1 tries to mimic certbot as much as possible, just with a self-signed certificate.
In my documentation I say this:

The validity period for the automatically created CA is only 30 days, and the reason for this is to deter people from using this solution in production.

But with that I just mean the automatic process of creating the root CA. I would prefer that if this is to be done in production that you manually create a CA that you perhaps give the public part to the CDN so they can trust it.

What you can do is to start an instance of this container locally on your computer, change the value to whatever you want, and then provision this to your clients (later in the documentation it states that if the root CA exists it will not be overwritten). You can then probably bump the renew interval up to 25 days to not have to reload as often.

However, this limitation is only here in order for me to not have to take responsibility for any potential security issues which come from creating your own CA, so I am not impossible to trick into changing these rules.

