Certificate Manager: Support CNAME delegation for creating SSL certificates #5315
lpkant
started this conversation in
Feature Request
Replies: 0 comments
I haven't seen any hint in the code that this is currently supported, but if I am wrong, please tell me how to achieve this.
This is our setting:
Our DNS provider does not provide an API, so we set up a CNAME "_acme-challenge" record which points to our Route53 zone, where we can set up extensive IAM and such; this is a recommended pattern endorsed by LE as well.
Currently Infisical tries to create a TXT record with the "wrong" zone in Route53 (which this service does not like):
Original domain: example.com
CNAME record: _acme-challenge.example.com TO _acme-challenge.ssl.example.info
Infisical error: Certificate issuance failed: [RRSet with DNS name _acme-challenge.example.com. is not permitted in zone ssl.example.info.]
Maybe if it checks the zone info and creates the _acme-challenge TXT record for the actual zone (_acme-challenge.ssl.example.info) instead of the example.com one? Is this more of a bug maybe?
In the past we used tools like CertifyTheWeb; nowadays more like LEGO, acme.sh, Posh-ACME and similar, which all allow setting a "mapping" info; sometimes it is called:
I don't know if this "complexity" is necessary, though, as a simple implementation like "create the _acme-challenge record for the zone you are actually in" could suffice, but I am not an expert who can foresee all implications. LEGO at least does it a little bit "like that" by following the CNAME and using that...
So probably three options:
Thanks for any input!
Resources:
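The behaviour the post asks for, written out as an added example that is not Infisical's code and not from any of the ACME clients named above: before placing a DNS-01 TXT record, follow the CNAME chain on `_acme-challenge.<domain>` to the delegated name, then pick the hosted zone that actually contains that name. The CNAME map and the hosted-zone list are constructed stand-ins for real resolver answers and Route53 credentials; the naive path (writing `_acme-challenge.example.com` into `ssl.example.info`) is shown failing the zone check, which is the condition behind the Route53 "RRSet ... is not permitted in zone" error quoted in the post.

```python
"""Added example (not Infisical's code): plan where a DNS-01 TXT record
must be written when _acme-challenge is delegated via CNAME, and verify
that the chosen hosted zone really contains the record name."""
from typing import Dict, List, Optional, Tuple

# Constructed data standing in for live resolver answers: owner -> CNAME target.
CNAME_RECORDS: Dict[str, str] = {
    "_acme-challenge.example.com.": "_acme-challenge.ssl.example.info.",
}

# Constructed list of hosted zones the ACME client holds credentials for.
HOSTED_ZONES: List[str] = ["ssl.example.info.", "other.example.org."]


def normalize(name: str) -> str:
    """Canonical DNS form: lower-case with a single trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def follow_cname(name: str, cname_records: Dict[str, str], max_hops: int = 8) -> str:
    """Follow a CNAME chain from name and return the final owner name.

    Raises ValueError on a loop or an over-long chain so a misconfigured
    delegation fails loudly instead of writing records to the wrong place.
    """
    seen = set()
    current = normalize(name)
    while current in cname_records:
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long starting at {name}")
        seen.add(current)
        current = normalize(cname_records[current])
    return current


def find_zone(name: str, zones: List[str]) -> Optional[str]:
    """Return the most specific hosted zone that contains name, or None.

    A record may only be created in a zone whose apex equals the record
    name or is a parent of it; this is the check Route53 enforces.
    """
    name = normalize(name)
    best: Optional[str] = None
    for zone in zones:
        z = normalize(zone)
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def plan_txt_record(domain: str, cname_records: Dict[str, str],
                    zones: List[str]) -> Tuple[str, str]:
    """Return (zone, record_name) for the DNS-01 TXT record of domain.

    The CNAME is followed first, so a delegated _acme-challenge ends up in
    the delegated zone rather than in the original domain's zone.
    """
    challenge = f"_acme-challenge.{normalize(domain)}"
    target = follow_cname(challenge, cname_records)
    zone = find_zone(target, zones)
    if zone is None:
        raise LookupError(f"no hosted zone available for {target}")
    return zone, target


if __name__ == "__main__":
    # Naive approach from the post: no CNAME following, so no zone matches.
    naive = "_acme-challenge.example.com."
    print("naive zone for", naive, "->", find_zone(naive, HOSTED_ZONES))
    # Delegation-aware approach: the TXT goes to the delegated name/zone.
    print("planned:", plan_txt_record("example.com", CNAME_RECORDS, HOSTED_ZONES))
```

Running the block prints `None` for the naive record name and `('ssl.example.info.', '_acme-challenge.ssl.example.info.')` for the delegation-aware plan; in a real client the constructed `CNAME_RECORDS` lookup would be replaced by an actual resolver query and `HOSTED_ZONES` by the zones the provider API lists.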