acme-dns

Set up acme-dns on AWS

Build from source (slow)

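# Build acme-dns from source. Go is required; htop is only a convenience.
sudo dnf install go htop
# Clones the default branch. Check out a release tag before building if you
# want a reproducible, reviewable binary instead of whatever HEAD is today.
git clone https://github.com/joohoi/acme-dns
cd acme-dns
# -p: do not fail when ~/go already exists (re-running the steps is harmless)
mkdir -p ~/go
export GOPATH=~/go
# Produces ./acme-dns in the checkout; this takes a while.
go build
#wait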

Install a prebuilt release (fast)

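# acme-dns: prebuilt v1.0 release binary
wget https://github.com/joohoi/acme-dns/releases/download/v1.0/acme-dns_1.0_linux_amd64.tar.gz
# Verify the archive against the checksum or signature published with the
# release (if one is provided) before unpacking it.
tar -xf acme-dns_1.0_linux_amd64.tar.gz
# install(1) instead of mv: the binary becomes root-owned and 0755, so the
# unprivileged login user that unpacked it can no longer modify what the service runs.
sudo install -o root -g root -m 0755 acme-dns /usr/local/bin/acme-dns

# Dedicated unprivileged service account. --create-home already creates /var/lib/acme-dns.
sudo useradd --system --comment "acme-dns Service" --user-group --create-home --home /var/lib/acme-dns acme-dns
sudo mkdir -p /etc/acme-dns
sudo nano /etc/acme-dns/config.cfg
# The config can carry database credentials (postgres connection string), so
# keep it readable by root and the service account only. Assumes acme-dns.service
# runs the daemon as the acme-dns user created above -- check the unit's User= line.
sudo chown root:acme-dns /etc/acme-dns/config.cfg
sudo chmod 640 /etc/acme-dns/config.cfg
# -p: the directory was already created by useradd --create-home
sudo mkdir -p /var/lib/acme-dns/

# acme-dns.service is expected in the current directory; it is not fetched by the steps above.
sudo mv acme-dns.service /etc/systemd/system/acme-dns.service
sudo systemctl daemon-reload
sudo systemctl enable acme-dns.service
sudo systemctl start acme-dns.service

# Caddy 2.6.4: TLS-terminating reverse proxy in front of the acme-dns API
wget https://github.com/caddyserver/caddy/releases/download/v2.6.4/caddy_2.6.4_linux_amd64.tar.gz
# Fix: the original line named no archive, so tar had nothing to extract.
tar -xf caddy_2.6.4_linux_amd64.tar.gz
sudo install -o root -g root -m 0755 caddy /usr/bin/caddy
sudo mkdir -p /etc/caddy
sudo nano /etc/caddy/Caddyfile
# Matches the User=/Group= and home directory expected by the upstream caddy.service unit.
sudo useradd --system --comment "caddy Service" --user-group --create-home --home /var/lib/caddy caddy

# Upstream unit file from caddyserver/dist (master branch, unpinned)
wget https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service
sudo mv caddy.service /etc/systemd/system/caddy.service
sudo systemctl daemon-reload
sudo systemctl enable caddy
sudo systemctl start caddy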

Test

# Smoke test of the registration endpoint through Caddy. -u sends the same
# basic-auth header as user:password@ in the URL. Note that -vv prints the
# Authorization header, so do not paste the verbose output into tickets or logs.
curl -vv -X POST -u user:password https://acme-dns.example.com/register

Generate password hash for basic auth

# Prompts for a password and prints a bcrypt hash; that hash -- never the
# plaintext -- is what goes into the basicauth block of the Caddyfile.
caddy hash-password
acme-dns.example.com
# Caddy terminates TLS for this host and forwards to the acme-dns API on
# loopback port 8080; the value must match api.port in config.cfg.
reverse_proxy :8080
# /* covers every path, so /register and /update both require the credential.
# Caddy applies basicauth before reverse_proxy regardless of the order written here.
basicauth /* {
# bcrypt hash produced by `caddy hash-password`; never the plaintext password
user $2a$14$718Z3XqyhAmmttvL9.QPXOzKkyOmxkJCOonaz/jnKMGZj7bxknYJC
}
[general]
# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
# In this case acme-dns will error out and you will need to define the listening interface
# for example: listen = "127.0.0.1:53"
# Presumably left on all interfaces on purpose: the CA's resolvers must be able to
# query the TXT records here for DNS-01 validation -- confirm the security group allows 53/udp+tcp.
listen = "0.0.0.0:53"
# protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
protocol = "both"
# domain name to serve the requests off of
domain = "acme-dns.example.com"
# zone name server
nsname = "acme-dns.example.com"
# admin email address, where @ is substituted with .
nsadmin = "alerts@example.com"
# predefined records served in addition to the TXT
records = [
# domain pointing to the public IP of your acme-dns server
# (127.0.0.1 is a placeholder -- replace it with the instance's public address)
"acme-dns.example.com. A 127.0.0.1",
# declares this host as the name server for acme-dns.example.com, so
# *.acme-dns.example.com lookups are delegated to it
"acme-dns.example.com. NS acme-dns.example.com.",
]
# debug messages from CORS etc
debug = false
[database]
# Database engine to use, sqlite3 or postgres
engine = "sqlite3"
# Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
# Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
# The path below is inside the service account's home (useradd --home /var/lib/acme-dns),
# so the daemon can create the file without any extra privileges.
connection = "/var/lib/acme-dns/acme-dns.db"
# A postgres URL embeds the database password; if you switch to it, keep this
# file readable only by root and the service account.
# connection = "postgres://user:password@localhost/acmedns_db"
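[api]
# listen ip eg. 127.0.0.1
# Loopback only: Caddy (reverse_proxy :8080) is the sole intended client and is
# where TLS and basic auth are enforced. Bound to 0.0.0.0, the plain-HTTP API is
# also reachable directly (firewall permitting), which skips that auth and lets
# the caller supply its own X-Forwarded-For -- the header use_header below trusts.
ip = "127.0.0.1"
# disable registration endpoint
disable_registration = false
# listen port, eg. 443 for default HTTPS
#port = "443"
# must match the reverse_proxy target in the Caddyfile
port = "8080"
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
#tls = "letsencrypt"
# TLS is terminated by Caddy in front of this listener
tls = "none"
# only used if tls = "cert"
tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
# only used if tls = "letsencrypt"
acme_cache_dir = "api-certs"
# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
notification_email = ""
# CORS AllowOrigins, wildcards can be used
# upstream default; narrow it if no browser-based client needs the API
corsorigins = [
"*"
]
# use HTTP header to get the client ip
#use_header = false
# acceptable only while the API is reachable solely through the proxy that sets this header
use_header = true
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"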
[logconfig]
# logging level: "error", "warning", "info" or "debug"
# "info" records registrations and updates, which is what you want for auditing the API
loglevel = "info"
# possible values: stdout, TODO file & integrations
# under systemd, stdout lands in the journal (journalctl -u acme-dns)
logtype = "stdout"
# file path for logfile TODO
# logfile = "./acme-dns.log"
# format, either "json" or "text"
logformat = "text"