Can Cloudron get Let's Encrypt SSL via DNS?
-
Long story short, my provider blocks (sometimes, not always) many ports, such as 80 (it's for my own good, they said), but port 443 is still open.
I use LinuxServer/LetsEncrypt as a reverse proxy, mainly because it allows me to prove my authority over my subdomain via DNS; then I redirect all HTTP to HTTPS with Cloudflare.
Basically, I would like to understand whether it's possible to request the Let's Encrypt SSL certificate via DNS with Cloudron.
-
@nebulon said in Can Cloudron get Let's Encrypt SSL via DNS?:
Cloudron already uses the DNS challenge for Acme2 if that domain is managed by one of the automated providers. So only if a domain has one of noop|manual|wildcard set as the provider will Cloudron use the HTTP challenge.
So what you're saying is it should work out of the box?
-
Just wanted to add that (by default) when you use one of the DNS providers, we will also try to get wildcard certs. This has the advantage that the subdomain name is not part of the certificate transparency logs. This is a form of security by obscurity, but hey, everything helps. For example, you can search your domain name here: https://transparencyreport.google.com/https/certificates
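An added example (not from this thread or from Cloudron) of the exposure described above: given constructed crt.sh-style CT search results, it reports which hostnames under a domain are logged verbatim and which are covered only by a wildcard entry. The JSON shape and the sample entries are assumptions.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of crt.sh's JSON output (assumption: a list of
# objects whose "name_value" field holds newline-separated DNS names). These are
# not real log entries.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "customer1.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "my.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=Other CA", "name_value": "unrelated.example.org"},
])


def classify_ct_names(ct_json: str, domain: str) -> Dict[str, Set[str]]:
    """Split the names logged for `domain` into ones that disclose a hostname
    and ones that only reveal a wildcard. Any non-wildcard name that sits
    under `domain` (or is the apex itself) counts as disclosed."""
    domain = domain.lower()
    suffix = "." + domain
    disclosed: Set[str] = set()
    wildcards: Set[str] = set()
    for entry in json.loads(ct_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if not name or not (name == domain or name.endswith(suffix)):
                continue  # belongs to another domain, ignore
            if name.startswith("*."):
                wildcards.add(name)
            else:
                disclosed.add(name)
    return {"disclosed": disclosed, "wildcard": wildcards}


def exposed_subdomains(ct_json: str, domain: str) -> List[str]:
    """Hostnames below `domain` that a CT search would reveal verbatim;
    the apex is omitted because it is public anyway."""
    names = classify_ct_names(ct_json, domain)["disclosed"]
    return sorted(n for n in names if n != domain.lower())


if __name__ == "__main__":
    for name in exposed_subdomains(SAMPLE_CT_JSON, "example.com"):
        print("disclosed in CT:", name)
```

With the sample data, the wildcard entries reveal nothing beyond the apex, while the per-subdomain certificates expose customer1, mail and my.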
-
@girish said in Can Cloudron get Let's Encrypt SSL via DNS?:
This is a form of security by obscurity, but hey, everything helps.
You mean it is more private, more obscure?
But it is not more secure.
I personally always choose one certificate for every subdomain, which, in the end, is not necessarily more secure, just more forged.
-
@JOduMonT said in Can Cloudron get Let's Encrypt SSL via DNS?:
You mean it is more private, more obscure?
Yes, indeed. On some Cloudron instances, I have apps which are installed as "customername.domain.com". I like to keep the 'customername' part private.
-
@girish This is an interesting observation. I was just looking to see if this was a real security threat or not, and I suppose it isn't but can offer a bit more privacy using the wildcard approach. Any particular reason why the Let's Encrypt wildcard support can't be done through the actual Cloudron wildcard DNS approach? Is there a way to support this? I'd really like to take advantage of a smaller DNS provider which has some great monitoring features included, but it isn't supported via any API by Cloudron yet, so if I go that route I can only use the Wildcard option, but those don't actually allow for the wildcard certificates.
Edit: Nevermind, I see why in the docs: "Let's Encrypt only allows obtaining wildcard certificates using DNS automation. Cloudron will default to obtaining wildcard certificates when using one of the programmatic DNS API providers."