Is Cloudron could get Let's encrypt SSL via DNS ?

JOduMonT

Long story short my provider block (sometimes not always) many port, such as 80 (it's for my own good they said) but port 443 still open.

I use LinuxServer/LetsEncrypt has reverse proxy mainly because it allow me to prove my authority on my subdomain via DNS than I redirect all http to https with cloudflare.

Basically I would like to understand if it's possible to request the SSL of Let's Encrypt via DNS with Cloudron.

nebulon

Cloudron already uses DNS challenge for Acme2 if that domain is managed by one of the automated provider. So only if a domain has one of noop|manual|wildcardset as the provider, Cloudron will use http challenge.

mehdi

@JOduMonT It is possible, just configure cloudron certificate provider to Let'sEncrypt Wildcard.

(My 2 cents : switch providers. If they are this incompetent, it does not bode well..)

JOduMonT

@mehdi said in Is Cloudron could get Let's encrypt SSL via DNS ?:

(My 2 cents : switch providers. If they are this incompetent, it does not bode well..)

yes but they are the only one which speak an english I could almost understand

JOduMonT

@nebulon said in Is Cloudron could get Let's encrypt SSL via DNS ?:

Cloudron already uses DNS challenge for Acme2 if that domain is managed by one of the automated provider. So only if a domain has one of noop|manual|wildcardset as the provider, Cloudron will use http challenge.

so what is your saying is it should work out of the box ?

nebulon

If you are using a dns provider set in Cloudron for those domains, then yes it should work already. To be clear, I am talking about providers set as mentioned in https://cloudron.io/documentation/domains/#dns-providers

JOduMonT

@nebulon thanks, it worked like a charm

girish

Just wanted to add that (by default) when you use one of the DNS providers, we will also try to get wild card certs. This has the advantage that the subdomain name is not part of the certificate transparency logs. This is a form of security by obscurity but hey everything helps. For example, you can search your domain name here - https://transparencyreport.google.com/https/certificates

JOduMonT

@girish said in Is Cloudron could get Let's encrypt SSL via DNS ?:

This is a form of security by obscurity but hey everything helps.

you means it is more private, more obscure ?

but it is not more secure.

I personally always choose one certificate of every subdomain, which, at the end, is not necessary more secure just more forged

girish

@JOduMonT said in Is Cloudron could get Let's encrypt SSL via DNS ?:

you means it is more private, more obscure ?

yes, indeed. On some cloudron instances, I have apps which are installed as "customername.domain.com". I like to keep the 'customername' part private.

JOduMonT

@girish said in Is Cloudron could get Let's encrypt SSL via DNS ?:

I like to keep the 'customername' part private.

I never taught about it this way but will definitely keep it in mind

d19dotca

@girish This is an interesting observation. I was just looking to see if this was a real security threat or not, and I suppose it isn't but can offer a bit more privacy using the wildcard approach. Any particular reason why the Let's Encrypt wildcard support can't be done through the actual Cloudron wildcard DNS approach? Is there a way to support this? I'd really like to take advantage of a smaller DNS provider which has some great monitoring features included, but it isn't supported via any API by Cloudron yet, so if I go that route I can only use the Wildcard option, but those don't actually allow for the wildcard certificates.

Edit: Nevermind, I see why in the docs: "Let's Encrypt only allows obtaining wildcard certificates using DNS automation. Cloudron will default to obtaining wildcard certificates when using one of the programmatic DNS API providers."