[Pdns-users] SSL Proxy with PowerDNS
b.candler at pobox.com
Fri May 5 07:42:37 UTC 2023
On 04/05/2023 18:21, Tom Barrett via Pdns-users wrote:
> I'm looking for a solution for running an SSL proxy with PowerDNS.
> This is a service that will auto-generate SSL certs (such as
> letsencrypt) for each zone.
I think you might be confusing several concepts here, most of which are
nothing to do with PowerDNS.
Firstly, a TLS certificate is not issued for an entire zone, only
individual hostnames in that zone (e.g. "example.com" or
"www.example.com"). As a special case, you can get a wildcard
certificate for "*.example.com" (but it only matches one subdomain deep)
Secondly, a "proxy" generally means something that passes through user
traffic. What sort of "proxy" are you looking for? There are HTTP
reverse proxies (Apache, Nginx, Traefik...): these decrypt the traffic
at the proxy, and only work with HTTP, but mean all your keys and certs
are centralised on the proxy. There are also layer 4 TCP proxies which
can forward the entire TCP session by sniffing the TLS SNI header (I use
sniproxy, but I think haproxy can do this too) - in this case the
traffic remains encrypted end-to-end, but each endpoint host needs its
own key and cert.
Thirdly, the issuance of certificates is mostly unrelated to your choice
of proxy. You might find some proxies have specific helpers available
for issuing certificates (e.g. I think there's an Apache module which
can request letsencrypt certs, and kubernetes has cert-manager). But
often you would deploy a separate tool to do this: either standalone
tools like certbot, dehydrated, acme.sh; or a centralised tool for
certificate issuance like certgrinder. The tool creates the private key
and certificate, and these are then read in by your webserver or proxy.
Fourthly, the issuance of certificates does not need to involve DNS. The
only place where DNS might come into play is if you are using the DNS01
challenge to prove your ownership of a domain (as opposed to the more
common HTTP01 challenge). You'll need to use the DNS01 challenge in two
cases: (1) your hosts do not accept incoming HTTP connections on port 80
from the Internet; or (2) you want to issue a wildcard certificate.
The DNS01 challenge requires dynamic additional and removal of TXT
records from the zone. This is the only point where PowerDNS might get
involved: your certificate issuance tool will need to be able to
add/remove those records, e.g. using RFC2136 dynamic DNS updates, or
using the PDNS API. If you prefer not to expose your important zones to
dynamic updates, you can set up a separate zone for the TXT records, and
statically point CNAMEs at it. If you delegate that zone to a separate
DNS server running acme-dns <https://github.com/joohoi/acme-dns> then
you can leave dynamic updates in PowerDNS completely disabled.
However this is all quite complicated to get your head around at first,
so for any server which is reachable from the public Internet and
doesn't need a wildcard cert, the HTTP01 challenge is likely to be much
easier to set up.
A proxy which accepts inbound connections from the public Internet will
be able to get Letsencrypt certs using HTTP01 just fine. Setting this up
is nothing to do with PowerDNS at all, and therefore I think it would be
more appropriate to continue your query at the Letsencrypt Community
I hope this gives you a few pointers anyway.
More information about the Pdns-users