[Pdns-users] SSL Proxy with PowerDNS
Brian Candler
b.candler at pobox.com
Fri May 5 07:42:37 UTC 2023
On 04/05/2023 18:21, Tom Barrett via Pdns-users wrote:
> I'm looking for a solution for running an SSL proxy with PowerDNS.
> This is a service that will auto-generate SSL certs (such as
> letsencrypt) for each zone.
I think you might be confusing several concepts here, most of which are
nothing to do with PowerDNS.
Firstly, a TLS certificate is not issued for an entire zone, only
individual hostnames in that zone (e.g. "example.com" or
"www.example.com"). As a special case, you can get a wildcard
certificate for "*.example.com" (but it only matches one subdomain deep).
Secondly, a "proxy" generally means something that passes through user
traffic. What sort of "proxy" are you looking for? There are HTTP
reverse proxies (Apache, Nginx, Traefik...): these decrypt the traffic
at the proxy, and only work with HTTP, but mean all your keys and certs
are centralised on the proxy. There are also layer 4 TCP proxies which
can forward the entire TCP session by sniffing the TLS SNI header (I use
sniproxy, but I think haproxy can do this too) - in this case the
traffic remains encrypted end-to-end, but each endpoint host needs its
own key and cert.
Thirdly, the issuance of certificates is mostly unrelated to your choice
of proxy. You might find some proxies have specific helpers available
for issuing certificates (e.g. I think there's an Apache module which
can request letsencrypt certs, and kubernetes has cert-manager). But
often you would deploy a separate tool to do this: either standalone
tools like certbot, dehydrated, acme.sh; or a centralised tool for
certificate issuance like certgrinder. The tool creates the private key
and certificate, and these are then read in by your webserver or proxy.
Fourthly, the issuance of certificates does not need to involve DNS. The
only place where DNS might come into play is if you are using the DNS01
challenge to prove your ownership of a domain (as opposed to the more
common HTTP01 challenge). You'll need to use the DNS01 challenge in two
cases: (1) your hosts do not accept incoming HTTP connections on port 80
from the Internet; or (2) you want to issue a wildcard certificate.
The DNS01 challenge requires dynamic addition and removal of TXT
records from the zone. This is the only point where PowerDNS might get
involved: your certificate issuance tool will need to be able to
add/remove those records, e.g. using RFC2136 dynamic DNS updates, or
using the PDNS API. If you prefer not to expose your important zones to
dynamic updates, you can set up a separate zone for the TXT records, and
statically point CNAMEs at it. If you delegate that zone to a separate
DNS server running acme-dns <https://github.com/joohoi/acme-dns> then
you can leave dynamic updates in PowerDNS completely disabled.
However this is all quite complicated to get your head around at first,
so for any server which is reachable from the public Internet and
doesn't need a wildcard cert, the HTTP01 challenge is likely to be much
easier to set up.
A proxy which accepts inbound connections from the public Internet will
be able to get Letsencrypt certs using HTTP01 just fine. Setting this up
is nothing to do with PowerDNS at all, and therefore I think it would be
more appropriate to continue your query at the Letsencrypt Community
forum <https://community.letsencrypt.org/>.
I hope this gives you a few pointers anyway.
Regards,
Brian.
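As an added example (not code from Brian's message or from the PowerDNS project): a minimal DNS01 hook that uses the PowerDNS HTTP API mentioned above to add and remove the `_acme-challenge` TXT records, including the wildcard case (validated at the base name) and the "separate zone for the TXT records" variant. The API URL, the API key and the `<host>.<challenge zone>` naming convention for the CNAME target are assumptions.

```python
import json
import urllib.request

# Assumed settings (not from the original message): local PowerDNS API and its key.
PDNS_API = "http://127.0.0.1:8081/api/v1/servers/localhost"
PDNS_API_KEY = "changeme"


def find_zone(name, zones):
    """Return the longest hosted zone (trailing dot) that contains name."""
    name = name.rstrip(".") + "."
    zones = [z.rstrip(".") + "." for z in zones]
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    if not matches:
        raise ValueError("no hosted zone for %s" % name)
    return max(matches, key=len)


def challenge_name(hostname, challenge_zone=None):
    """TXT record name for DNS01. A wildcard '*.example.com' is validated at
    _acme-challenge.example.com. With challenge_zone set, the record lives in that
    dedicated zone instead; this assumes _acme-challenge.<host> is a static CNAME
    to <host>.<challenge_zone> (a convention assumed here, not given in the message)."""
    base = hostname.rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    if challenge_zone:
        return "%s.%s." % (base, challenge_zone.strip("."))
    return "_acme-challenge.%s." % base


def rrset_patch(name, tokens, changetype="REPLACE", ttl=60):
    """JSON body for PATCH /zones/<zone>. REPLACE writes all tokens as one RRset
    (a cert for example.com plus *.example.com needs two TXT values at the same
    name); DELETE removes the RRset again during cleanup."""
    rrset = {"name": name, "type": "TXT", "changetype": changetype}
    if changetype == "REPLACE":
        rrset["ttl"] = ttl
        rrset["records"] = [{"content": '"%s"' % t, "disabled": False} for t in tokens]
    return {"rrsets": [rrset]}


def send_patch(zone, body):
    """Apply the change through the PowerDNS API; returns the HTTP status (204 on success)."""
    req = urllib.request.Request(
        "%s/zones/%s" % (PDNS_API, zone), data=json.dumps(body).encode(), method="PATCH",
        headers={"X-API-Key": PDNS_API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Keep the API key out of the hook itself (environment variable or a file readable only by the issuance tool), and restrict the key's reach to the challenge zone when you use the separate-zone layout.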