DEV Community

Discussion on: Let’s Encrypt Cloudflare

Fred Richards • Edited on

So Let's Encrypt works with the ACME protocol for validation, right? You can choose other protocols than http (or https) for validation. I personally like DNS. One cool little trick: ACME will follow CNAMEs linked together until it finds the validation code.

This means you can host a "validation zone" for all of your LE certs in one place. I have DNS spread across NS1, CloudFlare, some Route53 & DYN and my own personal servers. It made more sense to host my own validation zone and write ansible hooks to update them when needed. The http challenge always seemed hokey to me.

Example included. Perform a dig TXT on this host. The challenge points to a permanent CNAME which lands inside my aval (acme validation) zone. I only update that zone. Gxize.net zone lives in Cloudflare while the real devx.gxize.net lives in Route53. I just need ansible CF hooks to update TXT records in the aval zone when needed.

I made a simple convention... this is the rb2011 host under the devx subzone, separated by a dash. Also, neat caveat: the two zones don't have to be related. I could have a validation zone in any old domain/zone I wish. Register a domain just for validations...

;; ANSWER SECTION:
_acme-challenge.rb2011.devx.gxize.net. 90 IN CNAME aval.rb2011-devx.gxize.net.
aval.rb2011-devx.gxize.net. 300 IN      TXT     "XdNEB-n0C5zU87e544qoC66SZI3R3rKKUGIp-iEgPxI"

Now, use DNS for your renewals and for security's sake, turn https back on. :D
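An added example (my own code, not from the comment or Let's Encrypt): a small Python check, run against constructed records modelled on the dig output above, that follows the `_acme-challenge` CNAME chain the way an ACME server's DNS-01 lookup does, with a hop limit so a CNAME loop in a delegated validation zone fails cleanly instead of hanging, and compares the TXT value against the RFC 8555 key-authorization digest. The `token` and `account_thumbprint` arguments are assumed inputs from an ACME client, not values from the page.

```python
import base64
import hashlib

# Constructed record table modelled on the dig output in the comment (not a live lookup).
# Each entry is ("CNAME", target) or ("TXT", [strings]).
FAKE_ZONE = {
    "_acme-challenge.rb2011.devx.gxize.net.": ("CNAME", "aval.rb2011-devx.gxize.net."),
    "aval.rb2011-devx.gxize.net.": ("TXT", ["XdNEB-n0C5zU87e544qoC66SZI3R3rKKUGIp-iEgPxI"]),
    # Deliberately broken delegation to exercise the loop guard.
    "_acme-challenge.loop.example.": ("CNAME", "loop-a.example."),
    "loop-a.example.": ("CNAME", "loop-b.example."),
    "loop-b.example.": ("CNAME", "loop-a.example."),
}

MAX_CNAME_HOPS = 8  # assumed limit; real resolvers/CAs also cap chain length


def dns01_expected_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(token + "." + thumbprint)), unpadded."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def follow_cname_chain(name: str, records: dict, max_hops: int = MAX_CNAME_HOPS):
    """Follow CNAMEs from `name` until a TXT RRset is found. Returns (final_name, txt_values).
    Raises RuntimeError on a loop or too many hops, LookupError if the chain dead-ends."""
    seen = []
    while True:
        if name in seen or len(seen) >= max_hops:
            raise RuntimeError(f"CNAME loop or too many hops: {' -> '.join(seen + [name])}")
        seen.append(name)
        rtype, data = records.get(name, (None, None))
        if rtype == "CNAME":
            name = data  # keep following, exactly what the comment relies on
        elif rtype == "TXT":
            return name, data
        else:
            raise LookupError(f"no CNAME or TXT record at {name}")


def validate_dns01(fqdn: str, expected_txt: str, records: dict):
    """Return (ok, reason) for the DNS-01 check of `fqdn` against `records`."""
    challenge_name = f"_acme-challenge.{fqdn.rstrip('.')}."
    try:
        final_name, txts = follow_cname_chain(challenge_name, records)
    except (RuntimeError, LookupError) as exc:
        return False, str(exc)
    if expected_txt in txts:
        return True, f"matched TXT at {final_name}"
    return False, f"TXT at {final_name} does not contain expected value"
```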