Is there a way to turn off the dry run? #2

Closed
opened 2019-07-24 16:49:55 +00:00 by Ghost · 9 comments

Is there any option to turn off the dry run (`_greenlock-dryrun-XXXX`) in DNS-01?
Owner

I'd like to understand _why_ you want to turn off the dry run so that I can perhaps address the deeper concern and make it a general solution that benefits everyone.

What's the problem you're facing?
Author

I am working on a service where I am serving HTTP requests for users' domains. I wanted to secure these custom domains. I thought that instead of getting the user to set 2 records, I would ask them to set a single `CNAME` of `.acme-challenge.XXXX` record pointing to my domain, which would in turn have the ACME challenge's string. This way I can verify the domain myself, and then I can request the challenge and update it in my DNS. With the dry run I would need to ask the user to update 2 DNS records.

I am pretty new to ACME, so sorry if the idea sounds stupid.
Owner

That won't work. You have to use TXT records.

Who is your DNS provider?

Owner

There are a bunch of dns providers so that you just need an API token and you don't have to have manual entry every 90 days:

https://git.rootprojects.org/root?q=acme-dns-01-&tab=&sort=recentupdate

Author

Sorry, you got me wrong. I want to issue certificates for my users' domains by getting them to set DNS records on their own domain. I thought there was a way to turn off the dry run, as I couldn't see any dry run record to be set on https://greenlock.domains/ when I put my domain there. But I couldn't find an option to turn it off.

If I understand right, greenlock verifies DNS ownership in the dry run itself so that we don't hit LE's rate limits by requesting actual certificates. I believe there should be an option to turn it off if the user of the greenlock library wants to implement this verification/dry run manually.

I also found a `skipDryRun` in the code of acme.js or greenlock, so I thought maybe it's an option.
Owner

You don't need to set DNS records for the HTTP-01 challenge, which is what you'd have to use if you're setting CNAMEs.

However, in v3, which I've already finished [for the browser](https://greenlock.domains) and will be backporting to node in August, I'll be exposing the DNS challenges differently (which I had to do for browser support).
Owner

Oops, hit enter too early.

Are you using http-01 or dns-01?

If you're using dns-01, who is in control of the DNS? The user? Why not use http-01 for that?
Author

Yes, I was wondering about that (greenlock in browser) when I saw requests to Let's Encrypt in my network tab.
The user would be in control of the DNS. I think I should be using http-01; I never really gave it a thought, I always thought of using dns-01.

Thanks
Owner

Yeah, the dryrun question comes up from time to time, but I don't answer directly because usually it's an indicator of "doing it wrong" / not understanding.

I'm glad that helped.

Reference: root/greenlock.js#2