DNS-01 support

[GGORG0]

Hi, is DNS-01 support planned?

I wanted to do something similar to https://www.youtube.com/watch?v=qlcVx-k-02E (issuing SSL certificates for domains pointing to local IP addresses, without exposing any ports to the open internet) at my homelab.
Is there a way to issue DNS-01 based certificates currently when using nginx-proxy?

By the way, I'm using Cloudflare for my DNS.

[EightArmCode]

I just ran into this. If you're using ZeroSSL, you have to pay for premium to get DNS-01 verification

[necaran]

I have the similar need and end up using acmesh-official/acme.sh, which allows you to deploy to docker containers.
It supports more than 100 DNS providers including CloudFlare.
You will need API token or API key to issue a cert.

---

Here is my setup to use acme.sh with nginx-proxy. Note that you do not need port 80 at all.

• compose.yml

services:
  acme:
    container_name: acme
    image: neilpang/acme.sh:latest
    restart: unless-stopped
    command: daemon
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/acme/:/acme.sh/
    environment:
      DEPLOY_DOCKER_CONTAINER_LABEL: acme-deploy

  nginx-proxy:
    container_name: nginx-proxy
    image: nginxproxy/nginx-proxy:1.5-alpine
    restart: unless-stopped
    ports:
#      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./data/nginx-proxy/certs/:/etc/nginx/certs/
      - ./data/nginx-proxy/vhost.d/:/etc/nginx/vhost.d/
    labels: [acme-deploy]

• acme-issue-deploy.sh

#!/bin/bash
CONTAINER=acme
DOMAIN=example.com

# Set Let's Encrypt as the default CA.
docker exec $CONTAINER --set-default-ca --server letsencrypt

# Issue a new cert. Wildcard is supported.
docker exec \
	-e [email protected] \
	-e CF_Key=xxxxxxxxxx \
	$CONTAINER --issue --dns dns_cf -d $DOMAIN -d *.$DOMAIN

# Deploy command tailored for nginx-proxy.
docker exec \
	-e DEPLOY_DOCKER_CONTAINER_CA_FILE=/etc/nginx/certs/$DOMAIN.chain.pem \
	-e DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE=/etc/nginx/certs/$DOMAIN.crt \
	-e DEPLOY_DOCKER_CONTAINER_KEY_FILE=/etc/nginx/certs/$DOMAIN.key \
	-e DEPLOY_DOCKER_CONTAINER_RELOAD_CMD='docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf && nginx -s reload' \
	$CONTAINER --deploy --deploy-hook docker -d $DOMAIN

Fill in your domain name, email and API key (or corresponding variables) for authentication, as described in How to use DNS API.
To switch to other DNS providers, just edit the --issue command.
Note that other than environment variables, you also have to set --dns option to specify the DNS provider (dns_cf, dns_aws, or etc.).

docker exec \
	-e AWS_ACCESS_KEY_ID=xxxxxxxxxx \
        -e AWS_SECRET_ACCESS_KEY=xxxxxxxxxx \
	$CONTAINER --issue --dns dns_aws -d $DOMAIN -d *.$DOMAIN

You only have to run acme-issue-deploy.sh once for a new domain.
There is a cronjob for renewal built into the docker image of acme.sh.
You can show crontabs with the following command.

docker exec acme cat /var/spool/cron/crontabs/root

---

It is not fully automatic like acme-companion, since you have to run issue and deploy command manually for once.
But it is kind of set-and-forget.
You can check the volume of acme for saved certs and config.

[buchdag]

This feature will be added by #1137