OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: Zwiebelhacker on December 03, 2025, 10:49:59 AM

Title: [SOLVED] Feature Request: DNS-01 Support for ACME in OPNWAF (Business Edition)
Post by: Zwiebelhacker on December 03, 2025, 10:49:59 AM
Hi everyone,

I'm not sure if this is the right place for feature requests, but I'd like to ask for DNS-01 validation support in the ACME functionality of the OPNWAF Plugin in the Business Edition.

Right now, I can only find HTTP-01 validation in the Business ACME integration. Maybe I overlooked something, but DNS-01 support doesn't seem to be available.

Since the ACME plugin in the Community Edition already supports DNS-01, it would be extremely helpful to have the same capability in the Business Edition. Especially for environments where HTTP validation isn't possible (internal services, restricted firewalls, wildcard certificates, etc.).

Thanks, and apologies if this post should be placed elsewhere!

Title: Re: Feature Request: DNS-01 Support for ACME in OPNWAF (Business Edition)
Post by: Monviech (Cedrik) on December 03, 2025, 11:27:33 AM
Hello, DNS-01 validation requires a huge mixed bag of external DNS providers who all have different APIs and requirements.

Implementing such a subsystem into OPNWAF is just not great from a technical perspective.

I can give you the perfect example of how it went in Caddy (which I also maintain for OPNsense): It once had around 50+ different DNS providers, all with specific configuration; now it's all gone (well, except in my own branch on GitHub, but in the OPNsense branch only Cloudflare is left now).

So for OPNWAF (on which I also develop), this would go the same; it's pretty much unmaintainable without having a dedicated project all around it, which is exactly what the acme.sh script is.

You can use the ACME plugin together with OPNWAF, just let it write the certificates and use them in OPNWAF. Also, create an automation in the ACME plugin to restart OPNWAF on changes.

https://github.com/opnsense/plugins/issues/4996

Title: Re: Feature Request: DNS-01 Support for ACME in OPNWAF (Business Edition)
Post by: Zwiebelhacker on December 03, 2025, 11:42:05 AM
Thanks for the fast reply!
OK, that makes sense. I'll go ahead and try using the regular ACME plugin together with OPNWAF as you suggested.

Thanks again!