Attention: os-caddy-2.0.0 will remove DNS Providers (except Cloudflare)

Started by Monviech (Cedrik), May 14, 2025, 01:16:38 PM

Please plan the update accordingly when installing 25.1.7 when it comes out.
os-caddy will update to 2.0.0 and will remove the DNS Provider subsystem, except Cloudflare.

Here are the notes and references:

https://github.com/opnsense/plugins/blob/a5fdb9ccd1ccdf885156a702cda8920f08bb16fd/www/caddy/pkg-descr#L9-L21

Here is the why:

https://github.com/opnsense/plugins/issues/4690

I spent quite some time on possible solutions, like building a plugin around xcaddy, but it all ended in being simply unmaintainable.
Hardware:
DEC740

Temporarily putting this as sticky until next week.
Hardware:
DEC740

noooo ;(

Now I have to fight with the built-in ACME Client and Azure DNS-01 again; it just worked with Caddy.

DNS Providers are such a pain. There are hundreds of them and everybody has a slightly different API so every provider needs their own bells and whistles.

The main offender is that these providers do not offer the same standard to update records on their servers.
Hardware:
DEC740

There is a standard for dynamic DNS updates defined in RFC 2136, but I guess none of the DNS Providers supports it. I am running my own name servers, so I do not depend on their ugly APIs.

I am not using caddy or even ACME on OPNsense (yet), but I try to give another view and maybe a possibility to work around this issue with caddy and only that one DNS Provider.

I have a setup for ACME with DNS-01 challenge running on a FreeBSD server with lego. I do have a dedicated dynamic acme.example.com subzone (with only one name server running ISC bind 9.x), which is then only used from lego with the rfc2136 DNS Provider [1]. The cool thing is that CNAMEs in multiple other domains, with _acme-challenge.example.net CNAME to e.g. example_net.acme.example.com, can also be used. For certificate deployment I have a handful of custom shell scripts.

[1] https://go-acme.github.io/lego/dns/rfc2136/

Maybe something like this could be built on OPNsense as well, e.g. with the os-bind plugin serving the dynamic acme.example.com subdomain. Lego seems not to be available on, but maybe acme.sh (os-acme-client plugin) is also able to use RFC 2136 and _acme-challenge CNAME. Then you only need to add an IN NS for acme in the example.com zone pointing to the IP address of your OPNsense.

Happy hacking! :-)
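One way to lay out the setup Fabian describes, as an added example that is not part of the original post and not code from the lego or BIND projects: a dedicated acme.example.com subzone delegated from example.com, a BIND 9 update-policy that lets a single TSIG key change TXT records only, the _acme-challenge CNAMEs in other domains pointing into that subzone, and the nsupdate script an ACME client would send. The zone names, the acme-key TSIG key name, the file paths and the 203.0.113.10 address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for an RFC 2136
# DNS-01 layout: a dynamically updated acme.example.com subzone on
# BIND 9, with _acme-challenge names in other domains CNAMEd into it.
# Every name, key, path and address below is an assumed placeholder.

ACME_ZONE="acme.example.com"                          # assumed subzone
ACME_NS="203.0.113.10"                                # constructed IP of the BIND host
TSIG_KEY_NAME="acme-key"                              # assumed TSIG key name
TSIG_KEY_FILE="/usr/local/etc/namedb/acme-key.conf"   # assumed key file path

# Map a domain to its alias inside the subzone, using the post's
# convention: example.net -> example_net.acme.example.com
acme_cname_target() {
    printf '%s.%s\n' "$(printf '%s' "$1" | tr '.' '_')" "$ACME_ZONE"
}

# Record for the *other* domain's zone, so a validator following
# _acme-challenge.<domain> ends up inside the dynamic subzone.
acme_cname_record() {
    printf '_acme-challenge.%s. IN CNAME %s.\n' "$1" "$(acme_cname_target "$1")"
}

# Delegation for the parent zone (example.com): NS plus glue A record
# pointing at the host running BIND (e.g. OPNsense with os-bind).
acme_delegation_records() {
    printf 'acme IN NS ns-acme.example.com.\nns-acme IN A %s\n' "$ACME_NS"
}

# named.conf fragment for the subzone. update-policy with "zonesub TXT"
# restricts the key to TXT records under the zone; it cannot touch
# NS, A or anything else, so a leaked key cannot redirect the zone.
acme_zone_config() {
    cat <<EOF
include "$TSIG_KEY_FILE";
zone "$ACME_ZONE" {
    type master;
    file "dynamic/$ACME_ZONE.db";
    update-policy { grant $TSIG_KEY_NAME zonesub TXT; };
};
EOF
}

# nsupdate(1) script for one challenge: "$1" is the domain being
# validated, "$2" the challenge value. Printed here, not sent.
acme_nsupdate_script() {
    target=$(acme_cname_target "$1")
    cat <<EOF
server $ACME_NS
zone $ACME_ZONE
update delete $target. TXT
update add $target. 60 IN TXT "$2"
send
EOF
}

# Usage:
#   acme_cname_record example.net
#   acme_delegation_records
#   acme_zone_config
#   acme_nsupdate_script example.net "challenge-token" | nsupdate -k "$TSIG_KEY_FILE"
```

The TXT-only update-policy is the part worth keeping whatever client you use: the ACME client only ever needs to add and delete TXT records, so the key it holds should not be able to do more. lego's rfc2136 provider, per the documentation linked in [1], takes the same pieces (name server address, TSIG key name, secret and algorithm) from its RFC2136_* environment variables, and the CNAME from _acme-challenge.example.net means the real example.net zone never has to be writable at all.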

Quote from: Fabian Wenk on May 22, 2025, 04:43:18 PM
> Maybe something like this could be built on OPNsense as well, e.g. with the os-bind plugin serving the dynamic acme.example.com subdomain. Lego seems not to be available on, but maybe acme.sh (os-acme-client plugin) is also able to use RFC 2136 and _acme-challenge CNAME. Then you only need to add an IN NS for acme in the example.com zone pointing to the IP address of your OPNsense.

That actually exists in the os-acme-client in OPNsense, I used it for a long time. And you can also use those certs instead of the ones provided by Caddy.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+