Hi William.

On 2025-09-22 (Mo.) 19:02, William Lallemand wrote:
Hello Aleks,

On Mon, Sep 22, 2025 at 04:34:16PM +0200, Aleksandar Lazic wrote:
Subject: Question about "acme and challenge DNS-01"
Hi.

I like the upcoming feature for ACME certificates.

As may be known, the DNS-01 challenge requires propagating the
acme-challenge into the DNS.
There are several DNS providers which offer an HTTP API, like DESec and
some others.

What's the plan to handle this DNS propagation within HAProxy?


DNS-01 is a complicated subject because there's no standardized API to do that,
so one must implement every API out there, which is kind of stupid, and we
don't have the task force for that.

DNS-01 is currently implemented that way:

- HAProxy computes a new private KEY and does the newOrder request
- HAProxy dumps details on how to handle the challenge on the dpapi sink,
   if you want to look at it, you could just do:
   ( echo "@@1 show events dpapi -w -0"; cat - ) | socat /tmp/master.sock - | cat -e
- HAProxy emits a log message with the computed challenge to put in the DNS
   entry
- a new "acme-vars" keyword can be used to pass other things on the dpapi
   sink, like new variables for the DNS API and stuff

You would need to use an external agent, and we decided to make it easy for
people and make a first implementation directly in the dataplaneAPI, which is
in golang and can use libdns.

Do you refer to this https://github.com/haproxytech/dataplaneapi/blob/master/handlers/acme_provider.go or https://github.com/haproxytech/dataplaneapi/tree/master/operations/acme*?

Is there any "Plugin" system in dataplaneAPI where the libdns could be added, so that via a config item "dnsprovider" or something else the proper libdns plugin can be used to handle the API calls to the DNS provider?

But anyone could implement something, even a simple bash script. The agent
needs to read the events from the dpapi sink, and can update the DNS entry.
Once the challenge is set up, the "acme challenge_ready" command can be called
from the CLI so HAProxy can proceed to the next steps, like it does for
HTTP-01.

For Go there is https://github.com/orgs/libdns/repositories which is
used by https://github.com/orgs/caddy-dns/repositories to handle that.

For Rust this one is an example: https://github.com/stalwartlabs/dns-update/

For ferronweb ( https://github.com/ferronweb/ferron/tree/develop-2.x ) this is
the config for the DNS challenge.

There's no library like this in C unfortunately, and even if it existed it
would be complicated to make it work with our model.

However, I also have a lua callback in the making which would allow doing this
without an external agent, and would help people script that part easily.
With enough contributions we could have a small library of these scripts.

Hopefully this will be available for 3.3, but since it's still marked as
experimental I planned to backport it to 3.2 as well.

Oh "backported to 3.2" wow.

Regards
Aleks
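The thread describes the agent's job in outline: read the challenge HAProxy emits on the dpapi sink, publish it in DNS, then call "acme challenge_ready" on the CLI. What exactly has to be published is fixed by RFC 8555 section 8.4 and RFC 7638, so an agent can recompute the value itself and refuse to signal readiness until the record is actually visible. The following is an added example written for this page, not code from HAProxy, the dataplaneapi or anyone in the thread; it assumes the agent has already extracted the order token and the account key's JWK from HAProxy's events (their exact format is not shown in the thread), and the token and JWK values below are constructed sample data.

```python
"""DNS-01 helper functions for an external ACME agent (added example).

RFC 8555 section 8.4: the TXT record published at _acme-challenge.<domain>
is base64url(SHA-256(token "." thumbprint(accountKey))), where the
thumbprint follows RFC 7638.  These helpers let the agent verify the value
HAProxy computed and check propagation before it runs
"acme challenge_ready" on the CLI.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the *required* members only, keys sorted
    lexicographically, no whitespace.  Optional members such as "alg" or
    "kid" must not change the result."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
        "OKP": ("crv", "kty", "x"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1 key authorization string."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """The TXT record value the agent has to publish (always 43 chars)."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """Owner name of the TXT record.  A wildcard identifier is validated at
    the base name, so a leading '*.' is stripped first."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def challenge_published(txt_records, expected: str) -> bool:
    """True once the expected value is among the TXT strings returned for
    the record name.  Several values may legitimately coexist (parallel
    orders, wildcard plus base name), so test membership, not equality.
    Values are accepted with or without the quotes dig prints around them."""
    return any(rr.strip('"') == expected for rr in txt_records)


if __name__ == "__main__":
    # Constructed sample data: not a real token or account key.
    sample_token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    sample_jwk = {"kty": "EC", "crv": "P-256",
                  "x": "sample-x-coordinate-not-a-real-key",
                  "y": "sample-y-coordinate-not-a-real-key",
                  "alg": "ES256"}  # optional member, ignored by the thumbprint
    value = dns01_txt_value(sample_token, jwk_thumbprint(sample_jwk))
    print(dns01_record_name("example.com"), "TXT", value)
    # Constructed answer set, as an agent would see after querying the zone.
    seen = ['"some-other-order-value"', f'"{value}"']
    print("ready to signal challenge_ready:", challenge_published(seen, value))
```

Usage from an agent: compute `value` from the token and account JWK taken from the dpapi events, publish it at `dns01_record_name(domain)` through whichever provider API is in use, poll the authoritative name servers until `challenge_published(...)` is true, and only then issue "acme challenge_ready" to HAProxy; signalling before propagation just makes the CA fail the authorization.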

