DNS/Domain Validation for LetsEncrypt/ACME client?

JohnEDee

I'm trying my first LetsEncrypt implementation and got everything configured, but the Abyss ACME client seems to be going straight to the option of provisioning an HTTP resource, rather than giving the choice of a DNS record. I guess that's likely because Abyss assumes it's serving the web pages, so might as well just use only the HTTP option, but in my case I'm just using Abyss to do redirecting to the actual page, and I'd rather do the DNS method (in this case I have control of the DNS but a separate consultant is the web developer.
Is there any way currently to tell Abyss to use DNS rather than HTTP provisioning?
If not, I'd like to request that be added at some point (and I can transfer this request to the Suggestions forum).
Thanks!

admin

JohnEDee wrote
Is there any way currently to tell Abyss to use DNS rather than HTTP provisioning?

This is possible and even required when requesting certificates for wildcard host names (*.example.com).
To do so, open the console, select "Configure" associated with the host you'd like to change the way certificates are issued for. Select "General" and then press "Edit" in front of "Advanced Parameters".
Now press "Edit" in front of "SSL/TLS parameters" and set the challenge type to DNS-01 in "ACME parameters". More about that section in the console is available in https://aprelium.com/data/doc/2/abyssws-win-doc-html/hosts-configuration.html#HOSTS-GENERAL-ADVANCED-SECURELAYER .
When using DNS-01, you'll have to check the ACME-Bot status in the console and perform the required challenge (it will be displayed in clear text.) Once the challenge performed, you should go back to the ACME-Bot status and press a button there to ask the certification authority to proceed. It's an interactive process contrarily to the HTTP validation which is all automatic.

JohnEDee

I'm trying to get my sites to do LetsEncrypt DNS provisioning using a LE wildcard cert, but following these instructions, it's still requesting a specific hostname (i.e. "host.domain.com" rather than "*.domain.com", even when the ACME account is just "domain.com".
How do I force a site to use a wildcard LE cert rather than asking for one for its own hostname?

JohnEDee

FYI for anyone running across this thread that wants to (kinda) automate LetsEncrypt wildcard certs with a DNS-01 challenge, I got with Tech Support and apparently Abyss currently can't do this, but it might be considered for a future version.
My temporary solution until Abyss is able to do it internally was to just use a LetsEncrypt client that can do DNS API stuff (in my case, I used the extremely easy-to-use CertifyTheWeb client running on a Windows box) to generate a PKCS#12 (.pfx) wildcard cert and configure a post-generate task to convert it to standard PEM-type .crt and .key files. I shared out the directory where CertifyTheWeb does this and mounted that SMB network volume on my macOS Abyss server, then imported the .crt/.key files into Abyss just like I would any commercial cert.
I will have to update that cert every few months, but I've reached out to Tech Support to see if I can automate that with a shell script to automate the whole hack. :-)
Unfortunately there's nothing like CertifyTheWeb yet on macOS, but if you want to keep it all on a Mac, you could virtualize Windows on the Abyss macOS server with VirtualBox/Parallels/VMWare, or maybe Wine (no Windows license required) and do it all in one place.
If you run Abyss on Windows, you can just install CertifyTheWeb on that same box and pull the cert right off where it gets stored in C:\ProgramData\certify\

JohnEDee

It has been a couple of years, so just wanted to check in to see if this feature request might get any love in the near future. :-) I'm still using my workaround to replace the wildcard cert every three months, but it requires some downtime and mass-editing the abyss.conf is always a hold-my-breath experience, so I wondered if we might get the domain-based auth soon.

JohnEDee

Forgot that I had posted this in the Suggestions/Ideas section, where there is more information; noting that here for anyone looking for more info on this.