Hello Aleks,

On Mon, Sep 22, 2025 at 04:34:16PM +0200, Aleksandar Lazic wrote:
> Subject: Question about "acme and challenge DNS-01"
> Hi.
>
> I like the upcoming feature for ACME certificates.
>
> As may be known, the DNS-01 challenge requires propagating the
> acme-challenge into the DNS.
> There are several DNS providers which offer some HTTP API like DESec and
> some others.
>
> What's the plan to handle this DNS propagation within HAProxy?
>
DNS-01 is a complicated subject because there's no standardized API to do that, so one must implement every API out there, which is kind of stupid, and we don't have the task force for that.

DNS-01 is currently implemented that way:

- HAProxy computes a new private KEY and does the newOrder request
- HAProxy dumps details on how to handle the challenge on the dpapi sink, if you want to look at it, you could just do:

    ( echo "@@1 show events dpapi -w -0"; cat - ) | socat /tmp/master.sock - | cat -e

- HAProxy emits a log message with the computed challenge to put in the DNS entry
- a new "acme-vars" keyword can be used to pass other things on the dpapi sink, like new variables for the DNS API and stuff

You would need to use an external agent, and we decided to make it easy for people and make a first implementation directly in the dataplaneAPI, which is in golang and can use libdns. But anyone could implement something, even a simple bash script.

The agent needs to read the events from the dpapi sink, and can update the DNS entry. Once the challenge is set up, the "acme challenge_ready" command can be called from the CLI so HAProxy can proceed to the next steps, like it does for HTTP-01.

> For Go there is https://github.com/orgs/libdns/repositories which is
> used by https://github.com/orgs/caddy-dns/repositories to handle that.
>
> For Rust this one is an example: https://github.com/stalwartlabs/dns-update/
>
> For ferronweb ( https://github.com/ferronweb/ferron/tree/develop-2.x ) this
> is the config for the DNS challenge.

There's no library like this in C unfortunately, and even if it existed it would be complicated to make it work with our model.

However, I also have a lua callback in the making which would allow doing this without an external agent, and would help people scripting that part easily. With enough contributions we could have a small library of these scripts.
Hopefully this will be available for 3.3, but since it's still marked as experimental I plan to backport it to 3.2 as well.

Regards,

-- 
William Lallemand
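The agent-side half of the flow described above (wait until the TXT record is actually served, then hand control back with "acme challenge_ready"), as an added example that is not HAProxy or dataplaneAPI code. It assumes the agent has already pulled certname, domain and the computed TXT value out of the dpapi event, takes the DNS query as a pluggable `lookup` callable so the logic runs offline, and the exact argument form of the challenge_ready command is an assumption to confirm against your HAProxy version.

```python
"""Agent-side handling of one HAProxy ACME DNS-01 challenge (added example, not HAProxy code).
Assumes certname, domain and the TXT value were already extracted from the dpapi event."""
import time
from typing import Callable, List

def challenge_record(domain: str) -> str:
    """RFC 8555 s8.4: TXT lives at _acme-challenge.<domain>; a wildcard uses its base name."""
    base = domain.rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    return f"_acme-challenge.{base}."

def propagated(domain: str, expected: str, nameservers: List[str],
               lookup: Callable[[str, str], List[str]],
               attempts: int = 12, delay: float = 5.0, sleep=time.sleep) -> bool:
    """Poll until every listed (authoritative) nameserver serves the expected value;
    signalling challenge_ready before they all do makes the CA's validation fail."""
    name = challenge_record(domain)
    for _ in range(attempts):
        if all(expected in lookup(name, ns) for ns in nameservers):
            return True
        sleep(delay)
    return False

def challenge_ready_command(certname: str, domain: str) -> str:
    """CLI line handing control back to HAProxy. The argument form is an assumption
    based on the command name in the thread; confirm with `help acme` on your version."""
    return f"acme challenge_ready {certname} domain {domain}"

def handle_challenge(certname: str, domain: str, txt_value: str, nameservers: List[str],
                     lookup: Callable[[str, str], List[str]], **poll) -> str:
    """Wait for propagation, then return the command to send on the HAProxy CLI."""
    if not propagated(domain, txt_value, nameservers, lookup, **poll):
        raise TimeoutError(f"{challenge_record(domain)} not served by every nameserver")
    return challenge_ready_command(certname, domain)

def dnspython_lookup(name: str, nameserver: str) -> List[str]:
    """Live TXT query against one server (needs the dnspython package); errors -> []."""
    import dns.exception, dns.resolver  # lazy import: not needed for the offline path
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [nameserver]
    try:
        return [b"".join(rr.strings).decode() for rr in resolver.resolve(name, "TXT")]
    except dns.exception.DNSException:
        return []

if __name__ == "__main__":
    # Constructed stand-in for DNS: ns1 already serves the record, ns2 is still lagging.
    served = {"ns1.example.net": ["tok-value"], "ns2.example.net": []}
    print(handle_challenge("site.pem", "example.com", "tok-value", ["ns1.example.net"],
                           lambda n, ns: served[ns], sleep=lambda s: None))
```

For a live run, pass `dnspython_lookup` and the zone's authoritative nameserver addresses as `nameservers`, and send the returned line to the HAProxy CLI socket.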