9a05e2f927
- Implement DNSProviderCard component for displaying individual DNS provider details. - Create DNSProviderForm component for adding and editing DNS providers. - Add DNSProviderSelector component for selecting DNS providers in forms. - Introduce useDNSProviders hook for fetching and managing DNS provider data. - Add DNSProviders page for listing and managing DNS providers. - Update layout to include DNS Providers navigation. - Enhance UI components with new badge styles and improved layouts. - Add default provider schemas for various DNS providers. - Integrate translation strings for DNS provider management. - Update Vite configuration for improved chunking and performance.
6.6 KiB
DNS Providers Guide
Overview
DNS providers enable Charon to obtain SSL/TLS certificates for wildcard domains (e.g., *.example.com) using the ACME DNS-01 challenge. This challenge proves domain ownership by creating a temporary TXT record in your DNS zone, which is required for wildcard certificates since HTTP-01 challenges cannot validate wildcards.
Why DNS Providers Are Required
- Wildcard Certificates: ACME providers (like Let's Encrypt) require DNS-01 challenges for wildcard domains
- Automated Validation: Charon automatically creates and removes DNS records during certificate issuance
- Secure Storage: All credentials are encrypted at rest using AES-256-GCM encryption
Supported DNS Providers
Charon supports the following DNS providers through Caddy's libdns modules:
| Provider | Type | Setup Guide |
|---|---|---|
| Cloudflare | cloudflare |
Cloudflare Setup |
| AWS Route 53 | route53 |
Route 53 Setup |
| DigitalOcean | digitalocean |
DigitalOcean Setup |
| Google Cloud DNS | googleclouddns |
Documentation |
| Azure DNS | azure |
Documentation |
| Namecheap | namecheap |
Documentation |
| GoDaddy | godaddy |
Documentation |
| Hetzner | hetzner |
Documentation |
| Vultr | vultr |
Documentation |
| DNSimple | dnsimple |
Documentation |
General Setup Workflow
1. Prerequisites
- Active account with a supported DNS provider
- Domain's DNS hosted with the provider
- API access enabled on your account
- Generated API credentials (tokens, keys, etc.)
2. Configure Encryption Key
DNS provider credentials are encrypted at rest. Before adding providers, ensure the encryption key is configured:
# Generate a 32-byte (256-bit) random key and encode as base64
openssl rand -base64 32
# Set as environment variable
export CHARON_ENCRYPTION_KEY="your-base64-encoded-key-here"
Warning: The encryption key must be 32 bytes (44 characters in base64). Store it securely and back it up. If lost, you'll need to reconfigure all DNS providers.
Add to your Docker Compose or systemd configuration:
# docker-compose.yml
services:
charon:
environment:
- CHARON_ENCRYPTION_KEY=${CHARON_ENCRYPTION_KEY}
3. Add DNS Provider
- Navigate to DNS Providers in the Charon UI
- Click Add Provider
- Select your DNS provider type
- Enter a descriptive name (e.g., "Cloudflare Production")
- Fill in the required credentials
- (Optional) Adjust propagation timeout and polling interval
- Click Test Connection to verify credentials
- Click Save
4. Set Default Provider (Optional)
If you manage multiple domains across different DNS providers, you can designate one as the default. This will be pre-selected when creating new wildcard proxy hosts.
5. Create Wildcard Proxy Host
- Navigate to Proxy Hosts
- Click Add Proxy Host
- Enter a wildcard domain (e.g.,
*.example.com) - Select your DNS provider from the dropdown
- Configure other settings as needed
- Save the proxy host
Charon will automatically use DNS-01 challenge for certificate issuance.
Security Best Practices
Credential Management
- Least Privilege: Create API tokens with minimum required permissions (DNS zone edit only)
- Scope Tokens: Limit tokens to specific DNS zones when supported by the provider
- Rotate Regularly: Periodically regenerate API tokens
- Secure Storage: Never commit credentials to version control
Encryption Key
- Backup: Store the
CHARON_ENCRYPTION_KEYin a secure password manager - Environment Variable: Never hardcode the key in configuration files
- Rotate Carefully: Changing the key requires reconfiguring all DNS providers
Network Security
- Firewall Rules: Ensure Charon can reach DNS provider APIs (typically HTTPS outbound)
- Monitor Access: Review API access logs in your DNS provider dashboard
Configuration Options
Propagation Timeout
Time (in seconds) to wait for DNS changes to propagate before ACME validation. Default: 120 seconds.
- Increase if you experience validation failures due to slow DNS propagation
- Decrease if your DNS provider has fast global propagation (e.g., Cloudflare)
Polling Interval
Time (in seconds) between checks for DNS record propagation. Default: 10 seconds.
- Most users should keep the default value
- Adjust if hitting DNS provider API rate limits
Troubleshooting
For detailed troubleshooting, see DNS Challenges Troubleshooting.
Common Issues
"Encryption key not configured"
- Ensure
CHARON_ENCRYPTION_KEYenvironment variable is set - Restart Charon after setting the variable
"Connection test failed"
- Verify credentials are correct
- Check API token permissions
- Ensure firewall allows outbound HTTPS to provider
- Review provider-specific troubleshooting guides
"DNS propagation timeout"
- Increase propagation timeout in provider settings
- Verify DNS provider is authoritative for the domain
- Check provider status page for service issues
"Certificate issuance failed"
- Test DNS provider connection in UI
- Check Charon logs for detailed error messages
- Verify domain DNS is properly configured
- Ensure DNS provider has edit permissions for the zone
Provider-Specific Guides
For other providers, consult the official Caddy libdns module documentation linked in the table above.