Restricted access tokens for letsencrypt dns challenge

Hi,

it is great that you provide integration with certbot.
To limit the risk of access tokens that are located on online systems for automated certificate renewal it would be nice if one could create ‘letsencrypt only’ tokens that are only authorized to create/change
_acme-challenge TXT records.

What do you think about a feature like that?

To give a specific example:
for a webserver running
www.example.com
one would create a specific access token, and that letsencrypt-only token can only create/modify
TXT records for _acme-challenge.www.example.com but not for _acme-challenge.webmail.example.com

Hi appliedprivacy,

We have been thinking about scoped tokens in general, also to associate them with a specific set of domains, for example (so that domains within the same account can be managed more granularly).

At the moment, we have not started implementing this, but it’s definitely an important feature. You can track progress here: https://github.com/desec-io/desec-stack/issues/347

If you have more feature requests, it may be easier if you open a GitHub ticket directly.

Stay secure,
Peter

Probably more like a workaround, but you can CNAME the _acme_challenge DNS entries to a different (sub-) domain that may be managed by a different account and therefore have a different api token. That way, a compromise of the second account will not result in the attacker being able to hijack the whole domain.

The CNAME variant works fine with lego (https://go-acme.github.io/lego/dns/#experimental-features )

also relevant in this context, this blog post by the EFF and their software solution to this: ACME-DNS

Hello,

i saw that the commit for restricted token is ready to be applied.

Do you have any ETA or schedule for this to be enabled ?

Thank you again for this service,

Romain

Dear NewRedsquare,

we’re aiming at having the token scoping available at the end of the year. For more detailed information, please track the issue/PR on GitHub.

Best,
Nils