03:12 <kentonv> whelp. my local dev server just automatically obtained and deployed a valid TLS certificate using Let's Encrypt on my own domain using Cloudflare DNS

03:14 <kentonv> now... I have to build a UI

03:25 <JacobWeisz[m]> Yay! \o/

03:25 <JacobWeisz[m]> The amount of less config complaints people will have with the ability to do that built into Sandstorm!

03:34 <ill_logic> Did you need your dev server to be exposed to the Internet?

03:35 <ill_logic> Otherwise I don't know how letsencrypt would work

03:42 <kentonv> ill_logic, nope. Let's Encrypt doesn't need to reach the server, it only needs you to set a DNS record to prove you own the domain.

03:42 <kentonv> so in my case my server talked to the Cloudflare DNS API to set those records

04:05 <ill_logic> Ah. Is the old way still supported? Where the server plays back a secret?

04:05 <isd> "old way?"

04:06 <isd> there are different acme challenge types, but wildcards require using dns-01

04:07 <ill_logic> Well, the way I used, at any rate, or I think I used. Where my server temporarily shows a secret supplied by letsencrypt, and letsencrypt checks it.

04:07 <isd> Other mechanisms don't require being able to configure dns, which is an advantage, but no wildcards, and typically the server needs to be publicly accessible

04:07 <ill_logic> Okay cool.

04:13 <kentonv> yeah, we have to use DNS because we require wildcards. Annoying because there's no standard API for pushing DNS changes so we have to one-off support a bunch of popular providers... luckily we can use an existing framework that already has a bunch of such plugins

04:17 <JacobWeisz[m]> GoDaddy made this cool thing: https://www.domainconnect.org but support for it hasn't been taken up by as many services as I'd like.

04:18 <JacobWeisz[m]> They wrote an open source dynamic DNS client for it too, which is why one of my domains can't be transferred to Cloudflare.

04:27 <JacobWeisz[m]> It's basically a standard API to delegate DNS configuration via OAuth. I know I at least nudged someone at Cloudflare about wishing they'd support it.

04:29 <isd> Sadly OAuth also requires per-provider logic :(

04:29 <JacobWeisz[m]> As of right now I do my DDNS with a domain I don't use for anything else, so it's not a big deal I can't use it on a sub domain of anything I have with Cloudflare. But it does cost me an extra ten bucks a year over Cloudflare's registrar prices.

04:30 <isd> It would be really nice to have a standard protocol that actually enabled not writing separate code for every provider. Otherwise what's the point?

04:30 <kentonv> Cloudflare doesn't have an oauth flow of any sort yet. That's probably a prerequisite to supporting this.

04:30 <JacobWeisz[m]> I am not sure it has the exact same sticking points as OAuth, I know the flow is similar for the user.

04:31 <kentonv> once CF has oauth then I bet the entirety of DomainConnect could be implemented as a fairly simple Cloudflare Worker on top of our existing API...

04:31 <isd> I mean, it sounds like it is literally built on top of OAuth. It therefore has at least all of the problems of OAuth...

04:31 <JacobWeisz[m]> kentonv I am very excited about API scopes and such though. Cloudflare's API has seen some real progress lately.

04:34 <JacobWeisz[m]> Though I updated the Cloudflare Wordpress plugin today, which said it supports the new scoped keys, I made a key with the Wordpress template... and it didn't work at all.

04:34 <JacobWeisz[m]> So I need to experiment with that more.

04:35 <kentonv> yeah I had a problem with the acme-dns-01-cloudflare plugin, the instructions for creating the OAuth token depended on a "bug" that was recently "fixed" so the token did not work...

04:35 <JacobWeisz[m]> Ian: I wasn't positive because the site talks about two different flows, only one of which mentions OAuth.

04:36 <isd> Yeah, everything I'm reading suggest the same blindness to anything that isn't sass.

04:36 <isd> the process for integrating your service with a provider is "contact them"

04:37 <isd> SaaS

04:38 <isd> That's disappointing.

04:39 <JacobWeisz[m]> I mean, if they have an open source desktop app which can update DNS records from arbitrary PCs on dynamic addresses behind NAT...

04:40 <isd> I suppose it depends on how flexible it is.

04:41 <isd> I should dig into the actual protocol, rather than just reading the advertizing.

04:41 <JacobWeisz[m]> I think the DNS providers have to explicitly contact the SaaS services for support. But the DNS side should be accessible from any arbitrary application.

04:42 <JacobWeisz[m]> Like it sounds like if a DNS provider wants Office 365 to configure it using DomainConnect they have to contact Microsoft to enable support in Office 365.

04:43 <JacobWeisz[m]> But that sounds mostly like a choice on Microsoft's part.

04:44 <isd> The docs suggest to me that it's a two-way manual process? not sure.

04:44 <isd> Here's the "template" for the dynamic dns thing: https://github.com/Domain-Connect/Templates/blob/master/domainconnect.org.dynamicdns.json

04:45 <isd> Not usable by us as-is, since it only sets A-records.

04:46 <isd> I dunno. Maybe this can be turned into something we can use. We may have to actually talk to people though :P

04:48 <JacobWeisz[m]> Other templates definitely support other record types. Particular as configuring MX records is a key purpose of it. I saw Google domain verification templates and the like too.

04:48 <isd> It does look like this might provide a template for how to do this in a not-saas way, if we can talk dns providers into it: https://github.com/Domain-Connect/DomainConnectDDNS-Windows#secrets

04:49 <JacobWeisz[m]> It basically says in the spec I scrolled through that providers can decide whether or not to care who the other end is.

04:51 <JacobWeisz[m]> So presumably it's up to the DNS provider if they want to support that "secret".

04:51 <isd> Yeah. So it might mean we just have to convince some folks at various providers to support one of these "templates"

04:52 <JacobWeisz[m]> I mean, right now the primary limitation is how few DNS providers support DomainConnect itself. :P

04:54 <isd> https://www.domainconnect.org/dns-providers/

04:54 <JacobWeisz[m]> But as a "I found out about it, and it instantly 'just worked' for me as a free DDNS solution", it made me a fan. :P

04:54 <isd> I guess that's not a lot

04:55 <isd> ...but it's more than that library kentonv found had custom plugins for?

05:14 <JacobWeisz[m]> It just kinda seems like a lot are "under development"... And have been a long time.

05:14 <isd> Really, given that I'm already running my own DNS server, I'd like a way to just get sandstorm to talk to it.

05:16 <isd> It probably wouldn't be that hard to turn the sandcats protocol into something reusable.

05:16 <JacobWeisz[m]> I also like the 'standard providers support' model better than the 'library with individual hacks for each' model, from a design standpoint.

05:17 <isd> agree.

05:19 <isd> Honestly a small bit of server software that controls powerdns and provides just enough API to do dynamic DNS and get let's encrypt certs via DNS-01 would probably be useful to a lot of people

05:20 <isd> Anyway, I'm off to bed. Hopefully I'll talk to some of you tomorrow afternoon (office hours)

17:46 <isd> Reminder: office hours in 15

18:00 <kentonv> I'll be about 15 minutes late