ACME DNS-Authenticators - Add More (All) Options

Problem/Justification
The DNS plugin for acme supports a long list of providers, but TrueNAS only implements 4! …
Since each provider is just a config entry, it should be trivial to support more if not all instead of just a select few.

Impact
Not all users are customers of the 4 providers chosen by TrueNAS
This change will enable a lot more users to easily generate valid certificates for their Install

User Story
I have my domains registered with x and thus can’t use the ACME implementation provided by TrueNAS

Doesn't DNS authentication get removed completely with 25.10?

Since I'm doing the testing on the 25.10 RC1, then no.

I got so frustrated with the poor ACME implementation in Scale that I installed Nginx Proxy Manager as a Docker app and use that for my apps. Scale itself uses a self-signed cert. Its management interface isn't exposed to any public networks anyway :man_shrugging:

1 Like

Right, I got confused; it was the certificate authorities that get removed, my mistake.

1 Like

I use Traefik for my apps (not running on TrueNAS), highly recommended.

I of course also have a self-signed cert in TrueNAS, but even if it's not exposed, a valid cert is always better IMO, and the feature is present and working, just only for the select few at the moment.

Yeah, I looked at Traefik and decided against it for some reason, can’t remember why.

If your service has a self-signed cert (which is still “valid”) and is only being accessed internally, it’s no better than a CA-signed cert. You get exactly the same level of encryption, you just don’t get the chain of trust that another user outside of your organisation might want to prove that the server/service is what it says it is.

And a CA-signed certificate has a much shorter life, so you’re potentially creating more risk of the service becoming inaccessible if your cert renewal process breaks and it expires.

That’s not really the question here; we hopefully all know how certs work.

TrueNAS has this feature, but for some reason they stopped implementing after 4 providers.

Yeah, sorry, bit of a tangent there.

Good/better ACME implementation would be a win for all users.

1 Like

I would also like to add :slight_smile: that the possibility to run your own custom script as the 5th option in the current implementation really goes against the mantra of TrueNAS as an appliance for the average user.

This just further presses the issue of implementing the full range of acme supported DNS options

There is no such thing as an “acme supported DNS option.” Various ACME clients support (sometimes directly, sometimes by means of plugins) automated DNS updates to various DNS providers–so the support is not with the ACME protocol, but with whatever ACME client TrueNAS uses.

And the problem with this request, much as I agree with expanding the list, is that every DNS host uses different credentials, which means the devs need to build a new form for each one. Doable, yes, but a non-trivial amount of work.

For ACME, the best is just to rely on Certbot or Lego.

This is a one time job and very small compared to keeping apps catalog up to date…

I have seen up to 4 credentials in a DNS config, so a generic form that can then pass that, probably with generic formatting as most other implementations seem to do, seems very feasible and well within a day's work.

This seems like the supported list to me:

OK, I just saw the DNS provider count is 170+.

I'm not saying all need support directly in the GUI, but maybe the 50 most used, possibly with a GUI option to pass unsupported ones as per the acme documentation …

This would require passing the DNS provider moniker + parameters; that seems more than doable.
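As an added example of the generic "provider moniker + parameters" form proposed in the post above (this is not TrueNAS middleware code and not acme.sh's own code), the sketch below validates such a submission and turns it into an acme.sh invocation. It assumes acme.sh's convention of selecting a DNS hook with `--dns dns_<provider>` and reading that hook's credentials from environment variables (for example `CF_Token` and `CF_Account_ID` for `dns_cf`); the acme.sh path, the baseline PATH/HOME and the limit of four credentials (taken from the thread) are placeholders. The security point is that a user-typed hook name and user-named variables end up in a process invocation, so the code allowlists the hook name and domain, passes argv as a list rather than through a shell, refuses credential names that would override loader or shell variables, and redacts secrets before anything is logged.

```python
"""Validate a user-supplied acme.sh DNS provider + credentials and build the
invocation without a shell.  Added illustration; not TrueNAS or acme.sh code.
Assumed: acme.sh takes `--dns dns_<provider>` and reads per-provider
credentials from environment variables (e.g. CF_Token for dns_cf)."""
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

# acme.sh DNS hooks are named dns_<provider>; nothing else is accepted.
PROVIDER_RE = re.compile(r"^dns_[a-z0-9_]{1,40}$")
# Lower-case hostname labels with an optional leading wildcard label.
DOMAIN_RE = re.compile(
    r"^(\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Credential names become environment variable names for acme.sh.
ENV_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
# A "credential" must never be able to change what gets executed.
FORBIDDEN_ENV = {"PATH", "HOME", "SHELL", "IFS", "ENV", "BASH_ENV"}
MAX_CREDENTIALS = 4  # the thread reports at most 4 values per provider config
BASELINE_ENV = {"PATH": "/usr/local/bin:/usr/bin:/bin", "HOME": "/root"}  # placeholder


class InvalidDnsConfig(ValueError):
    """Raised when the submitted provider, domain or credentials are unusable."""


def validate_dns_config(provider: str, domain: str,
                        credentials: Dict[str, str]) -> Tuple[str, str, Dict[str, str]]:
    """Return a normalised (provider, domain, credentials) or raise InvalidDnsConfig."""
    if not isinstance(provider, str) or not PROVIDER_RE.fullmatch(provider):
        raise InvalidDnsConfig(f"bad provider hook name: {provider!r}")
    dom = domain.strip().lower() if isinstance(domain, str) else ""
    if not DOMAIN_RE.fullmatch(dom):
        raise InvalidDnsConfig(f"bad domain: {domain!r}")
    if not isinstance(credentials, dict) or not credentials:
        raise InvalidDnsConfig("at least one credential is required")
    if len(credentials) > MAX_CREDENTIALS:
        raise InvalidDnsConfig(f"more than {MAX_CREDENTIALS} credentials supplied")
    clean: Dict[str, str] = {}
    for key, value in credentials.items():
        if not isinstance(key, str) or not ENV_KEY_RE.fullmatch(key):
            raise InvalidDnsConfig(f"bad credential name: {key!r}")
        # Case-insensitive denylist plus every LD_* loader knob.
        if key.upper() in FORBIDDEN_ENV or key.upper().startswith("LD_"):
            raise InvalidDnsConfig(f"credential name {key!r} would override a sensitive variable")
        if not isinstance(value, str) or not value or any(c in value for c in "\x00\r\n"):
            raise InvalidDnsConfig(f"bad value for credential {key!r}")
        clean[key] = value
    return provider, dom, clean


def config_error(provider: str, domain: str, credentials: Dict[str, str]) -> Optional[str]:
    """Form-friendly wrapper: the error message, or None when the input is acceptable."""
    try:
        validate_dns_config(provider, domain, credentials)
    except InvalidDnsConfig as exc:
        return str(exc)
    return None


def build_acme_invocation(provider: str, domain: str, credentials: Dict[str, str],
                          acme_path: str = "/usr/local/bin/acme.sh"
                          ) -> Tuple[List[str], Dict[str, str]]:
    """Build (argv, env) for acme.sh.  argv is a list, so no shell ever parses it."""
    provider, domain, creds = validate_dns_config(provider, domain, credentials)
    argv = [acme_path, "--issue", "--dns", provider, "-d", domain]
    env = dict(BASELINE_ENV)   # start from a minimal, known environment
    env.update(creds)          # only the validated credential variables are added
    return argv, env


def redact(env: Dict[str, str], secret_keys: Iterable[str]) -> Dict[str, str]:
    """Copy of env with credential values masked, for logs and error reports."""
    secrets = set(secret_keys)
    return {k: ("***" if k in secrets else v) for k, v in env.items()}


def run_acme(argv: List[str], env: Dict[str, str]) -> subprocess.CompletedProcess:
    """Execute acme.sh with shell=False (the default); not exercised offline."""
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample submission, as a generic form might deliver it.
    argv, env = build_acme_invocation(
        "dns_cf", "nas.example.com", {"CF_Token": "t0k3n", "CF_Account_ID": "acct"})
    print(argv)
    print(redact(env, ["CF_Token", "CF_Account_ID"]))
    print(config_error("dns_cf; rm -rf /", "nas.example.com", {"CF_Token": "x"}))
```

A real middleware would also need to pass acme.sh its own state directory and the account key, and would store the credential values encrypted rather than in the job definition; those parts are outside what the thread discusses and are omitted here.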

For that one client. That isn’t a list of “acme supported DNS option[s]”; it’s a list of DNS providers supported by the acme.sh client (which may or may not be what TrueNAS uses).

That might be, but it sure does contain all the needed info :grinning: