diff --git a/infrastructure/acme.md b/infrastructure/acme.md index dc590a7..057d328 100644 --- a/infrastructure/acme.md +++ b/infrastructure/acme.md @@ -1 +1,32 @@ -#ACME \ No newline at end of file +# ACME DNS Challenges +## Summary +We agreed to use **ACME DNS-01 challenges** for issuing certificates for **both public-facing and internal services**. A key benefit is that DNS-01 **enables internal certificate issuance** in the first place, since the CA only needs to verify TXT records in DNS (no inbound HTTP/ALPN access to the service). To keep our primary DNS zones clean, we will create a **separate, dedicated zone** for ACME challenges and **delegate** challenge records to it via **CNAME**. + +## Decisions +- Use **ACME DNS-01** as the challenge type for **both external/public and internal** certificate issuance. +- Create a **dedicated DNS zone** for ACME challenges (e.g., `_acme.example.com`). +- For each certificate FQDN, publish a **CNAME** at `_acme-challenge.` that points into the dedicated challenge zone. +- Store the **TXT token(s)** only in the dedicated challenge zone to avoid cluttering primary zones. +- Keep **low TTLs** (e.g., 60-120s) on both CNAME and TXT records to speed up renewals. +- Restrict write access to the challenge zone to the ACME automation only. + +## Reference Design +**Dedicated zone:** +`_acme.example.com` + +**For a service FQDN:** +Target certificate: `app1.example.com` + +**Publish in the primary zone:** +```dns +; Delegate the challenge to the dedicated zone +_acme-challenge.app1.example.com. CNAME app1._acme-challenge._acme.example.com. +``` + +**Publish in the dedicated zone (managed by the ACME client/automation):** +```dns +; ACME client writes the TXT token here +app1._acme-challenge._acme.example.com. TXT "ACME_VALIDATION_TOKEN" +``` + +> During validation, the CA will follow the CNAME from the primary zone to the dedicated zone and read the TXT record there. \ No newline at end of file
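Review bot: The "Keep low TTLs (e.g., 60-120s) on both CNAME and TXT records" decision overstates what needs to be low: under this design the `_acme-challenge.app1.example.com.` CNAME in the primary zone is static (it always points at the same name in the dedicated zone), so only the TXT token written by the automation benefits from a short TTL; consider rewording the bullet to "low TTL on the TXT records in the challenge zone". Two things the Reference Design should also state so the page stands on its own: how `_acme.example.com` becomes a separately served zone (the NS delegation or hosting arrangement that makes the CA's CNAME-following lookup land on servers the ACME automation can write to, which is what the "restrict write access to the challenge zone" decision depends on), and that the automation removes stale `app1._acme-challenge._acme.example.com. TXT` values after validation, since the dedicated zone will otherwise accumulate tokens across renewals.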