Bug 762457 - app-crypt/acme-dns for acme-dns (Let's Encrypt) New ebuild
Summary: app-crypt/acme-dns for acme-dns (Let's Encrypt) New ebuild
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal normal
Assignee: Default Assignee for New Packages
URL:
Whiteboard:
Keywords: EBUILD
Depends on:
Blocks:
 
Reported: 2020-12-29 19:04 UTC by Sven Schwyn (svoop)
Modified: 2020-12-30 18:59 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
acme-dns-0.8.ebuild (acme-dns.zip,9.28 KB, application/zip)
2020-12-29 19:04 UTC, Sven Schwyn (svoop)

Description Sven Schwyn (svoop) 2020-12-29 19:04:00 UTC
Created attachment 680215
acme-dns-0.8.ebuild

In order to issue wildcard SSL certificates by Let's Encrypt, the domain ownership has to be proven by use of "_acme-challenge" TXT records.

If you don't use your own DNS but rely e.g. on provider or registrar DNS services, automatic renewal becomes tricky because it requires e.g. "certbot" to push updates to the external DNS which may or – more often – may not be possible.

An elegant solution is "acme-dns", a minimalistic local DNS which only serves the purpose of providing the TXT records as pushed by "certbot":

https://github.com/joohoi/acme-dns

All it takes on the external DNS is a "_acme-challenge" CNAME record which directs Let's Encrypt to the locally running "acme-dns" server. The latter doesn't have to be up permanently; it should be started prior to doing e.g. "certbot renew" and stopped afterwards, e.g. by a daily CRON job.

"acme-dns" is written in Go and there used to be an ebuild on a private Gentoo overlay which has been removed some time ago. I've therefore moved the ebuild to my "bitcetera" overlay.

Recent changes broke the original "acme-dns-0.7.2-rc1" and it took me a while to update the ebuild to a working "acme-dns-0.8". However, this is actually above my head: I don't (currently) do Go and my ebuild skills are not sufficient to maintain a Go ebuild.

I'll attach my ebuild for reference only; it compiles only with FEATURES="-network-sandbox" and the LDFLAGS are hardcoded. Looking at other ebuilds on the Go overlay (https://github.com/Dr-Terrible/go-overlay), there are most likely a bunch more issues and shortcomings with this ebuild.

However, "acme-dns" IMO is essential enough for the main Portage tree. It would be great if someone with the necessary skills could have a go.

Please note that for "acme-dns" to work with "certbot", an authentication hook has to be installed. There are two implementations, one in Python and the other in Go. I'm currently using the Python script which works just fine. Not sure whether the hook should be a separate ebuild or part of the "acme-dns" ebuild. See https://github.com/joohoi/acme-dns#authentication-hooks for more.
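The certbot side of the setup described above, as an added example that is not part of the report or of the acme-dns project: a minimal manual-auth hook that pushes CERTBOT_VALIDATION to acme-dns over its /update API. The acme-dns base URL, the credential store path and the sample registration are assumptions, and the hook only works once "_acme-challenge.<domain>" on the external DNS is a CNAME to the registration's "fulldomain".

```python
"""Minimal certbot manual-auth hook for acme-dns (added example, not the
project's own hook); credentials are JSON keyed by domain as /register returns them."""
import json
import os
import urllib.request

ACMEDNS_URL = "https://auth.example.org"      # assumed acme-dns base URL
STORE_PATH = "/etc/letsencrypt/acmedns.json"  # assumed credential store

# Constructed sample of the store; every value is a placeholder.
SAMPLE_STORE = {"example.com": {
    "username": "user-placeholder", "password": "apikey-placeholder",
    "subdomain": "sub-placeholder", "fulldomain": "sub-placeholder.auth.example.org"}}

def load_account(store: dict, domain: str) -> dict:
    """Registration for CERTBOT_DOMAIN (certbot strips a wildcard's '*.')."""
    acct = store.get(domain)
    if acct is None:
        raise KeyError(f"no acme-dns registration for {domain}")
    for key in ("username", "password", "subdomain", "fulldomain"):
        if key not in acct:
            raise ValueError(f"registration for {domain} lacks '{key}'")
    return acct

def build_update(acct: dict, validation: str) -> tuple:
    """Headers and JSON body for POST /update; acme-dns accepts only a
    43-character TXT value, which is what CERTBOT_VALIDATION carries."""
    if len(validation) != 43:
        raise ValueError("CERTBOT_VALIDATION must be 43 characters")
    headers = {"X-Api-User": acct["username"], "X-Api-Key": acct["password"],
               "Content-Type": "application/json"}
    return headers, {"subdomain": acct["subdomain"], "txt": validation}

def push_update(base_url: str, acct: dict, validation: str) -> int:
    """POST the TXT update (network call, not exercised offline)."""
    headers, body = build_update(acct, validation)
    req = urllib.request.Request(base_url.rstrip("/") + "/update", method="POST",
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    with open(STORE_PATH) as fh:
        store = json.load(fh)
    acct = load_account(store, os.environ["CERTBOT_DOMAIN"])
    # _acme-challenge.<domain> on the external DNS must be a CNAME to
    # acct["fulldomain"], otherwise Let's Encrypt never reaches acme-dns.
    push_update(ACMEDNS_URL, acct, os.environ["CERTBOT_VALIDATION"])
```

Wire it in with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.py -d '*.example.com'`; the API key never leaves the local store, so keep that file readable by root only.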
Comment 1 Sven Schwyn (svoop) 2020-12-29 19:08:45 UTC
By the way, there is something I could do once a working ebuild lands in the main Portage tree: I've privately documented in detail how to configure the moving parts and which DNS records to set for the "certbot" and "acme-dns" combo to issue wildcard certs. I'd be happy to share this and extend the Gentoo wiki page on Let's Encrypt:

https://wiki.gentoo.org/wiki/Let%27s_Encrypt
Comment 2 Jonas Stein gentoo-dev 2020-12-29 19:14:04 UTC
Thank you for your contribution. I had a short look at the ebuild.
Here are a few ideas:

* Why do you set RESTRICT="mirror"?
* Please test the ebuild with repoman full -d -x https://wiki.gentoo.org/wiki/Repoman and pkgcheck scan --net
* A bot can look for additional mistakes, if you upload a PR via github
Comment 3 Sven Schwyn (svoop) 2020-12-30 18:59:13 UTC
@Jonas Stein Thanks for the hints, however, as mentioned, I'm a poor choice for streamlining and maintaining this ebuild. Maybe someone with more kudos wants to chip in.