
Conversation

@mcarbonneaux

Title

ACME: per‑provisioner networking options (proxy and DNS resolver) + CLI flags and help

Summary

This PR adds provisioner-level networking options to ACME provisioners so you can control, per provisioner, the HTTP(S)/SOCKS proxy used for outbound ACME validation requests and the DNS resolver used during ACME challenges. The CLI exposes new flags, help text is updated, and the ACME server injects a per-provisioner client honoring these settings at request time.

Motivation

  • Enterprises often require outbound Internet access through an explicit proxy; ACME http‑01 validations and callbacks must respect that.
  • Segmented/custom DNS environments may need a specific resolver for ACME‑related lookups.
  • Scoping these settings per provisioner avoids global side‑effects and enables different policies across ACME provisioners.

What’s changed

  • CLI: new flags on ACME provisioners
    • --acme-proxy-url <url>: explicit proxy URL for outbound ACME validation requests.
    • --acme-disable-proxy: disable any proxy usage (ignores HTTP_PROXY/HTTPS_PROXY).
    • --acme-dns-resolver <host:port>: force a specific DNS resolver for ACME challenge operations.
    Available in:
    • step ca provisioner add --type ACME
    • step ca provisioner update (when the target is ACME)
  • Server: ACME router constructs and injects a per‑provisioner acme.Client configured with proxy/DNS settings, if present, for each request.
  • Internal model: the provisioner.ACME struct exposes ProxyURL, DisableProxy, and DNS so the handler can apply them.

linkedca schema

  • A companion change is required in linkedca.ACMEProvisioner to persist these values via the Admin API:
    • string proxy_url
    • bool disable_proxy
    • string dns_resolver

Usage examples

  • Add with explicit proxy and DNS resolver:

      step ca provisioner add acme --type ACME \
        --acme-proxy-url http://proxy.local:3128 \
        --acme-dns-resolver 8.8.8.8:53

  • Disable proxies entirely:

      step ca provisioner add acme --type ACME \
        --acme-disable-proxy

  • Update an existing ACME provisioner:

      step ca provisioner update acme \
        --acme-proxy-url http://proxy.corp:3128 \
        --acme-dns-resolver 1.1.1.1:53

Rules and precedence

  • --acme-disable-proxy wins: when set, no proxy is used at all (even if --acme-proxy-url or env vars are present).
  • If not disabled, --acme-proxy-url overrides system/env proxy settings.
  • --acme-dns-resolver expects host:port (e.g., 8.8.8.8:53).
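
The precedence rules above, together with the per-provisioner client the server section says the ACME router injects, as an added Go example. This is illustrative code written for this page, not step-ca's implementation: ACMENetOptions, ProxyFunc, ProxyFor, Resolver and HTTPClient are assumed names that stand in for the ProxyURL/DisableProxy/DNS fields on provisioner.ACME and for whatever the real handler builds from them.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// ACMENetOptions is an illustrative stand-in (assumed name) for the three fields the
// PR adds to provisioner.ACME: ProxyURL, DisableProxy and DNS.
type ACMENetOptions struct {
	ProxyURL     string // explicit proxy, e.g. http://proxy.local:3128
	DisableProxy bool   // when true, never use a proxy, environment included
	DNSResolver  string // host:port of the resolver to pin, e.g. 8.8.8.8:53
}

// ProxyFunc applies the precedence stated in the PR:
//  1. DisableProxy wins: dial directly regardless of ProxyURL or env vars.
//  2. Otherwise an explicit ProxyURL overrides HTTP_PROXY/HTTPS_PROXY/NO_PROXY.
//  3. Otherwise fall back to the environment, as net/http does by default.
func (o ACMENetOptions) ProxyFunc() (func(*http.Request) (*url.URL, error), error) {
	if o.DisableProxy {
		return func(*http.Request) (*url.URL, error) { return nil, nil }, nil
	}
	if o.ProxyURL != "" {
		u, err := url.Parse(o.ProxyURL)
		if err != nil {
			return nil, fmt.Errorf("invalid proxy URL %q: %w", o.ProxyURL, err)
		}
		// Reject schemes net/http's Transport cannot speak at config time,
		// not on the first validation request.
		switch u.Scheme {
		case "http", "https", "socks5":
		default:
			return nil, fmt.Errorf("unsupported proxy scheme %q in %q", u.Scheme, o.ProxyURL)
		}
		return http.ProxyURL(u), nil
	}
	return http.ProxyFromEnvironment, nil
}

// ProxyFor reports the proxy a validation request to target would use ("" means direct).
func (o ACMENetOptions) ProxyFor(target string) (string, error) {
	pf, err := o.ProxyFunc()
	if err != nil {
		return "", err
	}
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	u, err := pf(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

// Resolver returns a net.Resolver pinned to DNSResolver, or the default one when unset.
// PreferGo is required: the cgo resolver ignores the custom Dial and would silently
// fall back to /etc/resolv.conf, which is the behaviour the flag is meant to rule out.
func (o ACMENetOptions) Resolver() (*net.Resolver, error) {
	if o.DNSResolver == "" {
		return net.DefaultResolver, nil
	}
	if _, _, err := net.SplitHostPort(o.DNSResolver); err != nil {
		return nil, fmt.Errorf("--acme-dns-resolver must be host:port: %w", err)
	}
	addr := o.DNSResolver
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, addr) // udp or tcp, as the resolver picks
		},
	}, nil
}

// HTTPClient builds the client an ACME handler would use for http-01 validation,
// with both settings applied to the transport.
func (o ACMENetOptions) HTTPClient() (*http.Client, error) {
	pf, err := o.ProxyFunc()
	if err != nil {
		return nil, err
	}
	res, err := o.Resolver()
	if err != nil {
		return nil, err
	}
	dialer := &net.Dialer{Timeout: 10 * time.Second, Resolver: res}
	tr := &http.Transport{Proxy: pf, DialContext: dialer.DialContext, TLSHandshakeTimeout: 10 * time.Second}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}, nil
}

func main() {
	target := "http://example.com/.well-known/acme-challenge/token" // constructed sample URL
	opts := ACMENetOptions{ProxyURL: "http://proxy.local:3128", DNSResolver: "8.8.8.8:53"}
	p, _ := opts.ProxyFor(target)
	fmt.Println("proxy:", p)
	opts.DisableProxy = true
	p, _ = opts.ProxyFor(target)
	fmt.Printf("proxy with DisableProxy set: %q\n", p)
}
```

Two caveats a deployer should keep in mind. When a proxy is in use, the proxy resolves the validation target's hostname (the client sends the absolute URI or a CONNECT), so the pinned resolver only governs the lookup of the proxy host itself; the DNS setting fully controls target resolution only on the direct path, and it is the same net.Resolver that dns-01 TXT lookups would go through via LookupTXT. And pinning the resolver through net.Dialer only takes effect with Go's pure-Go resolver, hence PreferGo above.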

@CLAassistant

CLAassistant commented Nov 25, 2025

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Nov 25, 2025
add dns resolver support in acme providers