Description
I recently used iroh dns automatic management and found two problems.
- iroh relay manual mode should already support the pem certificate format. But I found that iroh dns manual mode, in iroh-dns-server/src/http/tls.rs, does this:

```rust
if domains.len() != 1 {
    bail!("Multiple domains in manual mode are not supported");
}
let keyname = escape_hostname(&domains[0]);
let cert_path = dir.join(format!("{keyname}.crt"));
let key_path = dir.join(format!("{keyname}.key"));
```

- The default format is crt, which is very unfriendly to some free certificate authorities, such as Let's Encrypt. I don't know if Let's Encrypt supports issuing in crt format. As far as I know, it defaults to pem, and some tools I use, such as allinssl (automatic certificate management including renewal), always use the pem format first. Can the manual mode also support pem, so that it is unified and convenient to manage?
- Regarding the location of manually managed iroh-dns certificates: after analyzing the source code, it should be in the .cache directory. I can't find any option for setting the certificate path or name in the options. Can it be added, just like iroh relay (if I remember correctly, iroh relay can be customized)?
Why do I use https://github.com/allinssl/allinssl to manually manage certificates instead of using iroh dns's internal automatic maintenance?
- a. iroh dns and iroh relay have different certificate management methods: one has automatic management (iroh dns) and the other requires manual management. This is very inconvenient when doing automation.
- b. After I used iroh dns for one certificate cycle (3 months), I found that it can apply successfully, but when the certificate expires, it does not automatically renew, nor does it automatically load a new certificate. I'm not sure if there is something wrong with my understanding. I saw the functions for automatic loading and automatic renewal (in the relevant code) in the options, but the specific reason why it failed to renew is unknown. My process has been running for 3 months without interruption. The shortest lifetime for Let's Encrypt test certificates is also 3 months, so I don't know how to reproduce this problem.
- c. So I used allinssl to make managing the iroh relay and iroh dns certificates easier. However, iroh-dns manual management only supports the crt format, which makes it very difficult for me to automate management. If iroh dns could support manual loading of pem, I could achieve long-term automated management without having to restart the node every 3 months.
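As an added example (not iroh's code), here is how a manual-mode loader could keep the single-domain check quoted above while accepting either `<host>.crt` or `<host>.pem`, and verify that the file really holds PEM data, since both extensions normally contain PEM-encoded certificates. The `escape_hostname` below is a simplified stand-in for iroh's function, and the `<dir>/<host>.{crt,pem,key}` layout is assumed.

```rust
// Added example, not iroh's code: resolve a manual-mode certificate for one
// domain, accepting `<host>.crt` or `<host>.pem`, and sniff the contents
// rather than trusting the file extension.
use std::fs;
use std::path::{Path, PathBuf};

/// Simplified stand-in for iroh's `escape_hostname` (assumption): keep only
/// characters that are safe in a file name.
pub fn escape_hostname(host: &str) -> String {
    host.chars()
        .map(|c| if c.is_ascii_alphanumeric() || c == '.' || c == '-' { c } else { '_' })
        .collect()
}

/// Locate the certificate and key for exactly one domain. `.crt` is tried
/// first (the current convention), then `.pem`.
pub fn resolve_cert_paths(dir: &Path, domains: &[String]) -> Result<(PathBuf, PathBuf), String> {
    if domains.len() != 1 {
        return Err("Multiple domains in manual mode are not supported".into());
    }
    let keyname = escape_hostname(&domains[0]);
    let key_path = dir.join(format!("{keyname}.key"));
    let cert_path = ["crt", "pem"]
        .iter()
        .map(|ext| dir.join(format!("{keyname}.{ext}")))
        .find(|p| p.is_file())
        .ok_or_else(|| format!("no {keyname}.crt or {keyname}.pem in {}", dir.display()))?;
    if !key_path.is_file() {
        return Err(format!("missing key file {}", key_path.display()));
    }
    // Whatever the extension says, the bytes must be a PEM certificate block;
    // a DER file renamed to .crt would otherwise fail later inside the TLS stack.
    let contents = fs::read_to_string(&cert_path).map_err(|e| e.to_string())?;
    if !contents.trim_start().starts_with("-----BEGIN CERTIFICATE-----") {
        return Err(format!("{} is not PEM-encoded", cert_path.display()));
    }
    Ok((cert_path, key_path))
}

fn main() {
    // Constructed demo input: looks for dns.example.com.{crt,pem,key} in the temp dir.
    let dir = std::env::temp_dir();
    match resolve_cert_paths(&dir, &["dns.example.com".to_string()]) {
        Ok((c, k)) => println!("cert: {} key: {}", c.display(), k.display()),
        Err(e) => println!("error: {e}"),
    }
}
```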