agnos

#OpenSource

Product information

Agnos is a single-binary program that simplifies obtaining wildcard certificates from Let's Encrypt with DNS-01 challenges, without API access to your DNS provider. Instead of writing the challenge TXT record into your provider's zone, Agnos answers the ACME server's _acme-challenge queries itself, so no DNS API credentials have to be stored on the host and there is no propagation delay to wait for. Those two issues are the usual drawbacks of DNS-01, and removing them is the point of the tool.

To use Agnos, add two kinds of records to your DNS zone: an A (or AAAA) record pointing at the public IP address of the host running Agnos, and, for each domain to be certified, an NS record for that domain's _acme-challenge sub-domain naming the Agnos host as its name server. A wildcard and its base domain (for example *.example.com and example.com) are both validated at _acme-challenge.example.com, so they share a single NS record. UDP port 53 on that address must be reachable from the internet and must not already be bound by another DNS server.

Agnos is configured via a single TOML file that specifies the IP address and port to listen on, one or more Let's Encrypt accounts, and the certificates to order. Each certificate can cover several domains and is written to disk as two files: the full certificate chain and the private key. The key file is the secret that matters here, so restrict its permissions to the account that runs Agnos and the service that consumes the certificate.

The program is written in Rust and can be built with the Rust toolchain. Pre-compiled binaries are available for Linux/amd64, and an Archlinux AUR package is provided for easy installation. Binding to port 53 requires CAP_NET_BIND_SERVICE on Linux; granting that single capability to the binary or the service lets Agnos run as an unprivileged user instead of root.

Agnos is run with a single argument, the path to its configuration file, plus optional flags to target Let's Encrypt's production server (staging is used otherwise, which is the safe default for a first run) and to print debug output. On each run it checks every configured certificate and renews those expiring within the next 30 days, so it can be invoked repeatedly from a cron job without side effects. Systemd service and timer units are provided as an alternative.

Developers are encouraged to contribute via pull requests and issues, with integration testing facilitated through a Makefile and Docker Compose setup.

Pricing

Pricing information is not available