add proxy support and dns resolver in acme providers by mcarbonneaux · Pull Request #1526 · smallstep/cli

Title

ACME: per‑provisioner networking options (proxy and DNS resolver) + CLI flags and help

Summary

This PR adds per‑provisioner networking options to ACME provisioners so you can control, for each provisioner, the HTTP(S)/SOCKS proxy used for outbound ACME validation requests and the DNS resolver used during ACME challenges. The CLI exposes new flags, help text is updated, and the ACME server injects a per‑provisioner client honoring these settings at request time.

Motivation

  • Enterprises often require outbound Internet access through an explicit proxy; ACME http‑01 validations and callbacks must respect that.
  • Segmented/custom DNS environments may need a specific resolver for ACME‑related lookups.
  • Scoping these settings per provisioner avoids global side‑effects and enables different policies across ACME provisioners.

What’s changed

  • CLI: new flags on ACME provisioners
    • --acme-proxy-url <url>: explicit proxy URL for outbound ACME validation requests.
    • --acme-disable-proxy: disable any proxy usage (ignores HTTP_PROXY/HTTPS_PROXY).
    • --acme-dns-resolver <host:port>: force a specific DNS resolver for ACME challenge operations.
    Available in:
    • step ca provisioner add --type ACME
    • step ca provisioner update (when the target is ACME)
  • Server: ACME router constructs and injects a per‑provisioner acme.Client configured with proxy/DNS settings, if present, for each request.
  • Internal model: the provisioner.ACME struct exposes ProxyURL, DisableProxy, and DNS so the handler can apply them.

linkedca schema

  • A companion change is required in linkedca.ACMEProvisioner to persist these values via the Admin API:
    • string proxy_url
    • bool disable_proxy
    • string dns_resolver

Usage examples

  • Add with explicit proxy and DNS resolver:
      step ca provisioner add acme --type ACME \
        --acme-proxy-url http://proxy.local:3128 \
        --acme-dns-resolver 8.8.8.8:53
  • Disable proxies entirely:
      step ca provisioner add acme --type ACME \
        --acme-disable-proxy
  • Update an existing ACME provisioner:
      step ca provisioner update acme \
        --acme-proxy-url http://proxy.corp:3128 \
        --acme-dns-resolver 1.1.1.1:53

Rules and precedence

  • --acme-disable-proxy wins: when set, no proxy is used at all (even if --acme-proxy-url or env vars are present).
  • If not disabled, --acme-proxy-url overrides system/env proxy settings.
  • --acme-dns-resolver expects host:port (e.g., 8.8.8.8:53).
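The precedence rules above, worked through in Go as an added example; this is not code from this PR, from smallstep/cli or from smallstep/certificates. ACMENetOptions, ProxyFunc, Resolver, EffectiveProxy and NewHTTPClient are hypothetical names that mirror the three flags; the real provisioner.ACME struct and the acme.Client wiring in the server are not reproduced. The example shows how "disable wins", "explicit URL overrides the environment" and "host:port is required for the resolver" translate into an http.Transport and a net.Resolver, and it rejects malformed values instead of silently falling back.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// ACMENetOptions mirrors the three per-provisioner settings from the PR.
// Hypothetical type for this example; it is not provisioner.ACME.
type ACMENetOptions struct {
	ProxyURL     string // --acme-proxy-url
	DisableProxy bool   // --acme-disable-proxy
	DNSResolver  string // --acme-dns-resolver, host:port
}

// ProxyFunc applies the precedence rules: DisableProxy wins outright, then an
// explicit ProxyURL, and only otherwise the HTTP_PROXY/HTTPS_PROXY environment.
func (o ACMENetOptions) ProxyFunc() (func(*http.Request) (*url.URL, error), error) {
	if o.DisableProxy {
		// Returning a nil URL tells http.Transport to connect directly.
		return func(*http.Request) (*url.URL, error) { return nil, nil }, nil
	}
	if o.ProxyURL != "" {
		u, err := url.Parse(o.ProxyURL)
		if err != nil {
			return nil, fmt.Errorf("invalid proxy url %q: %w", o.ProxyURL, err)
		}
		switch u.Scheme {
		case "http", "https", "socks5":
		default:
			return nil, fmt.Errorf("unsupported proxy scheme %q in %q", u.Scheme, o.ProxyURL)
		}
		return http.ProxyURL(u), nil
	}
	return http.ProxyFromEnvironment, nil
}

// Resolver returns a net.Resolver that sends every lookup to DNSResolver when
// it is set, and the process default resolver otherwise.
func (o ACMENetOptions) Resolver() (*net.Resolver, error) {
	if o.DNSResolver == "" {
		return net.DefaultResolver, nil
	}
	host, port, err := net.SplitHostPort(o.DNSResolver)
	if err != nil {
		return nil, fmt.Errorf("dns resolver must be host:port, got %q: %w", o.DNSResolver, err)
	}
	target := net.JoinHostPort(host, port)
	return &net.Resolver{
		PreferGo: true, // use Go's resolver so Dial below is honored
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, target)
		},
	}, nil
}

// NewHTTPClient builds the client a validation request would go through,
// with both the proxy decision and the resolver wired into the transport.
func NewHTTPClient(o ACMENetOptions) (*http.Client, error) {
	proxy, err := o.ProxyFunc()
	if err != nil {
		return nil, err
	}
	resolver, err := o.Resolver()
	if err != nil {
		return nil, err
	}
	dialer := &net.Dialer{Timeout: 10 * time.Second, Resolver: resolver}
	tr := &http.Transport{Proxy: proxy, DialContext: dialer.DialContext}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}, nil
}

// EffectiveProxy reports which proxy ("" for none) a request to rawURL would use.
func EffectiveProxy(o ACMENetOptions, rawURL string) (string, error) {
	proxy, err := o.ProxyFunc()
	if err != nil {
		return "", err
	}
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	u, err := proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	// Constructed sample values; proxy.local and example.test are placeholders.
	opts := ACMENetOptions{ProxyURL: "http://proxy.local:3128", DNSResolver: "8.8.8.8:53"}
	client, err := NewHTTPClient(opts)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	p, _ := EffectiveProxy(opts, "http://example.test/.well-known/acme-challenge/token")
	fmt.Printf("proxy for validation request: %q (client timeout %s)\n", p, client.Timeout)
}
```

The scheme whitelist matters: a value like `proxy.local:3128` without a scheme parses without error but as an opaque URL, so without the check it would be accepted and then fail at connect time rather than at `step ca provisioner add`.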

Related pull request :