I'm tryin to understand and configure (my first) dns delegation for _acme-challange to another domain.
Example: domain1.com in our azure cloud zone. But I would like (if possible) to delegate _acme-challenge.domain1.com to another domain called domain2.com which is hosted on Cloudflare.
Now, I'm no sure should I create NS or CNAME records in domain1.com zone.
And what to add in cloudflare in zone domain2.com?
Because when I tried to create wildcard cert *.domain1.com on cloudflare api, I got rejected from cloudflare that domain1.com zone does not exist.
I'm missing one (or more) steps. Can anyone give example which records to add in which zone?
Thank you in advance
Welcome to the Let's Encrypt Community!
In reading through your description, it sounds to me like you're trying to get a Cloudflare certificate (possibly an Origin CA cert) for domain1. Is that correct? What I'm confused about is how you think you're going to get Cloudflare to issue a certificate via ACME with their API since Cloudflare isn't an ACME CA. To my knowledge, Cloudflare only issues two types of certificates: publicly-trusted certs for domains for which they are proxying and non-publicly-trusted certs (aka Origin CA certs) for backend servers to which they are proxying. What exactly is the relationship you're trying to establish between these two domain names? Is it purely for certificate issuance purposes?
@griffin It's also common for people to use Cloudflare as their DNS provider as there are multiple ACME clients with Cloudflare DNS challenge integration.
@davorbettercare If you want to use the
dns-01 challenge using Cloudflare, you need to add
domain1.com to your Cloudflare account. Cloudflare will present you two of their nameservers. Note that it isn't required to entirely change the DNS provider from Azure to Cloudflare with those 2 nameservers: it should be possible to simply add those two nameservers as NS RR to the
_acme-challenge label only in your Azure DNS zone editor. There's no need to include
domain2.com in this.
What do you mean by this? Looks like we're kinda confused to what you're actually trying to achieve. Can you please elaborate on that?
At the time I wrote this topic, I did know exactly how to do it.
For some reason I wanted to delegate _acme-challenge txt records (domain1.com) to another domain (domain2.com).
Since Azure has limits on principal service account, where secret is valid only 2 years, I wanted to use Cloudflare for delegation, because there is no limit on api access token.
Idea was delegate domain1.com acme-challenge from my zone domain1.com in Azure DNS to cloudflare domain2.com zone.
But when I read the plugin more in details and had a look in a code of plugin, I realized this kind of delegation is possible only inside Azure DNS service.
I'm still looking to a solution with lower maintenance (no inbound access to VM) ssl renewal, because changing token every 2 years on multiple VMs is not a good idea.
EDIT: just found an option to use ssh key instead pf generated secret
EDIT2: ah, it's not ssh key, it's certificate and this has expirate date too...
You also have to watch out for cloudflare having their own hidden _acme-challenge DNS entry for your domain, which they use for their own certificate renewals against your domain.
In general though, you can create an _acme-challenge.whatever.domain.com CNAME record and point to _acme-challenge.somwhereelse.com (or even a differntly named record) and as long as your client has updated the target record TXT value it will work ok, as Let's Encrypt will follow the CNAME redirection if it can.
[Note: lots of exist acme clients cannot support this method due to limitations of their DNS providers as it often requires a substitution of the first domain with the second domain, due to the way zones are resolved by DNS integration code]
Idea with letting cloudflare to deal with _acme-challenge sounds very good, but not completely sure how to do that.
I assume I need to add
_acme-challenge.domain1.com NS cloudflare ns server
That will resolve TXT record on Cloudflare.
What about subdomains, do I need to add _acme-challenge NS record for every subdomain?
You need to use a CNAME for each _acme-challenge (which is one per domain/subdomain).
I'm pretty sure there is no way to delegate _acme-challenge.* in one zone to some other zone. NS is for delegating lookups for entire subdomains.
I believe that is possible, just as @davorbettercare suggested in the previous post.
Thanks, every day is (potentially) a school day!
My interpretation (which could be wrong) is that would only redirect a specific _acme-challenge record to an entire zone and still only resolve to a single TXT record at the root of that target zone, but it wouldn't let you redirect both _acme-challenge.whatever.yourdomain and _acme-challenge.something.yourdomain.com to an _acme-challenge record in your target zone without having an NS record for each variation.
I feel like if there was a way to cleanly delegate
_acme-challenge.*.whatever.com to a different zone we'd have seen it used a lot already, instead of setting up individual CNAMEs.
I think these concepts prevent generalized delegation:
- Only a single wildcard can be specified in a domain name
- A wildcard must be the leftmost label (before the first dot) of a domain name
- A wildcard only matches for a single label, not every sublabel
- A wildcard in a source domain name is only used for matching (i.e. there isn't some kind of regex substitution going on from source to sink)
- A DNAME provides a kind of exception to the above, but it operates en masse and is very rarely used (or useful)
Ah, I see what you mean now, I missed the
* earlier.. Not sure if such a wildcard "in the middle" works. Not for certificates of course, but I'd say perhaps for DNS software it could work? I dunno, couldn't find a clear answer about BIND for example.
Perhaps in database driven DNS systems [like: PowerDNS], such a wildcard entry may within an SQL statement match multiple requests.
[just speculation on my part - I would never use a wildcard this way]
On second thought, it would take some tweaking; As "
*" and "
%" are unequal by default.
It would be a pretty cool feature especially for challenges and TXT records in general to save polluting the real zone with miscellaneous records, and it would make "sacrificial" zones for auth much easier.
The canonical name doesn't need to match the alias. The important part is that the ACME client uses the correct alias in the challenge and updates the canonical name with challenge token. The ACME validator will follow the CNAME and find that token.
True, but if you imagine being the next person who has to maintain that you're going to hope they've followed some sort of standard, and I think some clients do require _acme-challenge specifically because that's what they're configured to update in the target zone.
I wouldn't start the canonical name with anything other than
_acme-challenge. I was referring more to the next label. You can safely use the same canonical name with more than one alias. Obviously some quantity may eventually have a collision risk. My sample ratio is currently at 2:1 without complication.
Sure, yes I believe the limit is 4096 bytes, so it gets unpredictable as you reach about 90 entries against one TXT record, I think many services would fail to update before that.
What limit are you referencing?