Acme-DNS-Server for multiple domains/zones. Help :(

Dear friends.

I have a use case where I have multiple domains/zones. Example:

  • one.example.com
  • two.example.com
  • one.another.example.net

My Acme-dns-server config points to auth.example.com. Everything runs perfectly even for subdomains, since I changed the zones with the proper CNAMEs, and I create the A Record in my example.com to point to the auth.example.com node (where acme dns server service is running).

My question is... in a situation where I have multiple domains/zones (like the example above), do I need to create 1 Acme-dns-server per domain in order to create certificates for every single domain? This doesn't make any sense in my head... :frowning:

Full example (this is working for 1 domain):

My ACME-DNS-Server Config:
listen = "22.2.2.22:53"
protocol = "both"
domain = "auth.example.com"
nsname = "auth.example.com"
nsadmin = "email@email.example.com"
records = [
# domain pointing to the public IP of your acme-dns server
"auth.example.com. A 111.1.1.111",
# specify that auth.example.com will resolve any *.auth.example.com records
"auth.example.com. NS auth.example.com.",
]

On my DNS Server I have this (and again, this is working perfectly for 1 domain and subdomains):
auth.example.com A IP_OF_MY_ACME_SERVER

_acme-challenge.one.example.com. CNAME 734895738538hjfjfgh.auth.example.com
_acme-challenge.two.example.com. CNAME 11111111111111sssss.auth.example.com

auth.example.com NS auth.example.com

Now... if I have completely different domains/zones... let's say another.example.com, what do I need to do for this to work with multiple domains?

Please help... I'm in fully desperate mode :frowning: :frowning: :frowning: ... (sorry for any typos).

1 Like

Hi @JoaoBarreto, and welcome to the LE community forum :slight_smile:

I'm not sure [yet].

Why are you not doing CNAME to the same destination?:

[it might simplify things if they all went to the same exact location]

3 Likes

Hi rg305. Thank you for your kind message!

I have this use case for a big customer who has tons of domains, wildcards, subdomains... they have multiple zones. I've created a python script for them to automate the certificate creation for all these domains, subdomains, etc.

On my dev environment... I tried with my personal domain (I have a microscopic website). And everything worked perfectly because... well... the (configuration)/communication between acme-dns-server and my DNS server was... (can I say) simplified. 1 for 1. I could create multiple subdomains (one, two, three, example) and I only had to add the CNAMEs for the challenges, etc, etc (like I showed in the above example), everything is working perfectly...

My main concern at this point in time... is doing this for completely different/multiple domains using only one instance of acme-dns-server... I'm super scared if I committed a huge mistake thinking I could use acme-dns-server for.... multiple and completely different zones/domains... and in reality... maybe I just can use it for only, ONE, domain. And this is scaring me A LOT! :frowning:

1 Like

As long as the customer CNAMEs the _acme-challenge FQDN to your DNS server, everything should work the same - for one domain or one thousand domains.

Naturally, you would want to scale that up slowly.
Try with one.
Try with ten.
Try with one hundred.
Try with one thousand.

And at some point, you will need to add in some redundancy.
Single points of failure will get you every time.

2 Likes

Thank you again for helping me rg305.

Correct me if I'm wrong please.

Please validate me this situation:

  • My acme-dns-server has the configuration of my first message example auth.exampledomain.com
  • I have a completely different domain, let's say epichelpfromrg305.com
  • On my DNS Zone, I just need to put (example) _acme-challenge.epichelpfromrg305.com CNAME ttttttt1111.auth.example.domain and this will work, regarding "network" communications?

I just need to put the CNAME there? Don't I need to put the A Record and NS Record in all DNS zones? How will the zone know where the acme-dns-server will be? Sorry, my questions may be related more with DNS configurations than with Let's Encrypt...

1 Like

No, that's just for auth.example.com

Then you have

_acme-challenge.client.example.org in CNAME SOMETHING.auth.example.com

The SOMETHING can be the same or not. Only difference is the acme-dns account. It should at least be unique for each client (you don't want a client to issue certificates for another one).

That would be problematic.
But @JoaoBarreto, aren't you going to be the only one controlling this system?
OR
Do the clients have control of it as well?

It does use basicauth on the API, and the acme client has access to that.

Also: how many txt records do you want to put on a single label?

3 Likes

Dear @9peppe . Thank you for your answer!

So I need to create a new zone in the customer DNS to accommodate the needed parameters for my Acme-DNS-Server? Right?

And then for each zone/domain, (like in a normal situation) I just need to put the CNAME there.

Basically each zone, will ask for the resolution of the auth.example.com, which will be answered as a normal DNS request.

Is this logic right?

Dear @rg305 .

The customer has control of its DNS Server. But I could say that I can request any changes to set up the needed logic. If I understood correctly, as @9peppe kindly explained, I need to create a new zone for my acme-dns-server (example auth.customer.com), and proceed with the CNAMEs in each zone.

The customer will perform these changes. I'm not the sysadmin of the DNS Server but I have someone that will help me out. So that won't be a problem.

I think my main problem is not deeply knowing how a DNS Server works. But I'm gonna wait for the answer of Mr. 9peppe to ask more questions if needed. :slight_smile: thanks for the help!

1 Like

You need a single RR in customer's DNS. (One per fqdn you want to validate!)

_acme-challenge.your.customer.example.com -> client-name.auth.your.own.domain.example.org

I'm not sure I understand what you're saying, but you should find out how CNAME and NS resource records work. They can do the same thing, but they're very, very different.

4 Likes

So basically this is what I'm trying to understand... and sorry to be such a pain in the arse... These examples were generated by chatgpt but they demonstrate what I'm trying to say and ask if it's correct, and if I just need to add the CNAME.

My Example, let's call it example number 1, Domain Zone:

$TTL 86400
@       IN      SOA     ns1.example.com. admin.example.com. (
                           2024011801 ; Serial
                           3600       ; Refresh (1 hour)
                           1800       ; Retry (30 minutes)
                           604800     ; Expire (1 week)
                           86400      ; Minimum TTL (1 day)
                       )

; NAMESERVERS
@       IN      NS      ns1.example.com.

; A RECORDS 
ns1     IN      A       192.168.1.10
www     IN      A       192.168.1.20

; CNAME SECTION for the domain www.example.com
_acme-challenge.www.example.com.   IN      CNAME   SOMETHINGSOMETHING.auth.acmeDNSServer.com.

Example nº2, another domain, another zone:

$TTL 86400
@       IN      SOA     ns1.rg305.com. admin.rg305.com. (
                           2024011801 ; Serial
                           3600       ; Refresh (1 hour)
                           1800       ; Retry (30 minutes)
                           604800     ; Expire (1 week)
                           86400      ; Minimum TTL (1 day)
                       )

; NAMESERVERS
@       IN      NS      ns1.rg305.com.

; A RECORDS 
ns1     IN      A       192.168.1.111
ftp     IN      A       192.168.1.222

; CNAME SECTION for the domain ftp.rg305.com
_acme-challenge.ftp.rg305.com.     IN     CNAME    SOMETHING.auth.acmeDNSServer.com.

My AcmeDNSServer , completely new zone, that doesn't exist today:

$TTL 86400
@       IN      SOA     auth.acmeDNSserver.com. admin.acmeDNSserver.com. (
                        2024011801 ; Serial
                        3600       ; Refresh (1 hour)
                        1800       ; Retry (30 minutes)
                        604800     ; Expire (1 week)
                        86400      ; Minimum TTL (1 day)
                    )
; A RECORDS
auth.acmeDNSserver.com.    IN      A       11.1.1.111 ; just an example of an ip, nevermind

; NAMESERVERS
auth.acmeDNSserver.com.      IN      NS      auth.acmeDNSserver.com.

1 new zone for the "auth.acmednsserver.com" domain which is used in the config of the service:

My ACME-DNS-Server Config:

listen = "local_ip_address_nevermind:53"
protocol = "both"
domain = "auth.acmeDNSServer.com"
nsname = "auth.acmeDNSServer.com"
nsadmin = "email@email.example.com"
records = [
        "auth.acmeDNSServer.com. A 111.1.1.111",
        "auth.acmeDNSServer.com. NS auth.acmeDNSServer.com.",
]

Will this example work? By just putting the CNAME record in each zone, and creating a new one for the acme-server-dns?

Sorry if I'm confusing you guys.

1 Like

I think so.

2 Likes

Let me try to explain this differently:

The only connection between the acme-dns server and the domain(s) you wish to authenticate, is the CNAME on the domain-to-authenticate pointing it to the acme-dns domain.

The DNS records creating auth.example.com and establishing it as the nameserver for that namespace (A and NS records) only exist for the creation of the acme-dns server in general that is under your control. You could easily avoid all that by using a free or commercial service that offers acme-dns or other nameserver systems. By creating this, you can even offer a free or commercial service of your own.

In other words, you only did that work so that you can have your own generic nameserver on the public internet.

The only thing any domain must do in order to handle DNS-01 challenges with your installation is to CNAME their _acme-challenge onto your domain. Your other customers could do this with any number of their domains and no other configuration is needed. If you were to give a random person an account on your server, the only DNS work they would need to do is to CNAME their challenge onto your server.

Does that make more sense?

5 Likes
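The point made in the last two replies (a customer zone needs exactly one CNAME per FQDN into the acme-dns zone, and each customer should have its own acme-dns account label so one client cannot answer challenges for another) can be checked mechanically. The script below is an added example for this thread; it is not code from acme-dns or from any poster. It builds a constructed record set from the names used above, follows the `_acme-challenge` CNAME chain the way a CA's resolver would, and reports names that do not land under the acme-dns domain, CNAME loops, and acme-dns labels shared between unrelated names. `cname_line` is a hypothetical helper that formats the one zone-file line a customer adds; its `label` argument stands for the `subdomain` value acme-dns returns when an account is registered.

```python
"""Check acme-dns style CNAME delegation across several unrelated zones.

Added example for this thread; it is not code from acme-dns or from any of
the posters. The record set is constructed from names used in the thread and
stands in for live DNS so the checks run offline.
"""

# The acme-dns instance's own domain (the `domain` key in its config).
ACME_DNS_DOMAIN = "auth.example.com."

# Constructed resolver view: owner name -> (rrtype, rdata). Every challenge
# owner is a CNAME into the acme-dns zone, except two deliberately broken ones.
RECORDS = {
    "auth.example.com.": ("A", "111.1.1.111"),
    "_acme-challenge.one.example.com.": ("CNAME", "734895738538hjfjfgh.auth.example.com."),
    "_acme-challenge.two.example.com.": ("CNAME", "11111111111111sssss.auth.example.com."),
    # a second, unrelated customer zone delegating the same way; it needs no A/NS records
    "_acme-challenge.ftp.rg305.com.": ("CNAME", "ttttttt1111.auth.example.com."),
    # a zone that re-uses one.example.com's acme-dns label (same account)
    "_acme-challenge.shared.rg305.com.": ("CNAME", "734895738538hjfjfgh.auth.example.com."),
    # broken: CNAME points outside the acme-dns zone
    "_acme-challenge.bad.example.net.": ("CNAME", "txt.bad.example.net."),
    # broken: CNAME loop
    "_acme-challenge.loop.example.net.": ("CNAME", "_acme-challenge.loop.example.net."),
}


def fqdn(name):
    """Normalise to an absolute name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def resolve_challenge(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<name> and return the owner name at
    which a CA would finally look for the TXT record. Raises on a loop."""
    owner = "_acme-challenge." + fqdn(name)
    seen = set()
    while owner not in seen:
        seen.add(owner)
        rec = records.get(owner)
        if rec is None or rec[0] != "CNAME":
            return owner
        owner = fqdn(rec[1])
        if len(seen) >= max_hops:
            break
    raise ValueError("CNAME loop or too many hops starting at _acme-challenge." + fqdn(name))


def delegated_to_acme_dns(name, acme_dns_domain=ACME_DNS_DOMAIN, records=RECORDS):
    """True when the challenge name ends up as <label>.<acme-dns domain>, i.e. the
    only record the customer zone needs is present and points the right way."""
    target = resolve_challenge(name, records)
    return target.endswith("." + acme_dns_domain)


def acme_dns_label(name, acme_dns_domain=ACME_DNS_DOMAIN, records=RECORDS):
    """The acme-dns subdomain (one registered account) a name delegates to, or None."""
    target = resolve_challenge(name, records)
    suffix = "." + acme_dns_domain
    return target[: -len(suffix)] if target.endswith(suffix) else None


def shared_accounts(names, acme_dns_domain=ACME_DNS_DOMAIN, records=RECORDS):
    """Labels used by more than one name. Each label is one acme-dns account, so
    whoever holds its credentials can answer challenges for every name behind it;
    keeping customers isolated means giving each its own label."""
    by_label = {}
    for n in names:
        try:
            label = acme_dns_label(n, acme_dns_domain, records)
        except ValueError:
            continue  # loops are reported separately by resolve_challenge
        if label is not None:
            by_label.setdefault(label, set()).add(fqdn(n))
    return {label: owners for label, owners in by_label.items() if len(owners) > 1}


def cname_line(name, label, acme_dns_domain=ACME_DNS_DOMAIN):
    """Hypothetical helper: the single zone-file line a customer adds per FQDN.
    `label` is the `subdomain` value acme-dns hands back on registration."""
    return f"_acme-challenge.{fqdn(name)} IN CNAME {label}.{acme_dns_domain}"


if __name__ == "__main__":
    for n in ["one.example.com", "two.example.com", "ftp.rg305.com",
              "shared.rg305.com", "bad.example.net", "loop.example.net"]:
        try:
            print(f"{n:22} delegated={delegated_to_acme_dns(n)}")
        except ValueError as err:
            print(f"{n:22} ERROR {err}")
    print("shared accounts:", shared_accounts(["one.example.com", "shared.rg305.com", "ftp.rg305.com"]))
    print(cname_line("new.customer.example.net", "ttttttt1111"))
```

Run it as-is to see the report for the constructed records; to check a real deployment, replace `RECORDS` with answers from your resolver (for example from `dig +short CNAME _acme-challenge.<name>`) and feed `shared_accounts` the full list of customer FQDNs. A label appearing for two different customers is the situation the reply above warns about: one acme-dns credential able to satisfy challenges for both.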

I think I understood. Still I need to test it to fully understand it... :v: :sweat_smile:

Thank you all for the help and time!

3 Likes
