Acme.sh --domain-alias not working or I don't undestand?

Help
1

I'm trying to setup an issue and renew for a domain ( wildcard ) ( let's say example.com ) by delegating the acmedns to another domain ( let's say example.net ) wich already has his acme.sh script for his own certificates thus I have to use a subdomain to achieve this ( to not broke the working one ).
I have created a CNAME in example.com:
_acme-challenge.example CNAME authfr.example.net
In example.net I have created an A record:
authfr.example.net A xx.xx.xx.xx
and an NS record:
authfr.example.net NS authfr.example.net

Then, on the server xx.xx.xx.xx I have setup the acmedns with the same two records:
nsname = "authfr.example.net" nsadmin = "pigi.example.com" records = [ "authfr.example.net. A xx.xx.xx.xx", "authfr.example.net. NS authfr.example.net.", ]

Then I launch:
acme.sh --issue --server 'letsencrypt_test' -d '*.example.com' --domain-alias authfr.example.net --dns dns_acmedns -k 2048 --debug 2
which starts doing his things and it ask me to add:
# Create _acme-challenge.authfr.example.net CNAME c76432a1-02b2-4ee1-ad61-08f841bf1d9a.auth.acme-dns.io DNS entry #
which I do in example.net DNS, but it would not work, obviously as the authoritative server for authfr.example.net is on xx.xx.xx.xx server as instructed before, on acmedns server.
In the acmedns logs I see:
DEBU[4687] Answering question for domain domain=_acme-challenge.authfr.example.net. qtype=CNAME rcode=NOERROR

DEBU[4687] Answering question for domain domain=_acme-challenge.authfr.example.net. qtype=CNAME rcode=NOERROR
DEBU[4701] Answering question for domain domain=_ACme-chALLeNGE.aUthfr.EXample.neT. qtype=CNAME rcode=NOERROR
DEBU[4701] Answering question for domain domain=_acme-challenge.authfr.example.net. qtype=CNAME rcode=NOERROR
which is expected as I haven't add those records in acmedns ( I can't find a way ).
After a while I found a way to add those records to acmedns, by stopping it and adding in config.cfg, which now results in a valid response when querying, but still the acme.sh cicle without issuing the certs with those two messages:
Not valid yet, let's wait for 10 seconds then check the next one.
and
Purging Cloudflare TXT record for domain _acme-challenge.example.com
...
...
Purging Cloudflare TXT record for domain authfr.example.net

If, moreover, I add the --dnssleep 300 to avoid the loop on dns checking, the process ends but with an error, stating it cannot find th TXT record at example.com:
error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.example.com","status": 403'
errordetail='No TXT record found at _acme-challenge.example.com'
*.example.com: Invalid status. Verification error details: No TXT record found at _acme-challenge.example.com
Skipping for removelevel:
pid
No need to restore nginx config, skipping.
_clearupdns
dns_entries='example.com,_acme-challenge.example.com,authfr.example.net,dns_acmedns,cr4FXO_NNGSdAP30F3pAfct4v53gAJk3I6_x_K2FXUs,/root/.acme.sh/dnsapi/dns_acmedns.sh '
Removing DNS records.
d='example.com'
txtdomain='_acme-challenge.example.com'
aliasDomain='authfr.example.net'
_currentRoot='dns_acmedns'
txt='cr4FXO_NNGSdAP30F3pAfct4v53gAJk3I6_x_K2FXUs'
d_api='/root/.acme.sh/dnsapi/dns_acmedns.sh'
Removing txt: cr4FXO_NNGSdAP30F3pAfct4v53gAJk3I6_x_K2FXUs for domain: authfr.example.net
Using acme-dns
fulldomain authfr.example.net
txtvalue cr4FXO_NNGSdAP30F3pAfct4v53gAJk3I6_x_K2FXUs
Successfully removed

Am I doing somethin wrong of maybe I hit a bug ?

Thanks !
Pigi_102

2

It looks like that CNAME is not working as expected. Without the actual domain names it is difficult to say. But, a request to:
_acme-challenge.example.com should follow the CNAME to authfr.example.net
I'm not sure why you have _acme-challenge.example or if that is a typo but that is what you should review.

I am not certain you needed to do that. The correct CNAME should be all you need. Your ACME Client will be placing a TXT record at authfr.example.net

3 Likes
3

Sorry, my fault.
The CNAME I have created is:
_acme-challenge.example.com CNAME authfr.example.net
to allow the --domain-alias option to work ( as explained in the wiki page ).
I need to "delegate" the DNS-01 challend for example.com to example.net
The request to follow works as expected ( I' ve checked with dig ).
Being that I'm going to use the acmedns plugin ( I have no way to use API to add the TXT record on both registrar, but on example.net I can add an NS record but I cannot add this record to example.com ).
For my understanding ( and I have verified this on example.com when it was on the old registrar ) when you use the acmedns plugin you are required to insert the NS record to allow acme.sh to add the required TXT record on the DNS server ( in this case acmedns process ) as asked by LE.
My understanding is:

  1. acme.sh contact LE asking for the TXT value to add.
  2. LE reply with the value, and wait for it to "come alive".
  3. acme.sh, using the acmedns plugin add the txt record and "ask" LE to check it for verify.
  4. LE query his DNS server for who has this TXT record and check for it.

To allow the step nr. 3 acmedns process ( or program ) to work, the only way is to have an authoritative DNS for the domain you are working on.
If the authoritative NS is the registrar one, and you cannot add it via API, the only way is by hand ( wich is not what you want as you are trying to automate the procedure ).
This configuration, as told, has worked every time for me on all configuration, but this time there is a complication: I cannot add an NS record on example.com, so I decided to try the "delegation" way.
For this there are two way:

  1. you use --challenge-alias but this need to have an NS record on example.net which is exactly called _acme-challenge.example.net but I already have one of this, as also example.net has a wildcard certificate and is using the procedure I have descibed before.
  2. you use the --domain-alias which does not need the _acme-challenge.example.net but can use whatever hostname you prefer, and ( almost ) use the before procedure.
    Difference in this step # 2 is that you alse need to create the _acme-challenge.authfr.example.net pointing to what acme.sh tell you ( after having register the record on the acme-dns.io DNS.

Probably there is a third option, that could simplify a bit the step #2 but allows to override limitation of #1.
I can ( and would ) try to use the --challenge-alias option but on a subdomain of example.net.
In this way I should be asked to register the _acme-challenge.authfr.example.netdirectly on theexample.net`registrar ( avoiding the need to have it in acmedns program/process.

I'm not sure I've been able to explain as english is not my native language, but I hope :slight_smile: