Can't make _acme-challenge NS record on hover

I’m trying to make a cert for a server on a private IP (but on a domain I own)
Something like this:
https://www.florian-schulze.net/blog/2016/01/30-letsencrypt-certificates-for-private-servers/

I need to "delegate _acme-challenge.localhost.example.com to an IP which is reachable by the Let's Encrypt servers"

I have the server, it’s just hover (my registrar) won’t let me make a glue record with an underscore in it. I’m only pretty sure that “glue record” is the thing I need to make. The “Add a Record” form doesn’t have a “NS” option.

Any tips? Can I make letsencrypt use a different NS name, without an underscore? Or go about using a different method?

Could you explain more about the DNS setup, and provide the domain name and FQDN?

You most likely don’t need to create any NS records.

If you want to get a certificate for localhost.example.com, using DNS-01 validation, you need to create a TXT record for _acme-challenge.localhost.example.com.

You may simply create a TXT record by that name in your zone, or use NS records to delegate it to different DNS server(s), or create a CNAME record to point it at a different name, or do both at once.

If you want to follow that tutorial while dealing with Hover’s limitations, you may be able to do something like:

_acme-challenge.localhost  CNAME  localhost-acme-challenge
localhost-acme-challenge   NS     www

and modify the client to create a TXT record called “localhost-acme-challenge.example.com” instead of “_acme-challenge.localhost.example.com”.
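To make the CNAME trick above concrete, here is an added Python sketch (not from the reply's author or any ACME client) that models what a validator does: follow the CNAME from the underscore name, then look for the expected DNS-01 TXT value at the end of the chain. The zone, token and JWK values are constructed placeholders.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects: base64url(SHA-256(token + "." + JWK thumbprint)) (RFC 8555 s8.4)."""
    # RFC 7638 thumbprint: required members only, lexicographic order, no whitespace.
    canon = json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode()
    thumbprint = b64url(hashlib.sha256(canon).digest())
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode()).digest())

def lookup(zone: dict, name: str, rtype: str, max_hops: int = 8):
    """Resolve like a validator would: follow CNAMEs, then return (owner, records of rtype)."""
    for _ in range(max_hops):
        rrset = zone.get(name, [])
        cnames = [t for (r, t) in rrset if r == "CNAME"]
        if cnames and rtype != "CNAME":
            name = cnames[0]          # a CNAME owner holds no other data; chase the target
            continue
        return name, [t for (r, t) in rrset if r == rtype]
    raise RuntimeError("CNAME chain too long")

def challenge_name(zone: dict, fqdn: str) -> str:
    """Name the (modified) client must write its TXT record to: the end of the CNAME chain."""
    owner, _ = lookup(zone, f"_acme-challenge.{fqdn}.", "TXT")
    return owner

def publish(zone: dict, owner: str, value: str) -> None:
    zone.setdefault(owner, []).append(("TXT", value))

def validate(zone: dict, fqdn: str, token: str, jwk: dict) -> bool:
    """The CA side: does any TXT at _acme-challenge.<fqdn> (after CNAMEs) match?"""
    _, txts = lookup(zone, f"_acme-challenge.{fqdn}.", "TXT")
    return dns01_txt_value(token, jwk) in txts

# Constructed zone: the underscore name is a CNAME to a plain label Hover can manage.
ZONE = {"_acme-challenge.laptop.tarvis.online.": [("CNAME", "laptop-acme-challenge.tarvis.online.")]}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed, not a real challenge token
JWK = {"crv": "P-256", "kty": "EC", "x": "constructed-x", "y": "constructed-y"}  # constructed key

if __name__ == "__main__":
    target = challenge_name(ZONE, "laptop.tarvis.online")
    publish(ZONE, target, dns01_txt_value(TOKEN, JWK))
    print(target, validate(ZONE, "laptop.tarvis.online", TOKEN, JWK))
```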

Hey thanks for answering. This is just for a test/learning exercise, but

I just registered tarvis.online and was going to do:
laptop.tarvis.online -> 192.168.82.25
server.tarvis.online -> 192.168.82.30 (also has a public IP)

The CNAME trick seemed promising, but the UI at my registrar is pretty broken right now. I should just change name servers :slight_smile:

That might be best. Some ACME clients have fully automated integration with the APIs of different DNS providers. You can install the client, configure your username and API key, and create whatever certificates you want.

I looked at the clients I usually check, and didn't see Hover integration in any of them.

Certbot has plugins for several DNS providers (directory listing), but it's not always easy to install them yet. :sweat:

For example, GetSSL (directory listing) and acme.sh have plugins for a number of DNS providers, plus plugins for the lexicon library, which supports even more DNS providers.

I'm not sure I want to shill particular DNS companies too much, but some of them are free, or have free plans, or are paid hosting companies or domain registrars that provide DNS at no extra cost (which may be of less use to you).

Edit: While you can always combine different DNS providers, if you aren't strongly attached to Hover's DNS service, switching entirely may be the simplest choice.

Edit again: This post was largely a digression, since you asked for help with your ACME client, and I kind of suggested switching to a different client. I'd suggest keeping your options open and doing whatever you prefer. :slightly_smiling_face: Which might mean switching clients, or continuing to use your current client and switching to a DNS provider that lets you create NS records with underscores, or something else.

Thanks so much.
I already have accounts at some of the places acme.sh supports!
It’s a huge topic and I’m glad I got pointed in a better direction before spinning my wheels even longer.
