I don't see the CNAME there ...
sorry, my bad. I removed it while I worked on some other things. I have placed it back as it doesn't interfere with my other modifications.
I hope that you are testing against staging - LOL
that's what --dry-run does...right? Pretty sure the logs showed "staging" in the acme server name...
Yes, "--dry-run" is good for that.
Yes, I had to look all the way up.
None of the logs shown showed staging.
I didn't include the earlier parts of the log since that had nonces and such which I didn't know were sensitive or not...
--dy-run is for testing
You can hammer away at it!
I was testing locally on an example with SiteA CNAME to SiteB.
But I fear that not all DNS servers are created equal - and they may not react in the same way.
In my test, I can get the fake DNS server to respond via the CNAME; As it has both zones [fake and real one] and although it does return the "CNAME" and the "TXT" record, it should be authoritative response and meet the challenge.
But I'm a glutton for punishment and like to reinvent perfectly good working wheels as often as possible - LOL
My best advice is to use another client.
I guess the short answer is that certbot and the corresponding rfc2136 plugin don't support this use case with CNAMEs (yet)? I'm glad I posted instead of spending another 12 hours working on it!
Yeah, acme.sh calls this DNS alias mode, and there's nothing like it built into Certbot that I know of. But that may be a term that other clients might use, too. But like the forum post you linked to in your first message says, you may be able to just write your own certbot manual authentication script to do whatever you need to, if you want to stick with tried-and-known certbot.
and this is the piece I was still missing...I'll take a look at the acme.sh script...I didn't know how to pick from the long list, but you've provided enough of a nugget to look into.
through my reading, I learned that dnssec requires additional hoops for these dynamic updates to continue working. I've already modified my "flow" (it's not significant) to do http challenges for these names. That said, I'm still interested in this overall approach.
See also this as of yet unfixed issued at Certbots github repo: Allow updating domain pointed to by CNAME in DNS plugins · Issue #6566 · certbot/certbot · GitHub
yes! That's another one...started 4 years ago...it probably isn't happening
lol, was looking through my notifications and I guess I'm following myself by 3 years:
For those who stumble across this, I've implemented my http challenge setup since I have a web server on my mail server for now. I configured mail.example.com virtual hosts and run the http challenge there, which configures the certificate just fine.
I'll probably still dig into acme.sh for some closure.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.