We have a small webhosting business which provides services to a number of domains. We have access to some of the DNS providers, and others we don't.
During a "renew", we need to use:
A number of different DNS providers that can use the DNS challenge (e.g. DNS Made Easy, Dreamscape Networks, etc.)
We also need to use HTTP challenges for those domains whose DNS we don't have access to
If we use something like dns-multi, we need to change the configuration file each time a new domain name is added.
Is it possible for certbot to determine which challenge to use? For example, it could query DNS NS records and make a determination from there, based on a "mapping" file (e.g. "ns10.dnsmadeeasy.com" uses "certbot-dns-dnsmadeeasy")
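The NS-record lookup and mapping file described in the question, as an added example that is not part of the original post and not a Certbot feature: the resolver is a constructed stand-in so the script runs offline (swap in a real lookup for production), and the credentials path and webroot directory are assumptions.

```python
"""Pick a Certbot authenticator per domain from the zone's NS records.

Added example, not from the thread. DNS answers are constructed inline so
this runs offline; replace fake_resolve_ns with a real resolver in use.
"""
from typing import Callable, Dict, List, Optional

# Nameserver hostname suffix -> certbot DNS authenticator plugin.
# Only the DNS Made Easy entry comes from the question; extend as needed.
NS_TO_PLUGIN: Dict[str, str] = {
    "dnsmadeeasy.com": "dns-dnsmadeeasy",
}

# Constructed NS data standing in for real DNS answers (assumption).
FAKE_NS: Dict[str, List[str]] = {
    "farq.co.nz": ["ns10.dnsmadeeasy.com.", "ns11.dnsmadeeasy.com."],
    "other.example": ["ns1.some-registrar.example."],
}


def fake_resolve_ns(name: str) -> List[str]:
    """Stand-in resolver: NS hostnames for an exact zone name, else []."""
    return FAKE_NS.get(name, [])


def zone_nameservers(domain: str, resolve_ns: Callable[[str], List[str]]) -> List[str]:
    """Walk up the labels until a zone with NS records is found.

    NS records live at the zone apex, so www.farq.co.nz is answered by farq.co.nz.
    """
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never query the bare TLD
        ns = resolve_ns(".".join(labels[i:]))
        if ns:
            return [n.rstrip(".").lower() for n in ns]
    return []


def choose_plugin(domain: str, resolve_ns=fake_resolve_ns) -> Optional[str]:
    """Return the DNS plugin for the domain, or None to fall back to HTTP-01."""
    for ns in zone_nameservers(domain, resolve_ns):
        for suffix, plugin in NS_TO_PLUGIN.items():
            # Match on label boundary so "evil-dnsmadeeasy.com" cannot match.
            if ns == suffix or ns.endswith("." + suffix):
                return plugin
    return None


def certbot_args(domain: str, webroot="/var/www/html", resolve_ns=fake_resolve_ns) -> List[str]:
    """Build the authenticator arguments to pass to certbot for this domain."""
    plugin = choose_plugin(domain, resolve_ns)
    if plugin:
        # Credentials file path is an assumption; keep it mode 0600.
        return [f"--{plugin}", f"--{plugin}-credentials", f"/etc/letsencrypt/{plugin}.ini", "-d", domain]
    return ["--webroot", "-w", webroot, "-d", domain]
```

A wrapper would call `certbot_args()` per domain and append the result to `certbot certonly`, so adding a customer only means adding their nameserver suffix to `NS_TO_PLUGIN` if they use a new provider.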
Hello @rego, welcome to the Let's Encrypt community.
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Apologies. Because this is a "generic query", rather than domain specific, I didn't complete the form, and I'm not sure how to complete it, because it is a generic query. Perhaps I have posted this in the wrong section, for which I also apologise in advance. I can provide the information in the form, but it will be one snapshot, which is not what my question is about.
My domain is: farq.co.nz
I ran this command: certbot renew
It produced this output: The output is as expected.
My web server is (include version): n/a - certificate only generation
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is: self
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0 BUT migrating to certbot 5.1.0
No, it isn't. And, I'm not aware of any ACME Client that does that.
Would you explain more about that? Because to automate a DNS challenge means you need a password or security token for the API of that DNS system. That is needed to add/delete the required TXT record. Are all your customers willing to give those to you? It seems unlikely to me.
For some use cases it works to have your customer delegate the challenge record to a DNS system you control. For example, have them add (once) a CNAME like
We only use the DNS challenge on those that we have access to and it works fine. The others (which we don't have DNS access to) we have to use an HTTP challenge.
I'm conscious of being overly self-promoting here, but it's possible to use the Managed ACME feature of Certify Management Hub to do this from most normal ACME clients (the hub will decide which pre-defined managed challenge config to use based on each "domain match" rule). https://docs.certifytheweb.com/docs/hub/ You can also just use the hub or an agent to get/update your certs, but we don't currently have Apache/nginx integration to auto-update web server config with the final certs. You can try out the hub etc. via Docker or by directly installing on Linux/Windows. Feedback appreciated.
So, yes there is a way to do this, but probably not with certbot.