Certbot dns validation specify different domain

jacobdevans · March 14, 2018, 1:33pm

I am looking options to support alternate domains for the api endpoints when doing dns validation.

Let me explain.
I have a customer, they use unsupported vendor for DNS, but want to use letsencrypt wildcard certs, since a big win of letsencrypt is automation, using --manual each time isn’t an option, and neither is moving NS providers.

What we can do is add a CNAME to another zone which we can use any existing provider with a supported API, only downside is none of the dns providers in certbot (for example) support a different domain than the cert requested.

Process:
User runs certbot to setup the account, they specify their domain -d example.com -d *.example.com and have an existing CNAME of _acme-challenge.example.com IN CNAME acme-api.example.net
I want to add the TXT validation records to cname target acme-api.example.net instead of _acme-challenge.example.com

I’m thinking a command line option is all I would need, nsone for example.

--dns-nsone-credentials ~/.secrets/certbot/nsone.ini
--dns-nsone-propagation-seconds 60
--dns-nsone-delegated-zone acme-api.example.net

Answer:
acme.sh - https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
certbot - https://github.com/certbot/certbot/pull/5350

stevenzhu · March 14, 2018, 1:43pm

Hi,

If this is the case, can you please provide us the DNS provider that you wish to add automation?

Thank you

jacobdevans · March 14, 2018, 1:44pm

Did you ready the post? I’m not looking to add a dns provider, looking to support specifying an alternate domain for the existing providers.

stevenzhu · March 14, 2018, 1:49pm

Hi,

Please at least share the DNS provider (unsupported vendor) name so people can know if an automation is available.

jacobdevans · March 14, 2018, 1:51pm

not relevant, what if the customer refuses to provide api access to the dns system or the dns provider cannot scope api types to only TXT or only specific subdomains.

jacobdevans · March 14, 2018, 1:51pm

This would also allow web providers to take www in cname hosting-platform.example.net and issue certs with dns.

sahsanu · March 14, 2018, 2:58pm

Hi @jacobdevans,

Yes, you can do it already, I wrote a post showing an example here,

Regarding the lack of DNS providers supported by certbot, you can always write your own script to talk to your DNS provider API or you could use lexicon, this tool supports a lot of DNS providers and @_az has a wonderful page that explains all the steps to use lexicon with certbot-auto, you just select the DNS provider and it creates all the commands, scripts for you ;).

Cheers,
sahsanu

Patches · March 14, 2018, 6:21pm

acme.sh has this feature if you need it now:

There is a similar feature for certbot that is currently undergoing review, so this should be possible in a future Certbot release as well.:

github.com/certbot/certbot

Overriding the default challenge domain in DNS authenticators

certbot:master ← quinot:topic/dns-follow-cnames

opened 07:24PM - 25 Dec 17 UTC

quinot

+436 -255

Support a new option --dns-<plugin>-follow-cnames whereby certbot will follow a… (chain of) CNAME record(s) at the challenge domain (_acme-challenge.<domain>) and instead update the target domain. Independently of this option, this change also incidentally fixes the possibly uncommon use case where _acme-challenge is itself a delegation apex (previously the RFC2136 plugin would generate an update for the wrong zone in that case).

jacobdevans · March 16, 2018, 12:58pm

I’ll take a look at acme.sh, I’m fully aware and understand how the txt validation and cname/dname’s work. I simply wanted a way to override the domain that is updated via the dns-api.

edit: the PR mentioned is exactly what I am looking for, thank you.

system · April 15, 2018, 12:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.