Certbot dns validation specify different domain


#1

I am looking for options to support alternate domains for the API endpoints when doing DNS validation.

Let me explain.
I have a customer; they use an unsupported vendor for DNS but want to use Let's Encrypt wildcard certs. Since a big win of Let's Encrypt is automation, using --manual each time isn't an option, and neither is moving NS providers.

What we can do is add a CNAME to another zone, which we can host with any existing provider that has a supported API. The only downside is that none of the DNS providers in certbot (for example) support a different domain than the cert requested.

Process:
User runs certbot to set up the account; they specify their domain -d example.com -d *.example.com and have an existing CNAME of _acme-challenge.example.com IN CNAME acme-api.example.net
I want to add the TXT validation records to the CNAME target acme-api.example.net instead of _acme-challenge.example.com

I'm thinking a command-line option is all I would need; nsone for example:

--dns-nsone-credentials ~/.secrets/certbot/nsone.ini
--dns-nsone-propagation-seconds 60
--dns-nsone-delegated-zone acme-api.example.net

Answer:
acme.sh - https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
certbot - https://github.com/certbot/certbot/pull/5350
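The process described above (TXT must land at the CNAME target, not at _acme-challenge.example.com) is easy to get wrong in a hook script, so here is an added worked example in Python, not code from certbot, acme.sh, or the PR linked above. It follows the _acme-challenge CNAME chain the way a resolver would, guards against loops, computes the RFC 8555 dns-01 TXT value, and shows how a hypothetical --manual-auth-hook would use certbot's CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables. The domain names and the in-memory zone data (SAMPLE_DNS) are constructed stand-ins for live DNS answers; the key authorization "token.thumbprint" is a placeholder.

```python
#!/usr/bin/env python3
"""Work out where a dns-01 TXT record has to be published when
_acme-challenge.<domain> is a CNAME into another zone.

Added illustration for this thread, not certbot or acme.sh code. The
names (example.com, acme-api.example.net, loop.example) and the
in-memory zone data below are constructed for the example.
"""
import base64
import hashlib
import os
import sys

# Constructed stand-in for live DNS answers: owner name -> (rrtype, rdata).
SAMPLE_DNS = {
    "_acme-challenge.example.com.": ("CNAME", "acme-api.example.net."),
    "acme-api.example.net.": ("TXT", []),
    # A misconfigured loop, included to exercise the chain-following guard.
    "_acme-challenge.loop.example.": ("CNAME", "b.loop.example."),
    "b.loop.example.": ("CNAME", "_acme-challenge.loop.example."),
}


def canonical(name):
    """Lower-case, fully qualified form so name comparisons are exact."""
    return name.lower().rstrip(".") + "."


def challenge_name(domain):
    """Owner name the ACME server queries for dns-01. A wildcard identifier
    is validated at the base domain's _acme-challenge name (RFC 8555)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return canonical("_acme-challenge." + base)


def follow_cname(name, lookup, max_hops=8):
    """Walk CNAMEs as a resolver does and return the final owner name,
    i.e. the name where the TXT record must actually be written.
    Raises ValueError on a loop or an over-long chain."""
    seen = []
    current = canonical(name)
    while True:
        if current in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [current]))
        if len(seen) >= max_hops:
            raise ValueError("CNAME chain longer than %d hops" % max_hops)
        seen.append(current)
        record = lookup(current)
        if record is None or record[0] != "CNAME":
            return current
        current = canonical(record[1])


def publish_target(domain, lookup=SAMPLE_DNS.get):
    """Name at which the (delegated) zone's API must create the TXT record."""
    return follow_cname(challenge_name(domain), lookup)


def dns01_txt_value(key_authorization):
    """TXT rdata for dns-01: base64url(SHA-256(keyAuthorization)), no padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def main():
    # Hypothetical use as a certbot --manual-auth-hook: certbot exports
    # CERTBOT_DOMAIN and the ready-made CERTBOT_VALIDATION TXT value.
    domain = os.environ.get("CERTBOT_DOMAIN", "example.com")
    value = os.environ.get("CERTBOT_VALIDATION",
                           dns01_txt_value("token.thumbprint"))  # placeholder
    target = publish_target(domain)
    print('create TXT %s "%s" via the API of the zone that owns it' % (target, value))
    # A real hook would call the delegated zone's provider API here and then
    # wait for propagation; with SAMPLE_DNS it only reports the decision.
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The point of following the chain rather than hard-coding a target is that the hook then publishes wherever the operator's CNAME actually points, and a loop or a chain that never reaches a TXT-capable name fails loudly before an issuance is attempted instead of timing out at validation.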


#4

Hi,

If this is the case, can you please provide us the DNS provider that you wish to add automation?

Thank you


#5

Did you read the post? I'm not looking to add a DNS provider; I'm looking to support specifying an alternate domain for the existing providers.


#6

Hi,

Please at least share the DNS provider (unsupported vendor) name so people can know if an automation is available.


#7

Not relevant. What if the customer refuses to provide API access to the DNS system, or the DNS provider cannot scope API tokens to only TXT records or only specific subdomains?


#8

This would also allow web providers to take www in CNAME hosting-platform.example.net and issue certs with DNS.


#9

Hi @jacobdevans,

Yes, you can do it already; I wrote a post showing an example here.

Regarding the lack of DNS providers supported by certbot, you can always write your own script to talk to your DNS provider's API, or you could use lexicon. This tool supports a lot of DNS providers, and @_az has a wonderful page that explains all the steps to use lexicon with certbot-auto: you just select the DNS provider and it creates all the commands and scripts for you ;).

Cheers,
sahsanu


#10

acme.sh has this feature if you need it now:

There is a similar feature for certbot that is currently undergoing review, so this should be possible in a future Certbot release as well:


#11

I'll take a look at acme.sh. I'm fully aware of and understand how the TXT validation and CNAME/DNAME records work; I simply wanted a way to override the domain that is updated via the DNS API.

edit: the PR mentioned is exactly what I am looking for, thank you.


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.