Clarification re DNS Challenges

My domain is: <hidden, not relevant>

I ran this command: not relevant

It produced this output: extensive, nothing unusual or unexpected

My web server is (include version): Exchange 2010 / IIS 7.0

The operating system my web server runs on is (include version): SBS2011 (i.e. Windows Server 2008r2)

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): yes (i.e. PowerShell)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a (using poshacme)


I've succeeded in setting up and using a wildcard cert with poshacme and DNS challenges. But I have a conceptual question.

Exchange, when running as part of SBS, needs several names listed in the cert. At a minimum:

In addition, exchange by default uses the same cert for IMAP and SMTP connections, which means it has to list mydomain.com as well (or whatever the MX record says).

So far so good, but there's a gotcha: I can use a wildcard cert, but it's a real PITA as there's a lot of manual configuring of the IMAP and SMTP services.
OR
I could create a cert listing all the needed sites. This is where I go off the rails.

PS C:\Windows\system32> new-pacertificate 'remote.mydomain.com', 'autodiscover.mydomain.com' -accepttos -contact admin@mydomain.com

Please create the following TXT records:
------------------------------------------
_acme-challenge.remote.mydomain.com.ca -> jaNmIJ.....XPc
_acme-challenge.autodiscover.mydomain.com -> m8lst...2eI
------------------------------------------

Press any key to continue.:

Here (finally) is my actual question:

I don't have a DNS zone for remote.mydomain.com into which to add an _acme-challenge TXT record. Ditto for autodiscover. The zone I have is simply mydomain.com. Is the idea that I create these DNS zones, add the TXT records, let the challenge complete, and then delete both the TXT records and the zones? Surely this is a very complex and time-consuming way to go about this!

Am I missing some easier method?

1 Like

Hi @evenmoreconfused

You have one. If there is no special DNS zone, the mydomain.com zone is the place to create an entry

_acme-challenge.remote.mydomain.com

Same with www via dns validation, that would require a

_acme-challenge.www.mydomain.com

entry.

2 Likes

Thanks for responding so quickly -- clearly easy once one understands!

This may be a Windows vs Linux thing, because in Windows DNS you enter only the host name in the table, not the FQDN. I'll try adding a TXT record _acme-challenge.remote and see if it likes it.

As it happens we use name servers on both Windows and Linux boxes, so I can always temporarily turn off the (master) Windows one, promote a Linux one to master and follow your method.

Thanks again

1 Like

I think it would be weird if something like this isn't possible.

2 Likes

So for the record, this solution works perfectly, both in Windows DNS, and at No-IP, another DNS we use.

Silly how blinkered one can be until the obvious solution is pointed out.

4 Likes

Yep, it's more a question of the DNS menu. Most user interfaces add the zone name, so

_acme-challenge.remote

is enough.

1 Like
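A worked version of what the thread arrives at, as an added example that is not from any poster: the TXT records go into the existing mydomain.com zone under the relative names `_acme-challenge.remote` and `_acme-challenge.autodiscover`, are checked from outside before Posh-ACME is told to continue, and are deleted afterwards while the zone stays. It assumes a Windows DNS server where `dnscmd.exe` is available (it is on Server 2008 R2), an elevated PowerShell on that server, and constructed placeholder tokens in place of the real ones New-PACertificate prints.

```powershell
# Added example (not from the thread). Assumes dnscmd.exe on the Windows DNS
# server that is authoritative for $Zone, run from an elevated PowerShell there.
$Zone = 'mydomain.com'                 # the only zone that exists (constructed)
$Challenges = @{                       # FQDN -> token from New-PACertificate (constructed placeholders)
    'remote.mydomain.com'       = 'jaNmIJ-placeholder-XPc'
    'autodiscover.mydomain.com' = 'm8lst-placeholder-2eI'
}

function Get-RelativeChallengeName {
    param([string]$Hostname, [string]$ZoneName)
    # "_acme-challenge.remote.mydomain.com" -> "_acme-challenge.remote"
    # (the name the Windows DNS console expects; no new zone is created)
    $fqdn = "_acme-challenge.$Hostname"
    if ($fqdn -notlike "*.$ZoneName") { throw "$Hostname is not inside zone $ZoneName" }
    return $fqdn.Substring(0, $fqdn.Length - $ZoneName.Length - 1)
}

# 1. Create the TXT records in the parent zone.
foreach ($h in $Challenges.Keys) {
    $name = Get-RelativeChallengeName -Hostname $h -ZoneName $Zone
    & dnscmd.exe /RecordAdd $Zone $name TXT $Challenges[$h]
}

# 2. Check from a public resolver (not the LAN cache) before pressing a key in
#    Posh-ACME; a record that is only in the local cache will fail validation.
foreach ($h in $Challenges.Keys) {
    $out = & nslookup.exe -type=TXT "_acme-challenge.$h" 8.8.8.8 2>&1
    if ($out -match [regex]::Escape($Challenges[$h])) {
        "OK   _acme-challenge.$h"
    } else {
        "WAIT _acme-challenge.$h not visible yet (TTL / secondary replication)"
    }
}

# 3. After the certificate is issued, remove only the records; the zone stays.
#    Uncomment once issuance has completed:
# foreach ($h in $Challenges.Keys) {
#     $name = Get-RelativeChallengeName -Hostname $h -ZoneName $Zone
#     & dnscmd.exe /RecordDelete $Zone $name TXT $Challenges[$h] /f
# }
```

On a secondary served from a Linux box the same relative names apply; only the master needs the change, and the check in step 2 confirms the secondaries have picked it up.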
