(Cloudflare) certbot DNS plugins and _acme-challenge CNAME

Apologies if I missed this in the documentation, but can I combine:

  • use of a CNAME value for the _acme-challenge.example.com
  • where the A record value of the CNAME is hosted by Cloudflare (in this example).
  • use the DNS cloudflare plugin to manage the challenge response

Our example.com domain is hosted on a very old, manually operated environment where it would be infeasible to do challenge response, so we plan to do so via a separate domain hosted by cloudflare.


It sounds like you may end up putting the response in the wrong domain.
If the challenge is to validate domain1, and you CNAME that to domain2, how will the plugin know to make the entry into domain2?
I don't know enough about the CF plugin to be sure how that should be done correctly.
As long as you can force the entry into domain2, then it will pass.
Of course this should all be tested before moving to production.
Which means you should be using the LE staging environment for all these tests until you get it right.

Hi rg305, thanks for the response. I went through the code and issues list for certbot and it appears the included Cloudflare plugin does not know that the challenge TXT record may exist in a different domain, even though the ACME protocol supports validating via CNAME.

We are going to look into creating our own validation hook, or maybe we will somehow monkey-patch the existing plugin and run it locally.

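One way to build the validation hook mentioned above, as an added example that is not certbot's or Cloudflare's own code: a `--manual-auth-hook` that follows the `_acme-challenge` CNAME chain to find the owner name that actually has to hold the TXT record, then creates it in the delegated Cloudflare zone. `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the variables certbot passes to manual hooks; `CF_ZONE_ID` and `CF_API_TOKEN` are names assumed here for the delegated zone's id and API token, and the live resolver assumes dnspython is installed.

```python
"""certbot --manual-auth-hook that follows the _acme-challenge CNAME.
Added example, not certbot's code. certbot exports CERTBOT_DOMAIN and
CERTBOT_VALIDATION; CF_ZONE_ID / CF_API_TOKEN are names assumed here."""
import json
import os
import urllib.request

def follow_cname(name, lookup, max_hops=8):
    """Final owner name reached from `name`; lookup(n) -> CNAME target or None."""
    seen, current = [], name.rstrip(".").lower()
    while True:
        if current in seen:
            raise ValueError("CNAME loop at " + current)
        seen.append(current)
        if len(seen) > max_hops:
            raise ValueError("CNAME chain longer than %d hops" % max_hops)
        target = lookup(current)
        if target is None:
            return current  # no CNAME: this is where the TXT must live
        current = target.rstrip(".").lower()

def challenge_record_name(domain, lookup):
    """Owner name where the TXT for `domain` must actually be created."""
    return follow_cname("_acme-challenge." + domain, lookup)

def dns_lookup_cname(name):
    """Live resolver (assumes dnspython is installed); target or None."""
    import dns.resolver
    try:
        return dns.resolver.resolve(name, "CNAME")[0].target.to_text()
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return None

def cloudflare_create_txt(zone_id, token, name, content):
    """Create the TXT through Cloudflare's v4 API; returns the record id."""
    body = json.dumps({"type": "TXT", "name": name, "content": content, "ttl": 60})
    req = urllib.request.Request(
        "https://api.cloudflare.com/client/v4/zones/%s/dns_records" % zone_id,
        data=body.encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        result = json.load(resp)
    if not result.get("success"):
        raise RuntimeError(result.get("errors"))
    return result["result"]["id"]

if __name__ == "__main__":
    name = challenge_record_name(os.environ["CERTBOT_DOMAIN"], dns_lookup_cname)
    print(cloudflare_create_txt(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"],
                                name, os.environ["CERTBOT_VALIDATION"]))
```

A matching `--manual-cleanup-hook` should delete the record id printed here, and the loop and hop caps keep a misconfigured chain from hanging the renewal.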
