CNAME should point to dynamic DNS service


#1

Hi,

thank you for all your work on this fascinating project.

I’ve already read that there are limits to the use of subdomains with Let’s Encrypt.
We are a small sports club of around 200 members of all ages.

Hosting on a dedicated root server would be too expensive. Therefore we want to self-host.
Buying just a domain and web space is also expensive because of the photo and video content.
We would also like to sync locally in our LAN.

On our self-hosted web server we would like to host ownCloud and Joomla.
We already bought a Banana Pi and installed Apache, phpMyAdmin and MySQL.

We usually use dtdns.com as our DynDNS service.
But I’ve read something about a list. Could you point me to which dynamic DNS service provider is adapted to Let’s Encrypt and has a Debian client or a working bash script?
Thank you very much. I am looking forward to using Let’s Encrypt for the first of hopefully many times.

With kind regards, webminbw


#2

Hello @webminbw,

The list is the Public Suffix List and these are the contents of the list.

Checking the list I can see several dynamic DNS services added: dyndns.com, duckdns.org, dynv6.net, etc. Being in that list doesn’t mean that Let’s Encrypt will use the latest version of the list. Let’s Encrypt updates the PSL they use from time to time, so maybe a dynamic service is already added to the official PSL but not on Let’s Encrypt’s side.

That said, I know for sure that you won’t have any issue using duckdns.org: it is free, it is included in the PSL used by Let’s Encrypt and you can use it on any Linux machine; there are a lot of ways to update your current IP.

Now my recommendation: buy a domain (there are domains for just 0,88$) or, even better, get a free domain from Freenom and create a CNAME record pointing your new domain to your dtdns domain. That way you don’t need to worry about the PSL, about hitting the rate limit because your dyn DNS service is not included in the list, etc. The only thing you should worry about is not hitting the rate limit for your domain, which is 20 certificates per domain in 7 days.

I hope this helps.

Cheers,
sahsanu


#3

Have you checked the costs of a VPS? They can be very reasonable (as low as $1/month), so cheaper than self-hosting. I’m not wanting to start a long discussion on the topic here, more just checking that you have considered the alternatives.

That will be the Public Suffix List. dtdns.com doesn’t appear to be in the list, so you may be as well using your own (free) domain name (see http://www.freenom.com/ ).

See the list of alternate clients (which includes 3 bash scripts).


#4

Thank you for your fast replies @sahsanu, @serverco!
That was the list I was looking for.

I will take a closer look at duckdns.org, but I am wondering about @sahsanu’s comment that I should buy a domain. I must not have stated it clearly enough in my first posting. We do have a domain. It is a .de domain hosted at 1und1, one of the bigger German providers. Pointing the CNAME to our .dtdns.com subdomain was what I wanted to do all along.
We already have our e-mail there. Since we don’t have a static IP with our ADSL, I don’t think we should move that. Perhaps when IPv6 is mainstream?

So am I understanding this correctly? I don’t have to use duckdns and can keep using dtdns.com, with the CNAME pointing to our dtdns.com subdomain. That would be really great!

We currently only want to have three subdomains: one for ownCloud (oc), one for testing purposes (testing) and (www) for the main website. With 1und1 as the webhoster, the CNAME is already in place.
Is there a good howto, manpage or tutorial on how to implement that with the CNAMEs with Let’s Encrypt?


#5

If you are running on Debian, then I’d suggest looking at the official Let’s Encrypt client. The documentation can be found at https://community.letsencrypt.org/c/docs and the full documentation at https://letsencrypt.readthedocs.org/en/latest/


#6

Yes, if you already have a domain with a CNAME pointing to your dtdns domain, you don’t need to use any other dyn DNS provider like duckdns.

@serverco pointed to the official doc, which should be enough to issue your certificate. Anyway, I just want to comment that the fact you use a CNAME is irrelevant; you don’t need to take any special step to get your cert.

If you have any doubt or question to issue your cert… you know where we are :wink:

Cheers,
sahsanu.


#7

Thank you for your help. I think I will go with this howto: http://www.tecmint.com/install-free-lets-encrypt-ssl-certificate-for-apache-on-debian-and-ubuntu/


#8

That howto is largely OK.

Note: when it comes to renewal you don’t need to do things manually (as that howto says); you can simply use the letsencrypt renew command: https://letsencrypt.readthedocs.org/en/latest/using.html#renewal


#9
  • After this command

sudo ./letsencrypt-auto --apache -d domain.tld -d subdomain1.domain.tld -d subdomain2.domain.tld -d subdomain3.domain.tld

  • I get these error messages:

Failed authorization procedure. subdomain1.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘’, subdomain2.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘’, domain.tld (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge, subdomain3.domain.tld (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:

  • If you lose your account credentials, you can recover through
    e-mails sent to email@domain.tld.

  • The following errors were reported by the server:

    Domain: subdomain1.domain.tld
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found ‘’

    Domain: subdomain2.domain.tld
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found ‘’

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: domain.tld
    Type: connection
    Detail: Failed to connect to host for DVSNI challenge

    Domain: subdomain3.domain.tld
    Type: connection
    Detail: Failed to connect to host for DVSNI challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Let’s Encrypt
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Let’s
    Encrypt so making regular backups of this folder is ideal.

  • Question

What am I doing wrong? I wanted to use a CNAME, not a DNS A record.
Right now my CNAME settings don’t point yet to the server on which I am installing
Let’s Encrypt. It takes a little while to rsync the web content of 13 GB.
Will changing the CNAME settings solve the problem?

Any advice? Thank you for reading so far and giving it a thought!!

With kind regards,

webminbw


#10

I’m not 100% sure if I understood your setup correctly, but yes, the DNS for the domains you’re trying to request a certificate for needs to point to the server where you’re executing the client. Whether the DNS record for your domain is a CNAME or an A record doesn’t matter.
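As an added example (not written by anyone in this thread), a small preflight check that, for every name you would pass with -d, follows the CNAME chain the way dig does and confirms the address it finally resolves to is the server's public IP before running the client. It assumes dig is installed (bind9-dnsutils on Debian) and that you supply the expected public IP yourself; the host names and addresses in the comments are constructed.

```shell
#!/bin/sh
# check_name NAME EXPECTED_IP RESOLVED
#   RESOLVED is the newline-separated output of `dig +short NAME`: each CNAME
#   hop (ending in a dot) followed by the final A record(s). Only the final
#   IPv4 answers matter for the challenge; whether the path went through a
#   CNAME is irrelevant, exactly as the reply above says.
# Prints one of: ok, mismatch, no-address
check_name() {
  name=$1
  expected=$2
  resolved=$3
  # keep only IPv4 answers; CNAME targets like "club.dtdns.example." drop out
  addrs=$(printf '%s\n' "$resolved" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  if [ -z "$addrs" ]; then
    echo "no-address"          # nothing resolves: typo or record not created
  elif printf '%s\n' "$addrs" | grep -qx "$expected"; then
    echo "ok"                  # the CA will reach this server for NAME
  else
    echo "mismatch"            # still points at the old host (constructed case)
  fi
}

# preflight EXPECTED_IP NAME...
#   Resolves each name with dig and reports; returns 1 if any name is not ok.
#   Example (constructed): preflight 203.0.113.5 www.example.de oc.example.de
preflight() {
  expected=$1
  shift
  failed=0
  for n in "$@"; do
    result=$(check_name "$n" "$expected" "$(dig +short "$n")")
    echo "$n: $result"
    [ "$result" = ok ] || failed=1
  done
  return $failed
}
```

Run preflight before letsencrypt-auto and only proceed once every name reports ok; a mismatch after changing the CNAME usually just means the old record has not expired from caches yet.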


#11

It worked after the update! Thank you!