thank you for all your work on this fascinating project.
I’ve read already that there are limits to the use of subdomains with lets encrypt.
We are a small sports club of around 200 members of all ages.
Hosting on a dedicated root server would be too expensive. Therefore we want to selfhost.
Buying just a domain and web-space is because of photo and video content also expensive.
We would also like to sync locally in our LAN.
On our self-hosted web-server we would like to host owncloud and joomla.
We already bought a banana pi and installed apache, phpmyadmin, MySQL.
We usually use dtdns.com as our dyndns-service.
But I’ve read something about a list. Could you point me to which dynamic dns-service provider is adapted to lets encrypt and has a Debian client or a working bash script?
Thank you very much. I am looking forward to using lets encrypt for the first of hopefully many times.
Checking the list I can see several dynamic dns services added, dyndns.com, duckdns.org, dynv6.net, etc. being in that list doesn't mean that Let's Encrypt will use the last version of the list. Let's Encrypt updates the PSL they use from time to time, so maybe a dynamic service is already added into the official PSL but not in Let's Encrypt side.
Said that, I know for sure that you won't have any issue using duckdns.org, it is free, it is added into the PSL used by Let's Encrypt and you could use it on any Linux machine, there are a lot of ways to update your current ip.
Now my recommendation, buy a domain (there are domains for just 0,88$) or even better, you can get a free domain from freenom and create a CNAME record pointing your new domain to your dtdns domain. In that way you don't need to worry about PSL, hit the rate limit because your dyn dns service is not inclluded in the list, etc. the only thing you should worry about is to not hit the rate limit for your domain that is 20 certificates per domain in 7 days.
Have you checked the costs of VPS - they can be very reasonable ( they can be as low as $1/month) so cheaper than selfhosting. I'm not wanting to start a long discussion on the topic here, more just checking that you have considered the alternatives.
Thank you for your fast replies @sahsanu, @serverco!
That was the list I was looking for.
I will take a closer look at duckdns.org, but I am wondering about @sahsanu 's comment I should buy a domain. I must have not stated clearly enough in my first posting. We do have a domain. It is a .de-domain hosted at 1und1, being one of the bigger german providers. pointing the CNAME to our .dtdns.com-subdomain was what I wanted to do all along.
We already have our E-Mail there. Since we don’t have a static IP with our ADSL, I don’t think we should move that. Perhaps when IPV6 is mainstream?
So am I understanding this correctly? I don’t have to use duckdns and can keep using dtdns.com with CNAME pointing to our dtdns.com-subdomain. That would be really great!
We currently only want to have three subdomains. One beeing owncloud (oc), one for testing (testing) purposes and (www) for the main website. With 1und1 the webhoster CNAME is already in place.
Is there a good howto, manpage, tutorial on how to implement that with the CNAMES with lets encrypt?
Yes, if you already have a domain with a CNAME pointing to your dtdns domain you don't need to use any other dyn dns provider like duckdns.
@serverco pointed to the official doc that should be enough to issue your certificate, anyway, I just want to comment that the fact you use CNAME is irrelevant, you don't need to take any special step to get your cert
If you have any doubt or question to issue your cert... you know where we are
Failed authorization procedure. subdomain1.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘’, subdomain2.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘’, domain.tld (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge, subdomain3.domain.tld (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge
IMPORTANT NOTES:
If you lose your account credentials, you can recover through
e-mails sent to email@domain.tld.
The following errors were reported by the server:
Domain: subdomain1.domain.tld
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found ‘’
Domain: subdomain2.domain.tld
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found ‘’
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
The following errors were reported by the server:
Domain: domain.tld
Type: connection
Detail: Failed to connect to host for DVSNI challenge
Domain: subdomain3.domain.tld
Type: connection
Detail: Failed to connect to host for DVSNI challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Your account credentials have been saved in your Let’s Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let’s
Encrypt so making regular backups of this folder is ideal.
Question
What am I doing wrong? I wanted to use CNAME not DNS A-Record.
Right now my CNAME-settings don’t point to the server yet onto I am installing
lets enrypt. It takes a little while to rsync the webcontent of 13 GB.
Will changing the CNAME settings solve the problem?
Any advice? Thank you for reading so far and giving it a thought!!
I’m not 100% sure if I understood your setup correctly, but yes, the DNS for the domains you’re trying to request a certificate for need to point to the server where you’re executing the client. Whether the DNS record for your domain is a CNAME or A record doesn’t matter.
