DNS-01 challenge - CNAME/TXT Record incorrect Issue

Hi all,

I'm new to certbot so please forgive any rookie questions/mistakes...

I have setup two servers running certbot with the intention of using them as certificate staging servers for a wildcard certificate which will be distributed to clients on private networks.

In my lab environment I installed certbot (version 0.31.0) on an Ubuntu 18 server, using the DNS-01 challenge (acme-dns-auth.py).

I ran the following command
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.my.domain -d my.domain

I added the generated _acme-challenge DNS entry as a CNAME (as per certbot's instruction) to my public DNS server and it worked a treat: the wildcard certificate and key were provided.

I then set up a test server on CentOS 7 running certbot version 1.11.0 and ran the same command for the same domain:
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.my.domain -d my.domain

and updated the _acme-challenge CNAME entry with the new string, and that also worked; I got the certs.

However, the _acme-challenge is now incorrect for my lab server. So instead of a CNAME entry I changed it to a TXT entry and added both the challenge strings as they were generated when I ran the certbot command.

The result is that the lab machine is now okay. When I run sudo certbot renew --dry-run all renewals succeed, but when I run the command on the lab machine I get the following error:

Any ideas why this is happening and how to fix it?
Thanks in advance

So, if I understand correctly, the situation is as follows:

  • You've got an external domain, e.g. example.com;
  • You've got two actual servers, one for the lab and one "other", e.g. lab.example.net and other.example.net;
  • You've put a CNAME for _acme-challenge.example.com in your DNS zone, pointing to lab.example.net OR pointing to other.example.net, depending on which server you're running certbot, right?

Why did you change the CNAME to manual TXT records when switching back to the lab server? Why not change the CNAME back to lab.example.net? Why the change of resource record? (CNAME -> TXT) The error shows it's still using the acme-dns.io zone, so this suggests it still finds a CNAME. However, without the actual hostname used, we cannot verify that.

Also, I'm not sure how to interpret the two different servers, the "lab server" and "other Centos server". Why those two? Can't you distribute the certificate from just one server to the other?

Hi Osiris,

Thanks for your reply. I may not have explained the issue very clearly.

I have a lab server and a test server in unconnected locations, both of which I am using to request a wildcard certificate that I will distribute to clients on private networks. Both servers are requesting the same certificate, *.my.domain, i.e. I am trying to request the same wildcard certificate from two different servers.

Each server uses a different DNS challenge value, so I need to be able to use multiple values in the _acme-challenge entry for my domain. A CNAME will only allow a single value, whereas a TXT entry allows multiple values on separate lines. The record looks like this:

record name = _acme-challenge.my.domain
Type = TXT
Value = "9e3d1417-49c1-4e26-a7f6-b8194d2549bc.auth.acme-dns.io." (Lab server)
"d955ac17-3a06-43b0-9b23-0c7437b59c0a.auth.acme-dns.io." (Test Server)

The lab server is happy and works with this setup, but the test server doesn't. The test server seems to look at both values and reject both of them as incorrect. The value for the test server is correct.

Hope this clarifies things

By the way, my initial post was missing some important text due to me using angle brackets to enclose it.

That's just the way the DNS system works: only a single CNAME is allowed. And those TXT values are "CNAME redirects" and not the actual tokens required as TXT records for the hostname validation.

I suppose it's not possible to use multiple acme-dns accounts for a single hostname this way. Maybe @joohoi (author of acme-dns) has an idea on how to make this work?

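The replies above make two points: a name can carry only one CNAME, and the values the poster pasted into the TXT record are acme-dns hostnames (CNAME targets), not the base64url SHA-256 digests a CA actually looks for at _acme-challenge. The script below is an added illustration, not code from the thread, certbot or acme-dns: it models the CA's DNS-01 lookup over an in-memory zone (no real DNS is queried) so the three setups discussed can be compared side by side. The two acme-dns hostnames are the ones quoted in the thread; the tokens and account thumbprints are made up, and `my.domain` stands in for the real zone.

```python
import base64
import hashlib
import re

# ACME DNS-01 (RFC 8555 section 8.4): the TXT value is
# base64url(SHA-256(token "." account-thumbprint)), always 43 base64url
# characters with the padding removed. A hostname can never match this.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def key_authorization_digest(token: str, account_thumbprint: str) -> str:
    """Return the TXT value an ACME server expects for a DNS-01 challenge."""
    key_authz = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def resolve(zone: dict, name: str, rtype: str, max_hops: int = 8):
    """Stub resolver over an in-memory zone: chase CNAMEs, then return the RRset.

    Enforces the two DNS rules that matter here: a name has at most one CNAME
    (RFC 2181 section 10.1), and a CNAME cannot coexist with other record types.
    """
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if "CNAME" in rrsets:
            targets = rrsets["CNAME"]
            if len(targets) != 1:
                raise ValueError(f"{name}: {len(targets)} CNAME records, only one is allowed")
            if len(rrsets) > 1:
                raise ValueError(f"{name}: CNAME cannot coexist with other record types")
            name = targets[0].rstrip(".").lower()
            continue
        return name, list(rrsets.get(rtype, []))
    raise ValueError(f"{name}: CNAME chain too long (loop?)")


def check_dns01(zone: dict, domain: str, expected_digest: str) -> dict:
    """Mimic the CA: query _acme-challenge.<domain>, follow CNAMEs, look for our digest."""
    final_name, txt_values = resolve(zone, f"_acme-challenge.{domain}", "TXT")
    result = {"ok": False, "queried_name": final_name, "reasons": []}
    for value in txt_values:
        if value == expected_digest:
            result["ok"] = True
            return result
        if TOKEN_RE.match(value):
            result["reasons"].append(f"{value[:8]}...: a well-formed digest, but not ours (another client's token?)")
        elif "." in value:
            result["reasons"].append(f"{value}: looks like a hostname, i.e. a CNAME target, not an ACME digest")
        else:
            result["reasons"].append(f"{value!r}: not an ACME digest")
    if not txt_values:
        result["reasons"].append(f"no TXT records found at {final_name}")
    return result


def resolver_rejection(zone: dict, domain: str):
    """Return the resolver's error message for a malformed zone, or None if it resolves."""
    try:
        resolve(zone, f"_acme-challenge.{domain}", "TXT")
    except ValueError as exc:
        return str(exc)
    return None


# --- constructed sample data (tokens and thumbprints are invented for this example) ---
LAB_ACMEDNS = "9e3d1417-49c1-4e26-a7f6-b8194d2549bc.auth.acme-dns.io"
TEST_ACMEDNS = "d955ac17-3a06-43b0-9b23-0c7437b59c0a.auth.acme-dns.io"
DIGEST_LAB = key_authorization_digest("lab-token-from-ca", "lab-account-thumbprint")
DIGEST_TEST = key_authorization_digest("test-token-from-ca", "test-account-thumbprint")

# Working setup: a single CNAME, and the acme-dns host holds the real digest.
ZONE_CNAME_TO_LAB = {
    "_acme-challenge.my.domain": {"CNAME": [LAB_ACMEDNS]},
    LAB_ACMEDNS: {"TXT": [DIGEST_LAB]},
}

# The setup from the thread: both acme-dns hostnames pasted in as TXT values.
ZONE_TXT_HOSTNAMES = {
    "_acme-challenge.my.domain": {"TXT": [LAB_ACMEDNS, TEST_ACMEDNS]},
    LAB_ACMEDNS: {"TXT": [DIGEST_LAB]},
    TEST_ACMEDNS: {"TXT": [DIGEST_TEST]},
}

# Invalid zone: two CNAMEs at the same owner name.
ZONE_TWO_CNAMES = {
    "_acme-challenge.my.domain": {"CNAME": [LAB_ACMEDNS, TEST_ACMEDNS]},
}

if __name__ == "__main__":
    print(check_dns01(ZONE_CNAME_TO_LAB, "my.domain", DIGEST_LAB))   # ok: CNAME points at the lab account
    print(check_dns01(ZONE_CNAME_TO_LAB, "my.domain", DIGEST_TEST))  # fails: CNAME still points at the lab account
    print(check_dns01(ZONE_TXT_HOSTNAMES, "my.domain", DIGEST_TEST)) # fails: TXT holds hostnames, not digests
    print(resolver_rejection(ZONE_TWO_CNAMES, "my.domain"))          # rejected: only one CNAME allowed
```

Under this model, the TXT-with-hostnames zone fails for both servers because the CA reads the TXT values literally and never follows them to the acme-dns hosts; only a CNAME causes that redirection. The practical alternatives the thread leaves open are to have one server request the certificate and copy it to the other, or to share a single acme-dns account (its credentials file) between the two servers so that both register their digests at the same acme-dns hostname.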
