DNS challenge question for user owned domains

My question isn’t about a specific domain, but rather to better understand the process by which you use dns-01 to validate a domain, and whether the steps can be separated.

I’ll list out my desired process below.

  • Client registers custom domain to replace their subdomain.application.com
  • We begin a DNS challenge, requesting the TXT record value from Let’s Encrypt
  • We return that TXT record to the client, with instructions on how to update/add the entry
  • We have a process that periodically checks the _acme-challenge TXT entry to see if it’s present/valid (based on what was previously returned)
  • When that check returns positive, we finalize the authorization and get the appropriate cert files from Let’s Encrypt, allowing us to deliver secure content over their domain (or subdomain) that is pointing to our application via CNAME.

The issue with this is that since we’re relying on our users to update their DNS entries, it can take anywhere from hours to days for the TXT record to be put in place. At the moment, I’m having trouble finding out how to “split” the DNS challenge process into two individual requests: requesting the record value, and authenticating the record value.

Is this even possible with Let’s Encrypt/ACME, or should I look for another solution?

Let the user make a CNAME _acme-challenge to a record in one of your own zones, and change this record to the desired challenge response.


I love this idea - it would solve the reauthorizing problem as well.

I wasn’t aware you could set a CNAME for a subdomain and have the TXT entry at the location the CNAME points to. If that works then this is definitely the end-all solution to my problem.

I don’t believe that solves the issue. It seems the concern is that clients will take considerable amounts of time to enter this, and thus the question is how to split up the receiving of an authz and asking for its verification.

I’m not sure if certbot can do this, it will probably take a different, or custom-coded, ACME client.


If I am able to do what tob indicated, and somehow pass along the TXT request via CNAME to a DNS server that I own, I could update that automatically after the initial CNAME is created.

I wouldn’t have to start the Let’s Encrypt process until after the CNAME is already present.

Unfortunately I’m not sure how to do what tob suggested; I’ve tried a few tests and I’m not able to get it working.

Hey guys, just wanting to tie this off: I was able to solve this with what tob suggested initially. I’ll need to set up a dedicated DNS host so I can programmatically add/update the required TXT entries, but this brings all of the validation for their domains into my environment.

You guys are lifesavers!

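As an added illustration of the delegation tob suggested and the periodic check from step 4 of the original process (not code from this thread or from Let’s Encrypt), the snippet below models the two decisions the operator has to make: has the customer’s `_acme-challenge` CNAME landed in our zone yet (so the ACME order can be started), and is the expected TXT value visible when the chain is followed. The DNS data is a constructed in-memory table; `OUR_ZONE`, the record names and the token value are placeholders, and a real deployment would replace the table lookup with a resolver library.

```python
from typing import Dict, List

# Constructed, in-memory stand-in for live DNS answers (not real records).
# The customer delegates _acme-challenge under their domain via CNAME to a
# record in the operator's zone, which the operator updates programmatically.
OUR_ZONE = "acme.ourapp.example."
ZONES: Dict[str, Dict[str, List[str]]] = {
    "_acme-challenge.customer.example.": {"CNAME": ["cust-123." + OUR_ZONE]},
    "cust-123." + OUR_ZONE: {"TXT": ["expected-challenge-value"]},
    "_acme-challenge.pending.example.": {},          # customer has not added the CNAME yet
    "_acme-challenge.loop.example.": {"CNAME": ["_acme-challenge.loop.example."]},
}
MAX_CNAME_HOPS = 8


def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def cname_target(domain: str, zones=ZONES) -> str:
    """Where _acme-challenge.<domain> currently points ('' if there is no CNAME)."""
    rrset = zones.get(_fqdn("_acme-challenge." + domain), {})
    return rrset.get("CNAME", [""])[0]


def delegated_to_us(domain: str, zones=ZONES) -> bool:
    """True once the customer's CNAME points inside our zone: safe to start the order."""
    return cname_target(domain, zones).endswith("." + OUR_ZONE)


def resolve_txt(name: str, zones=ZONES) -> List[str]:
    """Follow the CNAME chain the way a resolver would, then return the TXT strings."""
    name, seen = _fqdn(name), set()
    for _ in range(MAX_CNAME_HOPS):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        rrset = zones.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"][0]       # resolver restarts the query at the target
            continue
        return rrset.get("TXT", [])
    raise ValueError("CNAME chain longer than %d hops" % MAX_CNAME_HOPS)


def challenge_visible(domain: str, expected: str, zones=ZONES) -> bool:
    """The periodic check: is the expected token visible at _acme-challenge.<domain>?"""
    try:
        return expected in resolve_txt("_acme-challenge." + domain, zones)
    except ValueError:
        return False               # loops and broken chains count as not ready
```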

Can you explain this a bit more?

What did you actually create?

I am still a bit confused about the CNAME for the TXT record.

_acme-challenge.example.com points to your DNS server?

I would have thought it would have made more sense to use the TLS-SNI or HTTP challenge and get the clients to add one CNAME pointing at a web server that you own and can pass challenges with.

Andrei
