DNS challenge text records

I'm a bit unsure on how to correctly set up the DNS text records for wildcards on subdomains.

Let's say I want a cert for the following.
example.com
*.example.com
*.hosting.example.com

Is this the correct way to set the DNS text records? It's the last one I'm really unsure of.
_acme-challenge.example.com=
_acme-challenge.example.com=
_acme-challenge.hosting.example.com=

Thanks in advance for any help on this.

Al


Sorry, the site stripped off the value part; it looks like this:

_acme-challenge.example.com=token1
_acme-challenge.example.com=token2
_acme-challenge.hosting.example.com=token3

Correct. Even though the wildcard and non-wildcard hostnames have the same challenge hostname, they indeed have different tokens, and both have to be present.

And then there's also the extra hostname for the hosting subdomain, which also needs to be present.

That said, it's recommended to automate the dns-01 challenge, because that's the whole idea behind Let's Encrypt. Automation.

3 Likes

Osiris,
Thanks for the clarification.

I'm trying to automate the DNS challenge but unfortunately my ISP doesn't provide me the ability to update DNS and I have to send them an email for the requested changes and wait up to 24 hours for the changes to be provisioned.

My plan is to automate the sending of the email requesting the DNS changes and then poll the authorization every 30 or 60 minutes for up to 24 to 36 hours.

Once the validation process passes or fails I will continue with processing the certificate or marking it as a failure.

I know it seems a bit clunky but it's the best I can do as there is no way to change our ISP and they have no intention of updating their systems in the near future to provide me remote access.

1 Like

I wouldn't recommend relying on such a system - Let's Encrypt has considered in the past to shorten the maximum authorization lifetime to 7 hours, which you would definitely have problems with. They didn't go forward on the idea as of today, but the general expectation is that you should be able to complete a DNS challenge in a few hours max.

It should be noted that the dns-01 challenge allows for CNAMEs to be used: You can delegate the _acme-challenge.... FQDNs you're interested in to a different domain, hosted by a different DNS provider (which has API access). You then deploy the token there, independent of whatever your ISP does. You only have to deploy a CNAME at your ISP once.

This technique is used by the acme-dns project, which is essentially a lightweight DNS server designed to only answer dns-01 validation requests.

6 Likes

Perhaps just a terminology problem but normally your domain registrar is where you configure the DNS provider. It is not the "ISP". It would be unusual for your registrar to block the use of a different DNS provider.

If you can change the DNS provider to one that offers an API (many do) that would be the easiest way forward.

That said, is this some comprehensive hosting package you have? If so and they don't offer an easy way to allow certs (HTTPS) that is a big shortcoming. If a different service is not possible maybe add a CDN in front of it that will provide HTTPS to the end user-agent.

3 Likes

For what it's worth, that discussion was only about the reuse after authorization, not about the time between creating an order and checking the authorization. That time (at least as of that discussion) was 7 days, and I think there was recognition that that couldn't be reduced significantly due to wonky DNS setups like the one mentioned here.

But I'll second the recommendation for acme-dns. Or, maybe you could see if you could get away without needing wildcard certificates and thereby being able to use an easier challenge type. (Few people actually need a wildcard certificate, and just automatically getting separate certificates for each name can sometimes be easier even though it ends up with more certificates.)

5 Likes

Oh no that's no good for me...

I'll look into the CNAME

Thanks for your help.

2 Likes

Yes, but it's common to validate multiple names to have on the same cert. For instance, OP seems to want a wildcard which always requires at least two authorizations. When the DNS server provider needs multiple hours for each - which could happen - then it won't work unless you specifically wait for all authorizations to be in place before validating the first one.

2 Likes

It's not that we can't change DNS providers, it's that we won't, as we have a fantastic relationship with our ISP and have been with them for 30 years.

But you have to EMAIL them for DNS RR changes?

I'd cut ties with such ancient companies even if I was with them for 100 years.. You can't have to email to change DNS records in 2024.. How are they surviving among the competition?

I looked into the CNAME path and maybe that can work for me.

My situation is a bit more complex than I originally stated as I want a SAN certificate for multiple domains each structured the same as my original example.

Let's say I need a certificate for the following.
example.com
*.example.com
*.hosting.example.com

example2.com
*.example2.com
*.hosting.example2.com

I'm guessing here because I couldn't find a good example on how to do this.

_acme-challenge.example.com=CNAME cert.example3.com
_acme-challenge.example.com=CNAME cert.example3.com
_acme-challenge.hosting.example.com=CNAME cert.example3.com

_acme-challenge.example2.com=CNAME cert.example3.com
_acme-challenge.example2.com=CNAME cert.example3.com
_acme-challenge.hosting.example2.com=CNAME cert.example3.com

I would register cert.example3.com with a third-party provider and use the API to create the following text records.

_acme-challenge.example.com=token1
_acme-challenge.example.com=token2
_acme-challenge.hosting.example.com=token3

_acme-challenge.example2.com=token21
_acme-challenge.example2.com=token22
_acme-challenge.hosting.example2.com=token23

Am I on the right track here or barking up the wrong tree?

Thanks
Al

1 Like

Almost. You've got the CNAMES correct, but then you'd use the third-party DNS provider's API to set:

cert.example3.com in TXT token1
cert.example3.com in TXT token2
cert.example3.com in TXT token3
cert.example3.com in TXT token21
cert.example3.com in TXT token22
cert.example3.com in TXT token23

Or, more specifically, you'd use your ACME client's integration with that third-party provider's API to set those TXT records for you.

2 Likes

How many domain names in the same cert? Because there is a limit to how many TXT records Let's Encrypt will tolerate in the DNS. From here: Challenge Types - Let's Encrypt

You can have multiple TXT records in place for the same name. For instance, this might happen if you are validating a challenge for a wildcard and a non-wildcard certificate at the same time. However, you should make sure to clean up old TXT records, because if the response size gets too big Let’s Encrypt will start rejecting it.

When choosing the CNAME target maybe split your target name into groups to keep below, say, 20 TXT records outstanding at one time. Easier to split now than later.

Some ACME Clients place all the TXT records at once and others serialize it so that's a factor too. Certbot is all at once, for example.

4 Likes
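As an added illustration of the two replies above (this is example code, not from the thread, Let's Encrypt or any ACME client), the script below models the placement rule: each identifier's `_acme-challenge` name is followed through its CNAMEs to the owner that actually has to hold the TXT record, wildcard and base name share one owner, and the per-owner count is checked against a configurable ceiling like the 20 suggested above. The CNAME data is a constructed in-memory stand-in for real zone lookups, and `dns01_txt_value` shows the RFC 8555 record content (it is a digest of token and account-key thumbprint, not the raw token the thread writes as `token1`); the thumbprint argument is a placeholder.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed CNAMEs as they would sit in the ISP-hosted zones (owner -> target).
CNAMES = {
    "_acme-challenge.example.com": "cert.example3.com",
    "_acme-challenge.hosting.example.com": "cert.example3.com",
    "_acme-challenge.example2.com": "cert.example3.com",
    "_acme-challenge.hosting.example2.com": "cert.example3.com",
}

# Identifiers from the order discussed in the thread.
IDENTIFIERS = ["example.com", "*.example.com", "*.hosting.example.com",
               "example2.com", "*.example2.com", "*.hosting.example2.com"]

def challenge_name(identifier):
    """_acme-challenge owner for an identifier; a wildcard validates at its base
    name, so '*.example.com' and 'example.com' share one owner (two TXT records)."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"

def resolve_cname(name, cnames, max_hops=8):
    """Follow CNAMEs to the name that must actually hold the TXT records.
    A CNAME owner cannot carry TXT data itself, so records go to the chain's end."""
    seen = []
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or over-long chain at {name}")
        seen.append(name)
        name = cnames[name]
    return name

def dns01_txt_value(token, account_thumbprint_b64url):
    """RFC 8555 s8.4: TXT data is base64url(SHA-256(token '.' thumbprint)).
    The thumbprint here is whatever the caller passes (placeholder in tests)."""
    key_authz = f"{token}.{account_thumbprint_b64url}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def plan_txt_records(identifiers, cnames, limit=20):
    """Group identifiers by the owner that receives their TXT record and report
    owners whose outstanding record count would exceed `limit`."""
    per_owner = defaultdict(list)
    for ident in identifiers:
        per_owner[resolve_cname(challenge_name(ident), cnames)].append(ident)
    over = {owner: len(ids) for owner, ids in per_owner.items() if len(ids) > limit}
    return dict(per_owner), over
```

Running `plan_txt_records(IDENTIFIERS, CNAMES)` puts all six records on `cert.example3.com`, which is exactly the layout in the reply above; pointing that target at yet another CNAME would push the records one hop further, which is why TXT data belongs directly at the delegation target.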

Awesome!

Thanks for helping me understand this, I think I may be able to get it working now.

Al

3 Likes


@TonyStark Please do not post in multiple topics. I moved your other post into its own thread. Please continue there.

3 Likes

Hi Mike,

I think I can do that; my question is, can I use CNAMEs for this as well?

Sorry if I mess this up but I don't really have much experience with DNS.

In my new third party DNS provider that has an API I do the following:
Create an A record for example3.com
Create a CNAME for example1.example3.com pointing to the A record of example.com
Create a CNAME for example2.example3.com pointing to the A record of example.com

At my existing DNS provider (my ISP) I add the following text records:
_acme-challenge.example.com=CNAME example1.example3.com
_acme-challenge.example.com=CNAME example1.example3.com
_acme-challenge.hosting.example.com=CNAME example1.example3.com

_acme-challenge.example2.com=CNAME example2.example3.com
_acme-challenge.example2.com=CNAME example2.example3.com
_acme-challenge.hosting.example2.com=CNAME example2.example3.com

Now this is the part I'm a little confused on.
What would the text records on the third party DNS provider look like in this case? Do they get put on example1.example3.com and example2.example3.com or would they be placed on example3.com?

Thanks again to everyone for all the help on this.

Al

Why would you require CNAMEs in the DNS zone of your API enabled third party DNS provider?

The idea is that you'd put the TXT RRs there directly.

Because
[MikeMcQ] > "When choosing the CNAME target maybe split your target name into groups to keep below, say, 20 TXT records outstanding at one time. Easier to split now than later"

So I assumed I needed to group things into separate sub domains as in my example.
I used CNAMES because I don't have any other available IP addresses for the example3.com domain.

Al