DNS challenge text records

But then you group them again with those second CNAMEs into a single hostname. So you'd still end up with a lot of TXT RRs at a single location, thus potentially causing issues.

And you don't need any A RRs for the dns-01 challenge when working with CNAMEs (assuming otherwise functioning DNS). It works with TXT RRs.

You don't need that at all

You don't need two identical CNAMEs

Not here either (I assume example.2.example part was a typo)

Yes, respectively. Note the CNAME as used here is a redirect, if that helps.

I only noted the concern about "too many" TXT records as you never said how many of these you have. I assume now you do have a lot which is why you've grouped them.

You now have to use an ACME Client that can place the TXT records at the proper place in the example3 zone. I believe lego does that (link here) and acme.sh does in its alias feature. The lego docs link to this Let's Encrypt page which might be helpful for your understanding.

These twists and turns would be eliminated by changing your DNS provider. More complicated setups often have more problems. If not for you then someone later. Be sure to carefully document everything you do for reference later.

Thanks for the update. Like I said, I don't have much experience with DNS; that's why we pay our ISP to do these things.

How would I be able to do this for say 6 to 10 domains?

Al

Thanks for all your help,
I currently have 8 domains and could see this reaching 12, but I don't think I would ever have more than that.

I understand everyone thinks the easy solution is to change my DNS provider, but that's a decision made way above my pay scale.

What would the text record look like for cert.example3.com?

This is what I think, but I'm just guessing.
_acme-challenge.cert.example3.com=token1 (for example.com)
_acme-challenge.cert.example3.com=token2 (for *.example.com)
_acme-challenge.cert.hosting.example3.com=token3 (for *.hosting.example.com)

Thanks again for everyone's help but I'm having a hard time getting my head around all this.

Al

It came up earlier but are you sure you need a wildcard cert?

Because if your list of domain names is fairly static, you could use the HTTP-01 challenge instead. This relies on a webserver to reply to the challenge. Some ACME Clients even have a standalone server in case you don't have one. The HTTP Challenge is generally easier to set up and automate than the DNS Challenge.

Let's Encrypt allows up to 100 names per cert. Although, certs are usually easier to manage in smaller groups. You haven't said much about how you plan to use these certs, so it's hard to give specific advice without knowing that.

My list of samples is static but my real life situation isn't; some may have only 2 domain names and others may have several.

Yes, at first I was able to use http challenges, but the issue came up with things like mail.example.com and autodiscover.example.com. Then things didn't work, and that's when I started looking into DNS challenges.

Trust me, this project has expanded way past where I thought it was going to be, but I'm getting close so that's good.

Al

Yeah, I'd guess because you don't have anything listening on HTTP (port 80) for those names. Which is when using a standalone listener can help, or even setting up a "fake" listener in a web server just for port 80 challenges.

There are also options like caddy server. Or mod_md if using Apache. Both can easily manage HTTP challenges for a wide variety of names (or TLS-ALPN or DNS challenges).

Have you chosen an ACME Client yet? Which is it?

Understood,
I think I resolved this issue by creating A records instead of CNAMEs.

Thanks for the clarification.

How exactly? A records provide IP addresses, not (indirectly) TXT RR?

Guess I wasn't clear.

First, in my new third party DNS provider I removed the CNAME records I created for example1.example3.com that pointed to example3.com.

Then I created A records for
example1.example3.com
example2.example3.com

My ISP DNS has the following text records.
_acme-challenge.example1.com=CNAME example1.example3.com
_acme-challenge.example2.com=CNAME example2.example3.com

What would the purpose of those A RRs be? The only thing Let's Encrypt would be looking for is TXT RRs. It would follow the CNAME to e.g. example1.example3.com and again look for a TXT RR. Those A RRs would be of no use at all.

Unless you need the hostnames e.g. example1.example3.com to be resolvable to an IP address for any other reason than the dns-01 challenge.

Don't I need an A record for example1.example3.com in the third party DNS that has the text records, when on my ISP DNS I have the following text record: _acme-challenge.example1.com=CNAME example1.example3.com?

Otherwise, how would the CNAME on my ISP DNS resolve example1.example3.com?

The original mistake I thought you pointed out was that, because example1.example3.com was originally created as a CNAME pointing to example3.com, all the text records would come from example3.com and not example1.example3.com.

And yes text records are added to example1.example3.com
_acme-challenge.example1.example3.com=token1
_acme-challenge.hosting.example1.example3.com=token2

Are you still saying this is not correct?

No, why would you?

Your ISP DNS would not resolve anything; it would tell the DNS client to fetch the result from the CNAME. Certbot, using some kind of DNS API plugin, would add the required TXT RRs to your third party DNS zone, which then can be fetched.

That's fine, it just doesn't need A RRs.

By the way, if you're adding the TXT RRs to _acme-challenge.example1.example3.com (thus including _acme-challenge), I believe you should also add _acme-challenge.example1.example3.com as the CNAME value, thus also including _acme-challenge. Or don't add _acme-challenge on these items.

Ok, so I can get rid of _acme-challenge; that's good to know. I believe someone else said that but I didn't understand. So the text record key can be example1.example3.com.

If I understand you correctly, when a DNS client contacts my ISP DNS and asks for the acme text file, if the value is a CNAME pointing to example1.example3.com, the DNS client will go to example1.example3.com to query for the text records.

How does the client DNS know where to go? If my third party DNS doesn't have some sort of record (A, CNAME, etc.) for example1.example3.com, then how do they query for the text records?

It won't "go" to that hostname; it will resolve that hostname, which is an entirely different thing. There might not even be a DNS server running on example1.example3.com.

It will "crawl" the DNS from the root up again.

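The resolution path described in the last two replies (the CNAME is followed, the target's A RR is never consulted, and the target name must carry the _acme-challenge label), plus the earlier question about several tokens sitting at one name, as an added toy example that is not part of the thread. The zone data is constructed for illustration and the validator logic is a simplification of what a real ACME CA does; nothing here talks to real DNS.

```python
# Added example (not from the thread): a toy resolver over constructed zone
# data showing how a dns-01 validator reaches TXT RRs through a CNAME.
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]

# Constructed zones; names are lowercase without a trailing dot.
ISP_ZONE: Zone = {
    # Correct: the CNAME target carries the _acme-challenge label too.
    "_acme-challenge.example1.com": [("CNAME", "_acme-challenge.example1.example3.com")],
    # Wrong: target omits _acme-challenge, and the target name holds only an A RR.
    "_acme-challenge.example2.com": [("CNAME", "example2.example3.com")],
}
THIRD_PARTY_ZONE: Zone = {
    # Two tokens at one name: one for example1.com, one for *.example1.com.
    "_acme-challenge.example1.example3.com": [("TXT", "token1"), ("TXT", "token2")],
    # An A RR here does nothing for dns-01; the validator only wants TXT.
    "example2.example3.com": [("A", "192.0.2.10")],
}

def lookup(name: str, rtype: str, zones: List[Zone], max_hops: int = 8):
    """Return (records of rtype, names visited). A CNAME at any step is
    followed, whichever zone it points into; no A RR is ever consulted."""
    visited = [name]
    for _ in range(max_hops):
        rrset = [rr for zone in zones for rr in zone.get(name, [])]
        targets = [v for t, v in rrset if t == "CNAME"]
        if not targets:
            return [v for t, v in rrset if t == rtype], visited
        name = targets[0]
        visited.append(name)
    raise RuntimeError("too many CNAME hops from %s" % visited[0])

def dns01_passes(identifier: str, expected_token: str, zones: List[Zone]) -> bool:
    """A wildcard *.example.com is validated at _acme-challenge.example.com,
    and the check passes if the expected token is among the TXT RRs found."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    txts, _ = lookup("_acme-challenge." + base, "TXT", zones)
    return expected_token in txts

if __name__ == "__main__":
    zones = [ISP_ZONE, THIRD_PARTY_ZONE]
    print(dns01_passes("example1.com", "token1", zones))    # True
    print(dns01_passes("*.example1.com", "token2", zones))  # True
    print(dns01_passes("example2.com", "token3", zones))    # False: only an A RR there
```

Running it shows the example2.com chain ending at a name with no TXT RRs at all, which is exactly why the A records created earlier in the thread cannot help.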
I think I have lost my way on this.

In order to reduce the number of text records, I thought I could create several subdomains that would be responsible for smaller groups of the domains that I wanted validated.
example:
example1.example3.com
example2.example3.com

This in combination with adding text records on my ISP DNS for the domains I wanted validated, each including a CNAME pointing to the subdomain for its group.

example:
_acme-challenge.example1.com=CNAME example1.example3.com
_acme-challenge.example2.com=CNAME example2.example3.com

The issue is there seems to be a difference between a DNS subdomain and a DNS subdomain record.

When I looked at the documentation of my third party DNS provider on how to subdomain, I didn't realize there was a DNS subdomain and a DNS subdomain record.

DNS subdomain
Subdomain record

I followed the instructions to create a subdomain record which is not what I wanted.

Unfortunately the ability to create a DNS subdomain is only available on the enterprise plan of the third party DNS provider, and that's not in the budget.

I chose the third party DNS provider as they were the only one I was familiar with, but now it looks like I need to do some research to find one that will allow DNS subdomains and is within the budget.

I'm not sure I follow.

I have a specific hostname in Cloudflare as a "Website" with name "osirisinferi.subdomain.example.org" on a Free plan as "DNS only". I do not own subdomain.example.org, it's a service that offers free subdomains.

I can get a certificate with the certbot-dns-cloudflare DNS plugin for foo.bar.baz.osirisinferi.subdomain.example.org without any issue.

What kind of issue are you actually running into and did you try it already?

Edit:
Above was an example to show that Cloudflare really doesn't care much about (subsubsub)subdomains. Certbot however doesn't like CNAMEs, so you'd need to use e.g. lego or acme.sh. But that was always required when using CNAMEs to begin with.

I haven't tried anything yet. I've been trying to get information on how I would set things up, but you just seem to be telling me that everything I'm proposing is wrong!

How did you add osirisinferi.subdomain.example.org to Cloudflare?

If I try to add a subdomain example1.example2.com (I used my real subdomain), it tells me:
"Please ensure you are providing the root domain and not any subdomains (e.g., example.com, not subdomain.example.com)"

The only way I can see to add example1.example2.com is to create an A or CNAME record.