DNS validation: getting all the TXT record togheter


#1

I use the DNS validation for a certificate valid for the following domains: lorenzo.click, *.lorenzo.click, *.otto.lorenzo.click.

I must say that my provider (namecheap) is terribly slow in DNS propagation, even if I set the TTL to 5, it takes pretty much half an our to see the new TXT online.

The issue is that, for this certificate, I must change 3 different TXT records in sequence, which means wasting more than 1 hour.

Is it possible to get all the TXT records together? In this way I could upload them, wait for their propagation in parallel and validate all of them together in 1 step by the end.

My domain is: lorenzo.click

I ran this command:
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory
–manual --manual-public-ip-logging-ok --preferred-challenges dns
-d lorenzo.click
-d *.lorenzo.click
-d *.otto.lorenzo.click

It produced this output:

Please deploy a DNS TXT record under the name
_acme-challenge.lorenzo.click with the following value:

XXXXX

Before continuing, verify the record is deployed.


Press Enter to Continue

x 3 times, with 2 different domains.

My web server is (include version):
don’t know

The operating system my web server runs on is (include version):
linux, unsure about the version

My hosting provider, if applicable, is:
namecheap

I can login to a root shell on my machine (yes or no, or I don’t know):
no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
cPanel 70.0.61

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0


#2

Hi @Lorentz83

you can do that in one step.

Start Certbot, copy the first value in a text editor, then the second, then the third.

Then open your dns settings and add the three required entries.

You don’t need

  • create first
  • wait, if first is visible
  • create second
  • wait, if second is visible
  • create third
  • wait, if third is visible

Instead:

  • save first, second, third value
  • create first, second, third dns entry
  • check your config with the correct command

Use an online tool or something like

nslookup -type=TXT lorenzo.click. dns1.namecheaphosting.com.

same with the nameserver of your otto-subdomain.


#3

Thank you. Just to be a little clearer

The point is that certbot shows them only 1 by 1, and before showing the next one says very clearly

Before continuing, verify the record is deployed.

Should I just continue, fail the validation and retry it once they are deployed?
Are the validation tokens guaranteed to be the same if the next run is within a certain amount of time?


#4

You don’t actually have to verify each record one at a time.

Certbot only asks Let’s Encrypt to validate them once you’ve done all of them. So you can do each one immediately and then wait once and verify them all.

The best option would be if you could automate this.

Can you use cPanel AutoSSL?


#5

You have one order. The order has three domain names.

Then three challenges are created, with three different token. So if the order is created, the tokens are fixed.

Token -> compute hash -> show it to the user or use the API to add this value.

If all values are deployed, the ACME-client must confirm that the job is done.

-> three calls -> Letsencrypt checks every challenge -> if every challenge is ok, the order is ready.

So if you use an API, the dns values are created in one or two seconds.

It’s only a limitation of using --manual, not a limitation of the ACME-protocol.


#6

I would continue, three validations per try would not exceed the limits that quickly.

Since validations are usually cached, the list should shrink; Until all have been validated and the cert can be issued.

I think the real solution is to put all the validation TXT entries into one single TXT record.
But that is easier said than done.
[at least when done automatically]


#7

Great, I was confused by the message, so I supposed that the validation happened before the next token was issued

I don’t find any option, and reading namecheap documentation I think it is by design.

Sadly it seems that namecheap doesn’t offer any public API for this. I wanted to try to do some scripting to try to simulate CPanel calls, but I never had time.

Thank you everyone


closed #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.