DNS validation: getting all the TXT records together

I use the DNS validation for a certificate valid for the following domains: lorenzo.click, *.lorenzo.click, *.otto.lorenzo.click.

I must say that my provider (namecheap) is terribly slow in DNS propagation, even if I set the TTL to 5, it takes pretty much half an hour to see the new TXT online.

The issue is that, for this certificate, I must change 3 different TXT records in sequence, which means wasting more than 1 hour.

Is it possible to get all the TXT records together? In this way I could upload them, wait for their propagation in parallel and validate all of them together in 1 step by the end.

My domain is: lorenzo.click

I ran this command:
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory \
    --manual --manual-public-ip-logging-ok --preferred-challenges dns \
    -d lorenzo.click \
    -d *.lorenzo.click \
    -d *.otto.lorenzo.click

It produced this output:

Please deploy a DNS TXT record under the name
_acme-challenge.lorenzo.click with the following value:

XXXXX

Before continuing, verify the record is deployed.


Press Enter to Continue

x 3 times, with 2 different domains.

My web server is (include version):
don't know

The operating system my web server runs on is (include version):
linux, unsure about the version

My hosting provider, if applicable, is:
namecheap

I can login to a root shell on my machine (yes or no, or I don't know):
no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
cPanel 70.0.61

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.28.0

Hi @Lorentz83

you can do that in one step.

Start Certbot, copy the first value in a text editor, then the second, then the third.

Then open your dns settings and add the three required entries.

You don't need

  • create first
  • wait until first is visible
  • create second
  • wait until second is visible
  • create third
  • wait until third is visible

Instead:

  • save first, second, third value
  • create first, second, third dns entry
  • check your config with the correct command

Use an online tool or something like

nslookup -type=TXT lorenzo.click. dns1.namecheaphosting.com.

same with the nameserver of your otto-subdomain.

Thank you. Just to be a little clearer

The point is that certbot shows them only 1 by 1, and before showing the next one says very clearly

Before continuing, verify the record is deployed.

Should I just continue, fail the validation and retry it once they are deployed?
Are the validation tokens guaranteed to be the same if the next run is within a certain amount of time?

You don't actually have to verify each record one at a time.

Certbot only asks Let's Encrypt to validate them once you've done all of them. So you can do each one immediately and then wait once and verify them all.

The best option would be if you could automate this.

Can you use cPanel AutoSSL?


You have one order. The order has three domain names.

Then three challenges are created, with three different tokens. So if the order is created, the tokens are fixed.

Token -> compute hash -> show it to the user or use the API to add this value.

If all values are deployed, the ACME-client must confirm that the job is done.

-> three calls -> Letsencrypt checks every challenge -> if every challenge is ok, the order is ready.

So if you use an API, the dns values are created in one or two seconds.

It's only a limitation of using --manual, not a limitation of the ACME-protocol.
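The "Token -> compute hash" step above and the "check your config with the correct command" advice earlier in the thread, as an added example that is not code from this thread, from certbot or from Let's Encrypt. It derives the TXT value the way RFC 8555 (section 8.4) specifies, base64url(SHA-256(token "." account-key-thumbprint)), groups the values by their `_acme-challenge` owner name (a wildcard and its base name share one name, which is why three domains here give two names with three records), and parses nslookup/dig output to report which expected records are not yet visible at the authoritative server. The account JWK, the tokens and the nslookup output are constructed placeholders, not real values.

```python
"""Compute DNS-01 TXT values for an ACME order and check that every record
is visible at the authoritative nameserver before telling the client to
continue. Added example, not certbot or Let's Encrypt code."""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """base64url without padding (RFC 7515), the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the key's
    required members, sorted by name, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token + "." + thumbprint)).
    This is the value certbot prints where the thread shows XXXXX."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def challenge_name(identifier: str) -> str:
    """A wildcard and its base name share one _acme-challenge owner name:
    lorenzo.click and *.lorenzo.click both need a TXT record (two records)
    at _acme-challenge.lorenzo.click."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def expected_txt_records(tokens: dict, thumbprint: str) -> dict:
    """Map each _acme-challenge name to the set of TXT values it must hold."""
    expected = {}
    for identifier, token in tokens.items():
        expected.setdefault(challenge_name(identifier), set()).add(
            dns01_txt_value(token, thumbprint))
    return expected


def parse_txt_output(output: str) -> set:
    """Extract TXT strings from `dig +short TXT` or `nslookup -type=TXT`
    output; adjacent quoted strings on one line form one record."""
    values = set()
    for line in output.splitlines():
        parts = re.findall(r'"([^"]*)"', line)
        if parts:
            values.add("".join(parts))
    return values


def missing_records(expected: dict, observed: dict) -> dict:
    """Return, per name, the expected values that are not yet visible."""
    missing = {}
    for name, values in expected.items():
        gap = values - observed.get(name, set())
        if gap:
            missing[name] = gap
    return missing


def lookup_command(name: str, nameserver: str) -> str:
    """The query to run against the authoritative server, not a resolver."""
    return f"nslookup -type=TXT {name}. {nameserver}."


# --- constructed sample data: a fake account key and placeholder tokens ---
FAKE_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}
THUMBPRINT = jwk_thumbprint(FAKE_JWK)
TOKENS = {"lorenzo.click": "token-one", "*.lorenzo.click": "token-two",
          "*.otto.lorenzo.click": "token-three"}
EXPECTED = expected_txt_records(TOKENS, THUMBPRINT)


def demo() -> dict:
    """Simulate the state after the first two records have propagated
    and the otto record has not; returns what is still missing."""
    v1 = dns01_txt_value("token-one", THUMBPRINT)
    v2 = dns01_txt_value("token-two", THUMBPRINT)
    # Constructed nslookup output: both values under the base name,
    # nothing yet for the otto subdomain.
    observed = {
        "_acme-challenge.lorenzo.click": parse_txt_output(
            f'_acme-challenge.lorenzo.click\ttext = "{v1}"\n'
            f'_acme-challenge.lorenzo.click\ttext = "{v2}"\n'),
        "_acme-challenge.otto.lorenzo.click": parse_txt_output(""),
    }
    return missing_records(EXPECTED, observed)


if __name__ == "__main__":
    for name, gap in demo().items():
        print(f"still missing at {name}: {sorted(gap)}")
        print("  check with:", lookup_command(name, "dns1.namecheaphosting.com"))
```

With a real account you would not compute the value yourself: certbot already prints it, and with `--manual-auth-hook` it hands the same value to your script in `CERTBOT_VALIDATION` together with `CERTBOT_DOMAIN`, which is the point at which a provider API (where one exists) could create all records without waiting in between. Query the `_acme-challenge` name, not the bare domain, and query the provider's authoritative nameserver so a resolver's cached negative answer does not hide a record that is in fact deployed.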

I would continue, three validations per try would not exceed the limits that quickly.

Since validations are usually cached, the list should shrink, until all have been validated and the cert can be issued.

I think the real solution is to put all the validation TXT entries into one single TXT record.
But that is easier said than done.
[at least when done automatically]

Great, I was confused by the message, so I supposed that the validation happened before the next token was issued

I don't find any option, and reading namecheap documentation I think it is by design.

Sadly it seems that namecheap doesn't offer any public API for this. I wanted to try to do some scripting to try to simulate CPanel calls, but I never had time.

Thank you everyone
