DynDNS with wildcard capability

hendersj · December 23, 2015, 11:23pm

I’ve got a DynDNS Pro account, which allows me to register a domain (I use hendersj.dyndns.org) and enable wildcards to specify multiple child records.

I was able to obtain a LetsEncrypt certificate for hendersj.dyndns.org, but I’m trying to expand that to include a host called dlhost.hendersj.dyndns.org (this is actually handled by a reverse proxy that uses the virtual host name to select a back-end webserver). It looks like dyndns creates this as a CName record pointing to the main A record for hendersj.dyndns.org.

When I run the client, I run:

sudo ./letsencrypt-auto certonly -d hendersj.dyndns.org -d dlhost.hendersj.dyndns.org --standalone

The result I get back is:

Failed authorization procedure. hendersj.dyndns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found hendersj.dyndns.org, dlhost.hendersj.dyndns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found hendersj.dyndns.org

IMPORTANT NOTES:
 - The following 'urn:acme:error:unauthorized' errors were reported by
   the server:

   Domains: dlhost.hendersj.dyndns.org, hendersj.dyndns.org
   Error: The client lacks sufficient authorization

I also tried just using dlhost.hendersj.dyndns.org - but got the same result.

What am I missing here? Is what I’m trying to do possible?

Osiris · December 24, 2015, 12:02pm

The HTTPS server behind the host dlhost.hendersj.dyndns.org does not have a certificate for that host.

I’m seeing that your current Let’s Encrypt certificate for hendersj.dyndns.org is installed for dlhost.hendersj.dyndns.org too. That’s not gonna work, because the hostname does not match the certificate.

You should generate a self-signed certificate for dlhost.hendersj.dyndns.org and set your server up so it will supply browsers with that certificate (for that host only ofcourse).

hendersj · December 29, 2015, 12:06am

Thanks for that pointer - I had tried to do that, but was using my reverse proxy to try to forward to the standalone client. I came up with a better way to do this using webroot, and that solved it. I had actually tried using a self-signed certificate with the proper hostname (you probably saw the redirection to the authentication server, which is hosted by hendersj.dyndns.org), but was still getting the zName error.

But now it’s all working - thanks again.

mbrugger · December 29, 2015, 10:43am

The following flag for the standalone plugin could probably also solve the authentication issues:

--standalone-supported-challenges http-01

In this case the LE server only uses http and ignores https for authentication.

Topic		Replies	Views
Failed authorization procedure Help	7	856	April 22, 2020
Failed authorization procedure usign the client Help	3	2203	February 18, 2016
Question on wilcard and multiple domains Help	8	687	May 22, 2020
DNS-01 validation- TLD and wildcard Issuance Tech	4	2434	November 9, 2018
Multi-Level Wildcard Domain Authentications Help	28	2172	October 27, 2020

DynDNS with wildcard capability

Related topics