DynDNS with wildcard capability

I’ve got a DynDNS Pro account, which allows me to register a domain (I use hendersj.dyndns.org) and enable wildcards to specify multiple child records.

I was able to obtain a LetsEncrypt certificate for hendersj.dyndns.org, but I’m trying to expand that to include a host called dlhost.hendersj.dyndns.org (this is actually handled by a reverse proxy that uses the virtual host name to select a back-end webserver). It looks like dyndns creates this as a CName record pointing to the main A record for hendersj.dyndns.org.

When I run the client, I run:

sudo ./letsencrypt-auto certonly -d hendersj.dyndns.org -d dlhost.hendersj.dyndns.org --standalone

The result I get back is:

Failed authorization procedure. hendersj.dyndns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found hendersj.dyndns.org, dlhost.hendersj.dyndns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found hendersj.dyndns.org

IMPORTANT NOTES:
 - The following 'urn:acme:error:unauthorized' errors were reported by
   the server:

   Domains: dlhost.hendersj.dyndns.org, hendersj.dyndns.org
   Error: The client lacks sufficient authorization

I also tried just using dlhost.hendersj.dyndns.org - but got the same result.

What am I missing here? Is what I’m trying to do possible?

The HTTPS server behind the host dlhost.hendersj.dyndns.org does not have a certificate for that host.

I’m seeing that your current Let’s Encrypt certificate for hendersj.dyndns.org is installed for dlhost.hendersj.dyndns.org too. That’s not gonna work, because the hostname does not match the certificate.

You should generate a self-signed certificate for dlhost.hendersj.dyndns.org and set your server up so it will supply browsers with that certificate (for that host only of course).

Thanks for that pointer - I had tried to do that, but was using my reverse proxy to try to forward to the standalone client. I came up with a better way to do this using webroot, and that solved it. I had actually tried using a self-signed certificate with the proper hostname (you probably saw the redirection to the authentication server, which is hosted by hendersj.dyndns.org), but was still getting the zName error.

But now it’s all working - thanks again. :slightly_smiling:

The following flag for the standalone plugin could probably also solve the authentication issues:

--standalone-supported-challenges http-01

In this case the LE server only uses http and ignores https for authentication.
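The "Correct zName not found ... Found hendersj.dyndns.org" error above comes down to one question: which certificate does the reverse proxy actually present when a client connects with a given SNI name, and does it cover that name? The following script is an added diagnostic (not from this thread, and not part of the Let's Encrypt client) that answers exactly that; the offline hostname-matching logic also shows why a certificate naming only hendersj.dyndns.org never covers dlhost.hendersj.dyndns.org, while a *.hendersj.dyndns.org wildcard would cover one extra label. The network part assumes the third-party 'cryptography' package is installed for parsing the DER certificate.

```python
import socket
import ssl

def hostname_matches(names, hostname):
    """True if hostname is covered by one of the DNS names in a certificate.
    Wildcards follow RFC 6125: '*.hendersj.dyndns.org' covers exactly one
    extra label, so it matches dlhost.hendersj.dyndns.org but neither
    hendersj.dyndns.org itself nor a.b.hendersj.dyndns.org."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # ".hendersj.dyndns.org"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:          # exactly one label
                return True
    return False

def served_dns_names(hostname, port=443, timeout=5):
    """Connect with SNI=hostname and return the DNS names in the certificate
    the server actually presents. Verification is switched off on purpose:
    the point is to see what the proxy hands out, mismatched or self-signed.
    Assumes the 'cryptography' package is available for DER parsing."""
    from cryptography import x509                   # assumed dependency
    from cryptography.x509.oid import NameOID
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        return san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:                  # old cert: fall back to CN
        return [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]

def diagnose(requested, served):
    """Report, in the spirit of the thread's error, whether the served names
    cover the requested SNI name and which names were found otherwise."""
    found = ", ".join(served) or "(no DNS names)"
    if hostname_matches(served, requested):
        return f"ok: {requested} is covered; found {found}"
    return f"mismatch: {requested} not found in served certificate; found {found}"

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:                       # e.g. dlhost.hendersj.dyndns.org
        print(diagnose(host, served_dns_names(host)))
```

Run it once per virtual host name; a "mismatch" line for dlhost.hendersj.dyndns.org while hendersj.dyndns.org is "ok" is the proxy serving the wrong certificate for that SNI name, which is what the validator reported.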