Get certificate for a domain without A record


#1

I am trying to get a certificate for a domain that do not have an A record (let it be mydomain.net) but it has a NS record to an IP resolvable domain (let it be example.com). Getting the certificate for example.com and using a service delegated on mydomain.net, I get an alert on my service clients that mydomain.net is not trusted. When I tried to get an certificate for mydomain.net, I got an error because it is not a resolvable domain. What I need to do?

My domain is:
mydomain.net
I ran this command:
certbot certonly -d mydomain.net --standalone
It produced this output:
Domain: mydomain.net
Type: unknownHost
Detail: No valid IP address found for mydomain.net
My operating system is (include version):
Debian 3.16.36
I can login to a root shell on my machine (yes or no, or I don’t know): I have root access only on example.com


#2

Hi @sym, I didn’t understand what you meant by “using a service delegated on mydomain.net”. How is the service “delegated on mydomain.net” if mydomain.net isn’t a resolvable domain and doesn’t have an A record?


#3

I have a XMPP server running on example.com but I want the relevant JID’s to be user@mydomain.net. I am sorry for being inaccurate in my question, I am still a newbie…


#4

I don’t know exactly how XMPP handles this kind of naming or how that interacts with certificates. Are you sure that the DNS record that relates the two is an NS record? Like the example.com nameserver is an authoritative nameserver for the mydomain.net domain?


#5

Yes, I am sure about that.


#6

When you said [quote=“sym, post:1, topic:26837”]
I get an alert on my service clients that mydomain.net is not trusted
[/quote]

how did the service clients know how or where to connect at all if mydomain.net doesn’t have an A record? Why didn’t they just say that mydomain.net doesn’t exist?


#7

In the configuration file of the XMPP server I have example.com in the hosts block (domains served by ejabberd) as well as in the access control lists part where I have specified an admin at example.com. I guess this makes things work…


#8

I’m no XMPP expert but I think I remember reading that it was a SRV record. Googling this hunch brings me here, which seems to agree.


#9

XMPP is indeed delegated via SRV records in DNS. In the scenario put forth by @sym, mydomain.net has a well-known SRV record that points XMPP clients to a service hosted on example.com.

However, for clients to validate the TLS certificate, it must be valid for mydomain.net, regardless of whatever may be found in the SRV record. Hence sym needing to get an LE certificate for mydomain.net rather than example.com.

@sym, to answer your question, you will either need to add an A record and run a simple server there to issue your certificate before moving it over to your XMPP server on example.com, or you may be able to use one of the DNS API or manual methods; I’m not at all familiar with those, however, but hopefully with the confusion vis-a-vis XMPP and the various hosts involved here cleared up someone else can step in and point you in the right direction.


#10

Yeah, that’s about it. To do DNS-01 validation for example.net, you’d create a TXT record named _acme-challenge.example.net. containing the required magic random data. You don’t need any A or AAAA records.

You can use Certbot’s manual mode, and edit your DNS records by hand, and have to do this again every 2-3 months to renew the certificate.

If you have a programmatic way to change your DNS records (nsupdate, sed, an API server…) or can set up a CNAME record or delegation to a DNS host with a programmatic way to change the records, you can automate everything.

Several of the bash clients have supported scriptable DNS-01 validation for years. Certbot only added the feature in version 0.10, with cerbot manual --manual-auth-hook and --manual-cleanup-hook; it ought to be relatively simple to write or adapt a script for it, but there probably aren’t many already written.

It may be easier to set up A and/or AAAA records for example.net. and use HTTP-01 or TLS-SNI-01 validation with, for example, Certbot’s standalone server mode.


#11

I tried to make such a record in the zone file for mydomain.net but it was ignored as out-of-zone data. Where I should place this record? Or maybe I have not entered the right thing… my record is:
_acme-challenge.example.com 300 IN TXT “667drN…Undc”


#12

Hard to say. What precisely did you try? Opening the zone example.net., creating a record of name _acme-challenge, type TXT and value "667...ndc"?


#13

I opened the zone mydomain.net and there I create the TXT record, I do not have a zone file for example.com, but on example.com is the XMPP server.


#14

did you “open the zone” in some kind of control panel ? or open it as a text file in an editor ?


#15

I opened the zone file for it in text editor :slight_smile:


#16

OK - you will then need to reload that to your DNS servers ( possibly restarting bind … I don’t know what you are using ) .


#17

I’ve done it but in Pidgin it still says that the certificate for mydomain.net cannot be validated and it claims to be from example.com. This makes my server unable to connect to another server that requires verification…


#18

Would you like to show us the certificate and domain names in question?


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.