Having a hard time renewing wildcard certificate using TXT record validation

Due to the fact that updating of DNS TXT records takes a while, every time I have to renew the certificate for my *.domain.tld, I have to wait around 10-15 minutes for the record to propagate and - of course - for letsencrypt to also read the TXT entry.
Since I am using more than one NS, is there any way I could use only one of them for validation and point certbot to that NS? I have 4 NS from which 3 of them are in US and one in Europe, therefore propagation takes some time...
Or is there any easier way to renew the certificate automatically?

Thanks for helping!

Certbot cannot influence the validation: certbot is run locally, but the validation is done remotely from the Let's Encrypt servers.

OK, then what would be the best way to automatically renew a wildcard cert?

Probably just wait until the update has propagated to all authoritative DNS servers. You might be able to check all the authoritative directives for proper propagation, although some DNS servers use anycast, so even if you directly query DNS server A with IP address X, there might be a different DNS server B which also has IP address X (anycast) at the other side of the world which has not propagated yet.

Perhaps you can configure your authoritative DNS server to notify the secondary servers whenever the zone changes. That can dramatically speed up the process of propagating changes to the secondary servers. But it's not perfect. I've recently seen cases where one secondary server is updated immediately, but the other still took a while.

Yes, I have already configured it that way, but I only own one of the NS; the others are from some provider, and I cannot force an update of the entries, I can only notify them of changes.

So, I guess, there is no way of renewing a wildcard certificate, other than using TXT records...

Yes, that's true for Let's Encrypt indeed. While not mandated by the Baseline Requirements of the CA/Browser Forum, Let's Encrypt's policy is to only allow wildcard certificates using the dns-01 challenge.

You could also use your own acme-dns type service (or Certify DNS, which is a managed service), that way DNS challenge updates are instant via a CNAME.

Is there any documentation available on how to implement this?

acme-dns: https://github.com/joohoi/acme-dns

Certify DNS: certifydns | Certify The Web Docs - this is a commercial service (currently free in beta) my company operates and is mainly designed for use with Certify The Web, but will work with various other acme-dns compatible clients.

Note that acme-dns is primarily an application, but also offers acme-dns as an online service. Please note that it's preferable to run your own service instead of relying on third party services (acme-dns as an online service, Certify DNS or any other service managed by a third party) for security reasons: you put ALL the trust regarding issuance of certificates into the hands of a third party if you choose to do so.

Also notice the subtle remark about Certify DNS being free in beta, which suggests you'll have to pay for it at some time in the future :wink:

Yes, all correct! [the Certify DNS docs state the same]

For my wildcard domains, I use a CNAME for _acme-challenge that points to a dedicated domain I use just for renewals (actually a subdomain). This dedicated domain only has 3 authoritative servers, and they are on the same LAN, so the slaves update quickly.

You could CNAME the challenge TXT record requests to a zone that uses only that one single NS.

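As an added example (not code from this thread or from certbot/acme-dns), this combines the two suggestions above: follow the `_acme-challenge` CNAME into the delegated zone, then ask each of that zone's authoritative servers directly whether the TXT token is visible before letting the ACME validation proceed. The `query` callable is an assumed interface; the `SAMPLE_ZONE` answers, IPs and token are constructed stand-ins for real `dig`/dnspython lookups against the NS IPs.

```python
import time
from typing import Callable, Dict, Iterable, List

# Assumed interface: (nameserver IP, record name, record type) -> rdata strings.
# In production wrap dig or dnspython here; a stub is used below for offline testing.
Query = Callable[[str, str, str], List[str]]


def follow_cname(name: str, ns_ip: str, query: Query, max_hops: int = 5) -> str:
    """Follow _acme-challenge.<domain> through its CNAME chain to the name that
    really carries the TXT record (the delegated single-NS zone or acme-dns)."""
    for _ in range(max_hops):
        targets = query(ns_ip, name, "CNAME")
        if not targets:
            return name
        name = targets[0].rstrip(".")
    raise RuntimeError("CNAME chain longer than %d hops for %s" % (max_hops, name))


def check_propagation(name: str, token: str, ns_ips: Iterable[str], query: Query) -> Dict[str, bool]:
    """Ask every authoritative server of the challenge zone directly (never a
    recursive resolver, whose cache would hide stale secondaries) for the token."""
    return {ns: token in query(ns, name, "TXT") for ns in ns_ips}


def wait_until_propagated(name, token, ns_ips, query, timeout=600, interval=10, sleep=time.sleep):
    """Poll until all servers serve the token or the timeout expires; returns the
    final per-server status, so a hook can log which secondary is still lagging."""
    deadline = time.monotonic() + timeout
    while True:
        status = check_propagation(name, token, ns_ips, query)
        if all(status.values()) or time.monotonic() >= deadline:
            return status
        sleep(interval)


# Constructed sample answers: the challenge name is CNAMEd into a dedicated zone
# with two servers, one of which has not picked up the new token yet.
SAMPLE_ZONE = {
    ("192.0.2.1", "_acme-challenge.example.com", "CNAME"): ["example.com.acme.example.net."],
    ("192.0.2.1", "example.com.acme.example.net", "TXT"): ["constructed-token-123"],
    ("192.0.2.2", "example.com.acme.example.net", "TXT"): [],
}


def sample_query(ns_ip: str, name: str, rrtype: str) -> List[str]:
    return SAMPLE_ZONE.get((ns_ip, name, rrtype), [])


if __name__ == "__main__":
    target = follow_cname("_acme-challenge.example.com", "192.0.2.1", sample_query)
    print(wait_until_propagated(target, "constructed-token-123",
                                ["192.0.2.1", "192.0.2.2"], sample_query, timeout=0))
```

Run as a `--manual-auth-hook` step after publishing the record, replacing `sample_query` with a real per-NS lookup; a `False` entry names the server that would still fail the Let's Encrypt check.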