Help with dns challenge and namecheap?


#1

I can’t use the http challenge because my isp blocks port 80. Port 443 is open but certbot no longer supports that challenge.

I heard you can use the DNS challenge but I’m not quite sure how to.

Can someone link me a step by step or post the command to run?

I have the latest certbot running on Ubuntu 16.04 with the apache2 webserver. My domain is through namecheap.


#2

Hi,

Unfortunately, namecheap’s API is not supported in DNS validation, which means you need to enter the DNS records manually. (And renew manually)

Here are the steps. (From certbot.eff.org)

```
certbot --manual --preferred-challenges dns
```

(and it will output the txt records you need to add)
(Remember, it’s two DNS records instead of one!)

Thank you


#3

It’s only two DNS records if you’re wanting to cover two FQDNs. A single FQDN is a single TXT record; a 10-SAN cert is 10 TXT records.


#4

There’s a somewhat better alternative for DNS challenges if you don’t want to enter it manually every time. Another user developed acme-dns, which is a small, standalone DNS server that’s designed explicitly to serve TXT records to Let’s Encrypt. You’d need to add a CNAME record in your NameCheap DNS for any _acme-challenge records and point them to your acme-dns server, which can be updated automatically.

Alternatively, you could get a free DNS provider like Cloudflare and CNAME your _acme-challenge record to them.


#5

I’ll look into that acme-dns. Thanks for sharing.

Also port 80 at my work isn’t blocked. If I bring my server to my work, update my domain with my work ip, and get the http challenge to work; when it comes time to renew, will I be able to use the 443 challenge?


#6

I found its docs a little confusing, so I posted a topic for some clarification–you may find it helpful:


#7

Namecheap’s API is supported by lexicon via the manual plugin.


#8

Good News/Bad News.

Good news: you can automate DNS validation using lexicon. See this article by @_az https://id-rsa.pub/post/certbot-auto-dns-validation-with-lexicon/

Bad news: you should not automate validation with Namecheap for multiple reasons.

  1. Namecheap requires you to have 20+ domains OR spend $50 within 12 months to use their API.

  2. If you qualify, you will learn that Namecheap’s API is way too powerful to leave the token on a server (it allows for domain transfers/etc), and what you really need to do is create a SECOND namecheap account which is only limited to managing DNS records, and beg their support to give that account API access. (Lexicon will not work with those ‘managed’ domains yet, only ones owned by the account. There is a merged patch, but it has not been released yet)

  3. It sounds like you want to install the certificate on a server from a home machine… which means you don’t have an assigned IP address and it could change. Namecheap’s API is locked down to whitelisted IP Addresses, so you’d likely need to update their system with your IP address when you want to renew.

IMHO your best options are the following:

  1. Use @jared.m’s suggestion of creating a free account with cloudflare. Either use them for all DNS, or do an advanced setup where they only handle the _acme-challenge.
  2. Handle the certificate stuff manually through the Namecheap dashboard.

I like acme-dns, but you’re on a non-static IP with a consumer ISP: if port 80 is blocked, port 53 most likely is too.
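Added example (not from this thread or from certbot, acme-dns or lexicon): a small model of how a DNS-01 validator locates the TXT record, covering the points raised in #3 (one TXT record name per FQDN), #4 (CNAME-delegating `_acme-challenge` to acme-dns or another provider) and #8 (keeping the delegated setup checkable before you press Enter in `certbot --manual`). The zone data, hostnames (`acme-dns.example.net`, `cf-zone.example.net`) and tokens are constructed; the resolver follows CNAMEs the way a real validator's resolver would, and refuses loops.

```python
"""Pre-flight model for ACME DNS-01 with CNAME delegation.

Added example; the zone below is constructed, not real DNS data.
"""

ACME_PREFIX = "_acme-challenge"


def challenge_names(sans):
    """Return the DNS names that must carry TXT records for the given SANs.

    One name per FQDN (post #3). A wildcard '*.example.com' is validated at
    '_acme-challenge.example.com', the same name as the apex, so that name
    would hold two TXT values; names are therefore de-duplicated here.
    """
    names = []
    for san in sans:
        base = san[2:] if san.startswith("*.") else san
        name = f"{ACME_PREFIX}.{base}".lower().rstrip(".")
        if name not in names:
            names.append(name)
    return names


# Constructed toy zone: name -> {"CNAME": target} or {"TXT": [values]}.
ZONE = {
    # Registrar-hosted zone delegates the challenge name to an acme-dns
    # instance (hostname assumed). acme-dns keeps the last two tokens, so
    # two TXT values at the target is the normal state.
    "_acme-challenge.example.com": {"CNAME": "abc123.auth.acme-dns.example.net"},
    "abc123.auth.acme-dns.example.net": {"TXT": ["tokenA", "tokenB"]},
    # Second FQDN delegated to a separate zone that only handles challenges
    # (the "advanced setup" from post #8, zone name assumed).
    "_acme-challenge.www.example.com": {"CNAME": "_acme-challenge.www.example.com.cf-zone.example.net"},
    "_acme-challenge.www.example.com.cf-zone.example.net": {"TXT": ["tokenC"]},
    # Misconfiguration: two CNAMEs pointing at each other.
    "_acme-challenge.loop.example.com": {"CNAME": "_acme-challenge.loop2.example.com"},
    "_acme-challenge.loop2.example.com": {"CNAME": "_acme-challenge.loop.example.com"},
}


def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs from `name` and return (final_name, txt_values).

    A validator resolves the CNAME chain, so the TXT record must live at the
    chain's end, not at the _acme-challenge name itself. Raises ValueError on
    a loop or on an overly long chain.
    """
    seen = []
    current = name
    while True:
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.append(current)
        if len(seen) > max_hops:
            raise ValueError("too many CNAME hops")
        rr = zone.get(current)
        if rr is None:
            return current, []          # nothing published at the end of the chain
        if "CNAME" in rr:
            current = rr["CNAME"]
            continue
        return current, list(rr.get("TXT", []))


def check_challenge(zone, fqdn, expected):
    """Is `expected` visible wherever the challenge name finally points?

    Returns (ok, detail). Any matching TXT value satisfies the validator,
    so extra stale values at the target do not cause a failure.
    """
    name = challenge_names([fqdn])[0]
    try:
        final, values = resolve_txt(zone, name)
    except ValueError as err:
        return False, str(err)
    if expected in values:
        return True, f"{expected!r} found at {final}"
    return False, f"{expected!r} not in {values} at {final}"


if __name__ == "__main__":
    for fqdn, token in [("example.com", "tokenA"), ("www.example.com", "tokenC"),
                        ("loop.example.com", "x"), ("missing.example.com", "x")]:
        print(fqdn, check_challenge(ZONE, fqdn, token))
```

Against a live zone the same logic is what a resolver does when the validator asks for `_acme-challenge.<fqdn>`: the CNAME in the registrar's zone is followed, and the TXT is read from acme-dns (or whichever zone you delegated to). Running a check like this with a real lookup before continuing the manual challenge catches the two common mistakes, a TXT placed at the delegating name instead of the target, and a delegation that never reaches a TXT at all.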
