How to deal with multiple domains using acme.sh and acme-dns

Hi folks,

I just configured acme-dns with acme.sh for servers that are not directly connected to the internet. Everything seems to be working fine for a subdomain; I can generate a cert.

Here is how I made it work:

  • BIND DNS server for domain.com delegates auth.domain.com to another nameserver which runs acme-dns.
  • I register a new host in acme-dns using the API.
  • In domain.com zone file, I have _acme-challenge.www.domain.com CNAME 281222f1-ac88-4ee1-94c3-5d764fde1b41.auth.domain.com.

The question is:

  • I have multiple subdomains (www, ftp etc.). Should I create a new host in acme-dns, or use the existing 2812[...]1b41 one and update it on the fly every time I need it? If I create all these entries:
_acme-challenge.ftp.domain.com CNAME 281222f1-ac88-4ee1-94c3-5d764fde1b41.auth.domain.com.
_acme-challenge.www.domain.com CNAME 281222f1-ac88-4ee1-94c3-5d764fde1b41.auth.domain.com.
_acme-challenge.mail.domain.com CNAME 281222f1-ac88-4ee1-94c3-5d764fde1b41.auth.domain.com.

Using this solution seems easiest for me: I will just have to deal with the credentials stored in /root/.acme.sh/account.conf, rather than storing credentials for every subdomain generated.

Is it good usage in your view? How do you deal with multiple subdomains with acme-dns / acme.sh?

Regards

Hi @unam

why?

These services use different ports. So if all subdomains have the same ip address, you don't need different subdomains.

Use your main domain with ftp, mail and webserver -> then you need only one certificate with the non-www and the www version.

Hi,
It's an example, but not the best one I guess :slight_smile:

I have multiple subdomains such as:

  • www
  • git
  • webmail etc.

All the services have a dedicated IP address, and they are all listening on tcp/443.

I'm not aware of a good way to do this, unfortunately: acme.sh's support for acme-dns is very rudimentary, in that it only supports one set of credentials account-wide. You could create multiple CNAMEs as you describe, iff you were sure that none of those hostnames would try to renew at the same time, since acme-dns will allow no more than two TXT records for a given FQDN. But the way acme-dns is really intended to be used is that each hostname will have its own alias.

Consequently, though I really don't like certbot, that's what I use if an instance needs to handle more than one hostname. Its integration script manages all the credentials behind the scenes.

OTOH, if all the services are on their own hosts with their own IP addresses, why not obtain each cert on its own host?
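The constraint described in the reply above (one alias shared by several hostnames works only while at most two of them renew at the same time) can be checked before it bites. The script below is an added example for this thread, not code from acme.sh or acme-dns. It parses a constructed zone fragment modelled on the CNAME lines in the first post (the second alias, 11111111-..., is made up), reports which aliases are shared by more hostnames than acme-dns will keep TXT records for, and simulates an overlapping renewal under the assumption stated above: acme-dns keeps only the two most recent TXT values per alias and serves both on lookup.

```python
"""Check which _acme-challenge CNAMEs share one acme-dns alias and what
happens when those hostnames renew at the same time.

Added example for this thread, not code from acme.sh or acme-dns.
Assumption (as stated in the thread): acme-dns keeps only the two most
recent TXT values per alias and serves both on lookup.
"""
import re
from collections import defaultdict, deque

# Constructed zone fragment modelled on the CNAMEs in the first post.
# The git alias (1111...) is made up to show a hostname with its own alias.
ZONE = """
_acme-challenge.ftp.domain.com  IN CNAME 281222f1-ac88-4ee1-94c3-5d764fde1b41.auth.domain.com.
_acme-challenge.www.domain.com  IN CNAME 281222f1-ac88-4ee1-94c3-5d764fde1b41.auth.domain.com.
_acme-challenge.mail.domain.com IN CNAME 281222f1-ac88-4ee1-94c3-5d764fde1b41.auth.domain.com.
_acme-challenge.git.domain.com  IN CNAME 11111111-2222-3333-4444-555555555555.auth.domain.com.
"""

# Matches "_acme-challenge.<host> [ttl] [IN] CNAME <alias>" zone lines.
CNAME_RE = re.compile(
    r"^_acme-challenge\.(?P<host>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(?P<alias>\S+)",
    re.IGNORECASE,
)


def parse_challenge_cnames(zone_text):
    """Map hostname -> acme-dns alias from the _acme-challenge CNAME lines."""
    mapping = {}
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            host = m.group("host").rstrip(".").lower()
            mapping[host] = m.group("alias").rstrip(".").lower()
    return mapping


def hosts_per_alias(mapping):
    """Invert the mapping: alias -> sorted list of hostnames pointing at it."""
    shared = defaultdict(list)
    for host, alias in mapping.items():
        shared[alias].append(host)
    return {alias: sorted(hosts) for alias, hosts in shared.items()}


class AcmeDnsModel:
    """Minimal model of acme-dns record storage: KEEP most recent TXT values per alias."""

    KEEP = 2  # assumption from the thread: at most two TXT records per FQDN

    def __init__(self):
        self._txt = defaultdict(lambda: deque(maxlen=self.KEEP))

    def update(self, alias, txt):
        # A new value pushes out the oldest one once KEEP values are stored.
        self._txt[alias].append(txt)

    def lookup(self, alias):
        return list(self._txt[alias])


def overloaded_aliases(mapping):
    """Aliases used by more hostnames than acme-dns can hold tokens for at once."""
    return {a: h for a, h in hosts_per_alias(mapping).items() if len(h) > AcmeDnsModel.KEEP}


def simulate_renewal(mapping, hostnames):
    """Overlapping renewals: every hostname publishes its token first, then the
    CA validates each one. Returns hostname -> whether its token is still served.
    The publish order is the list order; real overlaps are nondeterministic."""
    dns = AcmeDnsModel()
    tokens = {h: f"token-for-{h}" for h in hostnames}  # constructed stand-ins
    for host in hostnames:
        dns.update(mapping[host], tokens[host])
    return {h: tokens[h] in dns.lookup(mapping[h]) for h in hostnames}


if __name__ == "__main__":
    mapping = parse_challenge_cnames(ZONE)
    for alias, hosts in overloaded_aliases(mapping).items():
        print(f"alias {alias} is shared by {len(hosts)} hostnames: {', '.join(hosts)}")
    result = simulate_renewal(mapping, ["ftp.domain.com", "www.domain.com", "mail.domain.com"])
    for host, ok in result.items():
        print(f"{host}: {'validates' if ok else 'FAILS (token evicted)'}")
```

Run with three of the shared hostnames renewing together and the first one published loses its token; with two, or with one alias per hostname as the reply recommends, every validation passes.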

Hi @danb35
You described exactly the situation: acme.sh's support for acme-dns does not store credentials for each subdomain.
Sorry, it was not clear in my first messages, but I prefer to centralize cert management on a single host, and I made all my tests with acme.sh and acme-dns. I think I'll keep acme-dns thanks to its ease of use, and it "just works!".
I just discovered certifytheweb, which can use acme-dns under the hood, and it just works. The disadvantage is that it's Windows only.

I'll check acme-dns-certbot you pointed out.

Finally it's clearer for me. For now my setup is OK with certifytheweb, but I would prefer to make it work on Linux with my own scripts for custom deployments per server and usage (postfix, apache, nginx etc.).

That

doesn't match that:

If you want an easy centralized solution, create one wildcard via dns validation and deploy it.

If you want a "per server solution", use one client / server with http validation.
