Just one _acme-challenge value for all domains in same DNS validation

I'm trying to create a certificate for 13 domains on a mail server with no web server. Port 80 is directed to another server that I don't have direct access to.

With wildcard certbot generates 26 _acme-challenge values that must be inserted into DNS.

On my DNS service this shouldn't be a big problem as they allow use of a template where all 26 can be inserted, except that certbot can only handle 10 _acme-challenge values on the same domain.

If I didn't use the template I would have to insert the 26 values in 13 different DNS records. There is a high risk of cut/paste errors.

If it was the same _acme-challenge value set for all the domains in the same validation it would be much simpler, and I can't see how it would be less safe.

In my case with the DNS template I would only have to insert a single value into one DNS entry, and without the template feature you would have to update 13 records, but with the same _acme-challenge value, i.e. a smaller risk of cut/paste errors.

best regards
Ulrik


I am not addressing any security implications in the following:

LetsEncrypt currently reuses non-triggered authorizations across account orders as a resource optimization. To get the flow you want, Boulder would either have to expire all non-triggered authorizations and no longer have the re-use optimization, or there would be a potential mixture of validations that would be a constant source of complaints and confusion. Because of that, I don't realistically see this feature implemented.

For your situation, I suggest using acme-dns. After setting up an acme-dns server, you can create an account for each of the 13 domains and update the main DNS once to delegate their _acme-challenge to a specific acme-dns account. A certbot plugin will handle automating the DNS challenge updates when you obtain and renew certificates. You will only update the main DNS records once - everything else happens on acme-dns and automatically.

How do you mean? I'm not aware of any limitation of 10 for the DNS challenges in certbot.

Let's Encrypt strongly promotes automation for their service, which also applies to certbot. With DNS this can be tricky, as not every DNS provider has an API to automate the DNS challenge. But as @jvanasco already pointed out there are solutions for this.


See also:

When using the DNS template all the DNS validation TXT values are put into the same place, resulting in a lookup like this for one of the 13 domains:

There are only 10 here because I split it up to make it work. If there are more than 10, certbot will give this output:
Domain: odds-on.dk
Type: unauthorized
Detail: Incorrect TXT record
"cO5tDqemdlCNTmmLvgyk-CU4hVdQNuPPQj3_fWa3-CQ" (and 9 more) found at
_acme-challenge.odds-on.dk

So there is a maximum of 10 _acme-challenge values in one DNS lookup in certbot.

I think that's not correct: the error you've shown with the "and 9 more" text is produced by the Let's Encrypt validation server and not certbot. Certbot is just showing you the error from the validation server, but does not generate it.
And the Let's Encrypt validation server just tells you what it found when it queried for the TXT records: it found 10 TXT records.
Therefore, I'm still inclined to think it has something to do with your DNS provider: the screenshot you're showing also shows just 10 TXT records and not 13.

Also, I've shown in your other thread about the max. 10 issue certbot works perfectly with 20 DNS challenges :wink:

My suggestion to you is to try to automate the DNS challenge somehow as stated earlier and not to try to add the TXT records manually for two reasons:

  • I think your DNS service provider is the issue here, automation through e.g. acme-dns might resolve this issue;
  • renewing so many DNS challenges every 60 days is very cumbersome, so automation is also in your own best interest :wink:

Also, I'm very puzzled: why would there be a need for 10+ TXT records for the same hostname? (Earlier I missed that they were all records for the exact same hostname..) Usually, this is maxed to just two similar hostnames:

  • One for the "bare" apex domain example.com;
  • and one for the wildcard *.example.com.

I don't see the need for more than two TXT records for the same hostname.


As I mentioned, there are only 10 in the image. To make it work I split the DNS template into two; you can see the remaining 3 here.

Now everything works. Except I have to maintain two DNS templates. And I still think a single value for all 13 would be nice :wink:

It could be a validation error from the server and not the certbot client... the result is the same for me :slight_smile:

I'm still puzzled why you would need 13 values for exactly the same hostname? It should only be two TXT records max. per (sub)domain (not counting the wildcard, as that's included in the 'two' here).

If it's a bug in the client, we can try to bughunt it and try to fix it :wink: But if it's an issue on the Let's Encrypt validation side, that's way more difficult. That's why I like the distinction :slight_smile:

Maybe you could present us with the entire certbot command and entire certbot output?


Because it is a DNS template where each TXT record looks somewhat like this:

Each domain attached to the template will get all the TXT records in the DNS lookup.
And yes it would be nice if the DNS provider could make dedicated TXT records.

Aha, I see. I think. I'm not very familiar with "DNS templates" unfortunately, but as I'm understanding you correctly, it goes something like this:

  • You're requesting a wildcard certificate for 13 domains, which are in effect 26 domains, 13x the apex domain and 13x the wildcard "sub"domain;
  • Certbot is requesting you to add 26 _acme-challenge TXT records, 2 for every domain (one for the apex, one for the wildcard), lets call them challenges A through Z for hostnames 1 to 13;
  • Your DNS service provider's zone editor only lets you add TXT records through a "template";
  • If you add TXT record A for hostname 1 the template will not only add the TXT record for hostname 1, but also to hostnames 2 through 13;
  • If you add TXT record C for hostname 2, that TXT record will also end up at the hostnames 1 and 3 through 13?

Am I getting this right?

command:

:/home/dell# certbot certonly --manual --preferred-challenges=dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): ezida.dk cybersite.dk furehus.dk guilds.dk kofod.me odds-on.dk oddsetligaen.dk periconsult.com periconsult.dk ring.gl same-game.dk samegame.dk xn--sbakken2800-ggb.dk
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cybersite.dk
dns-01 challenge for ezida.dk
dns-01 challenge for furehus.dk
dns-01 challenge for guilds.dk
dns-01 challenge for kofod.me
dns-01 challenge for odds-on.dk
dns-01 challenge for oddsetligaen.dk
dns-01 challenge for periconsult.com
dns-01 challenge for periconsult.dk
dns-01 challenge for ring.gl
dns-01 challenge for same-game.dk
dns-01 challenge for samegame.dk
dns-01 challenge for xn--sbakken2800-ggb.dk
....

output:

Cleaning up challenges
Failed authorization procedure. samegame.dk (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "37aetltdGOaYf77iA0KmHnJoiaJeKLk5HMjdrmpPmZc" (and 9 more) found at _acme-challenge.samegame.dk, xn--sbakken2800-ggb.dk (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "k5r9RBAIotXUvS5ySVL9owGK8_zZdm9j0CHAZKOqgBY" (and 9 more) found at _acme-challenge.xn--sbakken2800-ggb.dk

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: samegame.dk
   Type:   unauthorized
   Detail: Incorrect TXT record
   "37aetltdGOaYf77iA0KmHnJoiaJeKLk5HMjdrmpPmZc" (and 9 more) found at
   _acme-challenge.samegame.dk

   Domain: xn--sbakken2800-ggb.dk
   Type:   unauthorized
   Detail: Incorrect TXT record
   "k5r9RBAIotXUvS5ySVL9owGK8_zZdm9j0CHAZKOqgBY" (and 9 more) found at
   _acme-challenge.xn--sbakken2800-ggb.dk

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Yes, all TXT records are applied to every domain attached to the DNS template, and somewhere there is a limit of 10 in the validation process.

I could stop using the template and just have normal DNS setup for each domain, but I really like only having to maintain the template.

Solving the problem with the maximum of 10 TXT records in one DNS lookup would be nice but a bit off topic.

I just think it would make sense to have a single validation value, and not 26+ different values, for a single validation request. It is a lot of work with high risk of errors, to get it validated. It would be a lot easier if the same value could be reused on all 26 domains, using a DNS template or not.

If you're doing a request for X wildcard hostnames, including the apex domain, you'll have to deal with X*2 TXT records. That's not a choice of Let's Encrypt, but mandated by the CA/Browser Forum baseline requirements, the rules to which every CA and browser has to adhere.

It wouldn't make much sense to allow you to get a certificate for example.com when you only successfully proved ownership over example.net: you'll need to prove ownership of all domains.

Sure, but I can't see that it makes any difference if you prove it with one and the same key value for all 13 domains. If you have access to put the key into all 13 then the value of the key doesn't really matter.

Every single domain requires a random token, so re-using a token for multiple domains is not allowed either. That's just the rules I'm afraid.

Exactly, it's just a rule that doesn't do much except make the validation more complex :slight_smile: The random token would work just as well for all 13 domains.

Adding more domains would of course need a new random token. But in the exact validation process it should not make a difference.

I think you are creating a CNAME to a shared TXT record, then stuffing that TXT record with all the challenge response values you need, then hitting a limit on how many values your DNS provider supports. If this isn't automated this would be very difficult to manage for all your renewals.

acme-dns is a good solution for this and is automated once you set up the initial CNAMEs for each domain. If not hosting it yourself, see also Certify DNS (certifydns | Certify The Web Docs) which does the same thing. There are security caveats to not hosting your own service however (as noted in the docs).

Some acme clients also support using an alias domain (so updates can be automated against a surrogate domain which supports API automation, and instead of updating _acme-challenge.yourdomain.com it updates _acme-challenge.yourdomain.com.myotherdomain.com). This means you don't need an acme-dns style service but your primary domains just need to support a CNAME pointing to your automated DNS records.
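The two mechanics the thread keeps circling back to, as an added example that is not code from the thread, certbot, acme-dns or Boulder: first, how a dns-01 TXT value is derived from the per-authorization token and the account key thumbprint (RFC 8555 section 8.4 with RFC 7638), which is why each of the 26 identifiers gets its own value and why the value is bound to the account that requested it; second, the pre-flight check a client can run before asking the CA to validate, resolving _acme-challenge.<identifier>, following a CNAME delegation of the acme-dns or alias-domain kind described above, and confirming the expected value is actually published. The JWK coordinates, tokens, hostnames and zone data are constructed placeholders; the in-memory zone stands in for a real resolver so the script runs offline.

```python
"""Added example, not code from the thread, certbot, acme-dns or Boulder.

Part 1: derive the dns-01 TXT value (RFC 8555 section 8.4, RFC 7638).
Part 2: pre-flight check that follows CNAME delegation and verifies the
expected value is published.  All keys, tokens and zone data are constructed.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON of the required public members only
    (sorted keys, no whitespace).  Optional members like "use" are excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 8.4: TXT value = base64url(SHA-256(token "." thumbprint)).
    The CA picks a fresh token per authorization, so no two identifiers share
    a value; the thumbprint ties the value to the requesting account key."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(identifier: str) -> str:
    """Both "example.com" and "*.example.com" validate at the same TXT name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}".lower()


def resolve_txt(name: str, zone: dict, max_cname_hops: int = 8):
    """Return (final_name, txt_values), following CNAMEs like a resolver would.
    zone maps a lowercase name to {"CNAME": target} or {"TXT": [values]}."""
    for _ in range(max_cname_hops):
        rrset = zone.get(name.lower().rstrip("."), {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return name, list(rrset.get("TXT", []))
    raise ValueError(f"CNAME chain from {name} too long")


def preflight(expected: dict, zone: dict) -> dict:
    """Check each identifier's expected value is among the published TXT values;
    also report where the lookup ended and how many values sit there (a provider
    "template" that copies every value to every domain inflates that count)."""
    report = {}
    for identifier, value in expected.items():
        final_name, values = resolve_txt(challenge_name(identifier), zone)
        report[identifier] = {"ok": value in values,
                              "resolved_name": final_name,
                              "record_count": len(values)}
    return report


# ---- constructed sample data (placeholders, not real keys or hosts) ----------
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
               "x": "PLACEHOLDER_X_COORDINATE", "y": "PLACEHOLDER_Y_COORDINATE"}
THUMBPRINT = jwk_thumbprint(ACCOUNT_JWK)

# One constructed token per identifier, as a CA issues per authorization.
TOKENS = {
    "example.com": "tokenApex0000000000000000000000000000000000",
    "*.example.com": "tokenWild0000000000000000000000000000000000",
    "example.net": "tokenNet00000000000000000000000000000000000",
    "example.org": "tokenOrg00000000000000000000000000000000000",
    "missing.example": "tokenMissing000000000000000000000000000",
}
EXPECTED = {ident: dns01_txt_value(tok, THUMBPRINT) for ident, tok in TOKENS.items()}

ZONE = {
    # "template" provider: every value was copied to every attached domain
    "_acme-challenge.example.com": {"TXT": list(EXPECTED.values())},
    "_acme-challenge.example.net": {"TXT": list(EXPECTED.values())},
    # delegated once via CNAME to an acme-dns style host updated over its API
    "_acme-challenge.example.org": {"CNAME": "a1b2c3d4.acme-dns.example"},
    "a1b2c3d4.acme-dns.example": {"TXT": [EXPECTED["example.org"]]},
    # missing.example has nothing published yet
}

if __name__ == "__main__":
    for ident, result in preflight(EXPECTED, ZONE).items():
        status = "ok     " if result["ok"] else "MISSING"
        print(f"{status} {ident:16} -> {result['resolved_name']} "
              f"({result['record_count']} TXT values)")
```

Running the script prints one line per identifier; the apex and wildcard entries for example.com both resolve to the same name and each find their own value among the five copied there, example.org is satisfied through the CNAME hop, and missing.example is flagged before any CA request is made. Swapping the in-memory zone for real lookups (for example with dnspython's resolver) turns this into the check certbot's manual mode leaves to you.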

The option --single-validation-token would be nice :), but I guess there is no real chance of having a single validation token for a single validation process.

It is just a hassle having to update 26+ different validation tokens in DNS for a new certificate. Having a single random token value would make it easier and less prone to errors, and it would still prove you have update access to the DNS.

There is actually an acme-dns plugin for my DNS provider, so I think I will try that out.

You'd probably have to convince the entire CA/Browser forum for that to happen I'm afraid.