Multiple _acme-challenge and CNAMEs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: la-z-boy.com

I am trying to use cert-manager under kubernetes to get certificates. I can get individual names through DNS-01 challenge just fine, no problems at all. Now I am attempting to retrieve a wildcard certificate and it keeps coming back with the message "there is already a challenge processing with this domain". So I went to our DNS records and found someone had already CNAME'd _acme-challenge at the root of the domain to be able to use it with a Let's Encrypt instance of their own, which is valid and in use. Looks like they followed these instructions: Onboarding Your Customers with Let's Encrypt and ACME - Let's Encrypt

The problem is that since that is CNAME'd already, I am unable to use Let's Encrypt to get a wildcard of my own. I can't give them access to our DNS nor are they willing to give me access to theirs, nor can I change or remove the CNAME. This is a wildcard so HTTP-01 challenge won't work. Is there any workaround for this type of situation? Or am I just out of luck?

1 Like

Hi @skreien, and welcome to the LE community forum :slight_smile:

That sounds like you really don't have control of that DNS zone.
Without which, yes:

There is only one way to validate a wildcard and they hold that single key.

3 Likes

I have full control of the DNS zone. The problem is that I can't give them access to update our DNS zone, nor do they want to give me access to update the DNS zone that ours is CNAME'd to.

I am not seeing any DNS CNAME here: DNS Lookup - Check All DNS Records for Any Domain

2 Likes

It appears your domain uses Cloudflare for its primary DNS, but the CNAME is pointing to the Fastly CDN which would make sense if they're terminating TLS for your existing website.

Technically, that CNAME only has to exist while Fastly is doing a renewal. So if you have control over the DNS zone at Cloudflare, you could potentially delete the CNAME, create the TXT records necessary for your own cert, complete the authorization, remove the TXT records, and restore the CNAME.

But realistically, that's pretty hacky, and might be hard to coordinate the steps with cert-manager. Does Fastly have an HTTP based validation option instead? Then, they wouldn't need the CNAME.

4 Likes

The CNAME isn't for the domain apex (which can't exist), it's for _acme-challenge.la-z-boy.com.

>dig _acme-challenge.la-z-boy.com ns @jimmy.ns.cloudflare.com +norecurse +noall +answer
_acme-challenge.la-z-boy.com. 300 IN    CNAME   v8vz5m8tkonejcigvq.fastly-validations.com.
4 Likes

Unfortunately I already know without asking what the answers to those questions will be... it needs to stay how it is. And it seems to me that if the acme challenge is hardcoded then it's going to run into a collision at some point. That's why I was asking if there's other options.

1 Like

Yeah it does exist here: DNS Lookup - Check DNS Records

2 Likes

Then:
#1: remove the CNAME:
_acme-challenge.la-z-boy.com canonical name = v8vz5m8tkonejcigvq.fastly-validations.com

#2: get your wildcard

#3: put CNAME back in:
_acme-challenge.la-z-boy.com canonical name = v8vz5m8tkonejcigvq.fastly-validations.com

3 Likes

This is something that will have to happen every 2-3 months. Not an option I'm willing to live with.

1 Like

Then can you live without the wildcard cert?

And why does Fastly need that CNAME?

3 Likes

Yeah, the _acme-challenge label is part of the RFC 8555 ACME spec. And for getting a wildcard cert, DNS validation is your only option. Technically, other CAs exist that use different DNS validation labels though. But they also don't use ACME and I'm guessing wouldn't work with cert-manager.

3 Likes

Can you instead use a wildcard for a subdomain?
*.really.la-z-boy.com

3 Likes
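The two points just made (the validation label is fixed by RFC 8555, and a wildcard on a subdomain validates at a different name) can be checked before cert-manager ever issues an order. The script below is an added example written for this thread, not code from the thread, cert-manager or Let's Encrypt. It derives the DNS-01 validation name for each requested identifier the way RFC 8555 section 8.4 does (strip a leading `*.`, prepend `_acme-challenge.`), then looks that name up in a constructed in-memory zone to see whether it is already a CNAME that delegates the label to someone else. The zone data, the `plan_dns01`/`blocked` helpers and the `203.0.113.10` address are all constructed for the example; only the delegated label and its target are taken from the dig output earlier in the thread.

```python
"""Spot DNS-01 label collisions before ordering a certificate (added example)."""

ACME_LABEL = "_acme-challenge"  # fixed by RFC 8555 section 8.4, not configurable

# Constructed sample zone: owner name -> list of (rtype, rdata).
# The CNAME mirrors the delegation shown in the thread's dig output.
SAMPLE_ZONE = {
    "_acme-challenge.la-z-boy.com": [
        ("CNAME", "v8vz5m8tkonejcigvq.fastly-validations.com"),
    ],
    "www.la-z-boy.com": [("A", "203.0.113.10")],  # constructed TEST-NET-3 address
}


def validation_name(identifier: str) -> str:
    """Return the FQDN whose TXT record the CA queries for DNS-01.

    RFC 8555 strips the wildcard prefix before prepending the label, so
    '*.example.com' and 'example.com' validate at the SAME name, while
    '*.sub.example.com' validates at '_acme-challenge.sub.example.com'.
    """
    name = identifier.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return f"{ACME_LABEL}.{name}"


def delegation_target(zone: dict, name: str):
    """Return the CNAME target at `name`, or None if the label is free.

    RFC 1034 forbids other records beside a CNAME at the same owner name,
    so a delegated label cannot also carry this zone's own TXT record.
    """
    for rtype, rdata in zone.get(name, []):
        if rtype == "CNAME":
            return rdata
    return None


def plan_dns01(identifiers, zone: dict) -> dict:
    """Map each identifier to (validation_name, cname_target_or_None)."""
    return {ident: (validation_name(ident),
                    delegation_target(zone, validation_name(ident)))
            for ident in identifiers}


def blocked(identifiers, zone: dict) -> list:
    """Identifiers whose validation label is delegated elsewhere, sorted."""
    return sorted(ident for ident, (_, target) in plan_dns01(identifiers, zone).items()
                  if target is not None)


if __name__ == "__main__":
    wanted = ["*.la-z-boy.com", "la-z-boy.com",
              "www.la-z-boy.com", "*.really.la-z-boy.com"]
    for ident, (vname, target) in plan_dns01(wanted, SAMPLE_ZONE).items():
        status = f"delegated to {target}" if target else "free for this zone's TXT"
        print(f"{ident:24} -> {vname:40} {status}")
```

Run against the sample zone, the apex and the apex wildcard both land on the delegated `_acme-challenge.la-z-boy.com` and are reported as blocked, while `www.la-z-boy.com` and `*.really.la-z-boy.com` validate at labels this zone still owns; that is the collision the thread describes and the reason the subdomain-wildcard suggestion sidesteps it.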

Living without the wildcard cert is plan C. I was hoping there was a way to get around the collision. As with anything hard-coded, a collision is inevitable at some point.

1 Like

Fastly does appear to support HTTP validation as long as you don't need a wildcard there as well:

4 Likes

What would break if Fastly lost that CNAME?

Looks like they were given waaaaay more than they actually need.

3 Likes

I had considered a different CA. That would require a corporate paid account for some of them, etc. The quickest option for me was to see if there's a way around it. Sounds like it's time to work on plan B/C then. Thanks for the quick answers, I much appreciate it.

2 Likes

Somehow I thought that DNS Lookup - Check DNS Records did a full DNS Records lookup for the domain, not just the hostname.domain.tld. I learned something new.
I thought it was more like this:

2 Likes

If Fastly lost that CNAME it would stop them from using Let's Encrypt for our domain.

1 Like

Read the post from @rmbolger
It looks like they can also use HTTP authentication - DNS auth is NOT required.

3 Likes