Multiple Domains/Zones with Acme-DNS - follow-up


#1

I know this has been addressed here: Multiple domains/zones with acme-dns

I had an additional question. I have Acme-DNS up and running fine with my one domain acme.cooby.online. In the article above it indicates that all I need to do is CNAME a new domain to the Acme-DNS server I’ve setup. My question is - do I need to do anything else with my new CNAME’d domain? i.e. Do I need to create a certificate for it and place it on my Acme-DNS server anywhere? or do I just CNAME and done…

Cheers, Dave


#2

Nope. For any $FQDN you want to use acme-dns for, set a CNAME for _acme-challenge.$FQDN to the relevant random hostname. That’s all you need.


#3

That is awesome! Great work guys…


#4

Thanks, quick question - if my $FQDN is used in nginx and nginx.conf has all the ssl stuff setup does any of that need to change? Currently there are ssl entries in my nginx.conf file pointing to a wildcard certificate. So I assume this domain certificate should remain the same in nginx.

Cheers,

Dave


#5

I don’t clearly understand the question/problem, but I will take a stab at it:
If the wildcard cert is all you need, then you have all that you need.
The CNAME is just a way to pass the authentication.


#6

Hi Rudy:

Good stab - exactly what I was looking for.

Cheers,

Dave


#7

Also, I assume it will auto-renew now that I’m Acme-DNS’ing…


#8

Auto renew is not automatically implied.
Can you show your cron job or task called?


#9

Actually I don’t have an auto-renew cron script. If you have any examples for auto-renewing a wildcard cert, I’m in. Auto-renewing was the reason I got into tinkering with Acme-DNS in the first place.
I have a bunch of .tlds (.com. .tech, .online etc…) on various servers and I would like to automate the auto-new for the whole lot

Cheers, Dave


#10

What ACME client are you using? If certbot, the command would be something like certbot renew -q, run once or twice a day, assuming you were using a proper acme-DNS integration script.


#11

Wildcard certs require DNS authentication which requires a DNS plugin.
Many DNS service providers are supported - but not all.
So there are unknown factors that need to be worked out before a proper working command can be recommended.
Like:
Which is your ACME client: _____
Which is your DNS service provider: _____


#12

Depending on your OS, ACME client, and how you installed it, there may already be a systemd timer or cron job to automatically renew your certificates. If everything else is already set up (like acme-dns, and automatically reloading your web server), everything may already be working correctly.


#13

He said above he’s using acme-dns, so that’s answered. There’s a hook script for certbot that handles the DNS validation using acme-dns, and I’d assume @gridworkz would have used that script if he used certbot to get the cert in the first place. acme.sh supports acme-dns natively. For anything else, well, it depends on the client.


#14

Half way there!


#15

Living on a prayer? filler filler filler


#16

Take my hand - We’ll make it!
I swear…


#17

Perfect, thanks. Yes, I’m using certbot to create the certs. I generally create the certs on one server (the Acme-DNS server) and distribute the certs to the servers that need them. So do I run the ‘certbot renew -q’ cron on the Acme-DNS server? I would guess so since the /etc/letsencrypt/… directory is there. I’m getting the feeling I should be generating the certs locally on the servers that they’re being used on and run the cron on those servers.


#18

That’s generally the recommended way to do it. For now, if you’re generating the certs on the acme-dns server, that’s where you’d run the cron job, but it’d be worth shifting your process, if possible, to request the certs directly on the systems that will be using them. And then you’d run the cron job there.


#19

I was running this with TXT record entries:

Letsencrypt Wildcard /w TXT DNS Entry


#20

Cool - do I run the cron as root?