Must run DNS challenge with the Dynamic DNS provider you use?


#1

Quick question about the DNS Challenge for wildcard certs, since I’m a little confused. Does the challenge allow you to use any DNS provider to complete it, or must it run with a dynamic DNS provider specifically managing your domain? For example, I don’t use Google Cloud DNS for dynamic DNS updating, but can I use the Google Cloud DNS certbot plugin to complete the challenge anyway?


#2

To validate the wildcard *.example.com (or the non-wildcard example.com), you have to create a TXT record called _acme-challenge.example.com.

You could just put it in the example.com zone using its DNS provider, or you can use CNAME or NS records to point it to a different DNS provider (such as another DNS company, or acme-dns).

So, in theory, you can do basically anything. Some ACME clients or some DNS services may make it easy, hard or impossible to do a specific thing, though. (For example, some DNS services might restrict you from creating NS records with _ in the name.)

It should be easy to use the Google Cloud DNS Certbot plugin in your situation, but I’m not certain what your situation is.


#3

The acme-dns solution looks promising. I appreciate that they also provide an auth hook for certbot. I have multiple domains, so can I just create one account (if you can call it that) on acme-dns and point the appropriate records for all my domains to that one acme-dns? Or would that require multiple sets of credentials?


#4

It would require multiple sets of credentials, but the certbot plugin handles all those behind the scenes. The only thing you’d need to do manually is set the CNAME records the first time for each of your domains.
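As an added illustration of how the pieces in #2 and #4 fit together (this is not code from the thread, from Certbot or from the acme-dns project): a small Python sketch that computes the DNS-01 TXT value defined in RFC 8555 section 8.4 and follows a zone's CNAME from `_acme-challenge.<domain>` to the delegated owner name, one per domain, the way an acme-dns setup would look. The zone, domain names, tokens and account thumbprints are constructed placeholders, and only CNAME delegation is modeled (not NS).

```python
import base64
import hashlib


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value is base64url(SHA-256(token "." JWK thumbprint)), unpadded."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed zone data (not real DNS): owner name -> list of (rrtype, rdata).
# Each domain delegates its challenge name via CNAME to its own acme-dns
# subdomain; acme-dns holds a separate credential set per subdomain (#4).
TOKENS = {"example.com": "tok-constructed-1", "example.net": "tok-constructed-2"}
THUMBPRINT = "thumbprint-constructed"  # placeholder for the ACME account key thumbprint
ZONE = {
    "_acme-challenge.example.com": [("CNAME", "aaaa1111.auth.acme-dns.example")],
    "_acme-challenge.example.net": [("CNAME", "bbbb2222.auth.acme-dns.example")],
    "aaaa1111.auth.acme-dns.example": [("TXT", dns01_txt_value(TOKENS["example.com"], THUMBPRINT))],
    "bbbb2222.auth.acme-dns.example": [("TXT", dns01_txt_value(TOKENS["example.net"], THUMBPRINT))],
}


def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs from `name`; return (final owner name, its TXT values)."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        records = zone.get(name, [])
        targets = [rdata for rrtype, rdata in records if rrtype == "CNAME"]
        if targets:
            name = targets[0]  # a CNAME owner may carry no other data, so keep following
            continue
        return name, [rdata for rrtype, rdata in records if rrtype == "TXT"]
    raise ValueError(f"more than {max_hops} CNAME hops from {name}")


def challenge_satisfied(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """True if the delegated TXT set contains the expected DNS-01 value for `domain`."""
    expected = dns01_txt_value(token, thumbprint)
    _owner, txts = resolve_txt(zone, f"_acme-challenge.{domain}")
    return expected in txts


if __name__ == "__main__":
    for domain, token in TOKENS.items():
        owner, _ = resolve_txt(ZONE, f"_acme-challenge.{domain}")
        print(domain, "->", owner, "ok" if challenge_satisfied(ZONE, domain, token, THUMBPRINT) else "FAIL")
```

The same `_acme-challenge` name validates both `example.com` and `*.example.com`, so one delegated record per registered domain is enough for a wildcard plus its apex.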


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.