Proof of domain and use of 2 certs on subdomain

My domain is: micwit.com

I ran this command: sudo certbot --apache -d idp.micwit.com --debug-challenges --staging

It produced this output:
Detail: Invalid response from http://idp.micwit.com/.well-known/acme-challenge/80EdOi_q6VVOg1ZNQyc1DzwOIy_tCnywODRCVC_WAlw:
"404 Not Found <body style="color: #444; margin:0;font:"

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 18.04.1

My hosting provider, if applicable, is: Panthur

I can login to a root shell on my machine (yes or no, or I don’t know): yes (for local one)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel (for online) and none for local

So I will start by explaining the setup I have. There are 2 servers, one local and one on shared hosting (cpanel). The local one is what I want to use when anyone is on the LAN (that our local dns server points to), and the online one is what I want to use when not onsite. For the one onsite, it uses an auto SSL solution that does the certs for me. I want to have my local one do the same.

So I run the command:
sudo certbot --apache -d idp.micwit.com --debug-challenges --staging
but of course I get the message back to say the file in .well-known/acme-challenge/ cannot be found, because of course it is looking to my online server.

I was thinking of using something like inotifywatch (inotify-tools) to watch that directory for new files, and do a copy up to the online server when one appears (that way it would validate the domain and set up the cert on my local server), however, no file ever actually appears there.

So how can I make it so that I can have a cert both online and local for the same subdomain?

Hi @MicWit

there are different options:

  • you can copy the online certificate locally, so you can use the same certificate
  • you can create 5 certificates per week with the same domain name set. So (without errors) it's not a limit to have two certificates
  • to create the second, you may use dns-01 validation (not the file under /.well-known/acme-challenge - this is http-01 validation). You have to create a dns-entry _acme-challenge.example.com
  • if you want to automate that, your dns-provider should support an api. Then you can check if certbot or acme.sh supports this api.

@JuergenAuer, thanks for that.

I have seen in cpanel where to get the keys etc, but that is a lot of manual work to do, and would need to be done for every subdomain every 3 months, I won't have the time to do that!

That's cool, and I believe as many renewals as you want, so if I'm looking at 10 sub domains or so, I will just have to spread them out (or is that not per domain, is that per request i.e. per sub domain?)

Now this is something that may work! Where can I find info on this? I can create a dns entry on the online server if required.

I spoke to my hosting provider (which is where the dns is for the domain) and they said they don't have an api for the cert system.

Read

to see the differences between http-01 and dns-01 - challenges.

You have to change the value of the txt entry _acme-challenge.example.com every time you order a new certificate. So you don't want to do that manually.

It's not an api for the cert system. It's an api for the dns-system.

But it's possible that you create a CNAME _acme-challenge.example.com which points to a public dns-provider with an api-support.

Check

https://certbot.eff.org/docs/using.html

there are a lot of dns-providers (--dns-cloudflare, --dns-cloudxns etc.). And acme.sh

has 52 api-supports. I am using inwx for my own domains, so I could create the client api directly. So I don't use one of these public apis with CNAME.

OK, so in researching, it basically uses another subdomain to put the text file into.

So in my case, the actual site I want (one of them anyhow) is https://sso.micwit.com, so I should create a dns entry of _acme-challenge.sso.micwit.com and the text file needs to go in there. A few questions:

  1. Would it be possible for _acme-challenge.micwit.com to be used for any of my subdomains (so a different cert for each, not a wildcard)? If not I just have to create more dns entries.
  2. I can point _acme-challenge.sso.micwit.com to the local machine that sso.micwit.com is on, will this help? Just trying to work out if I can do that and then just have certbot create the text file automatically in a virtual host just for this validation? Is this possible? I don’t want to manually renew every time (this should be a cron job) and I’m not really getting why having that dns entry there permanently is a security risk.

You don't need a text file. You need a dns txt entry. You can create an A-entry (ipv4), an AAAA-entry (ipv6) and txt-entries. You don't need an A-record with _acme-challenge.sso.micwit.com, you don't need a webserver with webspace, you don't need an open port.

First - no. _acme-challenge.micwit.com works to confirm micwit.com and *.micwit.com. If you want a lot of subdomains, you need a lot of entries _acme-challenge.subdomain1.micwit.com ...

(2) is irrelevant, you don't need an a record.

OK, that's why I could not see the files and folders, it's actually just done in a dns entry. I have never heard of dns txt entries before.

Well, I could still use an a record on the online server that will point to my local machine. That way when certbot does the verification, could a script make the required txt entry etc (it's my own ubuntu machine, so I have control over it, not like the cpanel online servers) and delete it once validated? Then I can leave all the _acme-challenge a records on the online server and a script with certbot can deal with all the txt entries locally? Or am I still not getting it?

Sorry, never done this stuff before so trying to get my head around it.

No _acme-challenge a record is required or used. You may create such a record, but to validate your domain ownership, it's completely irrelevant.

That one wouldn't be for the validation, it would just be to forward that address to my local machine and then set the validation there. So on Ubuntu using certbot, can I get it to set up the dns validation on that machine as required? Or certbot can't do this at all?

There is no "forwarding" with a txt entry to a webserver. A txt entry has no A-record, it's a standalone information. You can "forward" that per CNAME to another dns server. That's all.

nslookup _acme-challenge.server-daten.de.
Name: _acme-challenge.server-daten.de

No A-record.

Explicit query the txt record:

nslookup -type=txt _acme-challenge.server-daten.de.

_acme-challenge.server-daten.de text =

    "d0xivWiWzkAOK5osbODQw6JDUsygUE3bEMTfNvdp4Cc"

Last entry used with the stage system.

I have asked my provider if they have an API for the dns system, but I doubt they will. So is there any way I can forward this request from the server online to my local server and set up the txt entry on my local server?

If you have the ability to receive inbound connections on port 53 on your local server, you could use a CNAME record and run acme-dns on the local server:

It’s important to understand that the TXT record is provided within the DNS system itself, using the DNS protocol, and its content does not refer to a specific IP address. If you use acme-dns this way, you would be running your own DNS server.

This I can do and is what I was looking for. I can just forward port 53 in the router the same way 80 and 443 are sent to the web server.

OK, so running my own (mini) dns server on the web server is fine with me. But what I am now trying to understand (which I have read the link you sent me and will continue looking further into and experimenting) is how I can get my online DNS server to point to my local server, there has to be an IP involved with that. So from what I understand, it would work like this:
Subdomain that has both online and local servers: sso.micwit.com
CNAME on the online server: _acme-challenge.sso.micwit.com to auth.sso.micwit.com
A record on the online server: auth.sso.micwit.com to 1.1.1.1 (my WAN IP)

And then the client would set up on my local server the correct txt entry?

OK, MAJOR update, after a bunch of support ticket talk and phone calls, I DO have access to the cpanel WHM API that will allow me to edit DNS records! Then, I have used https://github.com/Pugasus/cpanel-ddns-client and added another .py that uses the client module and have successfully created a python script that added a txt entry in the DNS zone on my online server.

So now I just need to work out how to get certbot to call my python script and pass in the txt string required to be uploaded (and the domain and sub domain details) and I should be right to go. I want to also create a script where once the authentication has taken place I can remove the dns record for security purposes (I believe this is the correct way to do it?). Once authenticated and the certificate is issued, that dns record is no longer needed, is it?

I was also reading that when using this DNS-01 challenge, I can’t renew the domain this way? Also, I think I saw that with the DNS-01 challenge the cert is only valid 1 month?

Hi @MicWit,

This is the Certbot option --manual-auth-hook.

https://certbot.eff.org/docs/using.html#hooks

That's right, and this is the Certbot option --manual-cleanup-hook.

certbot renew doesn't work for certificates that were obtained with certbot --manual without --manual-auth-hook, because without the authorization hook script, Certbot pauses to allow you to create the TXT record and then interactively confirm when you've done so. The certbot renew command is designed to be run from crontab and so it doesn't allow for authenticators to require user interaction; therefore --manual doesn't work, unless you tell it via a --manual-auth-hook script how to perform the necessary action non-interactively. Under this condition, certbot renew will work as normal because the renewal steps will be non-interactive.

Since this is what you're proposing to do, you should be able to run certbot renew from crontab and have it work properly with your process.

Nope, all Let's Encrypt certificates are valid for 90 days, regardless of how they were obtained. You might have been reading about how you can usually reissue certificates without revalidating during a one-month period after you first performed the validation. This fact isn't very relevant to most users or use cases. :slight_smile:
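As an added example (not code from the thread or from certbot), here is what a `--manual-auth-hook` / `--manual-cleanup-hook` script along the lines of MicWit's plan looks like: it reads the `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` variables certbot sets, works out the `_acme-challenge` TXT name relative to the zone, hands the add/delete to an external cPanel script, and on the auth side polls public DNS until the record is visible, because certbot asks the CA to validate as soon as the hook returns. The zone name `micwit.com` comes from the thread; the `cpanel_txt.py` path, its `add|delete <name> <value>` calling convention and the `CPANEL_TXT_SCRIPT` variable are assumptions standing in for the poster's own WHM client.

```python
"""certbot --manual-auth-hook / --manual-cleanup-hook for dns-01 (added example)."""
import os
import re
import subprocess
import sys
import time

ZONE = "micwit.com"  # the zone hosted on the cPanel server (from the thread)
# Assumed: the poster's own cPanel WHM script, called as <script> add|delete <name> <value>
UPDATE_SCRIPT = os.environ.get("CPANEL_TXT_SCRIPT", "/usr/local/bin/cpanel_txt.py")

def challenge_record(domain, validation, zone=ZONE):
    """Return (fqdn, name relative to the zone, value) for the dns-01 TXT record.
    A wildcard validates at its parent: *.micwit.com -> _acme-challenge.micwit.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    fqdn = "_acme-challenge." + base
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    # dns-01 value is the base64url SHA-256 of the key authorization: always 43 chars
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", validation):
        raise ValueError("CERTBOT_VALIDATION does not look like a dns-01 digest")
    return fqdn, fqdn[: -len(zone) - 1], validation

def txt_values(nslookup_output):
    """TXT strings from `nslookup -type=txt` output, as quoted earlier in the thread."""
    return re.findall(r'text\s*=\s*"([^"]*)"', nslookup_output)

def wait_for_txt(fqdn, value, tries=20, delay=15):
    """Poll public DNS until it serves the value; certbot does not wait for propagation."""
    for _ in range(tries):
        out = subprocess.run(["nslookup", "-type=txt", fqdn + "."],
                             stdout=subprocess.PIPE, universal_newlines=True).stdout
        if value in txt_values(out):
            return True
        time.sleep(delay)
    return False

def main(action):
    """action is "auth" (create the record) or "cleanup" (remove it again)."""
    fqdn, relname, value = challenge_record(os.environ["CERTBOT_DOMAIN"],
                                            os.environ["CERTBOT_VALIDATION"])
    op = "add" if action == "auth" else "delete"
    subprocess.run([sys.executable, UPDATE_SCRIPT, op, relname, value], check=True)
    if action == "auth" and not wait_for_txt(fqdn, value):
        sys.exit(f"{fqdn} never served the TXT value; stopping before the CA looks")

if __name__ == "__main__":
    main(sys.argv[1])
```

Wired up as `certbot certonly --manual --preferred-challenges dns -d sso.micwit.com --manual-auth-hook "python3 dns_hook.py auth" --manual-cleanup-hook "python3 dns_hook.py cleanup"`, after which `certbot renew` reuses both hooks non-interactively.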

@schoen,
Thank you for that, it's coming together now, this is how I want to do it! And will cleanup after by removing the dns entry.

So in the crontab, do I just do certbot renew, or do I need to put in the hook options again as well (or does it remember these from when you first got the certificate)?

It will remember them, so you just need to do certbot renew (which is meant to be run frequently; it will check whether a certificate is near expiry and only attempt the renewal at that point).
