Renew using dns-01 challenge


#1

Hi,

I created some certificates using the dns-01 challenge.

But when I renew the certificate, the value for the DNS TXT record is updated.
Is this normal?

I have +20 certificates and updating all these TXT records is not that easy :frowning:

Stef


#2

Yes, it’s perfectly normal.

That’s why DNS validation is really only practical if your DNS host has an API that allows your client to automatically update those records.


#3

Our main DNS provider has an API, but I also maintain the certificates for a few domains that I don’t manage myself :frowning:
The sites themselves are for internal use only, so I can only use the DNS challenge.

I suppose I cannot force the value of the TXT record to be the same for a renewal?

Stef


#4

No, that would defeat the purpose of the validation.


#5

If you can create a CNAME record pointing to your main DNS provider, you might be able to use the method described here:


#6

We are going to create a sub-domain for certificates and host a public DNS server that holds the required TXT records.
For the few domains we don’t control, we are either going to buy certificates or renew them manually.

Stef


#7

Personally I think it’s much easier to ask those domain owners to create the TXT record (as it would save time and money), so you could automate the process.

(What I did is: switch a domain, with all auth and reporting, to an API-supported DNS provider, map all domains I need to control under this domain, then do the automation work.)

A public DNS server is only necessary if you hold lots of domains (since you would need to update it regularly and ensure speed and reliability; it’s a crazy thing if you just want to hold the required TXT records).


#8

Hi @StefCoene,

For those domains you don’t control, you can ask the owner to create a CNAME record pointing to a domain you control so you could automate the process.

Example:

You want to issue a certificate for the external.tld domain and you don’t control it, but you have the domain own.tld, which you do control, and you have a DNS API to create records etc.

1.- Ask external.tld owner to create the following CNAME record:

_acme-challenge.external.tld IN CNAME external.tld.own.tld

2.- When issuing a certificate with your client for external.tld, create a TXT record on your own DNS server pointing to the right token for external.tld

external.tld.own.tld IN TXT "here the token to validate external.tld"

3.- You are done ;). Let’s Encrypt will try to get the token by checking the TXT record for _acme-challenge.external.tld and will follow the CNAME, so it will look for the TXT record at the domain you control, external.tld.own.tld.

Step 1 needs to be done just once, so you can renew the certificate whenever you want without needing to ask the owner to create the TXT record or doing it manually.

Of course, for every domain they want to issue a cert for, they need to create a CNAME and you a TXT record.

_acme-challenge.external.tld IN CNAME external.tld.own.tld
_acme-challenge.www.external.tld IN CNAME www.external.tld.own.tld
_acme-challenge.admin.external.tld IN CNAME admin.external.tld.own.tld
and so on...

Edit: Sorry, I just read @jmorahan post pointing to use this method…

Cheers,
sahsanu


#9

I have around 50 certificates for internal hosted websites for which I control the domain.
Updating 50 TXT records every 3 months via API or hosting a DNS server I control? I prefer the DNS server (bind + some 20 lines perl magic) :slight_smile:

1 or 2 websites also need an extra domain that I don’t control. For those, I will have to contact the customer for the TXT record.

Stef


#10

This seems unnecessary; you could just add all TXT records to the same CNAME destination.

_acme-challenge.external.tld. IN CNAME acme-challenge.example.com.
_acme-challenge.www.external.tld. IN CNAME acme-challenge.example.com.
_acme-challenge.admin.external.tld. IN CNAME acme-challenge.example.com.
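
A worked model of the delegation in #8 and of the shared-target variant in #10, as an added example that is not part of the thread: a tiny in-memory zone, a resolver that follows the CNAME chain down to the TXT records, and the TXT value an ACME DNS-01 validator expects (base64url of the SHA-256 of `token.thumbprint`, per RFC 8555 section 8.4). The zone contents, the tokens and the `THUMBPRINT` stand-in are constructed for the example; a real client takes the token from the ACME order and the thumbprint from its account key. The CNAME hop limit is an assumption of the example, not a Let’s Encrypt figure.

```python
import base64
import hashlib

# Constructed in-memory zone for the example: owner name -> [(rrtype, rdata)].
# Names are absolute (trailing dot) and compared case-insensitively.
ZONE = {}


def add_rr(name, rrtype, rdata):
    ZONE.setdefault(name.lower(), []).append((rrtype, rdata))


def dns01_txt_value(token, jwk_thumbprint):
    """TXT value a DNS-01 validator expects (RFC 8555 section 8.4):
    base64url(SHA-256(token "." base64url(JWK thumbprint))) without '=' padding."""
    key_authz = f"{token}.{jwk_thumbprint}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def lookup_txt(name, max_cnames=8):
    """Return (final owner name, TXT values) for `name`, following CNAMEs the
    way a resolver does. The hop limit is an assumption for the example;
    loops and over-long chains raise instead of spinning."""
    seen = set()
    current = name.lower()
    for _ in range(max_cnames + 1):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        rrs = ZONE.get(current, [])
        cnames = [rdata for rrtype, rdata in rrs if rrtype == "CNAME"]
        if cnames:
            current = cnames[0].lower()  # an owner name may carry only one CNAME
            continue
        return current, [rdata for rrtype, rdata in rrs if rrtype == "TXT"]
    raise ValueError(f"CNAME chain from {name} longer than {max_cnames} hops")


def validate_dns01(domain, token, jwk_thumbprint):
    """Model of the CA side: look up _acme-challenge.<domain> and accept if
    any TXT record at the end of the CNAME chain equals the expected value."""
    expected = dns01_txt_value(token, jwk_thumbprint)
    final_name, txts = lookup_txt(f"_acme-challenge.{domain}.")
    return expected in txts, final_name


# Stand-in for base64url(JWK thumbprint) of the ACME account key (constructed).
THUMBPRINT = "8Xk2pQn4vZ0c9M7bJt1eR3yH6sL5wA2dF0gU4iO9xK1"

# Step 1, done once by the external.tld owner. external.tld uses the
# per-name target from #8; www and admin share one target as in #10.
add_rr("_acme-challenge.external.tld.", "CNAME", "external.tld.own.tld.")
add_rr("_acme-challenge.www.external.tld.", "CNAME", "acme-challenge.own.tld.")
add_rr("_acme-challenge.admin.external.tld.", "CNAME", "acme-challenge.own.tld.")

# Step 2, done on own.tld for every issuance. Tokens are constructed here;
# a real client takes them from the ACME order.
TOKENS = {
    "external.tld": "tok-external-001",
    "www.external.tld": "tok-www-001",
    "admin.external.tld": "tok-admin-001",
}
add_rr("external.tld.own.tld.", "TXT", dns01_txt_value(TOKENS["external.tld"], THUMBPRINT))
for name in ("www.external.tld", "admin.external.tld"):
    add_rr("acme-challenge.own.tld.", "TXT", dns01_txt_value(TOKENS[name], THUMBPRINT))


def run_checks():
    """Validate each name, then simulate a renewal whose new token was not published."""
    results = {name: validate_dns01(name, token, THUMBPRINT) for name, token in TOKENS.items()}
    results["external.tld renewal, stale TXT"] = validate_dns01("external.tld", "tok-external-002", THUMBPRINT)
    return results


if __name__ == "__main__":
    for name, (ok, final_name) in run_checks().items():
        print(f"{name:40} -> {final_name:28} {'valid' if ok else 'INVALID'}")
```

The last check is the situation from #1: a renewal is a new order with a new token, so the old TXT value no longer validates and only the CNAME is the part that stays put. With the shared target from #10, the validator accepts as long as one of the TXT records at `acme-challenge.own.tld` matches, so several names can be validated from one owner name at the cost of a larger answer.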

#11

Hi @jacobdevans,

Of course, you can do that, but keep in mind that, depending on how many challenges you will serve for a certificate (or several certificates issued at the same time), you should avoid exceeding the limit of 4096 bytes per DNS response or Let’s Encrypt won’t manage that response and will fail to validate the domain.

Note: Until a month ago, if you were serving approx. 6 TXT records for the same domain, Let’s Encrypt failed to validate it… but as I said, they have raised the size of the DNS response to 4096 bytes, which is pretty good, but keep that in mind just in case ;).

Cheers,
sahsanu


#12

That is good to know! I’d be curious, since there is already a 100 SAN limit and we know how long the challenge is, why the DNS TXT limit wouldn’t slightly exceed the size of the challenge*100.


#13

A response from DNS for 100 challenges for the same domain makes no sense from an efficiency perspective.


#14

One DNS lookup vs. 100? Total data transferred is the same. Define “efficiency perspective”.


#15

Hi @jacobdevans,

Large DNS responses should be answered using TCP (it is not the fast protocol); “normal” DNS responses are answered using UDP. UDP was designed to be as fast as possible and this is the reason DNS uses it (max 512 bytes per response). If you want to put 100 TXT records in your domain it is up to you, but you should not expect the rest of the world to think it a good idea if every time someone needs to resolve your domain they must use TCP instead of UDP.

Cheers,
sahsanu
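
To make the numbers in #11 and #15 concrete, an added example (not from the thread) that estimates the wire size of the answer a validator receives when several DNS-01 TXT records share one owner name, following the RFC 1035 message layout (12-byte header, question section, one resource record per TXT value, with the 2-byte compression pointer a server normally uses for a repeated owner name) plus the 11-byte OPT pseudo-record EDNS0 adds (RFC 6891). The 512- and 4096-byte thresholds are the ones quoted in the thread; the query name is constructed, and the 43-character values are the length of any DNS-01 value (base64url of a 32-byte digest without padding).

```python
import math

HEADER_LEN = 12        # RFC 1035 section 4.1.1: fixed 12-byte message header
OPT_RR_LEN = 11        # RFC 6891 OPT pseudo-RR with empty RDATA (EDNS0)
UDP_CLASSIC = 512      # RFC 1035 UDP payload limit without EDNS0
LE_LIMIT = 4096        # response size the thread says Let's Encrypt accepts

DNS01_VALUE_LEN = 43   # base64url(32-byte SHA-256) without padding


def wire_name_len(name):
    """Uncompressed wire length of a domain name: 1 length byte per label plus the root."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def txt_rr_len(owner, value, compressed=True):
    """One TXT resource record: NAME TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) RDATA.
    TXT RDATA is one or more <character-string>s of at most 255 bytes, each
    prefixed by a length byte. `compressed` models the 2-byte pointer a
    server uses when the owner name already appears in the question."""
    data = value.encode()
    chunks = max(1, math.ceil(len(data) / 255))
    name_len = 2 if compressed else wire_name_len(owner)
    return name_len + 2 + 2 + 4 + 2 + len(data) + chunks


def response_len(qname, txt_values, compressed=True, edns=False):
    """Size of a response carrying `txt_values` as the answer section for `qname`."""
    size = HEADER_LEN + wire_name_len(qname) + 4          # question: QNAME QTYPE QCLASS
    size += sum(txt_rr_len(qname, v, compressed) for v in txt_values)
    if edns:
        size += OPT_RR_LEN                                # OPT RR in the additional section
    return size


def max_records_within(qname, limit, value_len=DNS01_VALUE_LEN, compressed=True, edns=False):
    """Largest number of TXT values whose response still fits in `limit` bytes."""
    n = 0
    while response_len(qname, ["A" * value_len] * (n + 1), compressed, edns) <= limit:
        n += 1
    return n


def fits(qname, count, limit, edns=False):
    """True when a response with `count` DNS-01 values fits within `limit` bytes."""
    return response_len(qname, ["A" * DNS01_VALUE_LEN] * count, edns=edns) <= limit


if __name__ == "__main__":
    qname = "acme-challenge.example.com."    # shared CNAME target, constructed
    for count in (1, 6, 8, 9, 50, 72, 73, 100):
        size = response_len(qname, ["A" * DNS01_VALUE_LEN] * count)
        verdict = ("fits in 512 (plain UDP)" if size <= UDP_CLASSIC
                   else "needs EDNS0 or TCP" if size <= LE_LIMIT
                   else "over 4096: expect truncation and a TCP retry")
        print(f"{count:3} TXT records -> {size:5} bytes: {verdict}")
    print("max within 512 :", max_records_within(qname, UDP_CLASSIC))
    print("max within 4096:", max_records_within(qname, LE_LIMIT))
```

The model counts only the question, the answer records and an optional OPT record; authority or additional records, or a server that does not compress owner names, make the real response larger, so treat the counts as upper bounds. Under these assumptions about eight 43-character values fit in a classic 512-byte UDP answer and about seventy in 4096 bytes, which is why piling every name’s challenge onto one shared target (#10) stops scaling well before the 100-SAN limit mentioned in #12.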


#16

excellent point!

doesn’t work anyway:

{"message":"Records may contain a maximum of 50 answers per record.Please contact support@ns1.com if you need the limit raised."}

#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.