Status of CNAME alias support in Certbot?

Anyone,

I reviewed the Certbot repository and open issues last night because I was trying to set up a domain to use a CNAME alias for DNS verification. I would prefer to use the RFC 2136 plugin to automatically update a delegated zone and keep my root zone isolated.

It appears that this feature was added to Certbot some time ago and more recently removed due to a bug. Am I reading the status of this feature correctly, or does the current version support this kind of setup again? There appear to be several issues related to this, several closed and at least one open.

I realize that acme.sh and some other clients do support this feature but I would prefer to use Certbot unless it will not support my use case. I realize this may seem a bit arbitrary but I prefer to use official clients when possible and I also have an interest in Python as a programming language.

Thanks in advance for all replies,

Josh


Don’t forget that whether or not the RFC2136 plugin follows CNAMEs (it doesn’t look like it to me right now, but I’m not 100% sure), you can always perform the same task with a simple Certbot authentication hook.

For example:

/root/auth.sh

#!/usr/bin/env bash
# Certbot runs this as "/root/auth.sh auth" before validation and as
# "/root/auth.sh cleanup" afterwards; CERTBOT_VALIDATION is set by Certbot.

RFC2136_SERVER="127.0.0.1"
# The name the _acme-challenge CNAMEs point at, in the delegated zone.
RECORD_TO_UPDATE="_acme-challenge.cname-example.com"

case "$1" in
  auth)
    # Add the TXT record; the trailing blank line makes nsupdate send the update.
    echo -e "server ${RFC2136_SERVER}\nupdate add ${RECORD_TO_UPDATE}. 1 TXT ${CERTBOT_VALIDATION}\n\n"  | nsupdate
    # Give the record time to become visible before Certbot asks the CA to check it.
    sleep 10
    ;;
  cleanup)
    # Remove every TXT record at the name once validation is done.
    echo -e "server ${RFC2136_SERVER}\nupdate delete ${RECORD_TO_UPDATE}. TXT\n\n"  | nsupdate
    ;;
esac

may be combined with:

certbot certonly --manual --manual-auth-hook "/root/auth.sh auth" \
--manual-cleanup-hook "/root/auth.sh cleanup" --preferred-challenges dns \
-d points-to-cname.com -d also.points-to-cname.com
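A fuller version of the same hook approach, added here as an example and not code from the thread or from the Certbot project. Instead of hard-coding the target name, it follows the CNAME from _acme-challenge.<domain> into the delegated zone, deletes only its own TXT value on cleanup (so two domains aliased to the same target do not clobber each other), signs the update with a TSIG key, and polls the nameservers for the TXT record rather than sleeping a fixed number of seconds. The TSIG key file path, the CHALLENGE_NAMESERVERS variable, the TTL and the retry settings are assumptions, not anything the posts above specify.

```shell
#!/usr/bin/env bash
# Added example hook, not Certbot's or the poster's code. It follows the CNAME
# from _acme-challenge.<domain> to the record in the delegated zone, updates
# that zone with nsupdate, and polls nameservers for the TXT instead of
# sleeping a fixed time. Assumed (not from the thread): the TSIG key file
# path, the CHALLENGE_NAMESERVERS variable, the TTL and retry settings.
set -euo pipefail

RFC2136_SERVER="${RFC2136_SERVER:-127.0.0.1}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/certbot/rfc2136.key}"            # assumption
CHALLENGE_NAMESERVERS="${CHALLENGE_NAMESERVERS:-$RFC2136_SERVER}"   # assumption
TXT_TTL=60
MAX_CNAME_HOPS=5
WAIT_TRIES=30
WAIT_INTERVAL=5

# Real lookups. They are passed to the functions below by name so the logic
# can be exercised with fake lookups and no resolver.
dig_cname() { dig +short "$1" CNAME; }
dig_txt()   { dig +short "$1" TXT "@$2"; }

# Follow CNAMEs from $1 and print the name that must hold the TXT record,
# without a trailing dot. $2 prints the CNAME target of its argument, or
# nothing when the name is not an alias.
follow_cname() {
  local name="${1%.}" lookup="$2" target hops=0
  while target="$("$lookup" "$name")" && [ -n "$target" ]; do
    name="${target%.}"
    hops=$((hops + 1))
    if [ "$hops" -gt "$MAX_CNAME_HOPS" ]; then
      echo "CNAME chain from $1 is longer than $MAX_CNAME_HOPS hops" >&2
      return 1
    fi
  done
  printf '%s\n' "$name"
}

# Print the nsupdate commands to add or delete one TXT value. Deleting the
# specific value (not every TXT at the name) keeps cleanup for one domain
# from removing a sibling domain's pending challenge at the same target.
nsupdate_script() {
  local action="$1" name="$2" value="$3"
  printf 'server %s\n' "$RFC2136_SERVER"
  case "$action" in
    add)    printf 'update add %s. %d TXT "%s"\n' "$name" "$TXT_TTL" "$value" ;;
    delete) printf 'update delete %s. TXT "%s"\n' "$name" "$value" ;;
    *)      echo "unknown action: $action" >&2; return 1 ;;
  esac
  printf 'send\n'
}

# Poll until every server in $3 (space separated) answers $1 TXT with $2.
# $4 is a lookup function taking (name, server). Returns 1 on timeout.
wait_for_txt() {
  local name="$1" value="$2" servers="$3" lookup="$4" try ns answer missing
  for ((try = 1; try <= WAIT_TRIES; try++)); do
    missing=0
    for ns in $servers; do
      answer="$("$lookup" "$name" "$ns")" || answer=""
      grep -Fqx "\"$value\"" <<<"$answer" || missing=1
    done
    [ "$missing" -eq 0 ] && return 0
    sleep "$WAIT_INTERVAL"
  done
  echo "TXT for $name not visible on all of: $servers" >&2
  return 1
}

# Certbot invokes "auth.sh auth" / "auth.sh cleanup" and sets CERTBOT_DOMAIN
# and CERTBOT_VALIDATION for both hooks.
case "${1:-}" in
  auth)
    target="$(follow_cname "_acme-challenge.${CERTBOT_DOMAIN}" dig_cname)"
    nsupdate_script add "$target" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
    wait_for_txt "$target" "$CERTBOT_VALIDATION" "$CHALLENGE_NAMESERVERS" dig_txt
    ;;
  cleanup)
    target="$(follow_cname "_acme-challenge.${CERTBOT_DOMAIN}" dig_cname)"
    nsupdate_script delete "$target" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
    ;;
esac
```

It is invoked with the same certbot command line as the hook above. Two points worth keeping even if you simplify it: signing the update with a TSIG key (nsupdate -k) means only holders of that key can write to the delegated zone, and on a BIND server the key can be restricted further with an update-policy grant that allows only TXT records under the _acme-challenge names; and polling the authoritative servers for the exact value before returning avoids the guesswork of tuning a sleep to the zone's propagation delay.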

Thanks. I’ll give that a try and reply back.


Manual mode worked like a charm. I had to adjust the sleep time a bit due to DNS propagation delay but after that it worked fine.

Thanks

Josh
