Subdomain Wildcard Cert Under Delegated NS Server

Hi,

I have this setup with two separate machines:

Machine1 - DNS server - DNS server for fangfree.com that delegates Machine2 to be NS server for customer2.fangfree.com
Machine2 - DNS server - DNS server for customer2.fangfree.com

I'm trying to get a wildcard subdomain certificate for customer2.fangfree.com generated from Machine2. Under Machine1 I have a DNS zone for subdomain customer2.fangfree.com which only defines the NS servers for that domain pointed to Machine2.

I have the proper acme CNAME record set on the DNS config for Machine2 but it fails to grab it. I may be hitting something else here but not sure.

Is this even possible, to delegate a subdomain to another NS server and grab that wildcard from there? Or can this only be done from Machine1? Thanks for any help.

My domain is: fangfree.com

I ran this command: certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.customer2.fangfree.com -d customer2.fangfree.com --agree-tos --email hostmaster@customer2.fangfree.com -n

certbot 1.32.0

1 Like

Hi @dacrud, and welcome to the LE community forum :slight_smile:

Request for

would require two TXT records.
Both of which would be handled by the [single] DNS server for the customer2.fangfree.com zone.

Please show that record to confirm.

Please show the log file it created.

3 Likes

Could you please provide the actual hostname? Because customer2 does not provide any NS RRs.

And to answer your other question: yes, this is perfectly possible.

Note that when you're using acme-dns, it really doesn't matter much from which server you try to get the certificate, as long as that host has the proper acme-dns credentials.

4 Likes

hmm...
I get two nameservers [with same IP]:

nslookup -q=ns customer2.fangfree.com ns1.fangfree.com
Server:  computer.fangfree.com
Address:  5.161.57.22
customer2.fangfree.com  nameserver = ns1.customer2.fangfree.com
customer2.fangfree.com  nameserver = ns2.customer2.fangfree.com
ns1.customer2.fangfree.com      internet address = 164.92.112.207
ns2.customer2.fangfree.com      internet address = 164.92.112.207

Ohhh!

nslookup -q=ns customer2.fangfree.com 164.92.112.207
Server:  UnKnown
Address:  164.92.112.207
*** UnKnown can't find customer2.fangfree.com: No response from server

Customer2 doesn't know it is authoritative for that zone - I missed that.

3 Likes
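What the two servers need to carry for that delegation to work, as an added example (BIND-style zone data, not something posted in the thread). The nameserver names, the 164.92.112.207 address and the acme-dns CNAME are the ones visible in the thread; the file name, TTLs and SOA timers are assumptions. The parent only delegates; the child must actually load a zone for customer2.fangfree.com, which is the part that was missing when Machine2 answered "No response".

```zone
; --- Machine1: inside the "fangfree.com" zone (parent) ---
; Only the delegation lives here. The parent must NOT try to answer for
; _acme-challenge.customer2: everything below the cut belongs to Machine2.
$ORIGIN fangfree.com.
$TTL 3600
customer2          IN NS    ns1.customer2.fangfree.com.
customer2          IN NS    ns2.customer2.fangfree.com.
; glue: the NS names sit inside the delegated zone, so the parent has to
; carry their addresses or resolvers can never reach the child at all
ns1.customer2      IN A     164.92.112.207
ns2.customer2      IN A     164.92.112.207

; --- Machine2: zone "customer2.fangfree.com" (child) ---
; Assumed named.conf stanza on Machine2 (file name is an assumption):
;   zone "customer2.fangfree.com" { type master; file "customer2.fangfree.com.zone"; };
; Without this zone loaded the server refuses or drops the query and the
; delegation is "lame": A says B is responsible, B says it is not.
$ORIGIN customer2.fangfree.com.
$TTL 3600
@                  IN SOA   ns1.customer2.fangfree.com. hostmaster.customer2.fangfree.com. (
                               2023042601 ; serial (assumed)
                               3600       ; refresh
                               900        ; retry
                               1209600    ; expire
                               300 )      ; negative-cache TTL
@                  IN NS    ns1.customer2.fangfree.com.
@                  IN NS    ns2.customer2.fangfree.com.
ns1                IN A     164.92.112.207
ns2                IN A     164.92.112.207
; the record from the thread, now inside the zone that actually serves it;
; the CA follows this CNAME to acme-dns and reads the TXT there
_acme-challenge    IN CNAME 1e979b4b-a053-4400-99da-34283206a75e.auth.acme-dns.io.
```

Note that the acme-dns CNAME is relative to the child zone's $ORIGIN here, not to fangfree.com: the same record placed in the parent zone would never be consulted by a resolver, because the parent hands out a referral for anything under customer2.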

Hmm, it also seems that if you do a simple dig +trace ... it does not reply with the NS RRs, only the SOA RR. Might be a dig thingy tho.

Hmm, or not.. DNSViz also has some issues: _acme-challenge.customer2.fangfree.com | DNSViz

4 Likes

A says B is responsible for that zone.
B says ... I don't know who is responsible!

3 Likes

But only when directly requested for an NS RR. However, the idea is that the delegating NS replies with the appropriate NS records even when requested e.g. a TXT RR.

For example, you just requested with -q=ns for NS RR directly. Try again with -q=txt and you'll get different results.

2 Likes
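The referral-versus-authoritative distinction above is visible in two header bits of the DNS reply: the AA flag and the RCODE. The script below is an added example, not code from the thread: it hand-builds a DNS query over UDP (no dnspython needed) and classifies the reply the way the replies above did by eye. Server addresses and the zone name are the ones from the thread; the transaction id and timeout are arbitrary choices.

```python
"""Probe a nameserver for a zone and say whether it is really authoritative.

Added example, not from the original thread. Sends a non-recursive query
directly to the server under test and inspects the reply header.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"NS": 2, "CNAME": 5, "SOA": 6, "TXT": 16}
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels plus root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=False):
    """12-byte header + one question. RD is off by default: we want the
    server's own view of the zone, not a recursive lookup on our behalf."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(resp):
    """Decode the header fields that matter for a delegation check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "ancount": an,
        "nscount": ns,
    }


def classify(hdr):
    """Turn header bits into the verdicts reached by hand in the thread."""
    if not hdr["qr"]:
        return "not a response"
    if hdr["rcode"] == "REFUSED":
        return "lame delegation: server is not configured for this zone"
    if hdr["aa"]:
        # AA set: the server serves the zone. NXDOMAIN with AA means the
        # zone is there but the name (e.g. _acme-challenge) is not.
        return "authoritative %s" % hdr["rcode"]
    if hdr["rcode"] == "NOERROR" and hdr["nscount"] and not hdr["ancount"]:
        # NS records in the authority section, nothing in the answer:
        # the server is pointing us at someone else (a delegation)
        return "referral: server delegates this name elsewhere"
    return "non-authoritative %s" % hdr["rcode"]


def probe(server, name, qtype="SOA", timeout=3.0):
    """Send one UDP query and classify the reply; header is None on timeout."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            # what nslookup reported as "No response from server"
            return None, "no response: query dropped or port 53 closed"
    hdr = parse_header(resp)
    if hdr["id"] != 0x1234:
        return hdr, "transaction id mismatch, ignoring reply"
    return hdr, classify(hdr)


if __name__ == "__main__":
    zone = "customer2.fangfree.com"
    # parent (Machine1) should answer with a referral; child (Machine2)
    # with an authoritative SOA once its zone is actually loaded
    for label, server in (("parent", "5.161.57.22"), ("child", "164.92.112.207")):
        _, verdict = probe(server, zone, "SOA")
        print("%s %s: %s" % (label, server, verdict))
```

Asking for SOA rather than NS avoids the ambiguity noted above: a parent may return the child's NS set either way, but only a server that loads the zone answers SOA with AA set. Run the same probe for TXT on _acme-challenge.customer2.fangfree.com against the child to confirm the CNAME is served from the right place before retrying certbot.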

Same result:

nslookup -q=txt customer2.fangfree.com 164.92.112.207 <<< IP of customer2
Server:  UnKnown
Address:  164.92.112.207
*** UnKnown can't find customer2.fangfree.com: No response from server
2 Likes

Yeah true, but I actually meant the first example you tried :stuck_out_tongue:

The fact that the second DNS server doesn't actually recognise the hostname it's supposed to be serving RRs for is also a problem, but I was more concerned about the delegation part first.

3 Likes

The CNAME record looks like this:

_acme-challenge.customer2 IN CNAME 1e979b4b-a053-4400-99da-34283206a75e.auth.acme-dns.io.

Here's the letsencrypt.log:

HTTP 200
Server: nginx
Date: Wed, 26 Apr 2023 18:57:51 GMT
Content-Type: application/json
Content-Length: 667
Connection: keep-alive
Boulder-Requester: 1080977797
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: A5FEDw-kb7_QvtmHE1-J7U2pNyNSzD2ZygzGCrkD157--Ow
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "customer2.fangfree.com"
},
"status": "invalid",
"expires": "2023-05-03T18:57:46Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.customer2.fangfree.com - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/222745380507/_Nh_HQ",
"token": "bOgzvDu5hhAJnLCpDonqXZk3cHz1j_qbHchHDF6Le4w",
"validated": "2023-04-26T18:57:50Z"
}
]
}
2023-04-26 18:57:51,099:DEBUG:acme.client:Storing nonce: A5FEDw-kb7_QvtmHE1-J7U2pNyNSzD2ZygzGCrkD157--Ow
2023-04-26 18:57:51,100:INFO:certbot._internal.auth_handler:Challenge failed for domain customer2.fangfree.com
2023-04-26 18:57:51,100:INFO:certbot._internal.auth_handler:Challenge failed for domain customer2.fangfree.com
2023-04-26 18:57:51,100:INFO:certbot._internal.auth_handler:dns-01 challenge for customer2.fangfree.com
2023-04-26 18:57:51,100:INFO:certbot._internal.auth_handler:dns-01 challenge for customer2.fangfree.com
2023-04-26 18:57:51,100:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: customer2.fangfree.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.customer2.fangfree.com - check that a DNS record exists for this domain

Domain: customer2.fangfree.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.customer2.fangfree.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

2023-04-26 18:57:51,100:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3.10/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

If you want to do any queries against the DNS on customer2.fangfree.com it is now up and running. Thanks for the help

1 Like

Yeah, your NS redirect doesn't work. As mentioned above.

4 Likes

In which DNS server was that set?

3 Likes

Not at ns1.customer2.fangfree.com. or ns2.customer2.fangfree.com. it seems.

3 Likes
