Subdomain without DNS wildcard

Hi

We have an Nginx frontend. I want certbot to automatically create subdomains.

A DNS wildcard is not a preferred option. I believe that would create more unnecessary traffic to our frontend. The current process is to log in at the DNS provider and add the new subdomains manually.

I would like certbot to automatically create a record via the DNS provider's API.
https://www.proisp.no/api/dns

Can certbot or certbot-auto do this?

My domain is:
crm.lts.no

I ran this command:

certbot -d crm.lts.no -d www.crm.lts.no

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for crm.lts.no and www.crm.lts.no

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: crm.lts.no
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for crm.lts.no - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for crm.lts.no - check that a DNS record exists for this domain

Domain: www.crm.lts.no
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.crm.lts.no - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.crm.lts.no - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx version: nginx/1.22.1

The operating system my web server runs on is (include version):

Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is:

Proisp (owned by one.com)

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.1.0

You mean, you would not first add the subdomain yourself into the DNS zone, but request a certificate using Certbot for a new subdomain and Certbot somehow manages to add the A record into the DNS zone just before it tries to get a certificate?

Yes! that is exactly what I was thinking.

I don't see any DNS plugin for ProISP/Syse for Certbot, nor do I see any such integration into well known ACME clients that support a ton of DNS providers (lego and acme.sh). Not that those plugins would be helpful directly, as those would be used for adding and removing TXT RR for the dns-01 challenge, not adding A/AAAA RRs. But it would perhaps be a good start.

So you'd need to program your own script interfacing with the DNS API. Which you then could use in the Certbot --pre-hook command line option, if necessary. You'd need to supply the script with the subdomain you wish to add though, as Certbot apparently doesn't provide environment variables for the --pre-hook scripts. You probably also want to make sure your script doesn't keep adding subdomains that already exist :man_shrugging: Unless the API would ignore such requests I guess..

Also:

There's no such thing as certbot-auto any more for many, many years now.

3 Likes
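Added example, not code from this thread, Certbot or ProISP: a sketch of the `--pre-hook` script described above. It takes the subdomain and target IP as arguments (Certbot passes no environment variables to pre-hooks), only creates the A record when it is missing, refuses to overwrite a name that already points elsewhere, and waits for the name to resolve before letting the challenge run. The two provider API functions are placeholders to fill in, since the ProISP API endpoints are not given here.

```python
#!/usr/bin/env python3
"""Idempotent certbot --pre-hook: make sure an A record exists for the
subdomain before the http-01 challenge starts (otherwise NXDOMAIN)."""
import socket
import sys
import time


def api_list_records():
    """Placeholder (assumed): return [(type, name, value), ...] from the
    DNS provider's API. Fill in with the provider's real endpoint."""
    raise NotImplementedError("implement against your DNS provider's API")


def api_add_a_record(fqdn, ip):
    """Placeholder (assumed): create an A record via the provider's API."""
    raise NotImplementedError("implement against your DNS provider's API")


def plan(existing, fqdn, ip):
    """Decide what to do for fqdn given the provider's current records.
    'noop'     -> matching A record already exists
    'conflict' -> the name exists but points at a different address
    'create'   -> nothing there yet"""
    fqdn = fqdn.rstrip(".").lower()
    for rtype, name, value in existing:
        if rtype.upper() == "A" and name.rstrip(".").lower() == fqdn:
            return "noop" if value == ip else "conflict"
    return "create"


def wait_for_propagation(fqdn, ip, timeout=120, interval=5):
    """Poll the local resolver until fqdn resolves to ip, or give up."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            if ip in {a[4][0] for a in socket.getaddrinfo(fqdn, None)}:
                return True
        except socket.gaierror:
            pass
        time.sleep(interval)
    return False


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: ensure_a_record.py <fqdn> <ipv4>")
    fqdn, ip = argv[1], argv[2]
    action = plan(api_list_records(), fqdn, ip)
    if action == "conflict":
        sys.exit(f"{fqdn} already has an A record with another value; not overwriting")
    if action == "create":
        api_add_a_record(fqdn, ip)
    if not wait_for_propagation(fqdn, ip):
        sys.exit(f"{fqdn} did not resolve to {ip} in time; aborting before the challenge")


if __name__ == "__main__":
    main(sys.argv)
```

Invoke it as `certbot --pre-hook "/path/ensure_a_record.py crm.lts.no 203.0.113.10" -d crm.lts.no` (IP is a constructed example); a non-zero exit from the hook stops Certbot before it requests the certificate.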

OK! Thanks for your valuable input @Osiris

Spinning up a new subdomain also involves other tasks. I now believe that a tool outside of certbot would be the most effective option.

3 Likes

Might you be looking for a front-end like Caddy, maybe with a DNS wildcard (though not a certificate wildcard) to just point all the subdomains to that server? Caddy can just create certificates for subdomains as needed.

2 Likes