Test certificates before changing DNS records


#1

Hello,
I have little experience with nameservers, so I don’t know if what I’m asking is actually possible. Anyway:

Sometimes I have to migrate websites from other servers to my own (Linux Apache). I work “locally” (/etc/hosts is my friend) until I’m sure everything is in order and only then I edit the A record on the DNS zone of the original server, making it point to my address.

Problem: I can’t do any check on HTTPS (“acme.sh --issue” fails) before such editing. So, isn’t there any way to make SSL work on my local server BEFORE those DNS changes?

(I have a DNS management tool - PowerDNS - and I can create authoritative zones)


#2

You can definitely do it.

If your domain’s using PowerDNS, you can use acme.sh’s dns_pdns plugin, which makes automated DNS changes using PowerDNS’s API.

You could also use the dns_nsupdate plugin to make changes using the standard dynamic update protocol. (You’d have to install the nsupdate client, which is from BIND. It’s probably in the same package as dig and nslookup and so forth.)

Even if your domain doesn’t primarily use PowerDNS, you could set up a separate zone, CNAME records, and use acme.sh’s DNS alias mode.

If you can’t or don’t want to set anything up, you can still use acme.sh’s manual DNS support, where you’d have to copy and paste the TXT records by hand. It would mean that certificates would have to be manually renewed, but that’s not a huge problem for local development environments.


#3

Thank you for the explanation!

For the time being, I’m trying to use manual DNS. I have added (to the actual registrar’s DNS Zone) the TXT record generated by acme.sh, but when I give the renew command it says:

Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to perform validation for challenge :: authorization must be pending","status": 400}

But maybe I just have to wait for DNS caching?


#4

Can you show the command and its output?

And maybe run it with --debug?

That error message shouldn’t happen. It’s not about your DNS or timing, it’s that you’re trying to validate the same challenge twice, which isn’t possible. (If it fails, you have to get a new one.)

I don’t know if acme.sh has any corner cases where it’s not so unexpected, though.
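Manual DNS mode (post #2) means pasting a TXT value you can check yourself before asking the CA to validate, which matters because a challenge that fails cannot be retried (post #4). The following is an added example, not code from the thread or from acme.sh: it computes the DNS-01 TXT value defined in RFC 8555 section 8.4 from the challenge token and the RFC 7638 thumbprint of the account key, and compares it against TXT answers as they would come back from the authoritative server; the key, token and answers are sample values, not a real account.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required public members, keys sorted,
    no whitespace, then SHA-256. Extra members (kid, alg, use) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(domain: str) -> str:
    """Owner name the CA queries; a wildcard is validated at its base name."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def record_is_published(txt_answers: list[str], token: str, account_jwk: dict) -> bool:
    """True if one of the TXT strings returned by the authoritative server
    (quoted or not, as dig prints them) equals the value the CA will look for."""
    expected = dns01_txt_value(token, account_jwk)
    return any(answer.strip().strip('"') == expected for answer in txt_answers)


# Sample values only (not a real account key or a real challenge token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "acct-1",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name = challenge_record_name("*.example.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. 120 IN TXT "{value}"')
    print("published:", record_is_published([value], SAMPLE_TOKEN, SAMPLE_JWK))
```

Feed `record_is_published` the strings from a TXT query against the zone's authoritative nameserver (not a caching resolver) and only trigger the renewal once it returns True.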