Trouble Validating Wildcard certificates


#1

I’m trying to validate that I’m using the correct procedure here. I have multiple wildcard domains that I’d like to secure. I’ve registered an acmedns user at https://auth.acme-dns.io; created _acme-challenge CNAMEs for each of the domain names in question and set environment variables holding the ACMEDNS_USERNAME, PASSWORD, SUBDOMAIN and UPDATE_URL. I’m using acme.sh and it appears that the issue operation only succeeds for one or two domains at a time. By repeatedly running the issue command with the domain names in different orders I got to the stage where I’ve now run into rate limits so I’m a bit stuck.

My domain is: Multiple domains including *.pantherwin.co.uk

I ran this command:
acme.sh --debug --issue -d pantherwin.co.uk --dns dns_acmedns --challenge-alias pantherwin.co.uk -d *.pantherwin.co.uk -d domain2.co.uk -d *.domain2.co.uk -d domain3.co.uk -d *.domain3.co.uk -d domain4.co.uk -d *.domain4.co.uk -d domain5.co.uk -d *.domain5.co.uk -d domain6.co.uk -d *.domain6.co.uk -d domain7.co.uk -d *.domain7.co.uk -d domain8.co.uk -d *.domain8.co.uk

It produced this output: Too much to include but, essentially it is failing to issue a certificate.

My web server is (include version): Apache 2.2.15

The operating system my web server runs on is (include version): CentOS 6.9

My hosting provider, if applicable, is: 1&1

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Hi @edspess,

Details are really important :wink:, the same as writing the real unedited command you have used :stuck_out_tongue:

You forgot to write the --dns param used, but I suppose you are using the acme-dns plugin. Well, acme-dns (in this case you used auth.acme-dns.io) only holds 2 TXT records per registration. As DNS challenges are created at the same time and, once created, they are validated by LE, that is the reason that just 2 domains can be validated at the same time. The acme-dns plugin should be able to work with multiple registrations to avoid this issue.

Cheers,
sahsanu


#3

Sorry, I was a bit over zealous when tidying up the command!

I am attempting to use the acme-dns plugin. On the face of it, it has appeared to work on another similar server but it might be that on that occasion I actually ran the command multiple times. It seems that each time I run it, it will verify the last domain in the list.


#4

No worries :wink:

It should validate the last 2 domains because of the only 2 TXT records allowed per registration (if there are already 2 TXT records and acme-dns receives a new one, it replaces the oldest TXT record). If you ran the command multiple times you finally got the cert, but keep in mind that it works because LE caches validations for 30 days, but when you try to renew the cert in 60-90 days you will have the same issue.

Cheers,
sahsanu
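The two-records-per-registration behaviour described in posts #2 and #4 can be modelled offline. The following is an added illustration, not code from acme-dns, acme.sh or anyone in this thread: it assumes a simplified acme-dns store that keeps only the 2 most recent TXT values per registration, an ACME client that writes every challenge record before the CA validates any of them, and constructed domain names and token values. It shows why a shared registration validates only the last base name and its wildcard, while one registration per domain validates everything.

```python
from collections import deque
import hashlib


class FakeAcmeDns:
    """Minimal model of an acme-dns registration store.

    Assumption (from the thread): each registration keeps only the 2 most
    recent TXT values; writing a third one evicts the oldest."""

    def __init__(self, limit=2):
        self.limit = limit
        self.records = {}  # registration subdomain -> deque of TXT values

    def register(self, label):
        # Constructed placeholder host name, not a real acme-dns instance
        sub = f"{label}.auth.acme-dns.invalid"
        self.records[sub] = deque(maxlen=self.limit)  # maxlen drops the oldest entry
        return sub

    def update(self, sub, txt):
        self.records[sub].append(txt)

    def txt(self, sub):
        return list(self.records.get(sub, []))


def challenge_value(identifier):
    """Stand-in for the key-authorization digest the CA expects in the TXT record."""
    return hashlib.sha256(f"constructed-token-{identifier}".encode()).hexdigest()[:43]


def challenge_name(identifier):
    """'*.example.test' and 'example.test' both validate at _acme-challenge.example.test."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def issue(acme_dns, cnames, identifiers):
    """Model one ACME order: publish every challenge, then let the CA check them all.

    cnames maps each _acme-challenge name to the acme-dns registration it
    points at. Returns identifier -> whether its TXT value was still present."""
    pending = []
    for ident in identifiers:
        sub = cnames[challenge_name(ident)]
        value = challenge_value(ident)
        acme_dns.update(sub, value)  # the client writes all records before validation
        pending.append((ident, sub, value))
    # Validation happens only after every record has been written
    return {ident: value in acme_dns.txt(sub) for ident, sub, value in pending}


def identifiers_for(domains):
    """Base name plus its wildcard, in the order a multi -d command lists them."""
    return [name for d in domains for name in (d, f"*.{d}")]


def scenario_single_registration(domains):
    """One acme-dns account shared by every domain: the situation in the thread."""
    acme_dns = FakeAcmeDns()
    shared = acme_dns.register("shared")
    cnames = {challenge_name(d): shared for d in domains}
    return issue(acme_dns, cnames, identifiers_for(domains))


def scenario_registration_per_domain(domains):
    """One acme-dns account per domain: each holds its base + wildcard values."""
    acme_dns = FakeAcmeDns()
    cnames = {challenge_name(d): acme_dns.register(f"reg{i}")
              for i, d in enumerate(domains)}
    return issue(acme_dns, cnames, identifiers_for(domains))


if __name__ == "__main__":
    sample = ["example1.test", "example2.test", "example3.test"]  # constructed names
    for title, fn in (("shared registration", scenario_single_registration),
                      ("registration per domain", scenario_registration_per_domain)):
        result = fn(sample)
        ok = [i for i, v in result.items() if v]
        print(f"{title}: {len(ok)}/{len(result)} identifiers validated -> {ok}")
```

With three constructed domains the shared registration validates only `example3.test` and `*.example3.test` (the last two values written), which matches the "only the last domain in the list" symptom; with a registration per domain all six identifiers validate because each registration holds exactly the two values it needs.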


#5

Thank you @sahsanu I think that’s the conclusion I reached too. I couldn’t see any sensible way to set different acme-dns credentials for each domain in the request (although that was my original intention).

I do have yet another server to do the same thing on and we have at least as many domains as this one again.

If the whole process has to be repeated every time the certificates are due for renewal then it doesn’t really scale well enough for me. Hopefully we can come up with a workaround where we don’t need wildcards.


#6

You are welcome. I’m working on a hook script for the certbot client that should solve this situation; once finished I will try to make it compatible with the acme.sh client, but I don’t have too much time to work on it now.


#7

There currently is a Certbot hook written in Python that handles this behind the scenes; check: https://github.com/joohoi/acme-dns-certbot-joohoi

However, @edspess I see that you are using my test instance of acme-dns for the validation. I’m not planning to take it offline any time soon, but it should be noted that by using this instance (pointing your CNAME records towards it) you are effectively giving me, the domain owner, the power to validate certificates for your domains.

Acme-dns was designed to be run as a self-hosted service, but you are of course free to use the testing instance as well; I think the issue with the trust chain needs to be acknowledged.
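The trust point raised above (whoever controls the target of your `_acme-challenge` CNAME can answer DNS-01 challenges for your domain) is easy to audit from your own zone data. The following is an added example, not code from acme-dns or from anyone in this thread: it works over a constructed dictionary of CNAME records (in practice you would gather them with `dig` or from your zone files), follows CNAME chains, and reports which domains delegate validation to a host outside the domain itself or outside the zones you list as trusted (an assumption you would set to the acme-dns instance you host yourself).

```python
# Constructed sample zone data: owner name -> CNAME target (not real records)
RECORDS = {
    "_acme-challenge.alpha.example": "a1b2c3d4.auth.acme-dns.io",      # third-party instance
    "_acme-challenge.beta.example": "beta-chal.acme.alpha.example",    # first hop of a chain
    "beta-chal.acme.alpha.example": "e5f6a7b8.acme.alpha.example",     # self-hosted acme-dns
    "_acme-challenge.gamma.example": "validation.gamma.example",       # stays inside the domain
    "_acme-challenge.delta.example": "delta-chal.other.example",       # unknown operator
}


def resolve_chain(name, records, max_hops=8):
    """Follow CNAMEs until a name that is not itself a CNAME, a loop, or the hop limit.

    Returns the terminal name, i.e. where the TXT record would actually be served."""
    seen = []
    while name in records and len(seen) < max_hops:
        if name in seen:  # CNAME loop: stop and report the repeated name
            break
        seen.append(name)
        name = records[name]
    return name.rstrip(".").lower()


def in_zone(name, zone):
    """True when name is zone itself or a subdomain of it."""
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def audit(domains, records, trusted_zones):
    """Map each domain to ('self' | 'third-party', terminal name).

    'self' means the challenge is served inside the domain or inside a zone you
    list as trusted; anything else is an operator who can validate your names."""
    report = {}
    for d in domains:
        target = resolve_chain(f"_acme-challenge.{d}", records)
        trusted = in_zone(target, d) or any(in_zone(target, z) for z in trusted_zones)
        report[d] = ("self" if trusted else "third-party", target)
    return report


if __name__ == "__main__":
    domains = ["alpha.example", "beta.example", "gamma.example", "delta.example"]
    # Assumption: acme.alpha.example is the acme-dns instance you run yourself
    for d, (who, target) in audit(domains, RECORDS, ["acme.alpha.example"]).items():
        print(f"{d}: {who} ({target})")
```

Run on the constructed data it flags `alpha.example` and `delta.example` as delegating validation to a third party, while `beta.example` (chained to the self-hosted instance) and `gamma.example` (never leaves the domain) are reported as self-controlled.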


#8

Hi @joohoi and thank you for your reply. I am indeed pointing at your test instance and I’m very grateful that you’ve made it available.

I did embark on the road to self-hosting but needed to get moving a bit more quickly and that was just another new thing that I didn’t have time to do. Each step I take though leads me closer to understanding how all of this stuff works :wink:


#9

This is all fine, and I’m going to keep it running; the trust issue should just be noted. There’s also the fact that the instance is intended for testing, so I give no guarantees about database integrity etc.

There will be some changes coming in down the line that require me to nuke the existing database too. This means that the automation you set up against the test instance will fail.

Yeah, despite acme-dns being a rather simple implementation, there’s a lot of configuration around it to make it actually do what it does. It’s not too simple a task to get it up and running.

