Trouble with dns-rfc2136 plugin

gturchi · May 26, 2026, 2:22pm

Hi all. I'm testing certbot+dns-rfc2136 container (version certbot 5.6.0) in a on-premises kubernetes. Also in kubernetes I have a bind9 configured to handle dynamic updates on a specific domain (_acme-challenge.l39a.space), and many domains with _acme-challenge as a CNAME pointing to _acme-challenge.l39a.space.

The most strange thing is that for some domains the certificates are released without any problem (l39a.space, l39a.com as two examples), but for other domains there is the error:

"Encountered exception during recovery: certbot.errors.PluginError: Unable to determine base domain for _acme-challenge.vsforme.com using names: ['_acme-challenge.vsforme.com', 'vsforme.com', 'com']."

vsforme.com is one of the failing domains, of course. But the domain configuration is, or should be, exactly the same of the working domains... I directly hosts the dns for some of the domains, others are on different providers, but I can't see any correlation between the working domains and the non working ones.

All of these domains where handled, correctly, with certbot with --manual option and some self-made script to handle the dns update.

Osiris · May 26, 2026, 2:38pm

I don't think Certbot likes CNAMEs with the dns-01 challenge. This has been a feature request since 2015 already:

github.com/certbot/certbot

Allow updating domain pointed to by CNAME in DNS plugins

opened 08:00PM - 06 Dec 18 UTC

bmw

feature request area: security has pr area: dns

Say you have the domain `important.example.org` and want to obtain a wildcard ce…rtificate. One way you could do that is make a CNAME record at `_acme-challenge.important.example.org` that points to `dnsprovider.example.com`. This approach allows you to only put the DNS credentials for `dnsprovider.example.com` on your server for use with Certbot while keeping your credentials for `important.example.org` secure. This is a better approach from a security perspective and one we even recommended in https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation. Unfortunately, Certbot doesn't let you do this because it tries to modify the domain you requested the certificate for instead of the domain pointed to by the CNAME. We cannot just always modify the domain pointed to by a CNAME, but giving the users the option to do this seems valuable to me. There was some progress made on this in https://github.com/certbot/certbot/pull/5350 which is now closed, but the work is preserved in the branch [quinot/topic/dns-follow-cnames](https://github.com/certbot/certbot/tree/quinot/topic/dns-follow-cnames).

Unfortunately I'm not sure if this feature is going to land very soon. There are PR requests on the Certbot GH repo like

But it has not seen updates for over a year now and there were some issues raised by the Certbot devs.

gturchi · May 26, 2026, 2:41pm

Yes, but... why some, could be the majority, of the domains are working and some not??

Osiris · May 26, 2026, 2:43pm

Hm, yes, that's curious. I read l39a.space as a working domain and that would make sense, as that's the "destination" of the CNAME. But l39a.com shouldn't work. I dunno TBH

Topic		Replies	Views
Certbot 1.32 dns challenge with CNAME to acme/dynamic zone allowing updates Help	35	1420	January 13, 2023
Problems with certbot dns challenge - Unable to determine base domain Server	8	9906	April 14, 2018
Domain authentication fails with dns-rfc2136 plugin Help	15	1594	July 27, 2022
Unable to determine base domain for _acme-challenge.ess.eu using names Help	3	1343	July 2, 2023
Problem certbot and dns-rfc2136 plugin Help	14	1308	October 19, 2023

Trouble with dns-rfc2136 plugin

Related topics