Unable to use DNS-Challenge on domain

My domain is: ariatwofive.de

Hello. I'm hosting a domain at strato.de. It includes several subdomains, which have a CNAME pointing to the root domain (all set up on strato.de). The root domain is updated with DDNS on my router. I added the domain to Cloudflare, I didn't change the nameserver on strato though. I created an API Token, installed the Let's Encrypt addon and added everything to my config.

I'm running the Let's Encrypt addon in Home Assistant. This is the config:

certfile: fullchain.pem
challenge: dns
dns:
  provider: dns-cloudflare
  cloudflare_email: xxx@xxx.com
  cloudflare_api_token: xxxxxxxxxxxxxxxxxxx
domains:
  - ariatwofive.de
  - '*.ariatwofive.de'
email: xxx@xxx.com
keyfile: privkey.pem

This is the error log from Let's Encrypt:

Requesting a certificate for ariatwofive.de and *.ariatwofive.de
Waiting 60 seconds for DNS changes to propagate
Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
  Domain: ariatwofive.de
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.ariatwofive.de
  Domain: ariatwofive.de
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.ariatwofive.de
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-cloudflare. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-cloudflare-propagation-seconds (currently 60 seconds).
Some challenges have failed.

I fear that I missed a step in adding my Website to Cloudflare, right? I followed a bunch of tutorials and one (I think on Cloudflare itself) specifically said not to add the nameserver, but I don't remember the context.

How would the world know to look at the Cloudflare DNS servers then?


I don't know :stuck_out_tongue_winking_eye: So what's the step I need to do here? Add the name servers of CF to Strato?

Let's begin with the beginning:

  • Do you actually require a wildcard certificate?
  • If not, do you actually require the dns-01 challenge?

Well I am using multiple subdomains, so it would be easier to just use a wildcard certificate over x individual certificates, right?

And for that, I need the dns-01-challenge as far as I understand.

It depends on the situation. If the amount of subdomains is not extraordinary and not dynamic, I don't see a reason why you would need a wildcard certificate. Sometimes you might not want to include a subdomain in the certificate due to privacy reasons or something, but purely the fact you have "multiple subdomains" wouldn't be a definitive argument for a wildcard IMHO.

Let's Encrypt certificates can contain up to 100 hostnames, so including the apex domain you can include 99 subdomains.

Yes, for a wildcard you'd need that. That's why I'm asking if you really require a wildcard to begin with. If you could just use the http-01 challenge, it would probably be way more easy than using the dns-01 challenge.


Well it's not that many, just 5 or 6 so far. The overall IP is dynamic, but I've set up DDNS for that reason.

I would just save the time to open and close port 80. I don't need it otherwise since everything is over SSL. Even if I didn't use wildcard certificates, I would solve this "problem".

What would be the solution to this? I changed the NS at Strato to the ones of CF. It failed the last time because I didn't know I had to add a "." at the end. The Strato documentation doesn't say so specifically, so I didn't know before.

Why would you close port 80 anyway.....

I would recommend keeping port 80 open (because there really is no justification for closing it to begin with) and use the http-01 challenge.

That's common DNS practice. Proper FQDNs end with a dot for the root domain. If you leave out the dot for the root domain you're entering a (multi-label) subdomain for your zone origin. I.e., www.example.com instead of www.example.com. would actually be www.example.com.example.com.


Should I leave it open even if the server is running at my home? Feels unsafe tbh. Nothing except Let's Encrypt used that port anyway, so no need to leave it open if I use it once every three months.

Is changing the name server the solution to my problem?

Why would port 80 be any unsafer than the same application accessible on port 443?

If you want to continue using the dns-01 challenge with the Cloudflare plugin, then yes, your nameservers should point to Cloudflare's nameservers.


I don't know, maybe I should read up on it. Since port 443 is used for SSL it feels safer :stuck_out_tongue_winking_eye:

Thank you very much for your help! I need to wait a few hours for the NS to be updated, then can check if it works or not.

The only thing TLS on port 443 adds towards protection against hackers is that hackers can hack your server without anyone else listening in on the connection knowing what the hacker is doing.


Well it worked!

Added question: Can I use CNAMEs that I have set up on Strato when I add my domain to CF and change the NS to the ones of CF? My subdomains aren't reachable anymore and creating CNAMEs in CF is a business plan feature. I do have the ability to add stuff in the DNS Management in CF, but I'm not sure what the proper way is.

I'm not quite sure I understand what CFs job in all this is. Is the DNS Management even the right section to do these settings?

I don't understand. When you set the NS to CF, it really doesn't matter what you set up on Strato. They'll be ignored.

What is also a possibility is to keep almost all your stuff on Strato, but add an NS delegation purely for the _acme-challenge subdomain.

I.e.:

www             IN A  1.2.3.4
@               IN MX 10 mail.example.com.
; NS targets outside the zone must end with a dot; without it the zone
; origin is appended and the delegation points at foo.cloudflare.com.example.com.
_acme-challenge IN NS foo.cloudflare.com.
_acme-challenge IN NS bar.cloudflare.com.

That way only the _acme-challenge subdomain is delegated to CF.

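Added example, not from the thread: a minimal Python zone-fragment parser that applies the trailing-dot rule from the FQDN reply above to the _acme-challenge NS delegation, and flags NS targets that silently ended up inside the zone. The origin example.com. and all record values are constructed.

```python
# Added example, not from the thread. Zone-file names that do not end in
# "." are relative to $ORIGIN; this minimal parser makes that explicit and
# flags NS delegations that accidentally point back inside the zone.

def absolutize(name: str, origin: str) -> str:
    """Return the fully qualified form of a zone-file name (origin is constructed)."""
    if not origin.endswith("."):
        raise ValueError("origin must be absolute (end with '.')")
    if name == "@":
        return origin
    if name.endswith("."):
        return name                      # already absolute, keep as-is
    return f"{name}.{origin}"            # relative: origin is appended

def parse_zone(text: str, origin: str) -> list[tuple[str, str, str]]:
    """Parse 'owner IN TYPE rdata' lines into (owner, type, rdata) triples.
    A line starting with whitespace inherits the previous owner; only class IN."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue                     # skip blank lines and comments
        fields = raw.split()
        if raw[0].isspace():
            fields.insert(0, last_owner) # blank owner inherits previous owner
        owner, _cls, rtype, *rdata = fields
        last_owner = owner
        if rtype in ("NS", "CNAME"):     # hostname rdata is origin-relative too
            rdata = [absolutize(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], absolutize(rdata[1], origin)]
        records.append((absolutize(owner, origin), rtype, " ".join(rdata)))
    return records

def suspicious_delegations(records, origin):
    """NS records whose target landed inside the zone itself (missing dot)."""
    return [(o, r) for o, t, r in records if t == "NS" and r.endswith("." + origin)]

# Constructed fragment modelled on the delegation above; the last NS line
# omits the trailing dot, which is the mistake discussed in the thread.
ZONE = """\
www             IN A  1.2.3.4
@               IN MX 10 mail.example.com.
_acme-challenge IN NS foo.cloudflare.com.
_acme-challenge IN NS bar.cloudflare.com
"""
```

Running `suspicious_delegations(parse_zone(ZONE, "example.com."), "example.com.")` reports the second NS record, whose target resolved to bar.cloudflare.com.example.com. instead of the intended external nameserver.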

Hm, there is a lot of weird stuff going on that I don't understand, so I'll just go back to good old http-01 challenges and running everything via Strato. Thanks for your help!

