Hello. I'm hosting a domain at strato.de. It includes several subdomains, which have a CNAME pointing to the root domain (all setup on strato.de). The root domain is updated with DDNS on my router. I added the domain to cloudflare, I didn't change the nameserver on strato though. I created an API Token, installed the Let's Encrypt addon and added everything to my config.
I'm running the Let's Encrypt addon in Home Assistant. This is the config:
Requesting a certificate for ariatwofive.de and *.ariatwofive.de
Waiting 60 seconds for DNS changes to propagate
Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
Domain: ariatwofive.de
Type: unauthorized
Detail: No TXT record found at _acme-challenge.ariatwofive.de
Domain: ariatwofive.de
Type: unauthorized
Detail: No TXT record found at _acme-challenge.ariatwofive.de
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-cloudflare. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-cloudflare-propagation-seconds (currently 60 seconds).
Some challenges have failed.
I fear that I missed a step in adding my Website to Cloudflare, right? I followed a bunch of tutorials and one (I think on Cloudflare itself) specifically said not to add the nameserver, but I don't remember the context.
It depends on the situation. If the amount of subdomains is not extraordinary and not dynamic, I don't see a reason why you would need a wildcard certificate. Sometimes you might not want to include a subdomain in the certificate due to privacy reasons or something, but purely the fact you have "multiple subdomains" wouldn't be a definitive argument for a wildcard IMHO.
Let's Encrypt certificates can contain up to 100 hostnames, so including the apex domain you can include 99 subdomains.
Yes, for a wildcard you'd need that. That's why I'm asking if you really require a wildcard to begin with. If you could just use the http-01 challenge, it would probably be way more easy than using the dns-01 challenge.
Well it's not that many, just 5 or 6 so far. The overall IP is dynamic, but I've set up DDNS for that reason.
I would just save the time to open and close port 80. I don't need it otherwise since everything is over SSL. Even if I didn't use wildcard certificates, I would solve this "problem".
What would be the solution to this? I changed the NS at Strato to the ones of CF. It failed last time because I didn't know I had to add a "." at the end. The strato documentation doesn't say so specifically, so I didn't know before.
I would recommend keeping port 80 open (because there really is no justification for closing it to begin with) and use the http-01 challenge.
That's common DNS practice. Proper FQDNs end with a dot for the root domain. If you leave out the dot for the root domain you're entering a (multi-label) subdomain for your zone origin. I.e., www.example.com instead of www.example.com. would actually be www.example.com.example.com.
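To show what the missing dot does in zone-file terms, here is an added Python example (not code from the thread or from Strato/Cloudflare): a minimal zone-fragment parser that applies origin-relative name expansion to owner names and to NS/CNAME targets, run over a constructed zone whose nameserver hostnames are placeholders.

```python
def qualify(name: str, origin: str) -> str:
    """Absolute form of a zone-file name: "." marks absolute, "@" is the origin,
    anything else is relative and gets the origin appended."""
    if not origin.endswith("."):
        raise ValueError("zone origin must be absolute (end with '.')")
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str) -> list[tuple[str, str, str]]:
    """Parse a minimal zone fragment: $ORIGIN plus 'owner IN TYPE rdata' lines."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN")
        owner, _cls, rtype, rdata = line.split(None, 3)
        # Owner names are always expanded; NS and CNAME rdata are names too and
        # get the same treatment. TXT payloads are data, not names.
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata, origin)
        records.append((qualify(owner, origin), rtype, rdata))
    return records


# Constructed zone fragment modelled on the thread; the nameserver hostnames
# are placeholders, not Cloudflare's actual ones.
ZONE = """
$ORIGIN ariatwofive.de.
@               IN NS    ns-a.placeholder-dns.example   ; trailing dot missing
@               IN NS    ns-b.placeholder-dns.example.  ; absolute, correct
www             IN CNAME @
_acme-challenge IN TXT   "constructed-token"
"""


def ns_targets(zone_text: str) -> list[str]:
    """Nameserver hostnames as a resolver would see them after expansion."""
    return [rdata for _, rtype, rdata in parse_zone(zone_text) if rtype == "NS"]
```

The first NS line ends up delegating the zone to a host underneath the zone itself, which is why the delegation failed until the dot was added.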
Should I leave it open even if the server is running at my home? Feels unsafe tbh. Nothing except Let's Encrypt used that port anyway, so no need to leave it open if I use it once every three months.
Is changing the name server the solution to my problem?
The only thing TLS on port 443 adds towards protection against hackers is that hackers can hack your server without anyone else listening in on the connection knowing what the hacker is doing.
Added question: Can I use CNAMEs that I have setup on Strato when I add my domain to CF and change the NS to the ones of CF? My subdomains aren't reachable anymore and creating CNAMEs in CF is a business plan feature. I do have the ability to add stuff in the DNS Management in CF; but I'm not sure what the proper way is.
I'm not quite sure I understand what CFs job in all this is. Is the DNS Management even the right section to do these settings?
Hm there is a lot of weird stuff going on that I don't understand, so I'll just go back to good-old http-01 challenges and running everything via Strato. Thanks for your help!