I've been using the dns-nsone plugin for some domains and it works fine. However, I recently bought an IDN domain that I want to have the same DNS settings and a shared certificate with the main domain, so I figured it would be smart to add the IDN domain as a linked domain to the main domain through the NS1 portal.
However, Certbot didn't really like this and it seems like it tries to write a TXT field to the new domain's zone instead of the one it's linked to and fails with this error:
If I add the new domain as its own zone, it works fine.
The NS1 API does support reading the zone settings and there's a "link" field that points to the other domain. So, would it be possible to add a check before adding the TXT fields to see if the zone is a linked zone, and if so follow that link and add the TXT field to the main zone instead?
Let's Encrypt is run by ISRG. The EFF develop Certbot. We often help people use Certbot on this forum as well as with many other ACME Clients and problems related to getting Let's Encrypt certs.
But, for specific feature requests for Certbot you should post on the EFF's GitHub.
That said, there may be other ways to resolve your problem. If you want help could you explain more what your goal was for this "linked" domain? For example, was it just to redirect from your IDN domain to your other?
Alright, I see, thanks. The goal was to have two domains share their DNS settings without having to duplicate all the DNS posts, at the same time as they could use the same certificate. It's not a plain redirect as the website content might be slightly different and some parts will use one domain and some will use the other one, but that is handled by the webserver later on. I think the solution for now is to duplicate the DNS posts, and that is a working solution even though it's a bit of extra work.
If NS One has an option to export and import zone data, it may greatly reduce the amount of work involved in the initial population of the additional zone.
Yes, there are some record cloning features in the web console, but I mostly use an API tool so it was quicker to just add new copies in this case and it did what was needed in this case. For now, it's mostly about being able to repeat it in the future if I get other domains, so I've made a feature request on the Certbot GitHub to see if something could be implemented.
Did you try your request using the Punycode version of your domain or did you feed it the IDN version? If using IDN, try the Punycode version (e.g. https://www.punycoder.com/).
Certbot didn't really like this, however, as it will create different records on both domains and in this case these would be overwritten, as it's the same DNS zone:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example1.tld and 3 more domains
Waiting 30 seconds for DNS changes to propagate
Certbot failed to authenticate some domains (authenticator: dns-nsone). The Certificate Authority reported these problems:
Domain: example2.tld
Type: unauthorized
Detail: Incorrect TXT record "vwe...Po8" (and 1 more) found at _acme-challenge.example2.tld
Domain: example2.tld
Type: unauthorized
Detail: Incorrect TXT record "vwe...Po8" (and 1 more) found at _acme-challenge.example2.tld
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-nsone. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-nsone-propagation-seconds (currently 30 seconds).
Is there any workaround for this without changes to the certbot code? I guess it wouldn't be permitted to use the same challenge data for more than one domain? Would it be possible to do it in a sequence instead of doing both domains at the same time?
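As an added illustration of the linked-zone check asked about earlier in this thread, and of the overwrite problem shown in the log above (this is example code, not part of the thread, Certbot or the NS1 client): it follows the zone's "link" field to the main zone and keeps every TXT value that lands on the same record together instead of letting the second write replace the first. The zone objects are constructed, and the assumption that a linked zone mirrors the main zone's owner names is marked in the code; no HTTP calls are made.

```python
# Added example: plan where dns-01 TXT values go when some NS1 zones are
# linked zones. Only the "link" zone attribute from the thread is relied on.
from collections import defaultdict

CHALLENGE_LABEL = "_acme-challenge"

# Constructed zone metadata shaped like the NS1 zone object; the linked
# zone carries "link": "<main zone>" (assumption about the field's shape).
ZONES = {
    "example1.tld": {"zone": "example1.tld"},
    "example2.tld": {"zone": "example2.tld", "link": "example1.tld"},
}


def find_zone(name, zones):
    """Longest-suffix match of a domain name against the known zones."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise ValueError(f"no known zone hosts {name}")


def resolve_link(zone, zones):
    """Follow 'link' until a zone that really holds records (cycle-safe)."""
    seen = set()
    while "link" in zones[zone]:
        if zone in seen:
            raise ValueError(f"link cycle at {zone}")
        seen.add(zone)
        zone = zones[zone]["link"]
    return zone


def plan_txt_records(challenges, zones):
    """Map {domain: txt value} to {(main_zone, record_name): [values]}.

    Domains in linked zones are rewritten onto the main zone, and values
    that share one record are collected rather than overwritten.
    """
    plan = defaultdict(list)
    for domain, value in challenges.items():
        zone = find_zone(domain, zones)
        main = resolve_link(zone, zones)
        # Assumption: the linked zone mirrors the main zone's names, so the
        # owner name is rebuilt with the main zone as its suffix.
        prefix = domain[: -len(zone)] if zone != domain else ""
        record = f"{CHALLENGE_LABEL}.{prefix}{main}"
        plan[(main, record)].append(value)
    return {key: sorted(vals) for key, vals in plan.items()}
```

The two values for example1.tld and example2.tld end up as one multi-value TXT record in the main zone, which is what a linked-zone-aware plugin would have to write.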