Using linked records with NS1

I've been using the dns-nsone plugin for some domains and it works fine. However, I recently bought an IDN domain that I want to have the same DNS settings and a shared certificate with the main domain, so I figured it would be smart to add the IDN domain as a linked domain to the main domain through the NS1 portal.

However, Certbot didn't really like this and it seems like it tries to write a TXT field to the new domain's zone instead of the one it's linked to and fails with this error:

Error adding TXT record: 403 Client Error: Forbidden for url: https://api.nsone.net/v1/zones/xn--removed/_acme-challenge.xn--removed/TXT

If I add the new domain as its own zone, it works fine.

The NS1 API does support reading the zone settings and there's a "link" field that points to the other domain. So, would it be possible to add a check before adding the TXT fields to see if the zone is a linked zone, and if so follow that link and add the TXT field to the main zone instead?

Welcome @dittnamn

Let's Encrypt is run by ISRG. The EFF develop Certbot. We often help people use Certbot on this forum as well as with many other ACME Clients and problems related to getting Let's Encrypt certs.

But for specific feature requests for Certbot you should post on the EFF's GitHub.

That said, there may be other ways to resolve your problem. If you want help could you explain more what your goal was for this "linked" domain? For example, was it just to redirect from your IDN domain to your other?


Alright, I see, thanks. The goal was to have two domains share their DNS settings without having to duplicate all the DNS posts, at the same time as they could use the same certificate. It's not a plain redirect as the website content might be slightly different and some parts will use one domain and some will use the other one, but that is handled by the webserver later on. I think the solution for now is to duplicate the DNS posts, and that is a working solution even though it's a bit of extra work.


If NS One has an option to export and import zone data, it may greatly reduce the amount of work involved in the initial population of the additional zone.


Yes, there are some record cloning features in the web console, but I mostly use an API tool so it was quicker to just add new copies in this case, and it did what was needed. For now, it's mostly about being able to repeat it in the future if I get other domains, so I've made a feature request on the Certbot GitHub to see if something could be implemented.


Did you try your request using the Punycode version of your domain or did you feed it the IDN version? If using IDN try the Punycode version (e.g. https://www.punycoder.com/)


Yes, this was the Punycode version. Using the UTF-8 version would fail much earlier.


I created a report here: Adding support for using certbot-dns-nsone with linked zones · Issue #9987 · certbot/certbot · GitHub

Then, I managed to track down part of the problem to Lexicon and created a patch to work with linked zones, see: Using linked zones with nsone won't resolve to the main zone · Issue #1990 · AnalogJ/lexicon · GitHub

Certbot didn't really like this, however, as it will create different records on both domains and in this case these would be overwritten, as it's the same DNS zone:

certbot certonly --dns-nsone --dns-nsone-credentials /etc/letsencrypt/nsone.conf -d example1.tld -d \*.example1.tld -d example2.tld -d \*.example2.tld

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example1.tld and 3 more domains
Waiting 30 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-nsone). The Certificate Authority reported these problems:
  Domain: example2.tld
  Type:   unauthorized
  Detail: Incorrect TXT record "vwe...Po8" (and 1 more) found at _acme-challenge.example2.tld

  Domain: example2.tld
  Type:   unauthorized
  Detail: Incorrect TXT record "vwe...Po8" (and 1 more) found at _acme-challenge.example2.tld

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-nsone. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-nsone-propagation-seconds (currently 30 seconds).

Is there any workaround for this without changes to the certbot code? I guess it wouldn't be permitted to use the same challenge data for more than one domain? Would it be possible to do it in a sequence instead of doing both domains at the same time?
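The two mechanics discussed in this thread, following a zone's "link" field to the primary zone before writing the TXT record (the check proposed in the first post) and keeping every validation value at the shared `_acme-challenge` name so one domain's record does not overwrite another's (the failure in the last post), can be simulated end to end. The code below is an added example and is not code from Certbot, Lexicon or NS1: `FakeNS1`, `Zone`, `resolve_linked_zone`, `add_challenge_txt` and `served_txt` are hypothetical names over an in-memory zone store, and the only property of the real API it relies on is that a linked zone's object carries a `link` field naming the zone it links to. Everything else, including the validation strings and zone names, is constructed.

```python
"""Resolve NS1 linked zones before writing DNS-01 TXT records (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Zone:
    """Constructed stand-in for one NS1 zone object; ``link`` mirrors the
    field the real API returns on a linked zone."""
    name: str
    link: Optional[str] = None                                   # apex of the zone linked to
    records: Dict[str, List[str]] = field(default_factory=dict)  # relative name -> TXT answers


class FakeNS1:
    """In-memory stand-in for the NS1 zones API (hypothetical, not the real client)."""

    def __init__(self, zones: List[Zone]):
        self.zones = {z.name: z for z in zones}

    def get_zone(self, name: str) -> Zone:
        return self.zones[name]

    def get_txt(self, zone: str, relative: str) -> List[str]:
        return list(self.zones[zone].records.get(relative, []))

    def set_txt(self, zone: str, relative: str, answers: List[str]) -> None:
        # Like a whole-record write: the answer list is replaced, not merged.
        self.zones[zone].records[relative] = list(answers)


def resolve_linked_zone(api: FakeNS1, zone_name: str, max_hops: int = 8) -> str:
    """Follow ``link`` fields until a primary (non-linked) zone is reached.
    A loop or an over-long chain is treated as a configuration error."""
    seen: List[str] = []
    current = zone_name
    while True:
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"link chain from {zone_name} does not terminate")
        seen.append(current)
        zone = api.get_zone(current)
        if zone.link is None:
            return zone.name
        current = zone.link


def find_zone(api: FakeNS1, fqdn: str) -> str:
    """Longest-suffix match of an FQDN against the zones the account holds."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in api.zones:
            return candidate
    raise LookupError(f"no zone found for {fqdn}")


def add_challenge_txt(api: FakeNS1, domain: str, validation: str) -> str:
    """Add one ACME DNS-01 validation string for ``domain`` and return the zone
    it was written to. The record goes into the primary zone under its name
    relative to the apex, and existing answers are kept, so domains sharing one
    zone (and a name plus its wildcard) retain all of their values."""
    fqdn = f"_acme-challenge.{domain}"
    own_zone = find_zone(api, fqdn)
    target = resolve_linked_zone(api, own_zone)
    relative = fqdn[: -len(own_zone) - 1]  # strip ".<zone apex>"
    answers = api.get_txt(target, relative)
    if validation not in answers:
        answers.append(validation)
    api.set_txt(target, relative, answers)
    return target


def served_txt(api: FakeNS1, fqdn: str) -> List[str]:
    """What a resolver sees for ``fqdn``: a linked zone serves the primary's records."""
    own_zone = find_zone(api, fqdn)
    target = resolve_linked_zone(api, own_zone)
    return api.get_txt(target, fqdn[: -len(own_zone) - 1])


def demo() -> dict:
    """Constructed account: example2.tld is a linked zone pointing at example1.tld.
    The four validation strings stand in for the four names in the thread's
    certbot command (each wildcard shares its base name's record)."""
    api = FakeNS1([Zone("example1.tld"), Zone("example2.tld", link="example1.tld")])
    zone_for_example2 = ""
    for domain, value in [("example1.tld", "val-1"), ("example1.tld", "val-1-wild"),
                          ("example2.tld", "val-2"), ("example2.tld", "val-2-wild")]:
        written_to = add_challenge_txt(api, domain, value)
        if domain == "example2.tld":
            zone_for_example2 = written_to
    return {
        "zone_for_example2": zone_for_example2,
        "_acme-challenge.example1.tld": served_txt(api, "_acme-challenge.example1.tld"),
        "_acme-challenge.example2.tld": served_txt(api, "_acme-challenge.example2.tld"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that once the link is followed, both apexes map onto the same relative `_acme-challenge` record in the primary zone, so a provider plugin that replaces the answer list on each write leaves only the last domain's values in place; merging into the existing answers keeps all four present for the CA to find.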
