We need better Architecture

Hi there,

I think it will be necessary to make something with validation different way.
Lets imagine my situation which do very very very often:

I have new customer which currently uses third party shared hosting - with absolutely no access to command line, they could provide access only to FTP, single snapshot of mysql DB and DNS, but…!
DNS change is only possible when whole site is transferred to my own hosting and working BEFORE DNS change!!!
(validation with changed host files). In this point SSL / HTTPS, SMTPS, IMAPS …etc have to be working.
I’m always using CloudFlare for all my customers and you can make any change to it’s DNS AFTER you have made DNS change. Some of my customers have websites which was hacked, or are under attack so its very very important to NOT release NEW IP address even for single second, but mask them in CloudFlare network. There are more conditions - like correct SPF record, mailserver and webserver musn’t share same public IP. Apache2 should NOT be stopped since more of my customers running monitoring solutions and if I stop it, they are asking for discounts.


  1. I need generate/renew certificate before DNS change
  2. I need solution without webserver stopping
  3. It’s VERY IMPORTANT to have wildcard certificate because it’s necessary to cooperation with ANY CDN, not just CloudFlare, the same is valid for LoadBalancers (I couldn’t imagine generate / renew different 80 certificates and upload them manually to each LB node since each node is on different site)

Please, think about it, because in other way there is very low added value, for now it’s better for me just pay for commercial certificate since my time is more expensive then price for certificate.

Lets do better work.


I’d just use the DNS challenge to produce the cert, which should meet all your requirements ( you can do it before changing DNS, there is zero downtime)

If you want a wildcard cert, then you need to purchase one, LetsEncrypt doesn’t issue those.

No. It’s not possible to generate certificate before DNS change (valid A record).
Without this Letsencrypt script produces TLS error

I’m not sure if one of us is missunderstanding. That exact method works for me though. You simply add the challenge token ( via script) to the DNS record, the ACME server verifies this, and then issue you a certificate.

If I run this command on production server on CloudFlare:
./letsencrypt-auto certonly -d somesite . tld -d www . somesite . tld

then I have two options - if I choose second, it fails because port 80 is in use, if I choose first option, I got this error:

Failed authorization procedure. www . somesite . tld (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to host for DVSNI challenge, somesite . tld (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to host for DVSNI challenge


  • The following errors were reported by the server:

    Domain: www . somesite . tld
    Type: tls
    Detail: Failed to connect to host for DVSNI challenge

    Domain: somesite . tld
    Type: tls
    Detail: Failed to connect to host for DVSNI challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    you have an up-to-date TLS configuration that allows the server to
    communicate with the Let’s Encrypt client.

That isn’t using the DNS challenge.

I don’t use the official client, as I wanted one to be able to script better ( to automatically upload certs to remote servers etc) so can’t comment in detail on that. You can have a look at the thread on the DNS Challenge though for general info.

OK, but it looks like unfinished product which need developing. I have no spare time to play with it. If it need ANY change in DNS than is not suitable for me, since it needs huge time to explain new customer how to make correct change in DNS.

It sounds to me as if you don’t want to put any effort in, so probably best if you do just purchase a wild card cert from elsewhere then.

I could make some testing but only if I have access to DNS or other system, not over e-mail request to new customer which is usually seller without IT knowledge except use of e-mail and office

In short Let’s Encrypt isn’t the product you are looking for.

What I am getting from this post is that you want something entirely different to what Let’s Encrypt offers, or you have an excuse for why it doesn’t work for you. It’s a bit like saying you want a bicycle but going to McDonald’s to buy it and then demanding they change what they offer to suit you.

That's correct: Let's Encrypt is in its public beta phase..

To add to what others have said, you should look into the webroot or manual plugin.

This allows you to verify your site without any downtime, as long as you can host a file at http://example.com/.well-known/acme-challenge/{random}.

Excelent ! THIS is exactly what I looking for. Thanks!