I have three servers which all do pipe acme/well-known through SSH-Tunnels/HTTP-to-HTTPS-Backend routing and lots of weird stuff. I have about 5 domains on them with a couple of Subdomains on each, which somehow have their DNS entries not assigned to a specific server, but one subdomain goes here and another one there.
The verification system was working great, until today, when I noticed that it isn’t working anymore, lots of 404’s and stuff.
I really, really need Wildcard Certs and I know that they are coming on the 27th.
My DNS-provider, Namecheap, has the worst API which I will never automate, because of the security risk involved in this.
Now my question: Will it be possible to perform a DNS verification for Wildcard Certificates by editing the DNS entries manually during the verification process?
Absolutely. You would have to change the DNS every time you renew the certificates, though. So it would be an annoying, manual process every 2-3 months.
What about switching to a different DNS provider?
Or combining two DNS providers? You can use CNAME or NS records to point the _acme-challenge subdomains at a different DNS provider, and automatically update the records there.
I'm confused. Somehow this tells me like this could be an awesome solution, but I'm not sure how.
I'd have no problem setting up a temporary, Python-based DNS-server on one of those three servers, which would start up before certbot, get configured by certbot, and then shut down until the next refresh is up.
How can I tell Namecheap that any DNS-Lookup for that _acme-challenge subdomain should be performed on that server?
In the Namecheap UI I see that I can add a NS Record for a host (which would then be "_acme-challenge", if I understood it correctly) and then in the Nameserver field I add the IP or CNAME of the server which runs my DNS-Server?
This seems to work and will be a really nice solution once wildcard certificates are available.
It ended up being a DNS server consisting of less than 100 lines of Python code, also containing a TCP server so that the validation tokens (and a shutdown command) can be fed to it via TCP.
Certbot is called by a script which first starts the remote DNS server, then uses a hook to send the tokens to the server, then shut down the DNS server, and finally dispatches the certs to the web servers.
I’m using NS records for _acme-challenge, would there be a benefit when using CNAMEs?
Thanks @sahsanu for pointing me to acme-dns as well as your mini-tutorial.
Also thanks @stevenzhu for offering me a temp cert. I have successfully renewed all my certificates yesterday by reverting some changes I made to my infrastructure and using http-01, so now I have enough time to migrate to wildcard certs once they are avaliable.
And thanks to @mnordhoff for pointing out the NS/CNAME modification approach; it has been an annoyance for me for a long time to not be able to use DNS.
In the solution I’m currently using I’m basically using reverse proxying to have all the servers send the challenge to one central server.
So the following needs to be added for every subdomain, once for http and as well as fo https:
