Windows posh-acme DNS Plugin and DNS Challenge alias

Hi, I'm having an issue using the Windows DNS plugin in conjunction with a DNS challenge alias, and I haven't found much documentation around using them together.

I've reviewed this

and implemented the CNAME on the domain in question. While I can get the TXT record created on the alias DNS server, the submit validation always fails - I'm guessing it's querying in the wrong spot.

I'm not entirely sure about my setup though and would appreciate some advice.

While I don't particularly want to share domain names at this point I was hoping to get some feedback on how I have this configured.

In this example I have an authoritative name server for the domain xyz.com called auth.xyz.com and an alias DNS server called acme.xyz.com.

My command to get this to work is to query and do the update on the alias DNS server like so:

    $pArgs = @{
        WinServer = 'acmedns.xyz.com'
        WinCred   = Get-Credential
        WinUseSSL = $true
    }

Then run the below with the DNSAlias switch:

New-PACertificate "x1234.xyz.com" -DNSSleep 300 -AcceptTOS -Contact "my@email.com" -Plugin Windows -dnsalias "_acme-challenge.x1234.xyz.com" -PluginArgs $pArgs -verbose -directory LE_STAGE

I have a CNAME set up on the authoritative name server which looks like this in the x1234.xyz.com domain:

_acme-challenge CNAME acmedns.xyz.com.

So, providing credentials to the alias DNS server acmedns.xyz.com and using the command above, I can see the DNS challenge record being created there - however I always get back an authorization invalid via the Submit-ChallengeValidation command when New-PACertificate is run.

I'm guessing there is a config issue here with either the CNAME / DNSAlias or even the way I'm doing the update via the pArgs with the alias DNS server, but I'm unsure how to troubleshoot further. If I do a lookup against the authoritative domain I do see the canonical name populated:

_acme-challenge.x1234.xyz.com Canonical name = acmedns.xyz.com

Is there a way to test this further to ensure the CNAME is being redirected to the right spot and that the query should see the actual text file?

We'd debug better with the actual domain name, but one thing I can think of is that your client could actually be making the record on _acme-challenge.acmedns.xxx

3 Likes

Your _acme-challenge record on your real domain needs to point directly to a TXT record on your surrogate domain; it should not point to just the zone or a subdomain. It has to point to the name of the actual TXT record that will be created/updated.

So _acme-challenge.yourdomain.com CNAME _acme-challenge.something.surrogatedomain.com

Your DnsAlias argument would be _acme-challenge.something.surrogatedomain.com, e.g. the fully qualified TXT record name in your surrogate DNS zone.

2 Likes

Is this thread different than DNS Alias with POSH-ACME? Why not continue there?

1 Like

Different problem so I thought I'd start a new thread.

CNAMEs are a basic DNS function.
Testing if they redirect or not is a simple task [it either does OR it doesn't].
When you query:

  • nslookup -q=cname FQDN1

Do you see?:

  • FQDN1 canonical name = FQDN2

If that fails, stop and fix it.
If that works, then does the TXT record update process work?
Does it create TXT records at FQDN2?
If not, stop and fix that.
If that also works, then check the process.
Maybe there is a logic problem ...
OR a TYPO ...
OR something else that is keeping it from doing what you expect.

I'm no expert on Posh-ACME, so I can't help with specific troubleshooting steps there :frowning:

2 Likes

So does that mean I need to purchase another domain and make the alias DNS server authoritative for _acme-challenge.something.surrogatedomain.com?

My current setup is one authoritative DNS server and one alias - I was just using the exact same domain name in the DNSAlias command to create it on the alias DNS server, which works, but then I'm confused as to what the CNAME should be.

No.
Both names can be from the same domain.
FQDN = Fully Qualified Domain Name.

  • example.com = FQDN1
  • www.example.com = FQDN2
  • _acme-challenge.example.com = FQDN3
  • SomeOtherName.example.com = FQDN4

In that "example", four FQDNs are shown and all from the same domain.

3 Likes

Just checking, you know you don't need a CNAME at all, yes? You can just use your actual domain (which is what most people do) and skip the DnsAlias things; that's really for when you don't want to make frequent TXT record updates to your primary domain/zone, so you nominate a "sacrificial" zone that you're happy to make updates to.

If you are intentionally using a CNAME to another domain/subdomain you can just make it a subdomain like acme-auth.yourdomain.com and so the TXT record being updated would be under that subdomain. So for instance to get a cert for www.yourdomain.com you could have a CNAME pointing _acme-challenge.www.yourdomain.com to _acme-challenge.www.acme-auth.yourdomain.com. No particular need to buy a new domain, but I'm curious why you are opting for a cname or subdomain at all.

1 Like

What do you mean by "Alias"?

2 Likes

Primarily the reason to use the CNAME / DNSAlias is to separate the authoritative DNS server credentials I am using via the Windows DNS Posh plugin to an expendable DNS server with different credentials.

I've actually used the process without the CNAME to the authoritative DNS server fine - it's just this last separation I'm after.

If the alias is not authoritative for that zone, how can you update that zone there?
How will DNS requests return values that aren't being stored in the authoritative DNS server?

2 Likes

In my example I've created a sacrificial DNS server here

acmedns.xyz.com

This server is my alias DNS server for the plugin if that makes sense.

I thought that is what the CNAME entry did?

It sounds like you may need two domains/zones.

  • one authoritative in the main DNS server
  • one authoritative in the alias DNS server.

Then you CNAME from zone1 to zone2.
And update zone2 without touching zone1.

2 Likes

You haven't provided enough information to know [for sure].

I can't tell if you are only using one domain OR two.

2 Likes

That looks like the same domain to me: xyz.com

That still looks like the same domain to me: xyz.com

2 Likes

Indeed it is - the DNSAlias switch uses the DNS server in the pArgs to create the TXT record there.

    $pArgs = @{
        WinServer = 'acmedns.xyz.com'
        WinCred   = Get-Credential
        WinUseSSL = $true
    }

acmedns.xyz.com -> which is the sacrificial DNS server.

The TXT record challenge does get created on the sacrificial DNS server ( acmedns.xyz.com ), but the CNAME redirection from authoritative to sacrificial I think is the issue.

To test the resolution of a record, feed your _acme-challenge record name into https://unboundtest.com/ (select TXT).

1 Like

I think I see the problem here. The -DnsAlias param needs to match exactly the CNAME target value rather than _acme-challenge.<target>. So you either need to change your CNAME to point to _acme-challenge.x1234.xyz.com or change your alias param to -DnsAlias 'acmedns.xyz.com'.

6 Likes
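Putting the nslookup check steps from earlier in the thread and this final diagnosis together, here is an added PowerShell example (mine, not from the thread and not part of Posh-ACME) that resolves the CNAME on the authoritative server, compares its target with the value you intend to pass to -DnsAlias, and then looks for the TXT record both directly on the sacrificial server and through a recursive resolver, which is roughly the view a validating CA gets. All host names are constructed placeholders following the thread's layout, Resolve-DnsName is the standard DnsClient module cmdlet, and the function name Test-AcmeAliasChain is my own.

```powershell
# Added example: verify the CNAME chain that a -DnsAlias setup depends on
# before running New-PACertificate. Not from the thread or from Posh-ACME.
# All names used below are constructed placeholders.

function Test-AcmeAliasChain {
    param(
        # Name the certificate is for; the challenge record is looked up at _acme-challenge.<Domain>
        [Parameter(Mandatory)] [string]$Domain,
        # The value you intend to pass to New-PACertificate -DnsAlias
        [Parameter(Mandatory)] [string]$DnsAlias,
        # Server the Windows plugin writes to (WinServer in $pArgs): the sacrificial one
        [Parameter(Mandatory)] [string]$SacrificialServer,
        # Authoritative server for <Domain>, where the CNAME must exist
        [Parameter(Mandatory)] [string]$AuthServer
    )

    $challengeName = "_acme-challenge.$Domain"
    $result = [ordered]@{
        ChallengeName     = $challengeName
        CnameTarget       = $null
        AliasMatchesCname = $false
        TxtAtAlias        = @()
        TxtViaResolver    = @()
    }

    # Step 1: the CNAME on the authoritative server (what 'nslookup -q=cname' shows)
    try {
        $cname = Resolve-DnsName -Name $challengeName -Type CNAME -Server $AuthServer -DnsOnly -ErrorAction Stop |
                 Where-Object Type -eq 'CNAME' | Select-Object -First 1
        if ($cname) { $result.CnameTarget = $cname.NameHost.TrimEnd('.') }
    } catch {
        Write-Warning "No CNAME for $challengeName on ${AuthServer}: $($_.Exception.Message)"
    }

    # Step 2: -DnsAlias must equal the CNAME target exactly. Posh-ACME writes the TXT
    # record at the alias name and the CA's resolver follows the CNAME to its target,
    # so any difference (such as an extra _acme-challenge. prefix) leaves the TXT
    # record where nobody looks. -eq on strings is case-insensitive in PowerShell.
    if ($result.CnameTarget) {
        $result.AliasMatchesCname = ($result.CnameTarget -eq $DnsAlias.TrimEnd('.'))
    }

    # Step 3: is there a TXT record at the alias name on the sacrificial server?
    # This is the record the Windows plugin should have created.
    try {
        $result.TxtAtAlias = @(Resolve-DnsName -Name $DnsAlias -Type TXT -Server $SacrificialServer -DnsOnly -ErrorAction Stop |
                               Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' })
    } catch {
        Write-Warning "No TXT at $DnsAlias on ${SacrificialServer}: $($_.Exception.Message)"
    }

    # Step 4: the view a validating CA gets: ask the configured recursive resolver for
    # TXT at the challenge name and let it follow the CNAME. Empty here while step 3
    # is populated means the chain between the two servers is broken.
    try {
        $result.TxtViaResolver = @(Resolve-DnsName -Name $challengeName -Type TXT -DnsOnly -ErrorAction Stop |
                                   Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' })
    } catch {
        Write-Warning "Recursive TXT lookup of $challengeName failed: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Usage with the thread's layout (placeholder names). With the original command,
# -DnsAlias was '_acme-challenge.x1234.xyz.com' while the CNAME pointed at
# acmedns.xyz.com, so AliasMatchesCname comes back $false; the corrected value
# 'acmedns.xyz.com' makes it $true.
$alias = 'acmedns.xyz.com'
$check = Test-AcmeAliasChain -Domain 'x1234.xyz.com' -DnsAlias $alias `
                             -SacrificialServer 'acmedns.xyz.com' -AuthServer 'auth.xyz.com'
$check | Format-List

if (-not $check.AliasMatchesCname) {
    Write-Warning "-DnsAlias '$alias' does not equal the CNAME target '$($check.CnameTarget)'; fix one of them before retrying."
}
```

Run Clear-DnsClientCache first so step 4 is not answered from a stale local cache, and if the authoritative server is not reachable from the machine you are testing on, drop the -Server argument in step 1 and let your normal resolver answer. The ordering mirrors the earlier advice: if the CNAME is wrong, stop and fix it; only once AliasMatchesCname is true does a TXT record on the sacrificial server tell you anything about the Posh-ACME side.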