Work with two types of verification/authentication

Hi!

I don't know if this is the right place but I'll need to work with two types of verification at once (DNS-01 and HTTP-01).

I currently own an IRC network and I'm using the dns_cloudflare plugin to obtain the certificates for my IRC servers.

The command I used was:

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/.secrets/domain.ini --dns-cloudflare-propagation-seconds 20 --email admin@domain.org --agree-tos -d irc.domain.org,irc1.domain.org,irc6.domain.org --deploy-hook /etc/letsencrypt/scripts/unrealircd.sh

But there's a network that will be "merged" with mine and I need to use the HTTP method to verify the ownership of the irc.* subdomain.

Can I specify two types of verification methods or do I need to request my certificates, the certificate for the other subdomain and then concatenate the files?

I hope I'm clear enough since English is not my native language.

Thanks in advance


Not with Certbot for the same certificate. Other ACME Clients may allow this. But, you can get another certificate for the "new" domain using any method you wish.

Why do you need all the domain names in the same cert?

No, you cannot concatenate cert files.


Because I need IRC clients to be able to validate irc.mydomain.org, irc1.mydomain.com (the actual irc server address as part of the network) and irc.otherdomain.org.
That's because when people connect to irc.otherdomain.com they'll land on irc1.mydomain.com and it should definitely be part of the SAN.


It is possible, but with a hassle.

You could first attempt to get a certificate with challenge A, where the challenge for hostname X would succeed but fail for hostname Y, so the certificate would fail to issue. Then, attempt to get a certificate with challenge B, where the challenge for hostname X would be skipped due to a cached valid authorization from earlier, and the challenge for hostname Y would succeed because it's now using the correct challenge type for that hostname. That would get you your certificate.

Automatic renewals, though, are an entirely different story unfortunately, so I wouldn't advise the above.

@Exterminador Can't you use acme-dns? I assume you cannot use a single challenge/DNS plugin, because the domain names DNS zones are hosted by different DNS service providers. But if you'd run your own acme-dns instance (or use the public one, although security wise that's not entirely recommended) and could use CNAMEs to "point" the DNS challenges for all domain names to that single acme-dns instance, you could use that with Certbot.


You could try the acme.sh ACME client instead. The below is an example of using different challenge types on the same cert.

See: How to issue a cert · acmesh-official/acme.sh Wiki · GitHub


The ACME Protocol (and LetsEncrypt) supports this, but most clients do not.

IMHO, the easiest way to handle this without changing your client is to partition the domains across two certificates: one for the HTTP-01 domains, and one for the DNS-01 domains. If you need everything on a single certificate, after obtaining those 2 certificates, request a third certificate containing both sets of domain names. LetsEncrypt will cache the valid authorizations against your account for a short amount of time, so requesting the first 2 certificates will prime their cache by performing the challenges, and the third certificate will use that cache and not need to re-run the challenges.

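The three-run procedure described in the reply above, written out as a POSIX shell wrapper around Certbot. This is an added example, not code from the thread: it assumes the domain.org names keep the dns_cloudflare credentials from the first post, that irc.otherdomain.org is served from a webroot at /var/www/html (a hypothetical path), and that the lineage names irc-dns, irc-http and irc-combined are free to use.

```shell
#!/bin/sh
# Added example (not from the thread): partition by challenge type, prime the
# account's valid authorizations, then request the combined certificate.
# Assumed: dns_cloudflare setup from the first post; /var/www/html webroot.
set -eu

CERTBOT="${CERTBOT:-certbot}"          # set CERTBOT=echo to print commands only
EMAIL="admin@domain.org"
CF_CREDS="/etc/letsencrypt/.secrets/domain.ini"
WEBROOT="/var/www/html"
DNS_DOMAINS="irc.domain.org,irc1.domain.org,irc6.domain.org"
HTTP_DOMAINS="irc.otherdomain.org"
COMBINED_NAME="irc-combined"

# Join two comma-separated domain lists; order does not matter to the CA,
# but a stable order keeps the lineage contents predictable.
join_domains() {
    printf '%s,%s\n' "$1" "$2"
}

# Run 1: prime valid authorizations for the Cloudflare-hosted names (DNS-01).
issue_dns() {
    "$CERTBOT" certonly --non-interactive --agree-tos --email "$EMAIL" \
        --cert-name irc-dns --dns-cloudflare \
        --dns-cloudflare-credentials "$CF_CREDS" \
        --dns-cloudflare-propagation-seconds 20 -d "$DNS_DOMAINS"
}

# Run 2: prime valid authorizations for the other network's name (HTTP-01).
issue_http() {
    "$CERTBOT" certonly --non-interactive --agree-tos --email "$EMAIL" \
        --cert-name irc-http --webroot -w "$WEBROOT" -d "$HTTP_DOMAINS"
}

# Run 3: request all names at once. Every authorization is already valid on the
# account, so no challenge runs; Certbot still needs an authenticator flag.
issue_combined() {
    "$CERTBOT" certonly --non-interactive --agree-tos --email "$EMAIL" \
        --cert-name "$COMBINED_NAME" --dns-cloudflare \
        --dns-cloudflare-credentials "$CF_CREDS" \
        -d "$(join_domains "$DNS_DOMAINS" "$HTTP_DOMAINS")" \
        --deploy-hook /etc/letsencrypt/scripts/unrealircd.sh
}

# Renewal caveat raised in the thread: renewing irc-combined on its own would
# attempt DNS-01 for irc.otherdomain.org and fail, so re-run all three steps.
if [ "${1:-}" = "run" ]; then
    issue_dns && issue_http && issue_combined
fi
```

Because the combined lineage cannot renew by itself, schedule this script (with the `run` argument) rather than relying on `certbot renew` for irc-combined.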
