Can't create a CNAME as the program requests, seems malformed.
Closed this issue ยท 19 comments
Assuming "tld" is my domain, like "foo.com", I'm trying to get a wildcard certificate for "*.tld".
sudo acme-dns-client register -d '*.tld' -s https://auth.tld
[W] Acme-dns account already registered for domain *.tld
Do you want acme-dns-client to monitor the CNAME record change? [Y/n]:
To finalize the setup, you need to create a CNAME record pointing from _acme-challenge.*.tld
to the newly created acme-dns domain xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.auth.tld
A correctly set up CNAME record should look like the following:
_acme-challenge.*.tld. IN CNAME xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.auth.tld.
Waiting for CNAME record to be set up for domain *.tld
Querying the authoritative nameserver every 15 seconds.
Waiting for 10 seconds... Press Ctrl + C to abort and exit.^C
Is it possible to create a CNAME like "_acme-challenge.*.tld"? I can't input this ("_acme-challenge.*") as CNAME in my registrar.
If you are running your own acme-dns instance in domain acme-dns.foo.com the command for you would look like:
sudo acme-dns-client register -d '*.foo.com' -s https://acme-dns.foo.com
It's what I did above.
I can insert "*._acme-challenge" in the CNAME host box, but not something as requested "_acme-challenge.*". No idea how to proceed from here.
Oh, I see! The help text seems to actually be incorrect. In this it should actually say:
...
A correctly set up CNAME record should look like the following:
_acme-challenge.foo.com. IN CNAME xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.auth.tld.
Waiting for CNAME record to be set up for domain foo.tld
Querying the authoritative nameserver every 15 seconds.
...
So basically _acme-challenge.$domainname
Sadly, I did that as well, I created such top CNAME record, but the client kept spinning 15s unable to fetch it, even when I was able to query it with nslookup:
nslookup -type=CNAME _acme-challenge.tld
_acme-challenge.tld canonical name = xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.auth.tld.
So, is it just an issue with the message or the program is also doing wrong requests looking for _acme-challenge.*.foo.com instead of _acme-challenge.foo.com?
Could have been some propagation problem, but I've let it spinning for a while and nothing. Will try it again.
Will try it again.
Tried again, indeed, can't past beyond this.
Waiting for CNAME record to be set up for domain *.tld
Querying the authoritative nameserver every 15 seconds.
Waiting for 15 seconds... Press Ctrl + C to abort and exit.
My registrar (Google domains) indeed allows me to have the wildcard like so: _acme-challenge.*.foo.com
You should be able to lookup mine to see it working:
$ nslookup -type=CNAME _acme-challenge.*.gawrych.us
_acme-challenge.*.gawrych.us canonical name = 091eceec-6b94-4941-bbb0-d30c082ddab4.acme.gawrych.us.
Without the wildcard (_acme-challenge.foo.com) only works for foo.com, not *.foo.com (I've set up both for my DNS). Sorry, but I think you'll have to go to support on your registrar and ask them to allow the wildcard after the _acme-challenge
@JonathanGawrych thanks for your report, interesting. Well, I use namecheap and I don't have high hopes they gonna have this fixed soon ๐ (if ever, but I just reported). TBH, IMO, except for this usecase, having a "_acme-challenge.*" record feels a bit odd, because it's a fixed subdomain ("_acme-challenge") under a wildcard.
Please let me know if there's a way to have this fixed besides having to migrate domains, etc.
Just to report, as of now, the sole answer I got from them is:
Thank you for contacting Namecheap support.
We are deeply sorry that you faced such inconveniences.
You are right, unfortunately, it is not possible to set up such a type of wildcard subdomain like "test.*".
To our regret, the system does not support such types of subdomains currently.
We are looking forward to hearing from you.
So, in current form, this tool can't work with wildcard certificates for domains hosted on Namecheap.
That's no fun. Sorry that Namecheap doesn't support it. I don't know of any workarounds... maybe joohoi knows of a way to have one at the tld that gives you wildcard for *.tld? EFF thinks that _acme-challenge.eff.org should work for *.eff.org:
https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation#:~:text=the%20validation%20subdomain
It's been a while since I looked into letsencrypt, but I recall the documentation on wildcard certificates is a little lacking.
Just a side comment, sorry the confusion on starting using the term "tld" wrongly applied to mean some domain, instead of a TLD (.com, .net, etc).
Reporting another experience. I'm now considering other registrars, and I had interest in Alibaba Cloud. I got a domain there to try and this was the first thing I tested, they also don't allow this kind of CNAME record. This is what they report in the interface when entering a "foo.*": * may be used as the starting character only and followed by "." only. So, just like happened with Namecheap, "*" or "*.foo" is possible, but not "foo.*".
IMO, this should be fixed client side, I suspect this will hit many registrars.
Ok, took a look into this, and it is just a documentation issue on the client side here.
For wildcard certificate for *.foo.com the CNAME record that should get created is exactly the same than for a certificate for foo.com. So for getting a certificate that's valid for *.foo.com AND foo.com (the main domain needs to be added to the certificate separately as *.foo.com does not cover the "naked" main domain), only one CNAME needs to be added, as it covers them both.
So for a wildcard certificate for *.foo.com, the command for acme-dns-client is:
sudo acme-dns-client register -d 'foo.com' -s https://acme-dns.foo.com
Sorry for my previous, confusing reply to this thread.
Thanks for the info @joohoi, can you tell me whether I'll be able to obtain a certificate for my *.foo.com that won't affect foo.com, because I already have a certificate on foo.com, and I wanted to keep it separate, I just want a fallback wildcard certificate for subdomains.
You can have multiple certificates for foo.com as well as *.foo.com. However in case you use DNS validation for both of them, you need to either do that without acme-dns on both occasions, or use acme-dns for both of them (while sharing the acme-dns account credentials between the boxes). It's not possible to do it without manual intervention on every renewal otherwise.
In case you are managing both of the certificates on the same machine (or rather; same filesystem), no action needs to be taken, but in case these are on different environments, you'll need to copy file /etc/acmedns/clientstorage.json (the local acme-dns-client account storage) over to the other box too.
That said, the changes to providing the * on commandline for acme-dns-client have now been fixed in the codebase, and a new release that incorporates this change has been built.
My foo.com certificate is not managed by me at all, it's obtained by a 3rd party (GitLab supports Let's Encrypt certificates on their GitLab Pages by a checkbox option kind of thing), so I completely ignore what challenge they use. Only foo.com gets automatic certificates from them, in the rest of my subdomains I do it myself. I hope there won't be an issue with this.
There won't be any issues in case you haven't manually created a CNAME record for _acme-challenge.foo.com pointing to GitLab services (which I don't think is the way they manage the certificates honestly).
Thanks, I'll close the issue as soon as I get some time to set this up again and verify it works.
All seems OK on this part, thx all for the help. I just got the same doubts as in issue #10 in the end. After updating the client and getting the wildcard certificate, I got one successful one listed (for "foo.com"), but there was one dangling one left in error due to this issue (for "*.foo.com", for which there's no CNAME record). To remove this dangling one, I just edited /etc/acmedns/clientstorage.json and removed it, is it all I have to do? At first I'm not using -allow from specific IP, but I was planning to do it later in the process, also got curious whether that's just a matter of running register again for it to work immediately (same for CAA thing).