Automated DCV when public DNS is owned by ISP?

Hi all,

How do most organizations handle DCV when their public DNS is managed by an ISP?

For example, can I delegate the _acme-challenge subdomain to an Azure DNS zone (or another API-capable provider) and then request our ISP to add an NS record pointing _acme-challenge.domain.com to that delegated zone in our Azure tenant?

Our Certificate Lifecycle Manager would then perform DNS validation by querying the delegated Azure DNS zone.

Thanks in advance for any guidance or examples!

Steve

Hi Steve,

Which version of the app are you using?

Our suggested strategy for delegation to a zone you control is documented here:

So you CNAME each _acme-challenge record to a record in the delegated zone, then provide a “CNAME Delegation Rule” to tell the app how to map from your original domain to your new surrogate domain e.g. *.originaldomain.com:*.auth.otherdomainexample.org

Each domain or subdomain gets its own _acme-challenge record so as far as I know there is no way to trick all _acme-challenge.* queries to go to a specific delegated zone without the CNAMEs.

Typically though, if you need DNS automation the best thing to do is to control your own DNS for your domain, so not use your registrar/ISP for DNS, use Azure/AWS Route53/Cloudflare etc instead, unless you don’t own the domain.

Hi webprofusion,

We don’t have the app, we are using a Certificate Lifecycle Manager, would this be a feasible approach:

Configure Azure DNS
Create in Azure DNS 1 x validation subdomain defined as _acme-challenge.mydomain.com.
Request our ISP who own our public DNS to add a Name Server (NS) record for _acme-challenge.mydomain.com which points to the 4 x nameservers provided by Azure DNS.
This means a DNS query for _acme-challenge.mydomain.com will now be answered by Azure's nameservers, not our ISP's.

Configure the CLM
Select Add Connector / Azure DNS as our provider and provide the credentials (e.g. Azure Client ID, Azure Tenant ID, Azure client Certificate path, Azure client secret)

Workflow
CLM generates a DNS token and puts that record in _acme-challenge.mydomain.com
CLM queries DNS for that record, if it finds a match, it proceeds to issue a certificate.

Possibly, you'd have to check with their support, or support community. This forum is for users of Certify The Web branded products.

Ideally we would use Certify The Web without a full-blown CLM

E.G.

certifytheweb Agents on domain/DMZ hosts (running IIS, Apache, Tomcat, CITRIX ADC’s, RHEL linux etc)

Certifytheweb Server performing public CA DCV then deployment of certificates via the agents

I’m assuming that would be viable without attracting 50k/year CLM for 20 or so public Certs with 60+ SANs etc

Yes, it’s likely you can migrate to Certify The Web apps, e.g. Certify Management Hub plus agents (Certify Certificate Manager on Windows hosts, Certify Management Agent on linux etc). You just need to try it out and see.

Certify Management Hub etc is currently in beta and available for you to just try it out. Getting Started | Certify The Web Docs

Regarding the DNS challenge delegation, you can do that with Certify The Web but you don’t need the NS delegation, it’s just CNAMEs for each domain or subdomain, pointing to a target _acme-challenge.whatever.otherdomain.com record in your surrogate zone.

e.g.

*.realdomain.com:

_acme-challenge.realdomain.com CNAME _acmechallenge.auth.otherdomain.com

www.realdomain.com:

_acme-challenge.www.realdomain.com CNAME _acmechallenge.www.auth.otherdomain.com

apps-01.intranet.realdomain.com:

_acme-challenge.apps-01.intranet.realdomain.com CNAME _acmechallenge.apps-01.intranet.auth.otherdomain.com

Then in the app define the CNAME delegation rule (one mapping for each subdomain level, this example covers multiple) as :

*.realdomain.com:*.auth.otherdomain.com;*.intranet.realdomain.com:*.intranet.auth.otherdomain.com

Unfortunately you can't really avoid having to create all the _acme-challenge records because they vary by domain/subdomain name.

You don’t have to actually create the target _acme-challenge records, the app can do that during automated domain validation.
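Added example, not code from the thread, from Certify The Web or from Azure: it shows how the CNAME delegation rule above maps each _acme-challenge name to its surrogate-zone target, and how a validator then walks the chain (CNAME or, in the NS-delegation variant from earlier in the thread, a TXT sitting directly at the challenge name) to find the token. The rule string and the record names are the ones posted above; how the product actually parses the rule, the dict-based stand-in for real DNS lookups, and the sample tokens are assumptions made here so it runs offline.

```python
"""Offline worked example of ACME DNS-01 challenge delegation (added here,
not Certify The Web's code). The rule syntax is copied from the thread; the
parsing below and the constructed ZONE data are assumptions for the demo.
"""

CHALLENGE_LABEL = "_acme-challenge."
TARGET_LABEL = "_acmechallenge."  # target prefix as used in the thread's examples


def parse_rules(rule_string):
    """Parse '*.src.tld:*.dst.tld;*.x.src.tld:*.x.dst.tld' into (src, dst) pairs,
    keeping only the part after the leading '*.'."""
    rules = []
    for part in rule_string.split(";"):
        part = part.strip().lower()
        if not part:
            continue
        src, dst = part.split(":", 1)
        if not (src.startswith("*.") and dst.startswith("*.")):
            raise ValueError(f"rule must be wildcard-to-wildcard: {part}")
        rules.append((src[2:], dst[2:]))
    return rules


def challenge_name(domain):
    """The _acme-challenge record the CA queries. A wildcard name *.x.com is
    validated at _acme-challenge.x.com, so a leading '*.' is dropped."""
    name = domain.lower()
    if name.startswith("*."):
        name = name[2:]
    return CHALLENGE_LABEL + name


def delegation_target(domain, rules):
    """Surrogate-zone name that challenge_name(domain) should be CNAMEd to.
    The most specific (longest) matching source suffix wins; None if no rule
    covers the domain."""
    name = challenge_name(domain)[len(CHALLENGE_LABEL):]
    best = None
    for src, dst in rules:
        if name == src or name.endswith("." + src):
            if best is None or len(src) > len(best[0]):
                best = (src, dst)
    if best is None:
        return None
    src, dst = best
    prefix = "" if name == src else name[:-len(src)]  # e.g. 'www.' or 'apps-01.'
    return TARGET_LABEL + prefix + dst


# The two-rule string posted above.
RULES = parse_rules(
    "*.realdomain.com:*.auth.otherdomain.com;"
    "*.intranet.realdomain.com:*.intranet.auth.otherdomain.com"
)

# Constructed zone data standing in for real DNS answers (assumed, not real):
# name -> ("CNAME", target) or ("TXT", [values]).
ZONE = {
    # CNAME delegation as recommended in the thread
    "_acme-challenge.www.realdomain.com": ("CNAME", "_acmechallenge.www.auth.otherdomain.com"),
    "_acmechallenge.www.auth.otherdomain.com": ("TXT", ["tok-www-abc123"]),
    # NS delegation of the _acme-challenge label (the earlier proposal): the
    # TXT lives directly at the challenge name inside the delegated zone.
    "_acme-challenge.mydomain.com": ("TXT", ["tok-apex-xyz789"]),
    # A misconfiguration worth catching before issuance: a CNAME loop.
    "_acme-challenge.loop.realdomain.com": ("CNAME", "_acmechallenge.loop.auth.otherdomain.com"),
    "_acmechallenge.loop.auth.otherdomain.com": ("CNAME", "_acme-challenge.loop.realdomain.com"),
}


def resolve_txt(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs from `name`, as an ACME validator does, and return the
    TXT values at the end of the chain ([] if the chain dead-ends)."""
    seen = set()
    for _ in range(max_hops):
        name = name.lower()
        if name in seen:
            raise RuntimeError(f"CNAME loop at {name}")
        seen.add(name)
        rr = zone.get(name)
        if rr is None:
            return []
        rtype, data = rr
        if rtype == "TXT":
            return list(data)
        name = data  # CNAME: keep walking
    raise RuntimeError("CNAME chain too long")


def challenge_satisfied(domain, token, zone=ZONE):
    """Pre-issuance self-check: is the token visible at the end of the chain
    that starts at the public _acme-challenge name?"""
    return token in resolve_txt(challenge_name(domain), zone)


def cname_consistent(domain, rules, zone=ZONE):
    """Pre-flight: does the public CNAME point where the rule says the token
    will be written? A mismatch means validation will fail every time."""
    rr = zone.get(challenge_name(domain))
    return rr is not None and rr[0] == "CNAME" and rr[1] == delegation_target(domain, rules)
```

The loop guard matters in practice: a CNAME that points back into the real zone (or a stale rule after a surrogate-zone rename) gives the CA nothing to read, and the failure surfaces only as a timed-out validation unless you check the chain yourself first.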

Thank you for the detailed explanation, very keen to see Certify Management Hub go live into PROD by EOY 2025.