Separate domain for TXT hosting


#1

Primary domain: domain1
Secondary domain: domain2

Domain2 hosts our TXT records for Let’s Encrypt purposes. We created a CNAME locally that aliases “_acme-challenge.server.domain1.edu” to “_acme-challenge.server.domain2.net”.

We use DNS Made Easy and provide the API key for domain2.

Certify the Web creates a TXT record with a name of “_acme-challenge.server.domain1.edu.domain2”

The validation fails with the following message:
“Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server1.edu”

Let’s Encrypt follows the CNAME we set up and is expecting to validate a TXT record with a name of “_acme-challenge.server.domain2.net”. I verified this by modifying the TXT record during the 60 second wait period, and the certificate was issued properly.

Is our configuration supported by the current version of Certify the Web?

Thanks in advance for any assistance.

Ethan A. Cooper
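To make the failure in this post concrete, here is a small added example (not part of the original thread, and not Certify the Web code) that models how a DNS-01 validator follows a CNAME on the `_acme-challenge` label. The zone data, the token value and the function names are all constructed for illustration; the point it shows is that a TXT record written under `<challenge name>.<api zone>` is never consulted, while the same record written at the CNAME target is.

```python
"""Toy DNS-01 lookup: follow CNAMEs from the _acme-challenge name and check
for the expected TXT value. Zone data below is constructed, not live DNS."""

CHALLENGE = "_acme-challenge.server.domain1.edu"
TARGET = "_acme-challenge.server.domain2.net"
API_ZONE = "domain2.net"       # zone the DNS provider API key is scoped to
TOKEN = "constructed-token"    # stands in for the real DNS-01 digest

# Constructed zone: only the CNAME delegation, no TXT yet.
CNAME_ONLY = {CHALLENGE: {"CNAME": TARGET}}


def normalize(name):
    """Canonical owner name: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def build_zone(txt_name, token):
    """Constructed zone: the CNAME plus one TXT record at txt_name."""
    zone = {k: dict(v) for k, v in CNAME_ONLY.items()}
    zone[normalize(txt_name)] = {"TXT": [token]}
    return zone


def resolve_txt(zone, name, max_hops=8):
    """Follow the CNAME chain from name; return (final_name, txt_list or None).
    None means the final name does not exist (NXDOMAIN)."""
    name = normalize(name)
    for _ in range(max_hops):
        rrset = zone.get(name)
        if rrset is None:
            return name, None
        if "CNAME" in rrset:
            name = normalize(rrset["CNAME"])
            continue
        return name, rrset.get("TXT", [])
    raise RuntimeError("CNAME chain too long or looping")


def validate_dns01(zone, fqdn, token):
    """What the CA does: look up TXT at _acme-challenge.<fqdn>, following CNAMEs."""
    name, txts = resolve_txt(zone, "_acme-challenge." + fqdn)
    if txts is None:
        return False, "NXDOMAIN looking up TXT for " + name
    if token in txts:
        return True, "matching TXT found at " + name
    return False, "no matching TXT at " + name


def naive_record_name(challenge_name, api_zone):
    """Record name a provider plugin produces when it appends the API zone."""
    return normalize(challenge_name + "." + api_zone)


def delegated_record_name(zone, challenge_name):
    """Correct record name: wherever the CNAME chain ends."""
    name, _ = resolve_txt(zone, challenge_name)
    return name


if __name__ == "__main__":
    wrong = naive_record_name(CHALLENGE, API_ZONE)
    right = delegated_record_name(CNAME_ONLY, CHALLENGE)
    print("naive name:    ", wrong, validate_dns01(build_zone(wrong, TOKEN), "server.domain1.edu", TOKEN))
    print("delegated name:", right, validate_dns01(build_zone(right, TOKEN), "server.domain1.edu", TOKEN))
```

Running it shows the naive name failing with an NXDOMAIN for the CNAME target and the delegated name passing; before requesting issuance, the same check can be done against live DNS by resolving the `_acme-challenge` name with a real resolver and confirming the TXT appears at the end of the CNAME chain.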


#2

Hi Ethan,
Thanks, no, you are correct that this scenario is not currently supported by the DNS API providers because they are all set up to expect the certificate domain instead of a surrogate CNAME domain. I think however that adding an option for a surrogate CNAME domain would be relatively simple so I’ll add this to the list of things to add to the next release (which may be a while away).

In the meantime you could use the acme-dns API to achieve a similar result or script your own with the DNS scripting option.


#3

p.s. this is the issue to track this, it’s been an idea for a while: https://github.com/webprofusion/certify/issues/369


#4

Thank you so much for the reply. I appreciate the clarification, and I’m looking forward to this functionality in the future.