Netgate Discussion Forum

    DNS alias mode

    Category: ACME (10 posts, 3 posters)
    hakkers

      @jimp: is there, by any chance, support for 'DNS alias mode' in the works?

      I'm stuck with a party that maintains our company's website (some fancy CMS) and also provides DNS for our domains. They claim they need control of DNS for their CMS. The decision to work with them is out of my hands, so I cannot use another DNS service with acme API support.

      I can, however, have them add any DNS record I want.

      I'm dying to simplify our current setup by using wildcard certificates. I used to maintain a manual install of acme.sh on pfSense, but once I discovered the ACME package I've been using it ever since.

      I know I can do DNS alias mode with a manual acme.sh install, but I really don't want to take that step backwards again.

      Kind regards.

      jimp (Rebel Alliance Developer, Netgate)

        Yes

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        hakkers

          (image)

          un1que

            The DNS-manual method does not support automatic certificate renewal, right? Is auto-renewal possible when using DNS alias mode?

            jimp (Rebel Alliance Developer, Netgate) @un1que

              @un1que said in DNS alias mode:

              The DNS-manual method does not support automatic certificate renewal, right? Is auto-renewal possible when using DNS alias mode?

              Challenge alias is not really a "mode". It's an alternate hostname to use.

              Whether or not it works automatically is up to the DNS update mode being used for the certificate.

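How the challenge alias jimp describes works in practice, as an added example that is not from this thread or from the pfSense ACME package: the third-party zone carries only a CNAME from _acme-challenge.<domain> to a name inside a zone you control, and the validation TXT record is published there. The code below walks that CNAME chain over a constructed zone snapshot (all names and token values are placeholders) and flags the case where a stale TXT record from an earlier DNS-manual issue is left at the same name as the new CNAME.

```python
# Added example: resolve the DNS-01 challenge name through a CNAME "challenge
# alias" and report where the _acme-challenge TXT record must be published.
# Zone snapshots are constructed; example.com / acme.example.net are placeholders.

# The third-party DNS (the CMS vendor) holds only the CNAME; the alias zone
# you control holds the TXT that acme.sh publishes on each renewal.
ZONE_GOOD = {
    "_acme-challenge.example.com.": [("CNAME", "_acme-challenge.acme.example.net.")],
    "_acme-challenge.acme.example.net.": [("TXT", "constructed-token-value")],
}
# Constructed snapshot of the mistake discussed in the thread: a leftover TXT from
# a DNS-manual issue sits at the same name as the new CNAME.  DNS does not allow
# other records beside a CNAME, so resolvers will not follow the alias reliably.
ZONE_STALE = {
    "_acme-challenge.example.com.": [("CNAME", "_acme-challenge.acme.example.net."),
                                     ("TXT", "old-manual-token")],
    "_acme-challenge.acme.example.net.": [("TXT", "constructed-token-value")],
}

def fqdn(name):
    return name if name.endswith(".") else name + "."

def check_alias(domain, alias_zone, zone, max_hops=8):
    """Walk CNAMEs from _acme-challenge.<domain>; report where the TXT lives."""
    name = fqdn("_acme-challenge." + domain)
    for _ in range(max_hops):
        rrs = zone.get(name, [])
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            break                      # no CNAME here: this name holds the TXT
        if len(rrs) != 1:
            return {"target": name, "error": "CNAME must be the only record at " + name}
        name = fqdn(cnames[0])
    else:
        return {"target": name, "error": "CNAME chain longer than %d hops" % max_hops}
    # Validation only stays automatic if the chain ends in the zone you control.
    in_alias = name == fqdn(alias_zone) or name.endswith("." + fqdn(alias_zone))
    txt = [v for t, v in zone.get(name, []) if t == "TXT"]
    return {"target": name, "in_alias_zone": in_alias, "txt": txt, "error": None}

# With the CNAME in place, acme.sh is told to validate via the alias zone, e.g.
#   acme.sh --issue -d example.com --challenge-alias acme.example.net --dns dns_<provider>
if __name__ == "__main__":
    print(check_alias("example.com", "acme.example.net", ZONE_GOOD))
    print(check_alias("example.com", "acme.example.net", ZONE_STALE))
```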
                un1que

                @jimp
                I just tried to renew the certificate via the "Renew" button and it works! Earlier, when using the DNS-manual method, it was not possible and I had to renew the certificate via the "Issue" button. Are you sure that there is no difference?

                I mean, the DNS-manual method can only be updated manually because you have to add the challenge TXT entries every time, I think. But when you're using that alias mode and your machine behind the alias is fully automated for the validation process, those entries are added automatically - as a result the whole process (on the pfSense) can be automated, can't it?

                jimp (Rebel Alliance Developer, Netgate)

                  What do you have selected for the Method on that certificate entry?

                  If you manually renewed in the last week, the old authz and such would still be valid, so a renew would succeed even with manual in that timeframe.

                    un1que (edited)

                    @jimp
                    Method is still DNS-Manual. But when I manually issued my certificate some days ago I used custom TXT records, of course. After I added an alias to a server with auto-renewing LE certificates, I deleted those TXT records.

                    Just tested it one more time and got a new certificate via the "Renew" button on DNS-Manual method + DNS alias mode.

                      jimp (Rebel Alliance Developer, Netgate)

                      You most likely "renewed" within the valid authz period so it did not have to re-validate the TXT record. Your change wouldn't have helped anything.

                        un1que

                        Ok, now I've got it. Thanks for your help!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.