DNS alias mode



  • @jimp: is there, by any chance, support for 'DNS Alias mode' in the works?

    I'm stuck with a party that maintains our company's website (some fancy CMS) and also provides DNS for our domains. They claim they need control of DNS for their CMS. The decision to work with them is out of my hands, so I cannot use another DNS service with ACME API support.

    I can, however, have them add any DNS record I want.

    I'm dying to simplify our current setup by using wildcard certificates. I used to maintain a manual install of acme.sh on pfSense, but once I discovered the ACME package I've been using it ever since.

    I know I can do DNS alias mode with a manual acme.sh install, but I really don't want to take that step backwards again.

    Kind regards.


  • Rebel Alliance Developer Netgate

    Yes






  • The DNS-manual method does not support automatic certificate renewal, right? Is auto-renewal possible when using DNS alias mode?


  • Rebel Alliance Developer Netgate

    @un1que said in DNS alias mode:

    The DNS-manual method does not support automatic certificate renewal, right? Is auto-renewal possible when using DNS alias mode?

    Challenge alias is not really a "mode". It's an alternate hostname to use.

    Whether or not it works automatically is up to the DNS update mode being used for the certificate.
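To make the "alternate hostname" point concrete, here is an added example (not code from the thread, the ACME package or acme.sh) that mimics how a validating resolver locates the dns-01 TXT record when `_acme-challenge.<domain>` is a CNAME pointing at a name the admin controls elsewhere. All hostnames and token values are constructed for this example.

```python
"""Added example: follow a dns-01 challenge alias (CNAME) the way a CA's
resolver does, and check that the expected TXT value is reachable."""

# Constructed zone data. The CMS provider hosts example.com and only has to add
# a CNAME; the TXT records live under acme-alias.example.net, which is served by
# a DNS host with an API that the ACME client can update automatically.
ZONE = {
    "_acme-challenge.example.com.": {"CNAME": ["_acme-challenge.acme-alias.example.net."]},
    "_acme-challenge.www.example.com.": {"CNAME": ["_acme-challenge.acme-alias.example.net."]},
    "_acme-challenge.acme-alias.example.net.": {"TXT": ["KEYAUTH-TOKEN-1", "KEYAUTH-TOKEN-2"]},
    # Misconfiguration case: a CNAME that points at itself.
    "_acme-challenge.loop.example.com.": {"CNAME": ["_acme-challenge.loop.example.com."]},
}

MAX_CNAME_HOPS = 8  # resolvers stop following overly long or circular chains


def challenge_name(domain: str) -> str:
    """dns-01 record name for a domain; a wildcard shares its base name's record."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}."


def lookup_txt(name: str, zone: dict = ZONE) -> tuple[str, list[str]]:
    """Follow CNAMEs from `name` and return (final owner name, TXT values).

    Raises ValueError on a CNAME loop or a chain longer than MAX_CNAME_HOPS.
    """
    seen = []
    while name not in seen:
        seen.append(name)
        if len(seen) > MAX_CNAME_HOPS:
            raise ValueError(f"CNAME chain too long starting at {seen[0]}")
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"][0]  # a name may carry only one CNAME
            continue
        return name, rrset.get("TXT", [])
    raise ValueError("CNAME loop: " + " -> ".join(seen + [name]))


def challenge_satisfied(domain: str, expected_token: str, zone: dict = ZONE) -> bool:
    """True if the key authorisation the CA expects is found at the chain's end."""
    _, txt_values = lookup_txt(challenge_name(domain), zone)
    return expected_token in txt_values
```

Because the TXT record is looked up at the end of the CNAME chain, the party holding the provider-managed zone only ever adds the static CNAME once; whether renewal then runs unattended depends on whether the zone at the alias target is updated by an API-capable method.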



  • @jimp
    I just tried to renew the certificate via the "Renew" button and it works! Earlier, when using the DNS-manual method, it was not possible and I had to renew the certificate via the "Issue" button. Are you sure that there is no difference?

    I mean, the DNS-manual method can only be updated manually because you have to add the challenge TXT entries every time, I think. But when you're using that alias mode and your machine behind the alias is fully automated for the validation process, those entries are added automatically - as a result the whole process (on the pfSense) can be automated, can't it?


  • Rebel Alliance Developer Netgate

    What do you have selected for the Method on that certificate entry?

    If you manually renewed in the last week, the old authz and such would still be valid, so a renew would succeed even with manual in that timeframe.



  • @jimp
    Method is still DNS-Manual. But when I manually issued my certificate some days ago I used custom TXT records, of course. After I added an alias to a server with auto-renewing LE certificates, I deleted those TXT records.

    Just tested it one more time and got a new certificate via the "Renew" button on DNS-Manual method + DNS alias mode.


  • Rebel Alliance Developer Netgate

    You most likely "renewed" within the valid authz period so it did not have to re-validate the TXT record. Your change wouldn't have helped anything.



  • Ok, now I've got it. Thanks for your help!