Netgate Discussion Forum
    ACME for CNAMEs

Category: ACME
4 Posts 3 Posters 922 Views
sgw (last edited by sgw):

I am trying to add some new certificates to a pfSense-23.09.1 appliance.

      The corresponding DNS-Records are CNAMEs, and as far as I remember, this works in other setups I have.
      I even cross-checked right now.

At the problematic appliance I get:

      FOUND domainitemwebroot
      put token at: /tmp/haproxy_chroot/.well-known/acme-challenge//4ovavh_tOff2mFFvRuMwLr0YLSZQTl_Ye_l5ky4_oJc
      [Mon Feb 12 12:38:20 CET 2024] Pending, The CA is processing your order, please just wait. (1/30)
      [Mon Feb 12 12:38:23 CET 2024] Found domain http api file: /tmp/acme/grafana/httpapi/pfSenseacme.sh
      [Mon Feb 12 12:38:23 CET 2024] grafana.iom.at:Verify error:DNS problem: NXDOMAIN looking up A for grafana.mytld - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for grafana.mytld - check that a DNS record exists for this domain
      [Mon Feb 12 12:38:24 CET 2024] Please check log file for more details: /tmp/acme/grafana/acme_issuecert.log
      

      maybe the admin there accidentally added a dot at the end of the IP:

      # dig 
      grafana.my.tld.		43200	IN	CNAME	85.12.34.59.
      

      I asked him to check.

      but my question: ACME should work with CNAMEs, right?

EDIT: solved ... the CNAME-records were wrong .... he set them to an IP instead of a FQDN.

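The record that broke validation here is a CNAME whose target is an IP literal (`85.12.34.59.`), which no resolver can follow, so the CA's lookup ends in NXDOMAIN. The following is an added example (not code from the thread, pfSense or acme.sh): a small pre-flight linter that parses dig-style records and flags the CNAME mistakes that make a name unresolvable before you ask the CA to validate it. The zone lines are constructed; only the first one mirrors the shape of the record quoted above.

```python
import ipaddress
import re

# Constructed sample in dig's presentation format. The first line mirrors the shape of
# the record from the thread (CNAME target is an IP literal with a trailing dot); the
# other lines are made up to exercise the remaining checks.
SAMPLE_ZONE = """\
grafana.my.tld.   43200  IN  CNAME  85.12.34.59.
lb.my.tld.        3600   IN  A      203.0.113.10
web.my.tld.       43200  IN  CNAME  lb.my.tld.
app.my.tld.       3600   IN  CNAME  app.my.tld.
mail.my.tld.      3600   IN  CNAME  mx.my.tld.
mail.my.tld.      3600   IN  A      203.0.113.12
"""

# owner  ttl  IN  type  rdata   (single-token rdata is enough for A/AAAA/CNAME)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_zone(text):
    """Parse dig-style lines into (owner, ttl, rtype, rdata) tuples; blank and ';' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner, int(ttl), rtype.upper(), rdata))
    return records


def is_ip_literal(target):
    """True if a CNAME target is really an IPv4/IPv6 address (a trailing dot is tolerated)."""
    try:
        ipaddress.ip_address(target.rstrip("."))
        return True
    except ValueError:
        return False


def norm(name):
    """Canonical form for comparing owner names: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def lint_cnames(records):
    """Return [(owner, problem)] for CNAMEs that a validator such as the CA's resolver cannot follow."""
    problems = []
    # Record types present at each owner, so a CNAME sharing its name with other data is caught.
    types_at = {}
    for owner, _ttl, rtype, _rdata in records:
        types_at.setdefault(norm(owner), set()).add(rtype)
    for owner, _ttl, rtype, rdata in records:
        if rtype != "CNAME":
            continue
        if is_ip_literal(rdata):
            problems.append((owner, f"target {rdata!r} is an IP literal; use an A/AAAA record instead"))
        elif norm(rdata) == norm(owner):
            problems.append((owner, "CNAME points at its own name (loop)"))
        elif types_at[norm(owner)] - {"CNAME"}:
            problems.append((owner, "CNAME coexists with other records at the same name (not allowed)"))
    return problems


if __name__ == "__main__":
    for owner, why in lint_cnames(parse_zone(SAMPLE_ZONE)):
        print(f"{owner}: {why}")
```

Run it against the output of `dig +noall +answer` for the names you are about to request certificates for; a CNAME is only valid when its target is another name, so the first check is the one that would have caught this thread's record.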
Gertjan (@sgw, last edited by Gertjan):

        @sgw said in ACME for CNAMEs:

        dig

        grafana.my.tld. 43200 IN CNAME 85.12.34.59.

        What dns server was 'dig' using to find that info ?

        @sgw said in ACME for CNAMEs:

        Verify error:DNS problem: NXDOMAIN looking up A for grafana.mytld - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for grafana.mytld - check that a DNS record exists for this domain

        The DNS servers Letsencrypt was using told them "grafana.mytld" is unknown. No A, no AAAA record.

When the acme.sh script, the DNS method, updates the DNS info, only the master DNS (your domain name master DNS server) is updated.
After a while the (at least) one or more slave domain servers are also updated by the master domain DNS server.
After receiving the instructions to update your zone, it will signal all the slaves involved that a zone (your "grafana.mytld") was updated. It's up to the slave(s) to sync whenever they see fit.
No one can tell how long this takes, we all hope 'immediately' but that's surely not generally the case.

        This is why this option exists :

[screenshot: 2a183c41-4ff4-41c6-8aef-2385a01ad29b-image.png]

        edit : after some more thinking :
For me, it looks like Letsencrypt could not find your "grafana.mytld", as that one should exist already.
        acme.sh just adds a subdomain with a specific name : "_acme-challenge." And then it adds into this sub domain a TXT string with a 'secret' number.
        Do you have general DNS domain name issues ?
        Use https://www.zonemaster.net/en/run-test : all is fine ?

        @sgw said in ACME for CNAMEs:

        EDIT: solved ... the CNAME-records were wrong .... he set them to an IP instead a FQDN.

        Ah, ok, dns issues then.
Glad you got it solved.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

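The propagation problem Gertjan describes (the primary has the new `_acme-challenge` TXT record, the secondaries catch up on their own schedule) is why a DNS-01 run should confirm that every authoritative server serves the token before validation is triggered. The following is an added example, not code from acme.sh or the thread: it classifies each authoritative server as ok, stale or missing and polls until they all agree. The server names, the token and the lookup function are constructed stand-ins; a real implementation would send the query to each server directly (for instance with dnspython's `dns.resolver.Resolver`, setting its `nameservers` to that server's address).

```python
import time

NAME = "_acme-challenge.grafana.example"   # hypothetical validation name
EXPECTED = "tok-NEW"                       # constructed token value
SERVERS = ["ns1.example.net", "ns2.example.net", "ns3.example.net"]  # constructed NS set

# Constructed stand-in for querying each authoritative server directly: the primary
# already serves the new TXT, one secondary still serves the previous value, and one
# has nothing yet.
STATIC_ANSWERS = {
    "ns1.example.net": ["tok-NEW"],
    "ns2.example.net": ["tok-OLD"],
    "ns3.example.net": [],
}


def static_lookup(server, name):
    """Return the TXT strings `server` serves for `name` (constructed data, never changes)."""
    if name != NAME:
        return []
    return STATIC_ANSWERS.get(server, [])


def make_converging_lookup(polls_until_synced):
    """Constructed behaviour: secondaries start serving the token after N polling rounds."""
    counter = {"polls": 0}

    def lookup(server, name):
        if server == SERVERS[0]:
            counter["polls"] += 1  # one round = one query to the primary
        if server == SERVERS[0] or counter["polls"] >= polls_until_synced:
            return [EXPECTED] if name == NAME else []
        return static_lookup(server, name)

    return lookup


def check_propagation(name, expected, servers, lookup):
    """Classify each authoritative server as ok / stale / missing for the expected TXT value."""
    status = {}
    for server in servers:
        values = lookup(server, name)
        if expected in values:
            status[server] = "ok"
        elif values:
            status[server] = "stale"      # serves an old token: zone transfer not done yet
        else:
            status[server] = "missing"    # no TXT at all: record never reached this server
    return status


def wait_for_propagation(name, expected, servers, lookup, attempts=10, delay=5.0, sleep=time.sleep):
    """Poll until every server serves the token. Returns (converged, polls_used, last_status)."""
    status = {}
    for n in range(1, attempts + 1):
        status = check_propagation(name, expected, servers, lookup)
        if all(s == "ok" for s in status.values()):
            return True, n, status
        if n < attempts:
            sleep(delay)
    return False, attempts, status


if __name__ == "__main__":
    print(check_propagation(NAME, EXPECTED, SERVERS, static_lookup))
    print(wait_for_propagation(NAME, EXPECTED, SERVERS, make_converging_lookup(3), delay=0))
```

Only the "ok" state on every server means the CA's resolver cannot be unlucky and hit a lagging secondary; a "stale" answer is the exact situation a fixed sleep guesses at, and a "missing" answer usually points at the update never having been applied at the primary.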
johnpoz, LAYER 8 Global Moderator (@sgw, last edited by johnpoz):

          @sgw said in ACME for CNAMEs:

          EDIT: solved ... the CNAME-records were wrong .... he set them to an IP instead a FQDN.

That is not solved. CNAMEs never should point to an IP.. They are to point to another domain..

That is not the point of cname - if you want a fqdn to point to an IP, that is just a simple A record.

edit: hahaha - oh I read that wrong, hahah - I thought you pointed them to an IP to fix the problem, not that they were pointing to an IP and changed to point to a domain.. Glad to hear you got it sorted.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

sgw (@johnpoz):

            @johnpoz @Gertjan thanks to both of you

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.