CNAME delegation to subdomain not working for DNS challenge with Home Assistant's Let's Encrypt add-on

Dear deSEC community,

Although mentioned by some sources to be generally working, I cannot succeed in making the setup mentioned in the subject run. Anyone able to help out (or confirm)?

For several days, I have tried numerous approaches for the following setup for solving the ACME DNS-01 challenge for Let’s Encrypt:

  • Home Assistant OS with Let’s Encrypt add-on
    • domain: *.XXX.org
    • challenge: dns
    • provider: dns-desec
  • domain XXX.org at DomainFactory
    • _acme-challenge.XXX.org with CNAME to _acme-challenge.acme.XXX.org
    • XXX.org with NS to ns19.domaincontrol.com
    • XXX.org with NS to ns20.domaincontrol.com
    • acme.XXX.org with NS to ns1.desec.io
    • acme.XXX.org with NS to ns2.desec.org
  • account at deSEC for ACME challenge via domain acme.XXX.org
    • _acme-challenge with TXT as "test"
    • valid API token which “can manage tokens”, “can create domains”, and “can delete domains”

After completed DNS propagation, test sites such as https://mxtoolbox.com/, https://dnschecker.org/, https://unboundtest.com/, or https://letsdebug.net/ yield reasonable feedback.

But when starting the Let’s Encrypt add-on on Home Assistant for certificate creation, the add-on issues the following error:

Encountered exception during recovery: certbot.errors.PluginError: Could not find suitable domain in your account (did you create it?): _acme-challenge.XXX.org

The log gives the following additional information:

Performing the following challenges:
dns-01 challenge for XXX.org
Authenticator._perform: XXX.org, _acme-challenge.XXX.org, yyyyyyyyyyyyy
creating _DesecConfigClient
Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/certbot_dns_desec/dns_desec.py", line 131, in get_authoritative_zone
    return data[0]
           ~~~~^^^

Looks like certbot is struggling with the fact that I would like to have a wildcard certificate for the actual domain *.XXX.org while deSEC sees the subdomain acme.XXX.org only. Therefore the deSEC API probably cannot return any matching entries for XXX.org when asked by certbot, but only for acme.XXX.org.

Is the intended setup generally not possible (although being reported here and there to be working, depending on the ACME solution chosen)? What is wrong or missing?

Any kind of help highly appreciated!

Confirmed. It will work when this lands.

1 Like

That was quick – thanks a lot! Problem fixed before raised …
Hope they’ll integrate it soon, will keep you posted.

Ideally CNAME support would be added to Certbot, IMHO, because then all DNS plugins would benefit from it. Unfortunately this has been a known deficiency since at least 2018, and over the years, several attempts to add support have fizzled out, so I wrote a patch for the certbot-dns-desec plugin instead.

1 Like
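To illustrate the failure in the opening question and the CNAME-following fix described in the post above, here is an added Python example; it is not the certbot-dns-desec plugin's code. The CNAME table and the account zone list are constructed stand-ins for live DNS and the deSEC API, and the function names are assumptions.

```python
# Added example (not the plugin's code): the zone lookup from the thread
# fails when certbot asks for the un-redirected validation name, and it
# succeeds once the _acme-challenge CNAME is followed first.
# DNS answers and the account zone list are constructed so this runs offline.

# Constructed CNAME table standing in for live DNS (the thread's setup).
CNAMES = {
    "_acme-challenge.xxx.org": "_acme-challenge.acme.xxx.org",
}

# Constructed zone list standing in for the domains in the deSEC account.
ACCOUNT_ZONES = ["acme.xxx.org"]


def get_authoritative_zone(name, zones):
    """Longest zone in the account that is the name itself or a parent of it.
    Mirrors the behaviour in the thread: no match raises an error."""
    name = name.rstrip(".").lower()
    candidates = [z for z in (x.rstrip(".").lower() for x in zones)
                  if name == z or name.endswith("." + z)]
    if not candidates:
        raise LookupError("Could not find suitable domain in your account "
                          f"(did you create it?): {name}")
    return max(candidates, key=len)


def zone_lookup_fails(name, zones):
    """True if the plain (non CNAME-following) lookup raises."""
    try:
        get_authoritative_zone(name, zones)
    except LookupError:
        return True
    return False


def follow_cnames(name, cnames, max_hops=8):
    """Return the final target of a CNAME chain; refuse loops and long chains."""
    seen = set()
    current = name.rstrip(".").lower()
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            raise LookupError(f"CNAME chain for {name} is looped or too long")
        seen.add(current)
        current = cnames[current].rstrip(".").lower()
    return current


def zone_and_subname_for_challenge(validation_name, zones, cnames):
    """Follow the CNAME first, then look up the zone for the resolved name.
    Returns (zone, subname): the TXT record is created under subname in zone."""
    target = follow_cnames(validation_name, cnames)
    zone = get_authoritative_zone(target, zones)
    subname = target[: -len(zone) - 1] if target != zone else ""
    return zone, subname
```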

The updated certbot-dns-desec plugin has been released, so I’ve tried to make the HomeAssistant Letsencrypt addon work. Unfortunately the old version 1.2.1 is hardcoded in the addon, so it won’t get the update automatically. You may have to bug the addon maintainer about that. If you want to modify the addon manually, this is possible from the server console, but note that every time you change the addon configuration, the container is recreated without the manual modifications. I also find that increasing the propagation delay is necessary. I used this configuration and successfully got a certificate with a domain that has its _acme-challenge subdomain redirected to deSEC through a CNAME:

provider: dns-desec
propagation_seconds: 120
desec_token: …

Edit: Should have looked first, as there is a pull request for a version bump already.

1 Like