DNS over deSEC but website host with Strato

My company just changed from Strato to deSEC because we wanted to start using Let’s Encrypt. The problem was Strato not having an API. Now we have almost completed the move to here, but one problem remains. We can’t reach the website that is hosted on Strato. Does anyone know which record to add for it to work? We tried adding the Strato SFTP username to the www CNAME, but that didn’t work.

It’s a Joomla installation on the webserver of Strato. The entry on Strato had a redirect to the directory of the website and the CNAME of the domain. (ex. www CNAME example.com. | now with deSEC www CNAME xyz12345.swh.strato-hosting.eu)

Edit: I think I know what the problem is. Because of the HTTPS certificate you arrive with the wrong name. Instead of the CNAME and SAN (ex. example.com, www.example.com) you arrive at the webserver with xyz12345.swh.strato-hosting.eu.

Has anyone had the same problem?

Disclaimer: I don’t use Strato, so I don’t know the details of how their service works.

deSEC provides DNS services, not certificates. Let’s Encrypt provides certificates. So this statement makes no sense (unless you left out the fact that you want to use e.g. the DNS-01 ACME challenge to generate a wildcard certificate).

Additionally, Strato has many products and they probably have significant differences w.r.t. your issue. I’ll guess from the context that you are using a very cheap shared webserver product, not a dedicated server?

I think most of your issue is off-topic for this forum as it pertains to the services Strato provides, not deSEC or DNS. That said …

For HTTP/HTTPS access you need A or AAAA records pointing to the webserver. Alternatively you could have CNAME records pointing to A or AAAA records that point to the webserver. The new HTTPS DNS record type might also work, but ultimately your clients will need to resolve an IP address.

Strato might reserve the right to change the IP on which the webserver runs at arbitrary times. I don’t know if that is so. If they do then they may have a fixed DNS hostname that always resolves to the correct IPs. You seem to have determined that this might be xyz12345.swh.strato-hosting.eu in your case. I do not know whether that is correct or not. You’d need to ask Strato. But let’s assume for now that this is correct.

If you manage to generate a certificate for your web server, the first problem you would have is installing that certificate so that the webserver will actually use it. You have not mentioned that part at all. If, as you claim, Strato has no API then this step will probably be impossible.

If you can somehow install a certificate for your webserver then three issues remain:
a) Generating the certificate including handling the ACME challenge.
b) Determining which hostnames to include in the certificate.
c) And getting the webserver to actually serve your content for these hostnames.

(a) would normally use the HTTP-01 challenge type. That would require special setup on the webserver to handle http://<your-hostname>/.well-known/acme-challenge/* requests for all of the hostnames included in the certificate. It also requires the ACME client software to write to the directory the above URLs access. But you could use a wildcard certificate which requires the DNS-01 challenge type. In that case you only need write access to your DNS server which can be accomplished using the deSEC API for your own domain. (You will not have access to the Strato DNS server that handles xyz12345.swh.strato-hosting.eu. And that might prevent this method from working.)

(b) you need to include all of the hostnames that serve your HTTPS content in the certificate, either as the Common Name (CN) or as alternate names. So your certificate might have CN: www.example.com and an alternate name: example.com, possibly even xyz12345.swh.strato-hosting.eu.

(c) is generally handled by the HTTP Host: header and in many cases by the Server Name Indication (SNI) in the TLS connection setup. The server needs to know all of the hostnames it is supposed to use to serve your content. It is not sufficient to just point some random name to the server IP using DNS (unless the server exclusively serves only your website). Hosters such as Strato usually host hundreds of websites on the same server (thus the name shared webserver) so the server needs to know about the mapping from hostname → content. It also needs to know which certificate to use which is handled by the SNI → certificate mapping (usually identical to the hostname → content mapping).

The Host: header and SNI will contain the hostname you entered into the browser, not some name that a CNAME redirects to.

That means apart from xyz12345.swh.strato-hosting.eu your webserver also needs to know about www.example.com and any other hostnames you want to use. Does Strato have a way to configure that?


Most of your questions would be better addressed to Strato:

  • Does Strato support using an external DNS for its shared webserver products?
    • And does the shared webserver allow the configuration of (additional) external hostnames for your website?
  • Does Strato allow setting your own certificate for a shared webserver?

If the answer to any of these is no, then you cannot get this to work.

Good luck!

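As an added illustration of the answer's point (not code from the thread, deSEC or Strato): a small model of what the browser does. It resolves the typed name through the CNAME, but sends the typed name, never the CNAME target, as SNI and Host, so the certificate must name the typed hostname. The zone, the RFC 5737 documentation address 192.0.2.10 and the SAN lists are constructed for the example; the wildcard matcher also shows that `*.example.com` does not cover the apex `example.com`.

```python
# Constructed sample zone: what the browser's resolver sees after the move to deSEC.
ZONE = {
    "www.example.com.": ("CNAME", "xyz12345.swh.strato-hosting.eu."),
    "example.com.": ("A", "192.0.2.10"),                    # constructed address
    "xyz12345.swh.strato-hosting.eu.": ("A", "192.0.2.10"),  # constructed address
}

def resolve(zone, name, max_hops=8):
    """Follow CNAMEs until an A record; return (ip, list of names visited)."""
    chain = []
    fqdn = name.rstrip(".") + "."
    for _ in range(max_hops):
        chain.append(fqdn)
        rtype, rdata = zone.get(fqdn, (None, None))
        if rtype == "A":
            return rdata, chain
        if rtype != "CNAME":
            return None, chain          # no record: client gets NXDOMAIN
        fqdn = rdata
    raise ValueError("CNAME chain too long")

def hostname_matches(host, san):
    """RFC 6125-style check: '*' only as the whole leftmost label, one label deep."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    h_labels, s_labels = host.split("."), san.split(".")
    # Same label count, and every label after the wildcard identical:
    # '*.example.com' matches www.example.com but not example.com or a.b.example.com.
    return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]

def diagnose(zone, typed_name, cert_sans):
    """Resolve typed_name, then check the server's cert against the SNI the browser sends."""
    ip, chain = resolve(zone, typed_name)
    sni = typed_name.rstrip(".")   # SNI and Host carry the typed name, not the CNAME target
    ok = any(hostname_matches(sni, san) for san in cert_sans)
    return {"ip": ip, "chain": chain, "sni": sni, "cert_ok": ok}

if __name__ == "__main__":
    strato_cert = ["xyz12345.swh.strato-hosting.eu"]   # cert naming only the CNAME target
    wildcard_cert = ["example.com", "*.example.com"]   # what a DNS-01 wildcard issuance gives
    for sans in (strato_cert, wildcard_cert):
        for name in ("www.example.com", "example.com"):
            print(name, sans, diagnose(ZONE, name, sans))
```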

I think you understood me wrong.

First. Yes, I know that deSEC isn’t a provider for certificates. But they provide an API so we can automate the DNS-01-Challenge, because we want to have a wildcard certificate.

Second. We switched back to Strato because we couldn’t get it to work. The SSL certificate was from Strato. I don’t think you can add SAN to the certificate after the creation or even before the creation.

But thank you for answering.