I try to get an SSL cert for my homelab, which is only reachable via VPN. I have a domain without an API to do the dns-01 challenge, so I decided to use CNAME propagation via deSEC.
I have the following config but don’t get it running:
→ I get the following error in nginx proxy manager: certbot._internal.error_handler:Encountered exception during recovery: certbot.errors.PluginError: Could not find suitable domain in your account (did you create it?): _acme-challenge.sub1.example.com
This won’t work until the NginxProxyManager release version (as of now latest=2.14.0) catches up to a commit that was made to its source code on April 13 which updates the Desec Certbot plugin to version 1.3.1 from 1.2.1. The old version does not include my patch that enables CNAME chaining. The new one does, but has yet to be included in the release version of NginxProxyManager. I would expect an update soon, because some severe security bugs have been revealed in Nginx.
If you’re familiar with your container system, you can execute an update inside the container. With podman, you’d do something like: podman exec nginxpm pip install certbot-dns-desec==1.3.1
where nginxpm is the name of the container that you want to run pip in.
That is possible but a little bit complicated. Why not just use either deSEC or unknown_dnsprovider instead of having to deal with two? Or am I totally lost?
The idea is to create a CNAME record for the _acme-challenge subdomain under the domain for which you want a certificate, and have that CNAME record point at a different domain where the ACME client can use an API to place the authentication token in a TXT record. This lets you use domains which are hosted where you don’t have access to an API, or if you do not want to place the API credentials to your domain on the server with the ACME client. The CNAME means you only “delegate” that particular subdomain to the server where the client has access.
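To illustrate the delegation described above, here is an added example (not from this thread and not the certbot-dns-desec plugin's code) that follows the _acme-challenge CNAME chain over constructed records and then looks for the deSEC zone that has to hold the TXT record; the record names, the delegation target and the account zone are all constructed assumptions. Without following the CNAME it ends up in the "no suitable domain" situation from the first post.

```python
"""Follow the _acme-challenge CNAME chain and pick the deSEC zone that holds the
dns-01 TXT record. All records below are constructed; no network access."""

# Constructed: example.com has no API, so _acme-challenge of the target host is
# delegated via CNAME into a zone hosted at deSEC.
CONSTRUCTED_CNAMES = {
    "_acme-challenge.sub1.example.com": "_acme-challenge.sub1.acme.example.dedyn.io",
}

# Constructed: zones present in the deSEC account used by the ACME client.
CONSTRUCTED_ACCOUNT_ZONES = ["acme.example.dedyn.io"]


def follow_cnames(name, cnames, max_depth=8):
    """Return the final target of the CNAME chain starting at `name`.
    Rejects loops and chains longer than `max_depth` (broken delegations)."""
    seen = set()
    current = name.rstrip(".").lower()
    for _ in range(max_depth):
        nxt = cnames.get(current)
        if nxt is None:
            return current
        nxt = nxt.rstrip(".").lower()
        if nxt == current or nxt in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        current = nxt
    raise ValueError(f"CNAME chain longer than {max_depth} hops from {name}")


def find_account_zone(record_name, account_zones):
    """Return the longest account zone that contains `record_name`, i.e. the
    zone the ACME client needs before it can create the TXT record, or None."""
    labels = record_name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in account_zones:
            return candidate
    return None


def plan_challenge(domain, cnames, account_zones, follow=True):
    """Return (zone, txt_name) for a dns-01 challenge of `domain`.
    zone is None when no account zone matches: the 'no suitable domain' case."""
    txt_name = f"_acme-challenge.{domain}"
    if follow:
        txt_name = follow_cnames(txt_name, cnames)
    return find_account_zone(txt_name, account_zones), txt_name
```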
NPM has been updated to 2.15.0, which includes the CNAME chaining patch for the certbot_dns_desec plugin. If you update your container to the “latest” tag, getting a LE certificate with a CNAME for the _acme-challenge subdomain should work now.
While the error is another issue, also note: waiting just 120 seconds (2 minutes) isn’t always enough; set it to 3–4 minutes for now. See Ns1.desec.io replication issues - #17 by bwb.