Subdomain cert for external domain

Hello!

So I’ll try to make it short:

I have a porkbun domain (example.xyz) which is switched to deSEC with DNSSEC. I’m using caddy with the desec plugin for the dns-01 challenge. That is working. I get the cert for example.xyz and can create handles (test.example.xyz) and it’s working. All that is for my internal stuff, so the domain goes nowhere externally; internally pihole gets it done.

But I can’t figure out how to get a cert for a subdomain. My plan is to get *.external.example.xyz and *.internal.example.xyz. The first will use ddns, the second should go nowhere.

That is how I set it up with cloudflare and my domain I have there. But I want to phase Cloudflare out.

I tried external.example.xyz as an A record going to 0.0.0.0 and as a CNAME, but caddy throws errors for the dns-01 challenge (it’s always DNS :smile:)

What am I missing?

Hi pythoner,

Thanks for your message, and welcome to deSEC! :slight_smile:

Can you post the error?

Stay secure,
Peter

PS: Your post would be easier to read if you fixed the typos :upside_down_face:

EDIT: where are my manners? Thank you for the quick reply!

Fixed the typos somewhat :slight_smile:

The error is for an A record with “home” as the subname leading to 0.0.0.0 for testing.

```text
arams:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
caddycrowd-1  | {"level":"error","ts":1724311683.8937502,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.home.example.xyz","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1872230987/298410105386","attempt":1,"max_attempts":3}
caddycrowd-1  | {"level":"error","ts":1724311683.8937669,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.home.example.xyz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz - check that a DNS record exists for this domain"}
caddycrowd-1  | {"level":"debug","ts":1724311683.893824,"logger":"events","msg":"event","name":"cert_failed","id":"6f3ba113-8cac-4799-92e8-25d0672a1f53","origin":"tls","data":{"error":{},"identifier":"*.home.example.xyz","issuers":["acme-v02.api.letsencrypt.org-directory"],"renewal":false}}
caddycrowd-1  | {"level":"error","ts":1724311683.8938298,"logger":"tls.obtain","msg":"will retry","error":"[*.home.example.xyz] Obtain: [*.home.example.xyz] solving challenge: *.home.example.xyz: [*.home.example.xyz] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz - check that a DNS record exists for this domain (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":77.047391801,"max_duration":2592000}
caddycrowd-1  | {"level":"info","ts":1724311726.386633,"logger":"tls.obtain","msg":"releasing lock","identifier":"*.home.example.xyz"}
caddycrowd-1  | {"level":"error","ts":1724311726.3877282,"msg":"unable to clean up lock in storage backend","signal":"SIGTERM","storage":"FileStorage:/data/caddy","lock_key":"issue_cert_*.home.example.xyz","error":"remove /data/caddy/locks/issue_cert_wildcard_.home.example.xyz.lock: no such file or directory"}
caddycrowd-1  | {"level":"error","ts":1724311726.3877606,"logger":"tls","msg":"job failed","error":"*.home.example.xyz: obtaining certificate: context canceled"}
```

Is there anything I can test/try to resolve the issue?
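The log above says Let's Encrypt got NXDOMAIN for `_acme-challenge.home.example.xyz`, i.e. at validation time that name did not exist at all in the zone, not just without a TXT record. The following is an added example (not code from this thread, from Caddy or from deSEC) that works through what the dns-01 flow for a wildcard needs: the challenge name for `*.home.example.xyz`, the `(subname, domain)` split deSEC's API addresses records by, the TXT RRset body a client would POST, a check of a zone listing for that record, and the `dig` queries to run against deSEC's authoritative servers while the challenge is pending. `example.xyz`, the token values and the zone listing are placeholders and constructed data.

```python
# Added example for the dns-01 / deSEC discussion above; not the thread's or
# the projects' own code. Domain, token values and the zone listing are
# constructed placeholders.
import json

DESEC_API = "https://desec.io/api/v1"
DESEC_NS = ("ns1.desec.io", "ns2.desec.org")  # deSEC authoritative nameservers


def challenge_name(identifier: str) -> str:
    """RFC 8555 s8.4: the validation name is _acme-challenge.<identifier> with a
    leading '*.' stripped, so *.home.example.xyz and home.example.xyz share
    the same challenge name (this is what the NXDOMAIN in the log refers to)."""
    name = identifier.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name:
        raise ValueError(f"unsupported identifier {identifier!r}")
    return f"_acme-challenge.{name}"


def desec_split(fqdn: str, zone: str) -> tuple[str, str]:
    """deSEC addresses records as (subname, domain); the zone apex has subname ''."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if fqdn == zone:
        return "", zone
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -(len(zone) + 1)], zone


def txt_rrset(subname: str, key_auth_digest: str, ttl: int = 3600) -> dict:
    """Body for POST {DESEC_API}/domains/<zone>/rrsets/. TXT data is quoted;
    deSEC rejects TTLs below the account minimum (3600 s unless raised)."""
    if ttl < 3600:
        raise ValueError("deSEC rejects TTL below 3600 unless raised on the account")
    return {"subname": subname, "type": "TXT", "ttl": ttl,
            "records": [f'"{key_auth_digest}"']}


def find_challenge(rrsets: list[dict], identifier: str, zone: str) -> list[str]:
    """Given a zone listing (shape of GET /domains/<zone>/rrsets/), return the
    TXT values published at the identifier's challenge name, [] if absent.
    [] while Caddy is mid-challenge is exactly the situation behind NXDOMAIN."""
    subname, _ = desec_split(challenge_name(identifier), zone)
    for rr in rrsets:
        if rr["type"] == "TXT" and rr["subname"] == subname:
            return [r.strip('"') for r in rr["records"]]
    return []


def dig_commands(identifier: str) -> list[str]:
    """Queries to run during the challenge window, straight at the authoritative
    servers with DNSSEC, so you see NXDOMAIN vs NOERROR before Let's Encrypt does."""
    name = challenge_name(identifier)
    return [f"dig +dnssec TXT {name}. @{ns}" for ns in DESEC_NS]


# Constructed zone listing, trimmed to the fields used here: the apex, the
# 'home' A record from the post, and a challenge record only for the apex.
SAMPLE_ZONE = [
    {"domain": "example.xyz", "subname": "", "type": "A", "ttl": 3600,
     "records": ["203.0.113.10"]},
    {"domain": "example.xyz", "subname": "home", "type": "A", "ttl": 3600,
     "records": ["0.0.0.0"]},
    {"domain": "example.xyz", "subname": "_acme-challenge", "type": "TXT",
     "ttl": 3600, "records": ['"apex-challenge-token"']},
]

if __name__ == "__main__":
    ident = "*.home.example.xyz"
    sub, dom = desec_split(challenge_name(ident), "example.xyz")
    print("challenge name:", challenge_name(ident))
    print("deSEC subname/domain:", sub, dom)
    print("rrset body:", json.dumps(txt_rrset(sub, "constructed-key-authz-digest")))
    print("published for", ident, "->", find_challenge(SAMPLE_ZONE, ident, "example.xyz"))
    print("\n".join(dig_commands(ident)))
```

Run the printed `dig` lines while Caddy is waiting on the order (it logs the challenge before telling the CA to validate): `NXDOMAIN` from both deSEC servers means the plugin never created `_acme-challenge.home` in the zone (token scope, wrong subname or a failed API call), while `NOERROR` with the TXT present means Let's Encrypt's resolvers saw stale or broken data, which with DNSSEC usually points at signatures rather than the record itself.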

Can you show us a summary of the example.xyz zone?

Thanks,
Nils