Subdomain cert for external domain

Hello!

So I’ll try to make it short:

I have a porkbun domain (example.xyz) which is switched to desec with DNSSEC. I’m using caddy with the desec plugin for the dns-01 challenge. That is working. I get the cert for example.xyz and can create handles (test.example.xyz) and it’s working. All that is for my internal stuff, so the domain goes nowhere externally, internally pihole gets it done.

But I can’t figure out how to get a cert for a subdomain. My plan is to get *.external.example.xyz and *.internal.example.xyz. The first will use ddns, the second should go nowhere.

That is how I set it up with cloudflare and my domain I have there. But I want to phase Cloudflare out.

I tried external.example.xyz as an A record going to 0.0.0.0 and as a CNAME, but caddy throws errors for the dns-01 challenge (it’s always DNS :smile:)

What am I missing?

Hi pythoner,

Thanks for your message, and welcome to deSEC! :slight_smile:

Can you post the error?

Stay secure,
Peter

PS: Your post would be easier to read if you fixed the typos :upside_down_face:

1 Like

EDIT: where are my manners? Thank you for the quick reply!

Fixed the typos somewhat :slight_smile:

The error is for an A record with “home” as the subname leading to 0.0.0.0 for testing.

arams:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz - check that a DNS record exists for this domain","instance":"","subproblems":[]}}
caddycrowd-1  | {"level":"error","ts":1724311683.8937502,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.home.example.xyz","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz - check that a DNS record exists for this domain","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1872230987/298410105386","attempt":1,"max_attempts":3}
caddycrowd-1  | {"level":"error","ts":1724311683.8937669,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.home.example.xyz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz - check that a DNS record exists for this domain"}
caddycrowd-1  | {"level":"debug","ts":1724311683.893824,"logger":"events","msg":"event","name":"cert_failed","id":"6f3ba113-8cac-4799-92e8-25d0672a1f53","origin":"tls","data":{"error":{},"identifier":"*.home.example.xyz","issuers":["acme-v02.api.letsencrypt.org-directory"],"renewal":false}}
caddycrowd-1  | {"level":"error","ts":1724311683.8938298,"logger":"tls.obtain","msg":"will retry","error":"[*.home.example.xyz] Obtain: [*.home.example.xyz] solving challenge: *.home.example.xyz: [*.home.example.xyz] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz - check that a DNS record exists for this domain (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":77.047391801,"max_duration":2592000}
caddycrowd-1  | {"level":"info","ts":1724311726.386633,"logger":"tls.obtain","msg":"releasing lock","identifier":"*.home.example.xyz"}
caddycrowd-1  | {"level":"error","ts":1724311726.3877282,"msg":"unable to clean up lock in storage backend","signal":"SIGTERM","storage":"FileStorage:/data/caddy","lock_key":"issue_cert_*.home.example.xyz","error":"remove /data/caddy/locks/issue_cert_wildcard_.home.example.xyz.lock: no such file or directory"}
caddycrowd-1  | {"level":"error","ts":1724311726.3877606,"logger":"tls","msg":"job failed","error":"*.home.example.xyz: obtaining certificate: context canceled"}

Is there anything I can test/try to resolve the issue?

Can you show us a summary of the example.xyz zone?

Thanks,
Nils

1 Like

Hi @pythoner,

You might also check the Caddy community forum as well.

And possibly the Let’s Encrypt community forum too.

The setup is really simple:

I have configured it like the docs described. I can get a dns for the domain. Then I added an A record for home (also tried *.home) pointing to 0.0.0.0.

That works when I do it for example.xyz. But it does not work for home.example.xyz.

When I do the same in porkbun (A record, home., 0.0.0.0) it works also. But porkbun uses cloudflare and I want to avoid that.

The error message you posted earlier says NXDOMAIN looking up TXT for _acme-challenge.home.example.xyz, so the problem is with a TXT record at subname _acme-challenge.home.

I’m not sure why the A record for home would be relevant in this case?

Stay secure,
Peter

1 Like
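The point Peter makes above (the CA queries a TXT record at `_acme-challenge.home.example.xyz`, not the A record at `home`) is easy to check against a zone summary before touching Caddy. The following is an added example written for this thread, not code from the original posts, from deSEC or from Caddy: it applies the RFC 8555 dns-01 naming rule to an identifier, then classifies what a resolver would see at that name in a zone (NXDOMAIN, NODATA, or the TXT values). The zone contents, token and thumbprint are constructed for the example; only the naming rule and the key-authorization digest come from RFC 8555.

```python
"""Added example (not from the thread): where does the dns-01 TXT record for an
identifier live, and does a given zone actually have it?"""
import base64
import hashlib

ZONE = "example.xyz"

# Constructed zone summary: subname -> {rrtype: [values]}; "" is the apex.
# It mirrors the situation in the thread: an A record at "home" exists, but
# nothing at all exists at "_acme-challenge.home".
ZONE_RECORDS = {
    "": {"A": ["192.0.2.10"], "TXT": ['"v=spf1 -all"']},
    "home": {"A": ["0.0.0.0"]},
    "_acme-challenge": {"TXT": ['"constructed-apex-token"']},
}


def challenge_name(identifier: str, zone: str) -> str:
    """Subname (relative to zone) that must carry the dns-01 TXT record.

    RFC 8555 section 8.4: the record lives at _acme-challenge.<identifier>.
    For a wildcard the leading "*." is dropped first, so *.home.example.xyz
    and home.example.xyz are both validated at _acme-challenge.home.example.xyz.
    """
    name = identifier[2:] if identifier.startswith("*.") else identifier
    if name != zone and not name.endswith("." + zone):
        raise ValueError(f"{identifier} is not inside zone {zone}")
    sub = "" if name == zone else name[: -len(zone) - 1]
    return f"_acme-challenge.{sub}" if sub else "_acme-challenge"


def name_exists(zone_records: dict, subname: str) -> bool:
    """A name exists if it owns records or sits above one that does
    (an "empty non-terminal"); otherwise a query returns NXDOMAIN."""
    return any(s == subname or s.endswith("." + subname) for s in zone_records)


def lookup_txt(zone_records: dict, subname: str):
    """Classify the answer a resolver would give for TXT at subname."""
    rrsets = zone_records.get(subname, {})
    if "TXT" in rrsets:
        return "OK", list(rrsets["TXT"])
    if name_exists(zone_records, subname):
        return "NODATA", []          # name exists, but no TXT records on it
    return "NXDOMAIN", []            # exactly the error Let's Encrypt reported


def diagnose(identifier: str, zone: str, zone_records: dict):
    """Return (challenge subname, status, TXT values) for an identifier."""
    sub = challenge_name(identifier, zone)
    status, values = lookup_txt(zone_records, sub)
    return sub, status, values


def expected_txt_value(token: str, jwk_thumbprint: str) -> str:
    """Value the CA expects in the TXT record (RFC 8555 section 8.4):
    base64url(SHA-256(token "." thumbprint)) with padding stripped.
    Useful to confirm that a record Caddy wrote is the one the CA wants."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    for ident in ("example.xyz", "*.home.example.xyz"):
        sub, status, values = diagnose(ident, ZONE, ZONE_RECORDS)
        print(f"{ident}: TXT at {sub}.{ZONE} -> {status} {values}")
```

Run as-is, the constructed zone reproduces the thread's failure: `example.xyz` resolves to an `OK` at `_acme-challenge`, while `*.home.example.xyz` gives `NXDOMAIN` at `_acme-challenge.home`, because neither that name nor anything below it exists in the zone. The A record at `home` plays no role in that answer. During a real challenge the TXT record is written by the DNS plugin, so a persistent NXDOMAIN points at the plugin not reaching the zone (or a delegation such as an NS record sending the CA's query elsewhere) rather than at a missing A record.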

Are there any NS records in your zone? Also, can you show us the Caddy config?

Thanks,
Nils

1 Like