Hacker News

rdevilla, today at 9:03 AM

> Sadly certbot doesn't do (or it didn't) CNAME redirects for ACME.

Are you certain? I'm not at a real machine at the moment, so it's hard for me to dig into the details, but CNAMEing the challenge response to another domain is absolutely supported via DNS-01 [0], and certbot is Let's Encrypt's recommended ACME client [1]:

    Since Let’s Encrypt follows the DNS standards when
    looking up TXT records for DNS-01 validation, you can
    use CNAME records or NS records to delegate answering
    the challenge to other DNS zones. This can be used to
    delegate the _acme-challenge subdomain to a validation
    specific server or zone.
... which is a very common pattern I've seen hundreds (thousands?) of times.

The issue you may have run into is that CNAME records are NOT allowed at the zone apex, for RFC 1033 states:

    The CNAME record is used for nicknames. [...] There must not be any other
    RRs associated with a nickname of the same class.
... of course making it impossible to enter NS, SOA, etc. records for the zone root when a CNAME exists there.

P.S. doing literally fucking anything on mobile is like pulling teeth encased in concrete. Since this is how the vast majority of the world interfaces with computing I am totally unsurprised that people are claiming 10x speedups with LLMs.

[0] https://letsencrypt.org/docs/challenge-types/

[1] https://letsencrypt.org/docs/client-options/
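The two DNS facts the comment above relies on, as an added example that is not part of the thread and not certbot's or Let's Encrypt's code: a toy resolver over a constructed in-memory zone that follows the _acme-challenge CNAME to the delegated zone before reading the TXT record (what a standards-following DNS-01 validator does), plus the RFC 1033 check that a CNAME owner name carries no other RRs (why the zone apex, which must hold SOA and NS, cannot be a CNAME). All names and record data are constructed for illustration.

```python
# Constructed zone data: owner name -> list of (rtype, rdata). The apex holds
# SOA/NS/A; _acme-challenge is a CNAME into a separate validation zone.
ZONE = {
    "example.com.": [("SOA", "ns1.example.com. hostmaster.example.com. 1"),
                     ("NS", "ns1.example.com."),
                     ("A", "192.0.2.10")],
    "_acme-challenge.example.com.":
        [("CNAME", "_acme-challenge.example.com.acme.example.net.")],
    "_acme-challenge.example.com.acme.example.net.":
        [("TXT", "constructed-key-authorization-digest")],
}

MAX_CHAIN = 8  # bound on CNAME hops, so a runaway chain fails instead of spinning


def resolve_txt(name, zone=ZONE):
    """Follow CNAMEs from `name`, as a validator that follows DNS standards
    would, and return (final_owner_name, list_of_txt_values)."""
    seen = []
    for _ in range(MAX_CHAIN):
        rrs = zone.get(name, [])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return name, [rdata for rtype, rdata in rrs if rtype == "TXT"]
        if name in seen:  # CNAME loop: a -> b -> a
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        name = cnames[0]
    raise ValueError("CNAME chain longer than MAX_CHAIN")


def dns01_ok(name, expected, zone=ZONE):
    """True when the TXT reached via the (possibly delegated) name holds the
    expected challenge value; the issuer never needs write access to the
    certificate's own zone, only the delegated one must be updatable."""
    _, values = resolve_txt(name, zone)
    return expected in values


def cname_conflicts(zone=ZONE):
    """RFC 1033 rule: an owner name with a CNAME may hold no other RRs.
    Returns the offending owner names (empty for a well-formed zone)."""
    bad = []
    for owner, rrs in zone.items():
        types = {rtype for rtype, _ in rrs}
        if "CNAME" in types and len(types) > 1:
            bad.append(owner)
    return bad
```

Putting a CNAME at `example.com.` alongside its SOA and NS records is exactly what `cname_conflicts` flags, which is the apex limitation the comment describes.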


Replies

jcalvinowens, today at 3:07 PM

I tried this too a couple of months ago; OP is right, certbot doesn't support the CNAME aliases: it lacks logic to add the TXT record to the redirected name instead of the name in the certificate.

I use acme.sh which does support it: https://news.ycombinator.com/item?id=47066072
