acme-dns server hosted on DigitalOcean fails to issue wildcard certificates

I have the need to issue certbot wildcard certificates for different domain names hosted in different DNS providers.
I have installed acme-dns server on a Digital Ocean droplet and I am having problems generating letsencrypt wildcard certificates.

I have “mydomain.com” DNS managed by Digital Ocean and it is working fine and decided to use it as the domain for my acme-dns server.

What I have done so far:

On Digital Ocean DNS

1 – Registered an A record with the following data:

Name: auth.mydomain.com
Type: A
TTL: 300
IP: MY_DROPLET_PUBLIC_IP

2 – Registered an NS record with the following data:

Name: auth.mydomain.com
Type: NS
TTL: 300
DIRECT TO: auth.mydomain.com

Everything seems to be running as expected: after some 15–20 minutes the records had propagated, and when I run “dig auth.mydomain.com” I get a positive answer on the command line:

auth.mydomain.com     296     IN      A       MY_DROPLET_PUBLIC_IP

My setup for acme-dns server:

/etc/acme-dns/config.cfg

[general]
# Port 53 on the droplet's interface; the API below is on a separate port
listen = 'droplet_local_ip:53'
domain = "auth.mydomain.com"
nsname = "auth.mydomain.com"
nsadmin = "batalhadematos@gmail.com"
records = [
    "auth.mydomain.com. A MY_DROPLET_PUBLIC_IP",
    "auth.mydomain.com. NS auth.mydomain.com.",
]

[api]
# HTTP API used by acme-dns-client, bound to localhost only
ip = "127.0.0.1"
port = "8080"
tls = "none"

Using acme-dns-client I was able to register an account for the “mydomain.com” domain:

$ sudo acme-dns-client register -d mydomain.com -s http://localhost:8080

During the process I was asked to register a new DNS entry with the following data:

Name: _acme-challenge.mydomain.com
Type: CNAME
TTL: 300
Key/Value: proposed key from acme-dns-client wizard

Since I had chosen to let acme-dns-client monitor the CNAME record change, after 1–2 minutes the domain was successfully verified and registered.

I get the message “[*] CNAME record is now correctly set up!”

Now the problem begins.

When I try to register a wildcard certificate for mydomain.com, the system fails.

I have used the following command with the --test-cert argument to generate the certificate.

$ sudo certbot certonly --manual --test-cert --preferred-challenges dns --manual-auth-hook 'acme-dns-client' -d *.mydomain.com

The error:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: angodoo.cloud
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.angodoo.cloud - check that a DNS record exists for this domain

I have been trying to solve this issue for hours and recreated the droplet several times with no luck.

Are the DNS entries correct?

Do I require any kind of authentication in order to be able to use Digital Ocean DNS from automated scripts?

I know I can use the DigitalOcean dns-plugin for issuing and renewing wildcard certificates but the problem is not all domain names are hosted on DigitalOcean DNS servers.

Thank you very much in advance

EDIT:

I think the problem is related to the NS record.

When I run “dig +nocmd angodoo.cloud a +noall +answer” it correctly returns the A record I have registered:

mydomain.com.          1909    IN      A       MY_PUBLIC_IP

When I run “dig +nocmd angodoo.cloud ns +noall +answer”, I only get the DigitalOcean NS servers and not the NS record I have registered for “auth.mydomain.com”:

mydomain.com.          1665    IN      NS      ns1.digitalocean.com.
mydomain.com.          1665    IN      NS      ns2.digitalocean.com.
mydomain.com.          1665    IN      NS      ns3.digitalocean.com.

Can you help me correctly set up the NS server on Digital Ocean?
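The post sets up a chain of four records that Let's Encrypt walks for a dns-01 challenge delegated to acme-dns: the CNAME at _acme-challenge.mydomain.com, the NS delegation for auth.mydomain.com, the A record of the name the NS points at, and the TXT record that acme-dns itself serves. The script below is an added diagnostic, not part of the original post or of the acme-dns project, that queries each link in turn and reports the first one that is missing. It assumes `dig` is installed; the domain names are the placeholders from the post and the IP 203.0.113.10 in the comments is a made-up documentation address.

```bash
#!/usr/bin/env bash
# check-acme-dns-chain.sh (added example, not from the original post)
# Walks the DNS chain Let's Encrypt follows for a dns-01 challenge when
# _acme-challenge.<domain> is CNAMEd into an acme-dns zone:
#   _acme-challenge.DOMAIN  CNAME  <id>.AUTHZONE     (at the domain's DNS provider)
#   AUTHZONE                NS     NSNAME            (delegation to acme-dns)
#   NSNAME                  A      <acme-dns host>   (address of the acme-dns server)
#   <id>.AUTHZONE           TXT    ...               (served by acme-dns itself)
# Usage: ./check-acme-dns-chain.sh mydomain.com [resolver-ip]
set -u

# Answer-section-only lookup: query TYPE NAME [SERVER]
query() {
    local rrtype=$1 name=$2 server=${3:-}
    if [ -n "$server" ]; then
        dig +short "@$server" "$name" "$rrtype"
    else
        dig +short "$name" "$rrtype"
    fi
}

# Strip the trailing dot so names compare cleanly
strip_dot() { printf '%s\n' "${1%.}"; }

# challenge_chain DOMAIN [RESOLVER]
# Prints one key=value line per hop on stdout, diagnostics on stderr, and
# returns 0 only when CNAME, NS and A all resolve. Passing a resolver lets
# you compare what a public recursor sees with an authoritative server.
challenge_chain() {
    local domain=$1 resolver=${2:-}
    local status=0 cname zone ns nsip txt

    cname=$(strip_dot "$(query CNAME "_acme-challenge.$domain" "$resolver" | head -n1)")
    printf 'cname=%s\n' "$cname"
    if [ -z "$cname" ]; then
        echo "error=no CNAME at _acme-challenge.$domain (acme-dns-client register creates it)" >&2
        return 1
    fi

    # The acme-dns zone is the CNAME target minus its first (account id) label
    zone=${cname#*.}
    ns=$(strip_dot "$(query NS "$zone" "$resolver" | head -n1)")
    printf 'ns=%s\n' "$ns"
    if [ -z "$ns" ]; then
        echo "error=no NS delegation for $zone; the parent zone must carry an NS record for it" >&2
        status=1
    fi

    if [ -n "$ns" ]; then
        nsip=$(query A "$ns" "$resolver" | head -n1)
        printf 'nsip=%s\n' "$nsip"
        if [ -z "$nsip" ]; then
            echo "error=$ns has no A record, so the acme-dns server cannot be reached" >&2
            status=1
        fi
    fi

    # Ask acme-dns directly (bypassing recursive caches) for the challenge TXT.
    # An empty answer is normal until a challenge has been posted via the API.
    if [ -n "${nsip:-}" ]; then
        txt=$(query TXT "$cname" "$nsip" | head -n1)
        printf 'txt_at_acme_dns=%s\n' "$txt"
        if [ -z "$txt" ]; then
            echo "note=acme-dns at $nsip answered but holds no TXT yet for $cname" >&2
        fi
    fi
    return "$status"
}

# Run only when a domain is given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    challenge_chain "$1" "${2:-}"
fi
```

Run it once without a resolver (your system's recursor, the path a CA follows) and once with `@ns1.digitalocean.com` to see whether the two agree; a hop that is present authoritatively but missing through the recursor is a propagation or caching difference, while a hop missing in both is a record that was never created.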