cybercinch / certbot-dns-directadmin

certbot plugin to allow acme dns-01 authentication of a name managed in DirectAdmin

AuthorizationError on wildcard subdomain while TXT record gets created #13

Closed bremme closed 6 months ago

bremme commented 6 months ago

I'm not totally sure if this is a bug, expected behavior or a configuration error on my end. This is what I'm trying to achieve (while following this guide https://www.youtube.com/watch?v=qlcVx-k-02E).

I have added a wildcard sub-sub domain which points to a local ip:

*.local.example.com. A x.x.x.x

I also tried a couple different variations like

# this one
*.local A x.x.x.x

# or this one
local A     x.x.x.x
*     CNAME local

When I use ping something.example.com I get my configured local ip back. So far so good. But the DNS challenge fails with an error:

Certbot failed to authenticate some domains (authenticator: directadmin). The Certificate Authority reported these problems:
  Domain: local.example.com
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.local.example.com

The main issue seems to be that the record that is created is:

_acme-challenge.local TXT secret

While certbot seems to be looking for _acme-challenge.local.example.com.

How can I solve this issue? Let me know if you need any more information.

guisea commented 6 months ago

Are you adding the sub domain as an actual domain in DirectAdmin?

This I believe is the only way it will work.

bremme commented 6 months ago

I added the subdomain just as a DNS entry on the main domain. You're saying that I need to add local.example.com as a completely separate domain to example.com?

After I posted this issue I changed my nameservers to Cloudflare to see if that solved my issues. But I ran into the exact same problem. I did come up with a solution:

_acme-challenge.local.example.com CNAME _acme-challenge.local

Where I use a CNAME to point the name Certbot is looking for to the record Certbot actually creates. I'm pretty sure this would also work when using DirectAdmin. But I guess your solution is probably the right way to go.

I guess we can close this issue for now if it's expected behavior, right?

guisea commented 6 months ago

Yes, I did suggest adding the subdomain as a domain in DirectAdmin. That will allow things to work fine. Had another user who reported this same situation ages ago.

Nice you found a workaround.

But yes, I think we close this as working as it should.

bremme commented 6 months ago

Sounds good, I'll close this issue. Thanks for your quick responses.