rmbolger / Posh-ACME

PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
https://poshac.me/docs/latest/
MIT License

Question about using AcmeDNS with existing registrations #291

Closed mkanet closed 3 years ago

mkanet commented 3 years ago

My apologies, I'm not sure where to ask this question.

I created a CNAME record on my DDNS provider using the AcmeDNS plugin from another Let's Encrypt client. I decided to switch to Posh-ACME as my new client shortly after doing that. Is it possible for me to use my existing CNAME record "xxxxxx-xxxxx-xxxxx-xxxxxx-xxxxxxxxxxx.auth.acme-dns.io" I have stored in DNS for Posh-ACME's AcmeDNS plugin?

rmbolger commented 3 years ago

Hi @mkanet. Questions are always welcome here. And the answer is yes as long as you still have the registration details for that subdomain from acme-dns. There's a section in the usage guide on pre-registration with the AcmeDns plugin that should help.

But basically, you pass a plugin argument called ACMERegistration which is a hashtable where the key is the _acme-challenge.example.com name that you've created the CNAMEs for and the value is a string array containing the acme-dns registration details in this order: subdomain, username, password, fulldomain. Here's a shortened example from the guide:

$reg = @{
    '_acme-challenge.example.com' = @(
        # the array order of these values is important
        '9aa5ce59-635e-440c-b2ca-12ee3503ddee'                        # subdomain
        '1b5cce3b-255d-4ffb-a81f-a9e27167ac7a'                        # username
        'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'                         # password
        '9aa5ce59-635e-440c-b2ca-12ee3503ddee.acmedns.example.com'    # full domain
    )
}

$pArgs = @{
    ACMEServer = 'acmedns.example.com'
    ACMERegistration = $reg
}

If you want to test whether it works before you actually try to get a certificate, you can use Publish-DnsChallenge like this:

Publish-DnsChallenge example.com (Get-PAAccount) faketoken AcmeDns $pArgs -Verbose
Save-DnsChallenge AcmeDns $pArgs
# with other plugins, you'd want to call Unpublish-DnsChallenge as well to clean up, but AcmeDns doesn't have unpublish functionality.

If you can't find the original registration details, you can also use this method to re-register each name prior to requesting a cert. The registration details should be saved automatically and it'll tell you what to change your CNAME to, so when you get the cert later you only have to use the ACMEServer plugin argument.
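The pre-flight check described above, written out as an added example (not from the thread or the Posh-ACME project). It assumes Posh-ACME 3.x on Windows PowerShell (Resolve-DnsName comes from the DnsClient module), an acme-dns registration at auth.acme-dns.io, and the placeholder values marked below, which you replace with the details saved by your previous client.

```powershell
# Added example: verify an existing acme-dns registration before asking the CA for anything.
$Domain        = 'example.com'
$AcmeDnsServer = 'auth.acme-dns.io'                     # the acme-dns instance you registered with
$reg = @{
    "_acme-challenge.$Domain" = @(
        'SUBDOMAIN-PLACEHOLDER'                         # subdomain  (placeholder)
        'USERNAME-PLACEHOLDER'                          # username   (placeholder)
        'PASSWORD-PLACEHOLDER'                          # password   (placeholder)
        "SUBDOMAIN-PLACEHOLDER.$AcmeDnsServer"          # fulldomain (placeholder)
    )
}
$pArgs = @{ ACMEServer = $AcmeDnsServer; ACMERegistration = $reg }

# 1. Check that each _acme-challenge CNAME really points at the registration's fulldomain.
#    A mismatch here is the usual reason a later New-PACertificate fails validation.
foreach ($name in @($reg.Keys)) {
    $expected = $reg[$name][3].TrimEnd('.')
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) { throw "No CNAME record found for $name" }
    if ($cname.NameHost.TrimEnd('.') -ne $expected) {
        throw "$name points to $($cname.NameHost) but the registration says $expected"
    }
    Write-Host "OK: $name -> $expected"
}

# 2. Dry run against acme-dns only (no CA involved). 'example.com' and '*.example.com'
#    share the same _acme-challenge record, so one registration covers both names.
$acct = Get-PAAccount
if (-not $acct) { throw 'No ACME account yet: run Set-PAServer LE_STAGE and New-PAAccount -AcceptTOS first' }
foreach ($d in @($Domain, "*.$Domain")) {
    Publish-DnsChallenge $d $acct 'faketoken' AcmeDns $pArgs -Verbose
}
Save-DnsChallenge AcmeDns $pArgs    # no Unpublish step: acme-dns has no delete API

# 3. Show what a CA would see: the TXT lookup follows the CNAME into acme-dns.
foreach ($name in @($reg.Keys)) {
    $txt = Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'TXT' }
    Write-Host "TXT at $name (via CNAME): $($txt.Strings -join ' | ')"
}
```

If step 1 throws, fix the CNAME (or the registration values) before spending any Let's Encrypt validation attempts on it.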

mkanet commented 3 years ago

Thank you for your response. I think it might be easier for me to just set up a brand new CNAME challenge using the Posh-ACME AcmeDNS plugin.

So, do I just use the command-lines below to generate my nginx/apache compatible xxxxx.crt + xxxxx.key wildcard certificate files?

Set-PAServer LE_STAGE

New-PACertificate MYROOTDOMAIN.COM -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'}

...and, every 3 months run the below command line to create new certificates?

Set-PAOrder example.com
if ($cert = Submit-Renewal) {
    # do stuff with $cert to deploy it
}

Lastly, do I need to specify my subdomain names in Posh-ACME at any point? Or, is it presumed that the certificate I create above will already support any subdomain name (*.MYROOTDOMAIN.COM) I want to use?

rmbolger commented 3 years ago

If you need wildcard support in the cert, you have to add the wildcard to the list of names. Typically a wildcard cert will contain the wildcard name and the non-wildcard root name (because the former doesn't match the latter). So

New-PACertificate myrootdomain.com,*.myrootdomain.com -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'}

For renewals, typically the code you posted is run daily or twice daily in a scheduled task (ideally not on a :00 hour mark) rather than only once when you need to renew. It won't actually get the new cert and do anything until the suggested renewal window. But when it's run daily, it means

But yes, you can choose to run it manually as well.
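The scheduled renewal described above, as an added example (not from the thread or the Posh-ACME project). It assumes Posh-ACME 3.x, Windows PowerShell with the ScheduledTasks module, a cert ordered with `New-PACertificate example.com,*.example.com`, and the placeholder paths and service name marked below.

```powershell
# Added example: daily renewal check that deploys PEM files for nginx/apache when a new cert arrives.
$Domain      = 'example.com'                 # main domain of the wildcard order
$DeployDir   = 'C:\nginx\conf\ssl'           # placeholder: where the web server reads cert + key
$ServiceName = 'nginx'                       # placeholder: service to restart after deploying
$ScriptPath  = 'C:\Scripts\Renew-Cert.ps1'   # placeholder: where this script is saved

function Invoke-CertRenewal {
    Import-Module Posh-ACME
    Set-PAOrder $Domain            # select the order; the wildcard lives in the same order
    $cert = Submit-Renewal         # returns $null until the order is inside its renewal window
    if (-not $cert) { Write-Host "$Domain not due for renewal yet"; return }

    # nginx/apache want separate PEM files: the full chain as .crt and the private key as .key.
    New-Item -ItemType Directory -Force -Path $DeployDir | Out-Null
    $crtPath = Join-Path $DeployDir "$Domain.crt"
    $keyPath = Join-Path $DeployDir "$Domain.key"
    Copy-Item $cert.FullChainFile $crtPath -Force
    Copy-Item $cert.KeyFile       $keyPath -Force
    # The key copy inherits the folder ACL; replace it so only SYSTEM and Administrators can read it.
    icacls $keyPath /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null

    Restart-Service -Name $ServiceName
    Write-Host "Renewed $Domain; new certificate expires $($cert.NotAfter)"
}

function Register-RenewalTask {
    # Run once. Daily at a random minute (never :00) so renewals are not bunched on the CA.
    # Posh-ACME keeps its state under the profile of the user who ran New-PACertificate,
    # so the task must run as that same user.
    $at        = (Get-Date).Date.AddHours(3).AddMinutes((Get-Random -Minimum 1 -Maximum 59))
    $trigger   = New-ScheduledTaskTrigger -Daily -At $at
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                     -LogonType S4U -RunLevel Highest
    Register-ScheduledTask -TaskName 'Posh-ACME renewal' -Trigger $trigger `
        -Action $action -Principal $principal -Force
}

Invoke-CertRenewal
```

Call Register-RenewalTask once from an elevated session of the account that created the order; after that the task runs Invoke-CertRenewal every day and only does work inside the renewal window.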

mkanet commented 3 years ago

Thank you @rmbolger. I am getting the warning below when executing the New-PACertificate. I don't know if that's important and/or if I'm doing something wrong:

WARNING: Fewer DnsPlugin values than names in the order. Using AcmeDns for the rest.

This is the command I used: New-PACertificate mywebsite.com,*.mywebsite.com -Contact myname@mywebsite.com -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -AcceptTOS

Also, is it okay that I've run the above command more than once? I've had to run it a few times. I'm hoping it doesn't screw up my account/record for my domain name on the acmedns API server.

PS: I couldn't figure out how to change the CNAME provided to me by the New-PACertificate challenge; since my DNS provider doesn't let me add CNAMEs that start with a: _. In the tutorial, it says, "Where do you point the CNAMEs to? It doesn't really matter.."; however, I still didn't understand what I do to change the CNAME when the challenge clearly tells me to use:

Please create the following CNAME records:

_acme-challenge.mywebsite.com -> .....acme-dns.io

rmbolger commented 3 years ago

The DnsPlugin parameter can be a string array just like the domain names. The warning is just letting you know that because you didn't explicitly specify a plugin for each name, it's going to use the one you did specify for both.

Running the command more than once is fine. But you may start to hit Let's Encrypt rate limits if you're working against the production server rather than the staging server. If you do, you'll get an error message about it and might have to wait a bit before you try again. You can also just switch to the staging server using Set-PAServer LE_STAGE and get everything working there first. Then switch back and get your real cert once you've worked out all the kinks in the process.

If your DNS provider doesn't allow you to add records that start with _, that's going to be a problem for any ACME based certificate authority whether you're using CNAMEs or not. DNS based challenges will always require a TXT record that starts with _acme-challenge. Might I ask who your provider is because that's a really odd limitation in 2020.

The CNAME portion of the tutorial doesn't really apply when you're using the AcmeDns plugin because you don't get to choose where the CNAMEs point to, the AcmeDns server chooses for you when a name is registered. That's the value on the right hand side of that message about creating the CNAMEs.

mkanet commented 3 years ago

Thank you for answering all of my questions. My DNS provider is http://no-ip.org. I originally chose them because they have pretty decent dynamic DNS support. They don't let me add CNAME hostnames. However, they do offer to add the _acme-challenge CNAME for me. It's just a bit of a hassle. I'm still waiting to hear from them.

rmbolger commented 3 years ago

Ok, that makes more sense. I assume you're using the free dynamic DNS plan in which they purposefully prevent you from creating "advanced records"?

If you're interested in an alternative, DuckDNS is another free dynamic DNS provider and Posh-ACME already has a native plugin for them. They have an annoying limitation that you can only create 1 TXT record at a time which makes using the plugin for multiple names in a cert kind of a hassle. But if you're willing to try beta software, there's an option in the beta version of Posh-ACME 4.0 that works around the problem by enabling a serial validation mode.

mkanet commented 3 years ago

I actually pay no-ip.com $29.95/yr to support my custom domain name. It's only free for their pre-selected domain names. I originally chose no-ip.com since it was one of few DDNS providers my Asus router supports natively (using Merlin Firmware).

My router also supports the below providers. The only Posh-ACME DNS provider that is also supported by my router seems to be FreeDNS/Afraid.org. Since the FreeDNS plugin only offers HTML emulation (having to use CAPTCHA and other limitations), I decided I might as well keep using No-IP via an _acme-challenge CNAME.

I do appreciate the recommendation for DuckDNS. I know a lot of people use it. I'm open to suggestions if you feel there is a better solution for me than no-ip.org (that also supports my router).

rmbolger commented 3 years ago

So tunnelbroker.net is Hurricane Electric which has a plugin. But it's another web-scraping style plugin like FreeDNS rather than a real API. Namecheap also has a plugin, but their API access is dependent on either a minimum registered domain count or a minimum monetary spend (like $50 I think).

Is there a "custom" option in that list like described here? If so, you might be able to use someone's existing sample script for another provider with a plugin. DigitalOcean is one of my personal favorites. CloudFlare is another super popular one.

mkanet commented 3 years ago

Thanks. I was able to set up my router for this. However, I have a couple of questions about setting up DNS on DigitalOcean. I have a very basic question to get going... not sure if I should ask here or not.

On DigitalOcean's DNS setup... The first thing I did was set up an apex domain pointing to my router's IP. However, when I try to add the subdomain (www.mywebsite.com), I can't point it to the apex domain I just created:

I'm guessing it may have something to do with me not setting up nameservers for my domain. I'm still working on that part by reading about it here.

PS: I just noticed their support service. I'm going to ask them any further setup questions. Thank you for all your help and recommendations. I'll let you know how it turns out.

rmbolger commented 3 years ago

As far as DNS is concerned, A records only point to IP addresses. Typically when the A record for the root of your domain points to the IP address of your site, you would create a CNAME record for the www version that points to that root domain. Digital Ocean might have some custom functionality that lets you point an A record to a Digital Ocean "resource" like a droplet if you're hosting the website on their infrastructure. But if all you're using them for is DNS, you won't likely have that.

mkanet commented 3 years ago

@rmbolger Great news! I was able to set up DDNS on my router with DigitalOcean. I also successfully created the wildcard certificates for my domain by satisfying the CNAME challenges issued by New-PACertificate.

Originally, the certificates created by ACME still weren't trusted. However, that's because I hadn't switched to production yet.

Everything works now! I'll always remember you as the person who helped me all the way through, and for suggesting that I switch to a great DNS provider.

Mission accomplished.

webprofusion-chrisc commented 3 years ago

As an aside regarding dynamic DNS, you can use cloudflare for dynamic dns as long as you provide your own way to update the IP. https://github.com/drittich/DnsTube

mkanet commented 3 years ago

Thanks. I just did this with digitalocean using my Asus router.

v-karbovnichy commented 3 years ago

What a wonderful story 🥇