lego allows using subdomain DNS to obtain Let's Encrypt wildcard certificates #2196

aaro-n · 2024-05-29T13:40:02Z

aaro-n
May 29, 2024

Welcome

Yes, I've searched similar issues on GitHub and didn't find any.

How do you use lego?

Docker image

Detailed Description

Problem description

My domain name resolution service uses Huawei Cloud. lego does not support Huawei Cloud DNS now, but I want to use lego to obtain and manage Let's Encrypt certificates. When I was looking for Let's Encrypt documents, I noticed that Let's Encrypt's DNS-01 challenge allows the use of other DNS services. I want to host _acme-challenge to a domain name resolution service provider supported by lego through a subdomain NS. I did not find any description of this when I looked for lego documents and lego's GitHub repository. Maybe my search method is wrong or it is not possible at all.

Solved requirements

lego allows wildcard certificates to be obtained through the _acme-challenge subdomain, and lego does not need to support the DNS resolution service provider's API.
The obtained Let's Encrypt certificate is the same, even if the domain name and DNS resolution service provider are not the same.

Expected method

Huawei Cloud hosts the domain names 1213.xyz and 999.info, Tencent Cloud hosts the domain name 897.com, lego supports Alibaba Cloud's DNS resolution API, so the _acme-challenge subdomain is resolved to Alibaba Cloud via CNAME, and finally lego operates Alibaba Cloud's API to obtain the Let's Encrypt wildcard certificate. The specific steps are as follows:

Huawei Cloud creates the letsencrypt.1213.xy subdomain, Alibaba Cloud adds the domain name letsencrypt.1213.xy, and finally Huawei Cloud hands over the letsencrypt.1213.xy subdomain to Alibaba Cloud via NS.
Huawei Cloud creates CNAME records _acme-challenge.1213.xyz CNAME all.letsencrypt.1213.xy and _acme-challenge.999.info CNAME all.letsencrypt.1213.xy, and Tencent Cloud creates _acme-challenge.897.com CNAME all.letsencrypt.1213.xy
Lego configures Alibaba Cloud's API, and obtains wildcard certificates for 1213.xyz, 999.info, and 897.com by operating the TXT record of all.letsencrypt.1213.xy, and there is only one wildcard certificate.

I don't know if my idea can be realized.

Reference Documents

Let's Encrypt Documentation: Challenge Types
jinhucheung/letscertbot

Answered by aaro-n

May 30, 2024

@ldez lego can now handle the issues I raised.

Subdomain issues required for Let's Encrypt DNS verification

Let's Encrypt can use _acme-challenge.example.com for verification, as well as _acme-challenge.letsencrypt.example.com and all.letsencrypt.example.com for verification. There are no special requirements for subdomains. Both _acme-challenge.letsencrypt and all.letsencrypt subdomains successfully obtained wildcard certificates.

Run lego with docker-compose

docker-compose.yaml

version: '3'
services:
    lego:
        image: goacme/lego
        restart: always
        container_name: lego
        working_dir: /home/www/letsencrypt
        environment:
        - LEGO_ACCOUNT_EMAIL=xxx@gm…

View full answer

ldez · 2024-05-29T13:49:28Z

ldez
May 29, 2024
Maintainer

Hello,

By default, lego already follows CNAME.

You can read the Let's Encrypt articles about that: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname

About Huawei Cloud support, you can follow issue #1543.

0 replies

aaro-n · 2024-05-29T14:10:40Z

aaro-n
May 29, 2024
Author

I did not find this implementation method in the lego document. The lego document has instructions for using the Alibaba Cloud API. The code is as follows:

# Setup using instance RAM role
ALICLOUD_RAM_ROLE=lego \
lego --email [email protected] --dns alidns --domains my.example.org run

# Or, using credentials
ALICLOUD_ACCESS_KEY=abcdefghijklmnopqrstuvwx \
ALICLOUD_SECRET_KEY=your-secret-key \
ALICLOUD_SECURITY_TOKEN=your-sts-token \
lego --email [email protected] --dns alidns --domains my.example.org run

According to my problem description, it should be modified as follows:

# Or, using credentials
ALICLOUD_ACCESS_KEY=abcdefghijklmnopqrstuvwx \
ALICLOUD_SECRET_KEY=your-secret-key \
ALICLOUD_SECURITY_TOKEN=your-sts-token \
lego --email [email protected] --dns alidns --domains 1213.xyz,*.1213.xyz,999.info*.999.info,897.com,*.897.com run

How can I tell lego to add TXT records to all.letsencrypt.1213.xy instead of adding TXT records to the three subdomains _acme-challenge.1213.xyz, _acme-challenge.999.info and _acme-challenge.897.com? Because these three domains are not all hosted to Alibaba Cloud.

1 reply

ldez May 29, 2024
Maintainer

Please read this article: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname

There is no specific lego implementation, we just follow ACME RFCs.

ldez · 2024-05-29T14:21:55Z

ldez
May 29, 2024
Maintainer

You should use a dedicated domain (ex: _acme-challenge.example.com), this domain should be owned by Alibaba Cloud.

1213.xyz, 999.info, 897.com, etc. should be owned by Huawei Cloud.

You should create a CNAME on _acme-challenge.1213.xyz to redirect to _acme-challenge.example.com, this allow to create certificates for 1213.xyz and *.1213.xyz (but not for *.*.1213.xyz because the ACME RFC doesn't allow it)

You should create a CNAME on _acme-challenge.999.info to redirect to _acme-challenge.example.com, this allow to create certificates for 999.info and *.999.info (but not for *.*.999.info because the ACME RFC doesn't allow it)

You should create a CNAME on _acme-challenge.897.com to redirect to _acme-challenge.example.com, this allow to create certificates for 897.com and *.897.com (but not for *.*.897.com because the ACME RFC doesn't allow it)

As explain in the article: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname

1 reply

ldez May 29, 2024
Maintainer

@aaro-n any news?

aaro-n · 2024-05-30T14:03:33Z

aaro-n
May 30, 2024
Author

@ldez lego can now handle the issues I raised.

Subdomain issues required for Let's Encrypt DNS verification

Let's Encrypt can use _acme-challenge.example.com for verification, as well as _acme-challenge.letsencrypt.example.com and all.letsencrypt.example.com for verification. There are no special requirements for subdomains. Both _acme-challenge.letsencrypt and all.letsencrypt subdomains successfully obtained wildcard certificates.

Run lego with docker-compose

docker-compose.yaml

version: '3'
services:
    lego:
        image: goacme/lego
        restart: always
        container_name: lego
        working_dir: /home/www/letsencrypt
        environment:
        - [email protected]
        - LEGO_CERT_DOMAIN=cft12.eu.org,*.cfty12.eu.org,4837be12.eu.org,*.4837be12.eu.org,876312.xyz,*.876312.xyz
        - LEGO_CERT_PATH=/home/www/letsencrypt/lego.crt
        - LEGO_CERT_KEY_PATH=/home/www/letsencrypt/lego.key
        - LEGO_CERT_PEM_PATH=/home/www/letsencrypt/lego.pem
        - ALICLOUD_ACCESS_KEY=LTAI5tBE1zzzz
        - ALICLOUD_SECRET_KEY=lGjRXdPFbuneFzzzz
volumes:
  - /home/www/lego/letsencrypt:/home/www/letsencrypt

LEGO_ACCOUNT_EMAIL, LEGO_CERT_DOMAIN, LEGO_CERT_PATH, LEGO_CERT_KEY_PATH, LEGO_CERT_PEM_PATH, these variables are invalid. I thought that I could apply for a certificate by directly running docker-compose run --rm lego --dns alidns run with the above environment variables, and I could rename the certificate and save it somewhere else, but I found that this method did not work after practice. I had to execute docker-compose run --rm lego --email [email protected] --dns alidns -domains cft12.eu.org,*.cfty12.eu.org,4837be12.eu.org,*.4837be12.eu.org,876312.xyz,*.876312.xyz run to apply for a certificate.

Domain name introduction

cft12.eu.org and 4837be12.eu.org are hosted on Huawei Cloud, and 876312.xyz is hosted on another Alibaba Cloud account.

CNAME configuration

Huawei Cloud:
_acme-challenge.cft12.eu.org CNAME _acme-challenge.letsencrypt.it123.info
_acme-challenge.4837be12.eu.org CNAME _acme-challenge.letsencrypt.it123.info
Alibaba Cloud
_acme-challenge.876312.xyz CNAME _acme-challenge.letsencrypt.it123.info

This method can be used to apply for a wildcard certificate.

Huawei Cloud:
_acme-challenge.cft12.eu.org CNAME all.letsencrypt.it123.info
_acme-challenge.4837be12.eu.org CNAME all.letsencrypt.it123.info
Alibaba Cloud
_acme-challenge.876312.xyz CNAME all.letsencrypt.it123.info

You can also apply for a wildcard certificate in this way.

Run log

Apply for a single domain wildcard certificate

www@debian:~/lego$ docker-compose run --rm lego --email [email protected] --dns alidns --domains cfty12.eu.org,*.cfty12.eu.org run
Creating network "lego_default" with the default driver
Creating lego_lego_run ... done
2024/05/30 12:09:08 No key found for account [email protected]. Generating a P256 key.
2024/05/30 12:09:08 Saved key to /home/www/letsencrypt/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
2024/05/30 12:09:08 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
Do you accept the TOS? Y/n
y
2024/05/30 12:09:23 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/www/letsencrypt/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/05/30 12:09:23 [INFO] [cfty12.eu.org, *.cfty12.eu.org] acme: Obtaining bundled SAN certificate
2024/05/30 12:09:24 [INFO] [*.cfty12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357410151082
2024/05/30 12:09:24 [INFO] [cfty12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357410151092
2024/05/30 12:09:24 [INFO] [*.cfty12.eu.org] acme: use dns-01 solver
2024/05/30 12:09:24 [INFO] [cfty12.eu.org] acme: Could not find solver for: tls-alpn-01
2024/05/30 12:09:24 [INFO] [cfty12.eu.org] acme: Could not find solver for: http-01
2024/05/30 12:09:24 [INFO] [cfty12.eu.org] acme: use dns-01 solver
2024/05/30 12:09:24 [INFO] [*.cfty12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 12:09:24 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:09:26 [INFO] [cfty12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 12:09:26 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:09:27 [INFO] [*.cfty12.eu.org] acme: Trying to solve DNS-01
2024/05/30 12:09:27 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:09:27 [INFO] [*.cfty12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 12:09:29 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 12:09:40 [INFO] [*.cfty12.eu.org] The server validated our request
2024/05/30 12:09:40 [INFO] [cfty12.eu.org] acme: Trying to solve DNS-01
2024/05/30 12:09:40 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:09:40 [INFO] [cfty12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 12:09:42 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 12:09:55 [INFO] [cfty12.eu.org] The server validated our request
2024/05/30 12:09:55 [INFO] [*.cfty12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 12:09:55 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:09:57 [INFO] [cfty12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 12:09:57 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:09:58 [INFO] [cfty12.eu.org, *.cfty12.eu.org] acme: Validations succeeded; requesting certificates
2024/05/30 12:09:59 [INFO] [cfty12.eu.org] Server responded with a certificate.

Apply for a multi-domain wildcard certificate, subdomain is `_acme-challenge.letsencrypt`

www@debian:~/lego$ docker-compose run --rm lego --email [email protected] --dns alidns -domains cfty12.eu.org,*.cfty12.eu.org,4837be12.eu.org,*.4837be12.eu.org,876312.xyz,*.876312.xyz run
Creating lego_lego_run ... done
2024/05/30 12:53:28 No key found for account [email protected]. Generating a P256 key.
2024/05/30 12:53:28 Saved key to /home/www/letsencrypt/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
2024/05/30 12:53:28 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
Do you accept the TOS? Y/n
y
2024/05/30 12:53:31 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/www/letsencrypt/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/05/30 12:53:31 [INFO] [cfty12.eu.org, *.cfty12.eu.org, 4837be12.eu.org, *.4837be12.eu.org, 876312.xyz, *.876312.xyz] acme: Obtaining bundled SAN certificate
2024/05/30 12:53:32 [INFO] [*.4837be12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357422483162
2024/05/30 12:53:32 [INFO] [*.876312.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357422483172
2024/05/30 12:53:32 [INFO] [*.cfty12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357422483182
2024/05/30 12:53:32 [INFO] [4837be12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357422483192
2024/05/30 12:53:32 [INFO] [876312.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357422483202
2024/05/30 12:53:32 [INFO] [cfty12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357422483212
2024/05/30 12:53:32 [INFO] [*.4837be12.eu.org] acme: use dns-01 solver
2024/05/30 12:53:32 [INFO] [*.cfty12.eu.org] acme: use dns-01 solver
2024/05/30 12:53:32 [INFO] [*.876312.xyz] acme: use dns-01 solver
2024/05/30 12:53:32 [INFO] [4837be12.eu.org] acme: Could not find solver for: tls-alpn-01
2024/05/30 12:53:32 [INFO] [4837be12.eu.org] acme: Could not find solver for: http-01
2024/05/30 12:53:32 [INFO] [4837be12.eu.org] acme: use dns-01 solver
2024/05/30 12:53:32 [INFO] [876312.xyz] acme: Could not find solver for: tls-alpn-01
2024/05/30 12:53:32 [INFO] [876312.xyz] acme: Could not find solver for: http-01
2024/05/30 12:53:32 [INFO] [876312.xyz] acme: use dns-01 solver
2024/05/30 12:53:32 [INFO] [cfty12.eu.org] acme: Could not find solver for: tls-alpn-01
2024/05/30 12:53:32 [INFO] [cfty12.eu.org] acme: Could not find solver for: http-01
2024/05/30 12:53:32 [INFO] [cfty12.eu.org] acme: use dns-01 solver
2024/05/30 12:53:32 [INFO] [*.4837be12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 12:53:32 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:53:35 [INFO] [*.cfty12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 12:53:35 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:53:36 [INFO] [*.876312.xyz] acme: Preparing to solve DNS-01
2024/05/30 12:53:36 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:53:37 [INFO] [4837be12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 12:53:38 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:53:39 [INFO] [876312.xyz] acme: Preparing to solve DNS-01
2024/05/30 12:53:39 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:53:40 [INFO] [cfty12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 12:53:40 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:53:41 [INFO] [*.4837be12.eu.org] acme: Trying to solve DNS-01
2024/05/30 12:53:41 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:53:41 [INFO] [*.4837be12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 12:53:43 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 12:53:54 [INFO] [*.4837be12.eu.org] acme: Waiting for DNS record propagation.
2024/05/30 12:54:03 [INFO] [*.4837be12.eu.org] The server validated our request
2024/05/30 12:54:03 [INFO] [*.cfty12.eu.org] acme: Trying to solve DNS-01
2024/05/30 12:54:04 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:54:04 [INFO] [*.cfty12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 12:54:06 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 12:54:16 [INFO] [*.cfty12.eu.org] acme: Waiting for DNS record propagation.
2024/05/30 12:54:28 [INFO] [*.cfty12.eu.org] acme: Waiting for DNS record propagation.
2024/05/30 12:54:40 [INFO] [*.cfty12.eu.org] acme: Waiting for DNS record propagation.
2024/05/30 12:54:50 [INFO] [*.cfty12.eu.org] The server validated our request
2024/05/30 12:54:50 [INFO] [*.876312.xyz] acme: Trying to solve DNS-01
2024/05/30 12:54:50 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:54:50 [INFO] [*.876312.xyz] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 12:54:52 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 12:54:57 [INFO] [*.876312.xyz] The server validated our request
2024/05/30 12:54:57 [INFO] [4837be12.eu.org] acme: Trying to solve DNS-01
2024/05/30 12:54:57 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:54:57 [INFO] [4837be12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 12:54:59 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 12:55:13 [INFO] [4837be12.eu.org] The server validated our request
2024/05/30 12:55:13 [INFO] [876312.xyz] acme: Trying to solve DNS-01
2024/05/30 12:55:13 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:55:13 [INFO] [876312.xyz] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 12:55:15 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 12:55:20 [INFO] [876312.xyz] The server validated our request
2024/05/30 12:55:20 [INFO] [cfty12.eu.org] acme: Trying to solve DNS-01
2024/05/30 12:55:20 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:55:20 [INFO] [cfty12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 12:55:22 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 12:55:27 [INFO] [cfty12.eu.org] The server validated our request
2024/05/30 12:55:27 [INFO] [*.4837be12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 12:55:27 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:55:32 [INFO] [*.cfty12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 12:55:32 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:55:33 [INFO] [*.876312.xyz] acme: Cleaning DNS-01 challenge
2024/05/30 12:55:33 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:55:35 [INFO] [4837be12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 12:55:35 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:55:36 [INFO] [876312.xyz] acme: Cleaning DNS-01 challenge
2024/05/30 12:55:36 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:55:37 [INFO] [cfty12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 12:55:37 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "_acme-challenge.letsencrypt.it123.info."
2024/05/30 12:55:39 [INFO] [cfty12.eu.org, *.cfty12.eu.org, 4837be12.eu.org, *.4837be12.eu.org, 876312.xyz, *.876312.xyz] acme: Validations succeeded; requesting certificates
2024/05/30 12:55:39 [INFO] [cfty12.eu.org] Server responded with a certificate.

Apply for a multi-domain wildcard certificate, subdomain is `all.letsencrypt`

www@debian:~/lego$ docker-compose run --rm lego --email [email protected] --dns alidns -domains cfty12.eu.org,*.cfty12.eu.org,4837be12.eu.org,*.4837be12.eu.org,876312.xyz,*.876312.xyz run
Creating lego_lego_run ... done
2024/05/30 13:13:30 No key found for account [email protected]. Generating a P256 key.
2024/05/30 13:13:30 Saved key to /home/www/letsencrypt/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
2024/05/30 13:13:30 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
Do you accept the TOS? Y/n
y
2024/05/30 13:13:32 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/www/letsencrypt/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/05/30 13:13:33 [INFO] [cfty12.eu.org, *.cfty12.eu.org, 4837be12.eu.org, *.4837be12.eu.org, 876312.xyz, *.876312.xyz] acme: Obtaining bundled SAN certificate
2024/05/30 13:13:33 [INFO] [*.4837be12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357428162492
2024/05/30 13:13:33 [INFO] [*.876312.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357428162502
2024/05/30 13:13:33 [INFO] [*.cfty12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357428162512
2024/05/30 13:13:33 [INFO] [4837be12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357428162522
2024/05/30 13:13:33 [INFO] [876312.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357428162532
2024/05/30 13:13:33 [INFO] [cfty12.eu.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/357428162542
2024/05/30 13:13:33 [INFO] [*.4837be12.eu.org] acme: use dns-01 solver
2024/05/30 13:13:33 [INFO] [4837be12.eu.org] acme: Could not find solver for: tls-alpn-01
2024/05/30 13:13:33 [INFO] [4837be12.eu.org] acme: Could not find solver for: http-01
2024/05/30 13:13:33 [INFO] [4837be12.eu.org] acme: Use dns-01 solver
2024/05/30 13:13:33 [INFO] [*.cfty12.eu.org] acme: Use dns-01 solver
2024/05/30 13:13:33 [INFO] [*.876312.xyz] acme: use dns-01 solver
2024/05/30 13:13:33 [INFO] [cfty12.eu.org] acme: Could not find solver for: tls-alpn-01
2024/05/30 13:13:33 [INFO] [cfty12.eu.org] acme: Could not find solver for: http-01
2024/05/30 13:13:33 [INFO] [cfty12.eu.org] acme: use dns-01 solver
2024/05/30 13:13:33 [INFO] [876312.xyz] acme: Could not find solver for: tls-alpn-01
2024/05/30 13:13:33 [INFO] [876312.xyz] acme: Could not find solver for: http-01
2024/05/30 13:13:33 [INFO] [876312.xyz] acme: use dns-01 solver
2024/05/30 13:13:33 [INFO] [*.4837be12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 13:13:34 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:13:36 [INFO] [4837be12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 13:13:36 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:13:37 [INFO] [*.cfty12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 13:13:37 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:13:38 [INFO] [*.876312.xyz] acme: Preparing to solve DNS-01
2024/05/30 13:13:39 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "all.letsencrypt.it123.info."
2024/05/30 13:13:39 [INFO] [cfty12.eu.org] acme: Preparing to solve DNS-01
2024/05/30 13:13:39 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:13:40 [INFO] [876312.xyz] acme: Preparing to solve DNS-01
2024/05/30 13:13:40 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "all.letsencrypt.it123.info."
2024/05/30 13:13:41 [INFO] [*.4837be12.eu.org] acme: Trying to solve DNS-01
2024/05/30 13:13:41 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:13:41 [INFO] [*.4837be12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 13:13:43 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 13:13:57 [INFO] [*.4837be12.eu.org] The server validated our request
2024/05/30 13:13:57 [INFO] [4837be12.eu.org] acme: Trying to solve DNS-01
2024/05/30 13:13:57 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:13:57 [INFO] [4837be12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 13:13:59 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 13:14:09 [INFO] [4837be12.eu.org] acme: Waiting for DNS record propagation.
2024/05/30 13:14:18 [INFO] [4837be12.eu.org] The server validated our request
2024/05/30 13:14:18 [INFO] [*.cfty12.eu.org] acme: Trying to solve DNS-01
2024/05/30 13:14:18 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:14:18 [INFO] [*.cfty12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 13:14:20 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 13:14:28 [INFO] [*.cfty12.eu.org] The server validated our request
2024/05/30 13:14:28 [INFO] [*.876312.xyz] acme: Trying to solve DNS-01
2024/05/30 13:14:28 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "all.letsencrypt.it123.info."
2024/05/30 13:14:28 [INFO] [*.876312.xyz] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 13:14:30 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 13:14:40 [INFO] [*.876312.xyz] acme: Waiting for DNS record propagation.
2024/05/30 13:14:52 [INFO] [*.876312.xyz] acme: Waiting for DNS record propagation.
2024/05/30 13:15:02 [INFO] [*.876312.xyz] The server validated our request
2024/05/30 13:15:02 [INFO] [cfty12.eu.org] acme: Trying to solve DNS-01
2024/05/30 13:15:02 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:15:02 [INFO] [cfty12.eu.org] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 13:15:04 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 13:15:14 [INFO] [cfty12.eu.org] acme: Waiting for DNS record propagation.
2024/05/30 13:15:26 [INFO] [cfty12.eu.org] acme: Waiting for DNS record propagation.
2024/05/30 13:15:38 [INFO] [cfty12.eu.org] The server validated our request
2024/05/30 13:15:38 [INFO] [876312.xyz] acme: Trying to solve DNS-01
2024/05/30 13:15:38 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "all.letsencrypt.it123.info."
2024/05/30 13:15:38 [INFO] [876312.xyz] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/05/30 13:15:40 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/05/30 13:15:47 [INFO] [876312.xyz] The server validated our request
2024/05/30 13:15:47 [INFO] [*.4837be12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 13:15:47 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:15:51 [INFO] [4837be12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 13:15:51 [INFO] Found CNAME entry for "_acme-challenge.4837be12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:15:53 [INFO] [*.cfty12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 13:15:53 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:15:54 [INFO] [*.876312.xyz] acme: Cleaning DNS-01 challenge
2024/05/30 13:15:54 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "all.letsencrypt.it123.info."
2024/05/30 13:15:55 [INFO] [cfty12.eu.org] acme: Cleaning DNS-01 challenge
2024/05/30 13:15:55 [INFO] Found CNAME entry for "_acme-challenge.cfty12.eu.org.": "all.letsencrypt.it123.info."
2024/05/30 13:15:56 [INFO] [876312.xyz] acme: Cleaning DNS-01 challenge
2024/05/30 13:15:56 [INFO] Found CNAME entry for "_acme-challenge.876312.xyz.": "all.letsencrypt.it123.info."
2024/05/30 13:15:57 [INFO] [cfty12.eu.org, *.cfty12.eu.org, 4837be12.eu.org, *.4837be12.eu.org, 876312.xyz, *.876312.xyz] acme: Validations succeeded; requesting certificates
2024/05/30 13:15:58 [INFO] [cfty12.eu.org] Server responded with a certificate.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

lego allows using subdomain DNS to obtain Let's Encrypt wildcard certificates #2196

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 4 comments 2 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

lego allows using subdomain DNS to obtain Let's Encrypt wildcard certificates #2196

aaro-n May 29, 2024

Welcome

How do you use lego?

Detailed Description

Problem description

Solved requirements

Expected method

Reference Documents

Subdomain issues required for Let's Encrypt DNS verification

Run lego with docker-compose

Replies: 4 comments · 2 replies

ldez May 29, 2024 Maintainer

aaro-n May 29, 2024 Author

ldez May 29, 2024 Maintainer

ldez May 29, 2024 Maintainer

ldez May 29, 2024 Maintainer

aaro-n May 30, 2024 Author

Subdomain issues required for Let's Encrypt DNS verification

Run lego with docker-compose

Domain name introduction

CNAME configuration

Run log

aaro-n
May 29, 2024

Replies: 4 comments 2 replies

ldez
May 29, 2024
Maintainer

aaro-n
May 29, 2024
Author

ldez May 29, 2024
Maintainer

ldez
May 29, 2024
Maintainer

ldez May 29, 2024
Maintainer

aaro-n
May 30, 2024
Author