[BlueOnyx:27211] Re: Subdomain delegation
Colin Jack
colin at mainline.co.uk
Thu Aug 22 13:37:32 -05 2024
Hi Michael,
>> Following my earlier email regarding adding an NS record shown here as an example on Cloudflare
>>
>> https://smarthelpguides.com/how-to-auto-renew-and-issue-plesk-lets-encrypt-ssl-certificate-with-cloudflare-dns/
>>
>> Would adding _acme-challenge as a subdomain delegation in BX achieve this?
> Generally speaking: What you're trying to do there won't work as it's
> only one half of the issue.
This is a web developer requesting this.
He says he uses this method for all his clients, but where they don't handle the DNS they need the 3rd party (in this case us) to create an NS record for the ACME challenge to route to their Plesk server:
“Okay, the site is in place for you to add the A records whenever you have the time. I also need you to add one NS record for the purposes of validating an auto-renewing SSL certificate.

Type  Name             Data
A     *                93.229.69.20
A     @                93.229.69.20
NS    _acme-challenge  domain.co.uk

Thanks for taking the time to do this.”
> There are other forms of checks possible and one of them is DNS based.
> In that case during the cert request the ACME client interfaces with
> your DNS server and it creates a temporary TXT record for the domain(s)
> in question WITH the signature as a payload.
> LE then checks if the TXT DNS record exists and that it has the expected
> signature.
Maybe this is what they are trying to do?
> My suggestion: Ask the client to use web based authentication via the
> /.well-known/.acme/ directory instead and save yourself a lot of headache.
They won’t change and said maybe we should move the DNS to them which I don’t want to do.
I figured that I could just put the following into the include file?
_acme-challenge. IN NS domain.co.uk.
Taco kindly suggested:
_acme-challenge.example.com. IN NS XXXXXX.
What do you think? Would this be the easiest way out of this?
Thanks
Colin
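
As an added example, not part of the original message: a small Python check of how standard RFC 1035 zone-file syntax expands the owner name in the NS line forms discussed above. The origin `example.com.`, the target `ns1.plesk.example.net.` and all helper names are assumptions made for illustration, as is the premise that the BlueOnyx include file is read relative to the zone origin.

```python
# Added example (not from the thread): how a zone-file name is expanded.
ORIGIN = "example.com."                    # assumed zone origin (placeholder)
WANTED_LABEL = "_acme-challenge"

def expand_name(name: str, origin: str = ORIGIN) -> str:
    """Expand a zone-file name the way RFC 1035 master files are read."""
    origin = origin.lower().rstrip(".") + "."
    name = name.lower()
    if name == "@":                        # "@" means the origin itself
        return origin
    if name.endswith("."):                 # trailing dot: already absolute
        return name
    return name + "." + origin.lstrip(".") # relative: origin is appended

def parse_ns(line: str, origin: str = ORIGIN):
    """Parse '<owner> [ttl] [IN] NS <target>'; return (owner, target) or None."""
    fields = line.split(";", 1)[0].split() # drop comment, split on whitespace
    kinds = [f.upper() for f in fields]
    if "NS" not in kinds[1:-1]:            # need an owner before, a target after
        return None
    i = kinds.index("NS", 1)
    return expand_name(fields[0], origin), expand_name(fields[i + 1], origin)

def check_delegation(line: str, origin: str = ORIGIN):
    """Return (status, owner, target) for an intended _acme-challenge NS line."""
    parsed = parse_ns(line, origin)
    if parsed is None:
        return ("not-ns", None, None)
    owner, target = parsed
    zone = expand_name("@", origin)
    if owner == expand_name(WANTED_LABEL, origin):
        status = "delegates-challenge"
    elif owner == zone or owner.endswith("." + zone):
        status = "other-name-in-zone"
    else:
        status = "out-of-zone"             # the name server would not serve it here
    return (status, owner, target)

# Constructed sample lines; ns1.plesk.example.net is a placeholder target.
SAMPLES = [
    "_acme-challenge.             IN NS ns1.plesk.example.net.",
    "_acme-challenge.example.com. IN NS ns1.plesk.example.net.",
    "_acme-challenge              IN NS ns1.plesk.example.net.",
    "_acme-challenge              IN NS ns1.plesk.example.net",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_delegation(line), "<-", " ".join(line.split()))
```

A name written with a trailing dot is taken as absolute, so the first sample lands outside the zone, while a target written without the trailing dot (last sample) has the origin appended to it.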