[GH-ISSUE #13] Can't create a CNAME as the program requests, seems malformed. #7

Closed
opened 2026-03-13 16:24:27 +03:00 by kerem · 19 comments

Originally created by @oblitum on GitHub (Jan 25, 2022).
Original GitHub issue: https://github.com/acme-dns/acme-dns-client/issues/13

Assuming "tld" is my domain, like "foo.com", I'm trying to get a wildcard certificate for "*.tld".

sudo acme-dns-client register -d '*.tld' -s https://auth.tld

[W] Acme-dns account already registered for domain *.tld
Do you want acme-dns-client to monitor the CNAME record change? [Y/n]:  

To finalize the setup, you need to create a CNAME record pointing from _acme-challenge.*.tld 
to the newly created acme-dns domain xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.auth.tld

A correctly set up CNAME record should look like the following:

_acme-challenge.*.tld.     IN      CNAME   xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.auth.tld.

Waiting for CNAME record to be set up for domain *.tld
Querying the authoritative nameserver every 15 seconds.

Waiting for 10 seconds... Press Ctrl + C to abort and exit.^C

Is it possible to create a CNAME like "_acme-challenge.*.tld"? I can't input this ("_acme-challenge.*") as CNAME in my registrar.

kerem closed this issue 2026-03-13 16:24:32 +03:00

@joohoi commented on GitHub (Jan 25, 2022):

If you are running your own acme-dns instance in domain acme-dns.foo.com the command for you would look like:

sudo acme-dns-client register -d '*.foo.com' -s https://acme-dns.foo.com

@oblitum commented on GitHub (Jan 25, 2022):

It's what I did above.


@oblitum commented on GitHub (Jan 25, 2022):

I can insert "*._acme-challenge" in the CNAME host box, but not something as requested "_acme-challenge.*". No idea how to proceed from here.


@joohoi commented on GitHub (Jan 25, 2022):

Oh, I see! The help text seems to actually be incorrect. In this it should actually say:

...
A correctly set up CNAME record should look like the following:

_acme-challenge.foo.com.     IN      CNAME   xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.auth.tld.

Waiting for CNAME record to be set up for domain foo.tld
Querying the authoritative nameserver every 15 seconds.
...

So basically _acme-challenge.$domainname


@oblitum commented on GitHub (Jan 25, 2022):

Sadly, I did that as well. I created such a top-level CNAME record, but the client kept spinning every 15s, unable to fetch it, even when I was able to query it with nslookup:

nslookup -type=CNAME _acme-challenge.tld
_acme-challenge.tld  canonical name = xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.auth.tld.

So, is it just an issue with the message or the program is also doing wrong requests looking for _acme-challenge.*.foo.com instead of _acme-challenge.foo.com?

Could have been some propagation problem, but I've let it spinning for a while and nothing. Will try it again.


@oblitum commented on GitHub (Jan 25, 2022):

Will try it again.

Tried again; indeed, I can't get past this.

Waiting for CNAME record to be set up for domain *.tld
Querying the authoritative nameserver every 15 seconds.

Waiting for 15 seconds... Press Ctrl + C to abort and exit.

@JonathanGawrych commented on GitHub (Jan 26, 2022):

My registrar (Google domains) indeed allows me to have the wildcard like so: _acme-challenge.*.foo.com

You should be able to lookup mine to see it working:

$ nslookup -type=CNAME _acme-challenge.*.gawrych.us
_acme-challenge.*.gawrych.us	canonical name = 091eceec-6b94-4941-bbb0-d30c082ddab4.acme.gawrych.us.

Without the wildcard (_acme-challenge.foo.com) only works for foo.com, not *.foo.com (I've set up both for my DNS). Sorry, but I think you'll have to go to support on your registrar and ask them to allow the wildcard after the _acme-challenge


@oblitum commented on GitHub (Jan 26, 2022):

@JonathanGawrych thanks for your report, interesting. Well, I use Namecheap and I don't have high hopes they're going to have this fixed soon 😞 (if ever, but I just reported it). TBH, IMO, except for this use case, having a "_acme-challenge.*" record feels a bit odd, because it's a fixed subdomain ("_acme-challenge") under a wildcard.

Please let me know if there's a way to have this fixed besides having to migrate domains, etc.


@oblitum commented on GitHub (Jan 27, 2022):

Just to report, as of now, the sole answer I got from them is:

Thank you for contacting Namecheap support.
We are deeply sorry that you faced such inconveniences.
You are right, unfortunately, it is not possible to set up such a type of wildcard subdomain like "test.*".
To our regret, the system does not support such types of subdomains currently.
We are looking forward to hearing from you.

So, in current form, this tool can't work with wildcard certificates for domains hosted on Namecheap.


@JonathanGawrych commented on GitHub (Jan 27, 2022):

That's no fun. Sorry that Namecheap doesn't support it. I don't know of any workarounds... maybe joohoi knows of a way to have one at the tld that gives you wildcard for *.tld? EFF thinks that _acme-challenge.eff.org should work for *.eff.org:
https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation#:~:text=the%20validation%20subdomain
It's been a while since I looked into letsencrypt, but I recall the documentation on wildcard certificates is a little lacking.


@oblitum commented on GitHub (Jan 27, 2022):

Just a side comment, sorry the confusion on starting using the term "tld" wrongly applied to mean some domain, instead of a TLD (.com, .net, etc).


@oblitum commented on GitHub (Jan 27, 2022):

Reporting another experience. I'm now considering other registrars, and I had interest in Alibaba Cloud. I got a domain there to try and this was the first thing I tested, they also don't allow this kind of CNAME record. This is what they report in the interface when entering a "foo.*": * may be used as the starting character only and followed by "." only. So, just like happened with Namecheap, "*" or "*.foo" is possible, but not "foo.*".

IMO, this should be fixed client side, I suspect this will hit many registrars.


@joohoi commented on GitHub (Jan 28, 2022):

Ok, took a look into this, and it is just a documentation issue on the client side here.

For a wildcard certificate for *.foo.com the CNAME record that should get created is exactly the same as for a certificate for foo.com. So for getting a certificate that's valid for *.foo.com AND foo.com (the main domain needs to be added to the certificate separately, as *.foo.com does not cover the "naked" main domain), only one CNAME needs to be added, as it covers them both.

So for a wildcard certificate for *.foo.com, the command for acme-dns-client is:

sudo acme-dns-client register -d 'foo.com' -s https://acme-dns.foo.com

Sorry for my previous, confusing reply to this thread.

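As an added example (not code from acme-dns-client, and not posted by anyone in this thread), the following Python computes the DNS-01 validation record name for each identifier on a certificate the way RFC 8555 section 8.4 defines it: a leading "*." is dropped, so "*.foo.com" and "foo.com" both resolve to the single _acme-challenge.foo.com record joohoi describes, and a "*" anywhere else in the name is rejected rather than turned into a record like "_acme-challenge.*.foo.com". It then compares the records that exist against the acme-dns fulldomain they must point at. The zone table and `sample_lookup` are constructed stand-ins for the authoritative nameserver; replace them with a real CNAME query to use this as a pre-flight check before running `register`.

```python
"""Compute and verify the DNS-01 CNAME records acme-dns needs for a set of
certificate identifiers.  Added example, not code from acme-dns-client.

RFC 8555 section 8.4: for a wildcard identifier "*.example.com" the
validation record name is "_acme-challenge.example.com", i.e. the "*."
prefix is dropped.  So "*.foo.com" and "foo.com" share one record.
"""
from typing import Callable, Dict, Iterable, List

ACME_LABEL = "_acme-challenge"


def _normalize(name: str) -> str:
    """Lower-case a DNS name and make it absolute (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def validation_name(identifier: str) -> str:
    """Return the absolute name of the DNS-01 validation record.

    "*.foo.com"   -> "_acme-challenge.foo.com."
    "foo.com"     -> "_acme-challenge.foo.com."
    "a.b.foo.com" -> "_acme-challenge.a.b.foo.com."
    """
    ident = identifier.strip().lower().rstrip(".")
    if ident.startswith("*."):
        ident = ident[2:]
    if not ident or "*" in ident:
        # RFC 8555 allows a wildcard only as the leftmost label; anything
        # else ("_acme-challenge.*.foo.com", "foo.*.com") is not a valid
        # identifier and must not become a record name.
        raise ValueError(f"unsupported identifier: {identifier!r}")
    return f"{ACME_LABEL}.{ident}."


def required_cnames(identifiers: Iterable[str], acmedns_fulldomain: str) -> Dict[str, str]:
    """Map each distinct validation name to the acme-dns fulldomain it must
    point at.  Wildcard and base identifiers collapse to the same key."""
    target = _normalize(acmedns_fulldomain)
    return {validation_name(i): target for i in identifiers}


def check_cnames(required: Dict[str, str], lookup_cname: Callable[[str], str]) -> List[str]:
    """Compare what DNS returns against what acme-dns needs.

    `lookup_cname(name)` returns the CNAME target for `name`, or "" if there
    is none.  Inject a real resolver, or the constructed table below.
    """
    problems = []
    for name, want in required.items():
        got = lookup_cname(name)
        if not got:
            problems.append(f"{name} has no CNAME (expected {want})")
        elif _normalize(got) != want:
            problems.append(f"{name} points at {got}, expected {want}")
    return problems


# Constructed zone data standing in for the authoritative nameserver.  The
# acme-dns fulldomain is the placeholder used earlier in this thread.
SAMPLE_ZONE = {
    "_acme-challenge.foo.com.": "xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.acme-dns.foo.com",
}


def sample_lookup(name: str) -> str:
    """Stand-in for a CNAME query against SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(_normalize(name), "")


if __name__ == "__main__":
    req = required_cnames(
        ["*.foo.com", "foo.com"],
        "xxx3ce0f-xxxx-xxxx-xxxx-7xxd9xxxxbbd.acme-dns.foo.com",
    )
    print("records needed:", req)
    print(check_cnames(req, sample_lookup) or "all CNAME records in place")
```

Note that `required_cnames` returns one entry for the pair `*.foo.com` / `foo.com`, which is exactly why the original help text asking for `_acme-challenge.*.tld` could never be satisfied by a registrar that follows the standard.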

@oblitum commented on GitHub (Jan 28, 2022):

Thanks for the info @joohoi, can you tell me whether I'll be able to obtain a certificate for my *.foo.com that won't affect foo.com, because I already have a certificate on foo.com, and I wanted to keep it separate, I just want a fallback wildcard certificate for subdomains.


@joohoi commented on GitHub (Jan 28, 2022):

You can have multiple certificates for foo.com as well as *.foo.com. However in case you use DNS validation for both of them, you need to either do that without acme-dns on both occasions, or use acme-dns for both of them (while sharing the acme-dns account credentials between the boxes). It's not possible to do it without manual intervention on every renewal otherwise.

In case you are managing both of the certificates on the same machine (or rather; same filesystem), no action needs to be taken, but in case these are on different environments, you'll need to copy file /etc/acmedns/clientstorage.json (the local acme-dns-client account storage) over to the other box too.

That said, the changes to providing the * on commandline for acme-dns-client have now been fixed in the codebase, and a new release that incorporates this change has been built.


@oblitum commented on GitHub (Jan 28, 2022):

My foo.com certificate is not managed by me at all, it's obtained by a 3rd party (GitLab supports Let's Encrypt certificates on their GitLab Pages by a checkbox option kind of thing: https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/lets_encrypt_integration.html), so I have no idea what challenge they use. Only foo.com gets automatic certificates from them; for the rest of my subdomains I do it myself. I hope there won't be an issue with this.


@joohoi commented on GitHub (Jan 28, 2022):

There won't be any issues in case you haven't manually created a CNAME record for _acme-challenge.foo.com pointing to GitLab services (which I don't think is the way they manage the certificates honestly).


@oblitum commented on GitHub (Jan 28, 2022):

Thanks, I'll close the issue as soon as I get some time to set this up again and verify it works.


@oblitum commented on GitHub (Jan 29, 2022):

All seems OK on this part, thanks all for the help. I just got the same doubts as in issue #10 in the end. After updating the client and getting the wildcard certificate, I got one successful one listed (for "foo.com"), but there was one dangling one left in error due to this issue (for "*.foo.com", for which there's no CNAME record). To remove this dangling one, I just edited /etc/acmedns/clientstorage.json and removed it; is that all I have to do? At first I'm not using -allow from a specific IP, but I was planning to do it later in the process, and I'm also curious whether that's just a matter of running register again for it to work immediately (same for the CAA thing).
