[GH-ISSUE #256] Can I use acme-dns for the entire domain including example.org instead of auth.example.org? #127

Open
opened 2026-03-13 15:51:39 +03:00 by kerem · 1 comment
Owner

Originally created by @krouter on GitHub (Feb 13, 2021).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/256

I would like to set up one _acme-challenge CNAME record at the domain level, e.g. "_acme-challenge.example.org CNAME d53gsf-gn67e-rogm98cd.auth.acme-dns.io.", and use acme-dns-client to additionally set up a CAA record.

From there on, I can install acme.sh and continue to get new SSL certs issued and renewed for various subdomains without having to manually mess with the TXT records on Google DNS anymore.

Is this a correct understanding of how this acme-dns works?


@CaptiveCreeper commented on GitHub (Jun 19, 2021):

Yes, you can create certs for your entire domain. The only catch is you need to make a CNAME record that points to the TXT record under your auth.acme-dns.io.

So if you wanted a cert for "test.example.org", your client would make a unique id for a TXT record on auth.acme-dns.io; let's call it d53gsf-gn67e-rogm98cd.auth.acme-dns.io. You now need to make a CNAME record that points _acme-challenge.test.example.org to d53gsf-gn67e-rogm98cd.auth.acme-dns.io. You will need a CNAME for each cert that is created.

If you don't want to have to handle that many CNAMEs, you can do a * (wildcard) cert with the DNS challenge. (I haven't set one of these up yet, so I don't have any input on how the CNAME will work, although your client will likely tell you what CNAME to make when you use it.)
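The delegation described in the question and the answer above, as an added example that is not part of this issue thread or of the acme-dns project: a small checker that computes the `_acme-challenge` name a CA will query for a given identifier (per RFC 8555, a wildcard identifier drops its leading `*.` first, so `*.example.org` and `example.org` share one challenge name), follows the CNAME chain, and confirms it lands on the acme-dns `fulldomain`. The DNS view is a constructed in-memory dict so the script runs offline; the `lookup` callable and the TXT value are assumptions you would replace with a real resolver and the live record. The acme-dns hostname is the one quoted in the thread.

```python
"""Offline check of _acme-challenge CNAME delegation to acme-dns.

Added example (not acme-dns code). `lookup(name, rtype)` is a stand-in for a
real resolver; here it reads a constructed zone dict so the check runs offline.
"""
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# acme-dns "fulldomain" from the thread; the TXT value below is constructed.
FULLDOMAIN = "d53gsf-gn67e-rogm98cd.auth.acme-dns.io."

CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    # apex delegation: covers example.org and *.example.org
    ("_acme-challenge.example.org.", "CNAME"): [FULLDOMAIN],
    # a separate delegation is needed for test.example.org
    ("_acme-challenge.test.example.org.", "CNAME"): [FULLDOMAIN],
    # a mistyped target, to show the check catching it
    ("_acme-challenge.other.example.org.", "CNAME"): ["typo.auth.acme-dns.io."],
    # a CNAME loop, to show loop detection
    ("_acme-challenge.loop.example.org.", "CNAME"): ["a.loop.example.org."],
    ("a.loop.example.org.", "CNAME"): ["_acme-challenge.loop.example.org."],
    # what acme-dns would publish after an /update call (constructed value)
    (FULLDOMAIN, "TXT"): ["constructed-key-authorization-digest"],
}


def dict_lookup(name: str, rtype: str) -> List[str]:
    """Resolver stand-in: exact-match lookup in the constructed zone."""
    return CONSTRUCTED_ZONE.get((name.lower(), rtype), [])


def challenge_name(identifier: str) -> str:
    """Name the CA queries for dns-01. '*.' is stripped for wildcards."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}."


def resolve_cname_chain(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs from `name`; return (final owner name, names visited)."""
    seen: List[str] = []
    current = name.lower()
    while len(seen) < max_hops:
        seen.append(current)
        targets = lookup(current, "CNAME")
        if not targets:
            return current, seen
        current = targets[0].lower()
        if not current.endswith("."):
            current += "."
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
    raise ValueError(f"more than {max_hops} CNAME hops from {name}")


def verify_delegation(identifier: str, fulldomain: str, lookup: Lookup) -> Tuple[bool, str]:
    """True when _acme-challenge.<identifier> ends up at the acme-dns fulldomain."""
    want = fulldomain.lower().rstrip(".") + "."
    try:
        final, chain = resolve_cname_chain(challenge_name(identifier), lookup)
    except ValueError as err:
        return False, str(err)
    if final != want:
        return False, f"{chain[0]} resolves to {final}, expected {want}"
    return True, f"{chain[0]} -> {final} ({len(chain) - 1} hop(s))"


def published_txt(identifier: str, lookup: Lookup) -> List[str]:
    """TXT values a CA would see for the identifier after following the chain."""
    final, _ = resolve_cname_chain(challenge_name(identifier), lookup)
    return lookup(final, "TXT")


if __name__ == "__main__":
    for ident in ["example.org", "*.example.org", "test.example.org",
                  "nocname.example.org", "other.example.org", "loop.example.org"]:
        ok, why = verify_delegation(ident, FULLDOMAIN, dict_lookup)
        print(f"{'OK ' if ok else 'BAD'} {ident:22} {why}")
    print("TXT seen for *.example.org:", published_txt("*.example.org", dict_lookup))
```

Run it once before each new hostname's first issuance: a name whose CNAME is missing or mistyped fails here with a clear reason rather than as an opaque CA validation error, and the loop case shows why the chain follower bounds its hops.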
