[GH-ISSUE #281] Solving ACME challenge without exposing subdomain names in DNS #142

Closed
opened 2026-03-13 15:55:57 +03:00 by kerem · 3 comments

Originally created by @shalak on GitHub (Sep 20, 2021).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/281

When I want to obtain an LE certificate for foo.example.com, I need to add a `_acme-challenge.foo.example.com` CNAME to my DNS. But this exposes the information that I'm running a server named `foo` in my infrastructure.

Is there a way for me to obtain multiple LE certificates, each for a different subdomain, but only add the `_acme-challenge.example.com`?

When I tried to do this, the `acme-dns-client`-driven certbot returns an error:

```
Hook '--manual-auth-hook' for foo.example.com reported error code 1
Hook '--manual-auth-hook' for foo.example.com ran with output:
 [!] Domain foo.example.com does not have acme-dns account registered for it. Validation failed.
 acme-dns-client - v0.2
```
kerem closed this issue 2026-03-13 15:56:03 +03:00

@Zetanova commented on GitHub (Oct 27, 2021):

Your problem has nothing to do with acme-dns.

You need to generate a wildcard cert `*.example.com` and use it for the `foo.example.com` service.


@joohoi commented on GitHub (Jan 25, 2022):

There should not be any issues for having multiple wildcard certificates generated using acme-dns. Wildcard certificates are your only option for hiding the subdomain names though, as all names registered for certificates get published in Certificate Transparency logs.
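The trade-off described in this comment, as an added example that is not part of acme-dns or acme-dns-client: for each ACME identifier it derives the dns-01 validation owner name (RFC 8555 strips the leading `*.` of a wildcard before prepending `_acme-challenge`), which is the CNAME an acme-dns user has to publish, and the SAN names that end up in Certificate Transparency logs. The hostnames and certificate requests are constructed sample input.

```python
"""Where does each certificate request expose a hostname: public DNS or CT logs?

Added example, not code from acme-dns or acme-dns-client.
"""
from dataclasses import dataclass, field


@dataclass
class Exposure:
    dns_records: set[str] = field(default_factory=set)  # CNAMEs visible in public DNS
    ct_names: set[str] = field(default_factory=set)     # SAN names published in CT logs


def challenge_label(identifier: str) -> str:
    """Return the _acme-challenge owner name used for dns-01 validation.

    A wildcard "*.example.com" is validated at "_acme-challenge.example.com",
    the same record the bare "example.com" uses, so no per-host label appears.
    """
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name:
        raise ValueError(f"invalid dns-01 identifier: {identifier!r}")
    return f"_acme-challenge.{name}"


def exposure(cert_requests: list[list[str]]) -> Exposure:
    """Aggregate DNS and CT exposure over several certificate requests (SAN lists)."""
    out = Exposure()
    for sans in cert_requests:
        for ident in sans:
            out.dns_records.add(challenge_label(ident))
            out.ct_names.add(ident.lower().rstrip("."))
    return out


def leaked_hosts(hostnames: list[str], cert_requests: list[list[str]]) -> set[str]:
    """Hostnames that can be read off the validation CNAMEs or the CT-logged SANs."""
    exp = exposure(cert_requests)
    public = exp.dns_records | exp.ct_names
    return {h for h in hostnames
            if any(p == h or p.endswith("." + h) for p in public)}


# Constructed sample: three internal hosts, two ways of requesting certificates.
HOSTS = ["foo.example.com", "bar.example.com", "baz.example.com"]
PER_HOST = [[h] for h in HOSTS]          # one certificate per hostname
WILDCARD = [["*.example.com"]]           # one wildcard certificate for all of them
```

Note that `*.example.com` matches exactly one label, so `a.b.example.com` would still need its own (again wildcard) certificate.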


@shalak commented on GitHub (Jan 26, 2022):

Thank you for the answers, I'll close the ticket.
