[GH-ISSUE #335] Configuration questions #182

Open
opened 2026-03-13 16:04:29 +03:00 by kerem · 1 comment

Originally created by @etfz on GitHub (Mar 15, 2023).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/335

Hi,

Don't know whether this is the appropriate place for questions, but I could not find any other support channel.

Trying to get started with this, and I've read the readme, but I am not clear on a few configuration parameters. I'd like to think I understand how things work conceptually, having previously set up different DNS servers for the same purpose.

I intend to get certificates for a few subdomains of my domain example.com, such as *.system.example.com and *.intra.example.com. I have set up DNS records in my "real" DNS server:

  • acme-ns.example.com A <acme-dns-public-ip>
  • system.example.com NS acme-ns.example.com
  • intra.example.com NS acme-ns.example.com

My confusion lies with some of the configuration parameters. In the example configuration the same domain is used pretty much for all parameters. I feel like my nsname would be acme-ns.example.com, but I don't know what domain refers to.

The *.intra subdomains are resolvable only internally, and I have that sorted out already, but *.system subdomains need to be globally resolvable. Do I then need to define those in acme-dns in the records parameter, or can I delegate those requests elsewhere, or can I manage those in some way other than having to edit the configuration file?

Also, for the nsadmin, is the substituted @ just for the sake of the example, or how would it work where multiple dots are involved? Is this the address that would get used for Let's Encrypt notifications?


@etfz commented on GitHub (Mar 27, 2023):

I will answer myself partially.

As far as I understand, the issue of having a domain resolvable through your regular DNS provider is solved by creating a permanent _acme-challenge CNAME record pointing to your acme-dns instance and not creating the NS record.

```
_acme-challenge.system.example.com CNAME acme-ns.example.com
```

Having looked through the code, it seems like nsname and nsadmin are only used for the SOA record. domain is also used for the SOA record, as well as the hostname of the API server for its Let's Encrypt certificate (and some more things that I'm not sure what they are).

Double backslash should be used to escape dots in nsadmin, as I found in https://github.com/joohoi/acme-dns/pull/279.

I am still uncertain of what purpose the records parameter serves, and now I am not even sure whether an acme-dns instance supports acquiring wildcard certificates for multiple domains, or how I would do that.
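A worked example of the nsadmin escaping rule discussed in this thread, added here and not part of the issue or of acme-dns itself: it converts a mailbox to the SOA RNAME form (dots in the local part escaped as `\.`), to the double-backslash TOML string that goes into config.cfg, and back again, and renders the `[general]` keys in question. The mailbox value and helper names are constructed for illustration.

```python
import re

# Constructed example value (not from the issue): a mailbox whose local part
# contains a dot, which is exactly the case the double-backslash escaping is for.
EXAMPLE_MAILBOX = "dns.admin@example.com"


def mailbox_to_rname(mailbox: str) -> str:
    """Encode a mailbox as an SOA RNAME in DNS presentation form.

    RFC 1035 stores the mailbox as a domain name: the '@' becomes a label
    boundary and each dot inside the local part is escaped as '\\.'.
    """
    local, _, domain = mailbox.partition("@")
    if not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return local.replace(".", r"\.") + "." + domain


def rname_to_mailbox(rname: str) -> str:
    """Inverse of mailbox_to_rname: the first unescaped dot ends the local part.

    A bare value like 'admin.example.com' therefore means admin@example.com,
    which is why the example config looks like it has the '@' substituted.
    """
    m = re.match(r'^((?:\\.|[^.\\])+)\.(.+?)\.?$', rname)
    if not m:
        raise ValueError(f"not an RNAME: {rname!r}")
    local = m.group(1).replace(r"\.", ".")
    return f"{local}@{m.group(2)}"


def toml_nsadmin(mailbox: str) -> str:
    """The quoted string to put in config.cfg.

    TOML basic strings treat '\\' as an escape character, so every backslash
    of the presentation form must be doubled to survive config parsing.
    """
    return '"' + mailbox_to_rname(mailbox).replace("\\", "\\\\") + '"'


def general_section(domain: str, nsname: str, mailbox: str) -> str:
    """Render the three [general] keys this issue asks about (config.cfg is TOML)."""
    return "\n".join([
        "[general]",
        f'domain = "{domain}"',
        f'nsname = "{nsname}"',
        f"nsadmin = {toml_nsadmin(mailbox)}",
    ])


if __name__ == "__main__":
    print(general_section("acme-ns.example.com", "acme-ns.example.com", EXAMPLE_MAILBOX))
```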
