Hi guys!
It seems cPanel and DirectAdmin(?) create some _acme-challenge.something TXT records in DNS. I assume they’re used with the Let’s Encrypt module to request/renew SSL certificates.
I’m considering moving from the shared webhost DNSes to an external DNS. My question is whether that would just keep working if I duplicate/transfer those records as-is, or if those records might need to be manually changed, or if it might break in some other way?
For what it’s worth I haven’t made any modifications to DA or cPanel to use the old method and it seems to be working fine without being responsible for managing anyone’s DNS.
I think they’re using the TXT records for wildcard certificates? Since that’s one of the requirements in order to get wildcards.
As for cPanel / DirectAdmin and Let’s Encrypt, I can confirm that both panels will work if your DNS is hosted elsewhere. I don’t know whether that is because TXT’s are only used for wildcards or if they use a fallback scenario.
As long as those TXT records don’t need to change on every update, it shouldn’t be a problem, then …
(Had to use wildcard cert to get around some bug in DA, it seems. As in this:
Error: http://my-crappy.domain/.well-known/acme-challenge/letsencrypt_1570173301 is not reachable. Aborting the script.
dig output for my-crappy.domain:
Please make sure /.well-known alias is setup in WWW server.
(it was defined as a CNAME, and had a working site)
Wildcard cert worked.
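The question above, whether the _acme-challenge TXT records have to change between renewals, can be answered by looking at how the DNS-01 challenge value is derived. The following is an added example, not code from the thread or from cPanel/DirectAdmin: it computes the TXT value the ACME server expects (RFC 8555 §8.4, a base64url SHA-256 of `token.thumbprint`, with the thumbprint per RFC 7638) and checks whether a published record set still matches. The JWK and tokens are constructed sample values, not real keys.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not real keys or tokens): a public RSA account-key
# JWK as the ACME client would hold it, and a token as the CA would issue it.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key",
    "kid": "extra-member-ignored-by-thumbprint",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data):
    """Base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, thumbprint):
    """TXT value = base64url(SHA-256(token '.' thumbprint)).

    The token is fresh for every challenge the CA issues, so this value differs
    on every issuance/renewal even though the account key stays the same.
    """
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record(identifier, token, thumbprint):
    """Return (owner name, TXT value) for a DNS-01 challenge on `identifier`.

    A wildcard identifier is validated at its base name, so '*.example.com'
    and 'example.com' both use _acme-challenge.example.com.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}", dns01_txt_value(token, thumbprint)


def record_is_current(published, expected):
    """True if the expected value is among the published TXT strings.

    `published` holds the strings as dig prints them, i.e. wrapped in quotes.
    """
    return expected in {v.strip('"') for v in published}


if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_JWK)
    name, value = challenge_record("*.example.com", SAMPLE_TOKEN, tp)
    print(f"{name} IN TXT \"{value}\"")
    # A record copied over from the old DNS holds last renewal's value and
    # will not satisfy a new challenge:
    stale = dns01_txt_value("previous-token", tp)
    print("stale record still valid?", record_is_current([f'"{stale}"'], value))
```

The practical consequence: a migrated _acme-challenge record is harmless but useless by itself. The panel's ACME client has to be able to publish a new value at the external DNS on each renewal (through an API or a CNAME delegation), or it must fall back to the HTTP-01 challenge, which needs no TXT record at all.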
That’s odd. I’ve only touched DA once or twice, but didn’t run into a single issue with SSL certificates. Probably best if you give it another shot the regular way and pull your webserver access logs to determine what’s happening.
On the contrary, I’m quite sure I don’t need a wildcard cert. It just happened to be the only workaround I found for that bug at the moment. Will debug that some more …
Well, there was another quite recent Let’s Encrypt bug (as you’ll see in the DA forum). Will definitely check logs and retry, yes. (Currently waiting for some DNS propagation for some other domains I’ll test this on.)
Hopefully will figure out why it ain’t soon enough.
Honestly, ClouDNS’s anycast is a complete shitstorm, so don’t bother paying for that.
It seems they don’t actually have any clue about how to operate one, and it turns out buying servers at random locations doesn’t magically make it work.
I noticed that one, but it seems I have to complete some IPv6 something to test it/sign up.
I must admit I never looked in anycast DNS, no idea if/why I want it or not …
My registrar’s DNS solution seems to automate DNSSEC stuff. That might be nice …
Interesting, thanks! Wondering about the free plan limit of “50 Records”, though. Is that per zone, or total? (Zones migrated from old cPanel accounts often have 30-40 records, of which most are not needed anymore.)
Looks like I need to sign up for tunnelbroker or something:
The Open Beta has been expanded and now includes our IPv6 certification or tunnelbroker account holders, Colocation customers and those with Transit services from us.
I happen to find it a tad bit faster than others. Simple and easy. Nothing fancy like Cloudflare of course, but Hurricane Electric is a major player in the industry.