New to CW, a bit of confusion about alias domains

Skeer

So while I'm not new to ACME or TLS in general.. Alias Domains are a new idea that I'm looking at for work. About half the domains and their respective DNS zones are managed by a different team at my company. So I wanted to test this out. Trying to follow the CW docs, as well as what's in the ACME github README as well but somethings not clicking.
So I created a challenge domain and Zone in Route53. I then created two CNAME records, one in each of two domains that I'm using to test with. Let's say it's challenge-dom.net, dom.net, and widgets.net. So in widgets and dom I created the '_acme-challenge.' CNAME records, both of which point to _acme-challenge.challenge-dom.net.
I login to CW, I have a working provider using the dns01goacme that was tested directly against widget.net earlier today, a certificate was generated successfully.
So I create the alias, challenge domain is widget.net, provision is challenge-dom.net.

The validation fails, logs shows:

4/21/2025, 3:12:07 PM, info, orders/fulfilling_do.go:100, orders: fulfilling worker 2: order 2 done
4/21/2025, 3:12:07 PM, error, orders/fulfilling_do.go:99, orders: fulfilling worker 2: fulfill auths error: challenges: cname record test2.widget.net doesn't exist or doesn't point to test2.challenge-dom.net
4/21/2025, 3:12:07 PM, error, authorizations/fulfiller.go:31, auths: failed to fulfill auth https://acme-v02.api.letsencrypt.org/acme/authz/2354375517/509082255527 (challenges: cname record test2.widget.net doesn't exist or doesn't point to test2.challenge-dom.net)
4/21/2025, 3:12:07 PM, info, orders/fulfilling_do.go:24, orders: fulfilling worker 2: ordering order id 2 (certificate name: testing2, subject: test2.widget.net)

I must be doing something very obvious but it's escaping me.

gregtwallace

Are you on the latest version of CW?

Skeer

pretty sure, 0.24.8?

Skeer

Oh, might be worth mentioning that I did go through using the DNS-01 acme.sh provider but got the same errors. Somewhere I read how the lego is better(?)

Skeer

In further testing, today I re-tried both the acme.sh dns as well as the le-go provider. The Role has all the requisite perms, I'm supplying the access id, secret key, region and hosted zone id's, and the underlying host can lookup all these domains correctly. Speaking of which all of them are in Route53.
If I leave out all domain aliases then certs are generated correctly. Adding an alias, immediately fails but what's confusing is there's no mention of _acme-challenge, it seems to jump directly to the CN value instead.

gregtwallace

I am intrigued because as you pointed out the prefix should be there. Your log should have something like

4/22/2025, 3:12:28 AM, error, orders/fulfilling_do.go:99, orders: fulfilling worker 0: fulfill auths error: challenges: cname record _acme-challenge.solo1.alias.test.gtw86.com doesn't exist or doesn't point to _acme-challenge.solo1.alias.dnsspeedmate.com
4/22/2025, 3:12:28 AM, error, authorizations/fulfiller.go:31, auths: failed to fulfill auth https://acme-staging-v02.api.letsencrypt.org/acme/authz/180767004/16929775914 (challenges: cname record _acme-challenge.solo1.alias.test.gtw86.com doesn't exist or doesn't point to _acme-challenge.solo1.alias.dnsspeedmate.com)
4/22/2025, 3:12:28 AM, debug, challenges/solver.go:33, challenges: alias exists for acme identifier `solo1.alias.test.gtw86.com` and will provision to `solo1.alias.dnsspeedmate.com`

How do you have the provider configured for your alias domain? Perhaps the alias is still running on the default http provider? That would explain the domain name missing the dns prefix.

Or maybe more succinctly, without using an alias, have you tried to make a certificate for test2.challenge-dom.net ?

Skeer

Ok I knew I was missing some likely obvious piece of the puzzle. I did not have my challenge domain listed in any provider.. so you were right! It was trying to use the default HTTP one.

So testing earlier I added it to the lego provider along with test domain 2. Then requested a cert for that test domain, which failed in a similar fashion:

4/23/2025, 9:32:59 AM, info, orders/fulfilling_do.go:100, orders: fulfilling worker 0: order 2 done
4/23/2025, 9:32:59 AM, error, orders/fulfilling_do.go:99, orders: fulfilling worker 0: fulfill auths error: challenges: cname record _acme-challenge.test2.schwarz.com doesn't exist or doesn't point to _acme-challenge.test2.acc.net
4/23/2025, 9:32:59 AM, error, authorizations/fulfiller.go:31, auths: failed to fulfill auth https://acme-v02.api.letsencrypt.org/acme/authz/2354375517/509082255527 (challenges: cname record _acme-challenge.test2.schwarz.com doesn't exist or doesn't point to _acme-challenge.test2.acc.net)
4/23/2025, 9:32:59 AM, info, orders/fulfilling_do.go:24, orders: fulfilling worker 0: ordering order id 2 (certificate name: testing2, subject: test2.schwarz.com)

Trying to request a cert in the challenge domain directly resulted in:

4/23/2025, 9:34:59 AM, info, orders/fulfilling_do.go:100, orders: fulfilling worker 2: order 11 done
4/23/2025, 9:34:59 AM, error, orders/fulfilling_do.go:99, orders: fulfilling worker 2: fulfill auths error: route53: failed to change record set: operation error Route 53: ChangeResourceRecordSets, https response error StatusCode: 400, RequestID: d74ec2d6-69cd-4cfc-9106-cea59f3ef3dd, InvalidChangeBatch: [RRSet with DNS name _acme-challenge.test.acc.net. is not permitted in zone schwarz.com.]

I did not remove the aliases between these attempts.. but the challenge domain isn't aliased itself so the mention of schwarz.com seems weird

Skeer

Resolved part of that. Then discovered a DNS issue.. awaiting replication.

![https://media.tenor.com/GatVgJpQVVUAAAAe/spongebob.png](https://)

Skeer

Ok so recapping, I deleted all Domain Aliases, and Providers. Then set the default HTTP provider to use 'example.com'. Created a new provider using the go-acme DNS for my challenge domain. Then successfully generated a cert for host1.challenge_domain.net.

Created a second Provide using acme.sh DNS for prod_dom.net. (Again with no aliases), submitted a cert request for host1.prod_dom.net which immediately failed with.. a lot. But after re-tweaking the IAM users Permission Policy it seemed to work.
The perms are pretty.. sensitive so far. I have a user w/multiple policies that worked for Ansible to get in and create _acme-challenge records but failed being used by CertWarden.

So that's two successes against two different domains, using the acme and go-acme providers.

So now I added an alias for the test domain. (The terminology used is pretty confusing I have to admit. 'Challenge Domain' logically should be the challenge domain while the Provision Domain should be the CN's value) also made sure there was a CNAME record, _acme-challenge.prod.net with a value of _acme-challenge.alias.net.
Anyway a subsequent cert request later immediately failed:


{"level":"info","ts":"2025-04-23T18:32:11.376Z","caller":"orders/fulfilling_do.go:24","msg":"orders: fulfilling worker 1: ordering order id 12 (certificate name: prod.net_w_alias, subject: alias.prod.net)"},
{"level":"error","ts":"2025-04-23T18:32:11.629Z","caller":"authorizations/fulfiller.go:31","msg":"auths: failed to fulfill auth https://acme-v02.api.letsencrypt.org/acme/authz/2354375517/510057621597 (challenges: cname record _acme-challenge.alias.prod.net doesn't exist or doesn't point to _acme-challenge.alias.acc.net)","stacktrace":"certwarden-backend/pkg/domain/authorizations.(*Service).FulfillAuths.func1\n\t/home/runner/work/certwarden/certwarden/pkg/domain/authorizations/fulfiller.go:31"},
{"level":"error","ts":"2025-04-23T18:32:11.629Z","caller":"orders/fulfilling_do.go:99","msg":"orders: fulfilling worker 1: fulfill auths error: challenges: cname record _acme-challenge.alias.prod.net doesn't exist or doesn't point to _acme-challenge.alias.acc.net","stacktrace":"certwarden-backend/pkg/domain/orders.(*orderFulfillJob).Do\n\t/home/runner/work/certwarden/certwarden/pkg/domain/orders/fulfilling_do.go:99\ncertwarden-backend/pkg/datatypes/job_manager.(*Manager[...]).doJob\n\t/home/runner/work/certwarden/certwarden/pkg/datatypes/job_manager/do.go:22\ncertwarden-backend/pkg/datatypes/job_manager.NewManager[...].func1\n\t/home/runner/work/certwarden/certwarden/pkg/datatypes/job_manager/manager.go:77"},
{"level":"info","ts":"2025-04-23T18:32:11.630Z","caller":"orders/fulfilling_do.go:100","msg":"orders: fulfilling worker 1: order 12 done"},

Skeer

I should ask if I am understanding the Domain Aliases stuff correctly. When I read the doc I understand it as a CNAME for the intended domain should exist and point TO THE challenge domain.

Is it, I want a cert with a CN 'alias.bigcompany.com', but I use the challenge domain 'challenge-bigcompany.com', therefor I have to create a _acme-challenge.alias.bigcompany.com CNAME in the zone for bigcompany.com pointing to _acme-challenge.alias.challenge-bigcompany.com?

gregtwallace

The intent of the alias is to create the condition where Cert Warden does NOT have dns access over the real domain (e.g., bigcompany.com) but instead only has DNS credentials for the alias challenge-bigcompany.com.

You would manually create static DNS records (outside of CW) for bigcompany.com that point to challenge-bigcompany.com. I think you might be doing it in reverse. You need to manually create a CNAME record for every subject name you plan to use (e.g., _acme-challenge.one.bigcompany.com pointing to _acme-challenge.one.challenge-bigcompany.com if you want to use one.bigcompany.com).

If you don't care about having API credentials for bigcompany.com on CW, you're just doing extra work for no gain.

As for your other error, I suspect perhaps you created a provider that has API access for one domain, but not the other.

4/23/2025, 9:34:59 AM, info, orders/fulfilling_do.go:100, orders: fulfilling worker 2: order 11 done
4/23/2025, 9:34:59 AM, error, orders/fulfilling_do.go:99, orders: fulfilling worker 2: fulfill auths error: route53: failed to change record set: operation error Route 53: ChangeResourceRecordSets, https response error StatusCode: 400, RequestID: d74ec2d6-69cd-4cfc-9106-cea59f3ef3dd, InvalidChangeBatch: [RRSet with DNS name _acme-challenge.test.acc.net. is not permitted in zone schwarz.com.]

For instance, the API credentials are for schwarz.com but the domain acc.net is incorrectly associated to that provider.