acme Let's Encrypt Wildcards

For simplicity, I have been using Cloudflare to manage my DNS. I also use pfSense as my router, so I installed the acme cert renewer package in pfSense. For this post, however, I am only concerned with the acme and Cloudflare DNS setup needed to generate certs for my domain and all of its sub-domains. The domain itself is easy; there is plenty of content on setting up domain cert generation between acme and Cloudflare. That is not true for sub-domains, so this article focuses on getting that working.

Step 1 - Set up a CNAME

That seems simple enough if you know what you are doing. However, it took me a few days to understand how Cloudflare handles it.

  1. Understand Name and Content
    • Name is the record name under the sub-domain that will be aliased to a record on the top-level domain. For example, dmz.alshowto.com is the sub-domain, and I want its challenge record aliased to a TXT record on alshowto.com.
      • Set Name to _acme-challenge.dmz; Cloudflare then completes it with the TLD (Top Level Domain), i.e. the zone name alshowto.com.
    • Content is the actual record the CNAME points to, the one that will hold the TXT. In my case:
      • I set it to acme.alshowto.com.
      • When acme.sh runs it creates a TXT record at acme.alshowto.com containing a generated one-time key, very similar to how it normally uses _acme-challenge for plain domains, except that it uses the unique name I specified. Note: this helps with multiple domains, since I set each one up with a unique name so there are not multiple _acme-challenge records during cert renewal.
    • This is set up this way to match the --domain-alias flag in acme.sh; a real --domain-alias command for the ad sub-domain is shown in step 2 (dmz is set up the same way with its own alias).
  2. Configure acme.sh correctly with all the Cloudflare keys
    • This is mostly beyond the scope of this article. I will show the key elements but will not elaborate on them, as there are many articles explaining this process; I also list them below.
    • You need to create at least two domain entries, one for *.sub.domain.com and one for sub.domain.com.
    • Example of acme.sh (the full command as pfSense runs it, broken across lines with \ for readability):
      /usr/local/pkg/acme/acme.sh --issue \
        --domain '*.ad.alshowto.com' --domain-alias 'acme2.alshowto.com' --dns 'dns_cf' \
        --domain 'ad.alshowto.com' --domain-alias 'acme2.alshowto.com' --dns 'dns_cf' \
        --home '/tmp/acme/real-ad.alshowto.com/' \
        --accountconf '/tmp/acme/real-ad.alshowto.com/accountconf.conf' \
        --force \
        --reloadCmd '/tmp/acme/real-ad.alshowto.com/reloadcmd.sh' \
        --log-level 3 --log '/tmp/acme/real-ad.alshowto.com/acme_issuecert.log'
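Added example (my own Python, not acme.sh's code or the author's): an offline check that the CNAME layout from step 1 matches the --domain-alias values used in step 2, following the CNAME chain the way a validator would and counting how many TXT records one --issue run lands at each alias. The ZONE snapshot is constructed from the record names in this post; a real check would read the zone from the Cloudflare API or a resolver.

```python
# Offline pre-flight check of the DNS-alias layout described above.
# Constructed example, not acme.sh's code: ZONE stands in for a snapshot
# of the Cloudflare zone and uses the record names from this post.

# Constructed zone snapshot: record name -> list of (type, value)
ZONE = {
    "_acme-challenge.dmz.alshowto.com": [("CNAME", "acme.alshowto.com")],
    "_acme-challenge.ad.alshowto.com": [("CNAME", "acme2.alshowto.com")],
}

def challenge_name(domain):
    # '*.ad.x' and 'ad.x' are both validated at _acme-challenge.ad.x,
    # so the leading '*.' is dropped before prefixing.
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"

def resolve_cname(zone, name, max_hops=8):
    # Follow CNAMEs from `name`; the final name is where a validator
    # actually looks for the TXT record.
    seen = []
    while name not in seen:
        if len(seen) >= max_hops:
            raise ValueError(f"CNAME chain from {seen[0]} is too long")
        seen.append(name)
        targets = [v for t, v in zone.get(name, []) if t == "CNAME"]
        if not targets:
            return name
        name = targets[0]
    raise ValueError(f"CNAME loop starting at {seen[0]}")

def check_alias(zone, domain, alias):
    # True when the TXT that --domain-alias writes at `alias` is the
    # record the challenge name for `domain` resolves to.
    cname = challenge_name(domain)
    final = resolve_cname(zone, cname)
    if final == alias:
        return True, f"{domain}: {cname} -> {alias}, TXT lands at {alias}"
    if final == cname:
        return False, f"{domain}: no CNAME at {cname}; add one -> {alias}"
    return False, f"{domain}: {cname} resolves to {final}, expected {alias}"

def txt_plan(zone, pairs):
    # Count the TXT records one --issue run will add at each alias; the
    # wildcard and its base name each add one at the same alias.
    plan = {}
    for domain, alias in pairs:
        if check_alias(zone, domain, alias)[0]:
            plan[alias] = plan.get(alias, 0) + 1
    return plan
```

Running check_alias for each --domain/--domain-alias pair before --issue catches a missing or mistyped CNAME without burning a Let's Encrypt rate-limit slot.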

Other Sources of Info

So, as promised, I am going to provide a list of resources to help with this endeavor.
