Addon Domain: Manage Subdomain(s) Only, not the Primary Domain

[liebn0r]

I have an account, my main account, let's call it Blue and it hosts blue.com on IP 1.2.3.4 (for sake of example). My friend has a domain on their own server, let's call it buddy.com (for sake of example). We want my server to handle all wildcard domains (*.buddy.com) not already being managed by buddy.com's DNS, specifically on the Blue account because that has all the software and environment on it we want to handle *.buddy.com's traffic. We also want SSL enabled.

I'm really close to figuring this out. Here's what I know I need to do:

• My friend adds DNS records for buddy.com:
  *.buddy.com 1.2.3.4 300
  _cpanel-dcv-test-record.buddy.com ns1.blue.com 300
  _acme-challenge.buddy.com ns1.blue.com 300
• I add all of buddy.com's nameserver IPs to "Configure Remote Service IPs"
• I go into the Blue cPanel account and... somehow magically (this is the part I can't figure out) only add *.buddy.com as an addon subdomain and configure it do the subdirectory I want to handle its traffic
• I install the letsencrypt plugin for AutoSSL and run it for the Blue account

Now I can accomplish this if I add buddy.com as an addon domain with all of the subdomain and DNS configuration that comes with it including www and webmail and cpanel etc etc and then add *.buddy.com as a wildcard subdomain, but ***I don't want*** the server to try to manage the buddy.com primary domain, I only want to manage the wildcard subdomain.

Is there a way to do this properly? If not, to what extent can I edit the DNS records and remove all the crap I don't want? How else can I trim this down to configure only the minimum necessary to accomplish what I want?

 

[cPRex]

Hey there! I think you're doing everything correctly. Since the DNS for buddy.com isn't managed and also isn't pointed to your machine, the site itself won't point here even though it may create that domain as part of your setup process. It will exist on the server, but just not be used.

After you create the domain you're welcome to remove any DNS records that you aren't using, such as the "cpanel" and "webmail" entries as that won't negatively impact the account at all.

 

[liebn0r]

I'm having an issue with Let's Encrypt not validating these domains:



It's trying to perform DCV on the root domain which is not hosted on the server, only wildcard domains are. How do I fix this? Can I somehow instruct Let's Encrypt to perform DCV on a subdomain to verify the wildcard certificate?

 

[cPRex]

While it may not be able to verify the root domain, it should then move on to any other domains that are set up on the account. Is that not happening?

 

[liebn0r]

I'm not sure I understand the question. There are other domains on the account that have the root domain hosted on the server and they're passing. The system isn't securing SSL certificates for the wildcard domains described in the original post.

 

[cPRex]

Is the domain actually configured on the server as *.domain.com?

 

[liebn0r]

Yes, here you can see the line items:

Also the root domains are listed since there's no way to exclude them:

 

[cPRex]

Thanks for that - you are correct that you would need to be using Let's Encrypt, but the issue is with DNS verification:

https://docs.cpanel.net/knowledge-base/third-party/the-lets-encrypt-plugin/

"If you use the Let's Encrypt plugin to issue certificates for wildcard domains, be aware that:

This plugin cannot use HTTP DCV challenges to issue certificates for wildcard domains. This is because Let's Encrypt does not support this type of challenge. For more information, read Let's Encrypt's HTTP-01 challenge type documentation.

You cannot use this plugin to obtain certificates for wildcard domains if you use third-party DNS hosting. You must host DNS on your local cPanel & WHM server or within the server's DNS cluster."

 

[liebn0r]

The _cpanel-dcv-test-record and _acme-challenge DNS records are pointed to the server. That worked in the initial setup, I'm not sure why it's not working now.

 

[cPRex]

If you'd like to submit a ticket we'd be happy to check the configuration of the machine and make sure everything is in place.

 

[liebn0r]

For the record, I opened a ticket for this, and it's not going well. I'm getting passed between so many different support people, and each one starts over without thoroughly reading the ticket and coming up with new explanations or bringing up issues that have already been addressed. My responses and questions go unanswered, there's no consistency whatsoever.

The root domain DNS (i.e. REDACTED) has the DCV subdomain records (_cpanel-dcv-test-record and _acme-challenge) set to my server's nameservers (it was ns1.bid.glass and ns2.bid.glass but someone told me to switch it to server.bid.glass and then I got passed off to someone else). A dig of _cpanel-dcv-test-record.REDACTED.io has no answer. A dig trace of _cpanel-dcv-test-record.REDACTED shows that my cPanel server is the one responding. A DNS lookup for the TXT record for _cpanel-dcv-test-record.carsheet.io reports the TXT record set by my cPanel server. What's going wrong here?

 

[cPRex]

Changing nameservers doesn't sound like something we'd normally recommend. Can you post the ticket number here so I can review the situation?

 

[liebn0r]

94323479

 

[cPRex]

Thanks for that - I do see the ticket was escalated from Level 1 support and eventually making its way to Level 3, and was only passed to new technicians while shift changes were happening. If you don't believe the ticket was handled properly, you can request to work directly with a supervisor through that ticket and we'll be happy to do that.

It still seems there are problems with the DNS configuration with those records that is keeping the workaround from working properly. It's also worth noting that the configuration you're trying to implement is not something that is officially supported.

 

[liebn0r]

I'm just trying to find a solution.

 

[cPRex]

I honestly don't think there is a perfect solution here as the method you are trying to get AutoSSL working isn't something that is officially supported by either cPanel or Let'sEncrypt.

 

[liebn0r]

Well, it did work originally, that's why there are valid wildcard SSL certificates for those domains in the first place. According to the logs, Let's Encrypt is only attempting HTTP-based DCV, not DNS-based DCV. I wonder if it would pass if it attempted DNS-based DCV because the TXT records are getting updated correctly, but I don't know how the authentication process is managed by WHM/Let'sEncrypt.

 

[cPRex]

I see you've replied with that into to the ticket as well, so the level 3 techs will be replying to that soon with more details.