CNAME domain name cannot obtain certificate through DNS

[hhs66317]

Welcome

• Yes, I'm using a binary release within 2 latest releases.
• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've included all information below (version, config, etc).

What did you expect to see?

I need to get the certificate through DNS method, and the domain name points to the dynamic DNS domain name in the router through CName method. The dynamic DNS domain name is not controlled, how should it be handled

What did you see instead?

How do you use lego?

Binary

Reproduction steps

lego --email [email protected] --dns tencentcloud --domains nas.yyyyyyy.top --domains *.nas.yyyyyyy.top --dns.propagation-disable-ans --dns.resolvers 114.114.114.114 run

Effective version of lego

D:\Software\lego>lego --version
lego version 4.22.2 windows/amd64

Logs

D:\Software\lego>lego --email [email protected] --dns tencentcloud --domains nas.yyyyyyy.top --domains *.nas.yyyyyyy.top --dns.propagation-disable-ans --dns.resolvers 114.114.114.114 run
2025/03/04 11:34:55 [INFO] [nas.yyyyyyy.top, *.nas.yyyyyyy.top] acme: Obtaining bundled SAN certificate
2025/03/04 11:34:56 [INFO] [*.nas.yyyyyyy.top] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/123123123/456456456
2025/03/04 11:34:56 [INFO] [nas.yyyyyyy.top] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/123123123/456456456
2025/03/04 11:34:56 [INFO] [*.nas.yyyyyyy.top] acme: use dns-01 solver
2025/03/04 11:34:56 [INFO] [nas.yyyyyyy.top] acme: Could not find solver for: tls-alpn-01
2025/03/04 11:34:56 [INFO] [nas.yyyyyyy.top] acme: Could not find solver for: http-01
2025/03/04 11:34:56 [INFO] [nas.yyyyyyy.top] acme: use dns-01 solver
2025/03/04 11:34:56 [INFO] [*.nas.yyyyyyy.top] acme: Preparing to solve DNS-01
2025/03/04 11:34:56 [INFO] Found CNAME entry for "_acme-challenge.nas.yyyyyyy.top.": "ros.yyyyyyy.top."
2025/03/04 11:34:56 [INFO] Found CNAME entry for "ros.yyyyyyy.top.": "abc11111111.sn.mynetname.net."
2025/03/04 11:34:59 [INFO] [nas.yyyyyyy.top] acme: Preparing to solve DNS-01
2025/03/04 11:34:59 [INFO] Found CNAME entry for "_acme-challenge.nas.yyyyyyy.top.": "ros.yyyyyyy.top."
2025/03/04 11:34:59 [INFO] Found CNAME entry for "ros.yyyyyyy.top.": "abc11111111.sn.mynetname.net."
2025/03/04 11:35:01 [INFO] [*.nas.yyyyyyy.top] acme: Cleaning DNS-01 challenge
2025/03/04 11:35:01 [INFO] Found CNAME entry for "_acme-challenge.nas.yyyyyyy.top.": "ros.yyyyyyy.top."
2025/03/04 11:35:01 [INFO] Found CNAME entry for "ros.yyyyyyy.top.": "abc11111111.sn.mynetname.net."
2025/03/04 11:35:01 [WARN] [*.nas.yyyyyyy.top] acme: cleaning up failed: tencentcloud: failed to get hosted zone: zone mynetname.net. not found in dnspod for domain abc11111111.sn.mynetname.net.
2025/03/04 11:35:01 [INFO] [nas.yyyyyyy.top] acme: Cleaning DNS-01 challenge
2025/03/04 11:35:01 [INFO] Found CNAME entry for "_acme-challenge.nas.yyyyyyy.top.": "ros.yyyyyyy.top."
2025/03/04 11:35:01 [INFO] Found CNAME entry for "ros.yyyyyyy.top.": "abc11111111.sn.mynetname.net."
2025/03/04 11:35:02 [WARN] [nas.yyyyyyy.top] acme: cleaning up failed: tencentcloud: failed to get hosted zone: zone mynetname.net. not found in dnspod for domain abc11111111.sn.mynetname.net.
2025/03/04 11:35:02 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/123123123/456456456
2025/03/04 11:35:03 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/123123123/456456456
2025/03/04 11:35:03 Could not obtain certificates:
        error: one or more domains had a problem:
[*.nas.yyyyyyy.top] [*.nas.yyyyyyy.top] acme: error presenting token: tencentcloud: failed to get hosted zone: zone mynetname.net. not found in dnspod for domain abc11111111.sn.mynetname.net.
[nas.yyyyyyy.top] [nas.yyyyyyy.top] acme: error presenting token: tencentcloud: failed to get hosted zone: zone mynetname.net. not found in dnspod for domain abc11111111.sn.mynetname.net.

Go environment (if applicable)

$ go version && go env
# paste output here

[ldez]

https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/#the-advantages-of-a-cname

[zhakexie]

Hello, I have the same problem as you, but I am different in that I have two domains, one of which can apply for a certificate normally, while the other domain name cannot apply for a certificate

[zhakexie]

你可以看看你的解析记录里面是不是有URL类型的泛域名,比如(www.xxxx.com)， 可以先把这个解析暂停，然后就可以正常的申请证书

[MasinAD]

I stumbled upon the same problem today while investigating why my cert hasn't renewed yet.

I use AVM's MyFritz DynDNS service to access my internally hosted services. For this, I CNAME a subdomain to the DynDNS address record of MyFritz.

I had my cert issued without problems initially. But on renewal it fails. lego seems to resolve the CNAME record and then use the resulting domain to determine the zone for further token actions. This, of course, is wrong :-). AFAIU Let's Encrypt's CNAME handling it is about setting a CNAME record for _acme-challenge.subdomain.example.com and then follow this to its target, not following a CNAME record for subdomain.example.com. In my case the CNAME subdomain.example.com should never be resolved to longuniqueid.myfritz.net for matters of determining the correct zone.

By disabling the CNAME support I get the correct behaviour.

LEGO_DISABLE_CNAME_SUPPORT=true lego …

Why I think it's a bug? I stated my view above. The workaround shouldn't be necessary and might even make it impossible to use the CNAME support as intended in the future when a user wants to migrate the domain handling to a CDN.

[hhs66317]

I tried using the method you provided, and the same problem still exists
LEGO_DISABLE_CNAME_SUPPORT=true

[.nas.xxxx.top] [.nas.xxxx.top] acme: error presenting token: tencentcloud: failed to get hosted zone: zone mynetname.net. not found in dnspod for domain 888888888888.sn.mynetname.net.
[nas.xxxx.top] [nas.xxxx.top] acme: error presenting token: tencentcloud: failed to get hosted zone: zone mynetname.net. not found in dnspod for domain 888888888888.sn.mynetname.net.