[tialaramex]

Would greatly benefit from explaining why they couldn't do dns-01 challenges successfully.

This an issue all the way from individuals with crappy or misconfigured DNS locally to whole TLDs (fortunately no really major ones) with non-working DNS. But it's often a teachable moment, something others can learn from.

[mrkurt]

DNS challenges weren't broken, they technically worked just fine. But they added an additional step to our setup process, and we were losing customers during signup because of it. We can still do the DNS challenge it's just not how we guide people through our setup.

Basically with the DNS challenge, we had to send people away to make DNS changes, have them come back and confirm they were approved, and then we sent them away _again_ to make another DNS change. It was kind of brutal.

(edit: we also tweaked the article to not imply "broken"!)

[infogulch]

So typical user engagement/onboarding complexity funnel issues not something inherent to the DNS/LE/Fly.

[cm2187]

Also my experience with DNS validation and let's encrypt is that propagation times can be variable. You do not know from where in the world the let's encrypt servers will contact your DNS, so you may see the new entries in your DNS, but it may not have been propagated yet to where let's encrypt query them. And then the validation failed and you need to start again from scratch. So you need to introduce some large delays to be safe.

Having DNS validation as an option is very useful, as not all certificates are used for http servers (think smtp) but not trivial to implement.

Also wildcard certs will require DNS validation.

[zAy0LfpBZLC8mAC]

Why would you need to send them away twice for DNS changes?!

[matahwoosh]

I'm assuming mrkurt meant that you send your users once to create a dns record (in case you haven't already) - you can add any hostname you want on Fly, it doesn't have to exist, yet. Then you go and create a DNS challenge for Let's Encrypt. Obviously, these 2 steps are orthogonal, but this is the reality of user onboarding.

[zAy0LfpBZLC8mAC]

But why would that need to be in two steps?

[mrkurt]

Well, it's two DNS entries. You could do them both at the same time, but people were getting that TXT record wrong pretty frequently, which would have meant https connections getting an invalid certificate had they changed their actual hostname at the same time.

Since we control the http response once DNS changes, we don't have that problem. And it's simpler for people to create CNAME/ALIAS records.

[zAy0LfpBZLC8mAC]

Erm ... you had people create TXT records? Why would you do that? Wouldn't people then have to manually update the TXT record on each certificate renew?!

Why not have them create a DNAME, a delegation, or just two CNAMEs?

[amigoingtodie]

I am guessing first time is for verification and second is for actual configuration.

[thaumaturgy]

I'd like to see that too, especially since I've been doing fully-automated Let's Encrypt with dns verification for hosted domains for well over a year now. I might be able to offer a solution to whatever issue they've had.

[cagenut]

would you consider writing up your system somewhere?