[mrkurt]

DNS challenges weren't broken, they technically worked just fine. But they added an additional step to our setup process, and we were losing customers during signup because of it. We can still do the DNS challenge it's just not how we guide people through our setup.

Basically with the DNS challenge, we had to send people away to make DNS changes, have them come back and confirm they were approved, and then we sent them away _again_ to make another DNS change. It was kind of brutal.

(edit: we also tweaked the article to not imply "broken"!)

[infogulch]

So typical user engagement/onboarding complexity funnel issues not something inherent to the DNS/LE/Fly.

[cm2187]

Also my experience with DNS validation and let's encrypt is that propagation times can be variable. You do not know from where in the world the let's encrypt servers will contact your DNS, so you may see the new entries in your DNS, but it may not have been propagated yet to where let's encrypt query them. And then the validation failed and you need to start again from scratch. So you need to introduce some large delays to be safe.

Having DNS validation as an option is very useful, as not all certificates are used for http servers (think smtp) but not trivial to implement.

Also wildcard certs will require DNS validation.

[zAy0LfpBZLC8mAC]

Why would you need to send them away twice for DNS changes?!

[matahwoosh]

I'm assuming mrkurt meant that you send your users once to create a dns record (in case you haven't already) - you can add any hostname you want on Fly, it doesn't have to exist, yet. Then you go and create a DNS challenge for Let's Encrypt. Obviously, these 2 steps are orthogonal, but this is the reality of user onboarding.

[zAy0LfpBZLC8mAC]

But why would that need to be in two steps?

[mrkurt]

Well, it's two DNS entries. You could do them both at the same time, but people were getting that TXT record wrong pretty frequently, which would have meant https connections getting an invalid certificate had they changed their actual hostname at the same time.

Since we control the http response once DNS changes, we don't have that problem. And it's simpler for people to create CNAME/ALIAS records.

[zAy0LfpBZLC8mAC]

Erm ... you had people create TXT records? Why would you do that? Wouldn't people then have to manually update the TXT record on each certificate renew?!

Why not have them create a DNAME, a delegation, or just two CNAMEs?

[mrkurt]

txt records are the only way to do the dns-01 challenge with certbot/Let's Encrypt.

The http-01 challenge is simpler, we can get people setup with one CNAME/A-record.

Once we're serving traffic, we can do all renewals with an http challenge and they don't need to change DNS ever again.

[amigoingtodie]

I am guessing first time is for verification and second is for actual configuration.