_acme-challenge for wildcard multilevel ssl

Need help how can i get wildcard certificate for multilevel domain.
I already tried creating txt record but still getting failed.

My domain is:
A0140.gotechsolutions.net in which Godaddy DNS Records it points to NS type ns1.dnslegend.org

I ran this command:
sudo certbot-auto certonly --manual --preferred-challenges=dns --email it@gotechsolutions.net --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.A0140.gotechsolutions.net

It produced this output:
Challenge failed for domain a0140.gotechsolutions.net

  • The following errors were reported by the server:
    Domain: a0140.gotechsolutions.net
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.a0140.gotechsolutions.net - check that a DNS record
    exists for this domain

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.2.0

I tried using this command
dig _acme-challenge.a0140.gotechsolutions.net txt

This is the output
; <<>> DiG 9.9.5-3-Ubuntu <<>> _acme-challenge.a0140.gotechsolutions.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43461
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.a0140.gotechsolutions.net. IN TXT

;; AUTHORITY SECTION:
a0140.gotechsolutions.net. 60 IN SOA dns.dnsengine.org. nobody.invalid. 2020021744 10800 3600 1209600 3600

;; Query time: 243 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Tue Feb 18 08:32:39 UTC 2020
;; MSG SIZE rcvd: 137

Hi @kyanklee

you use --manual, so you have to create a TXT with a special domain name and a special value.

But checking your domain there is no TXT entry visible - https://check-your-website.server-daten.de/?q=a0140.gotechsolutions.net#txt

Should look like

How did you create the required TXT entry?

PS: Ah, checked your main domain that looks better - https://check-your-website.server-daten.de/?q=gotechsolutions.net#txt

So your menu adds the domain name.

So you have to create an entry with

_acme-challenge.a0140

then the menu completes your domain name.

Hi @JuergenAuer
Good day
I already added it in the dns records but still not recognize

That’s the same old value.

If one value is checked and is wrong, you must create a new order -> new token -> new value.

Start a new order, add the TXT entry. Then use the online tool or dig to check if the value is correct. Then confirm it, so Letsencrypt checks the value.

1 Like

This is not your NS record.
Your NS for this subdomain points to

dns.dnsengine.org 210.57.28.106 2607:7700:0:2a:0:1:cdb1:d1e7

(The IPs might be wrong since my ISP had a history of modifying IPv6 records)

Also, your DNS record panel is still GoDaddy. If you added an NS record, servers will ignore anything you setup on your original NS server and ask the NS you set for the subdomain.

You’ll need to modify records on the DNS provider you delegates to.

Thank you

Hi @stevenzhu

It is intended that only this subdomain a0140.gotechsolutions.net points to ns1.dnslegend.org
but ns1.dnslegend.org is not ours

Is there a way to get free wildcard ssl for this multilevel subdomain?

Unfortunately, no. You must prove control with DNS validation in order to request wildcard certificate.

Thank you

1 Like

Is it possible if i point first a0140.gotechsolutions.net to my server to validate wildcard certificate
After validating i will point it again to ns1.dnslegend.org?

1 Like

It is entirely possible. However this will create manual works and can’t be used in automatic renewal.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.