_acme-challenge name collision getting wildcard cer

Briefly, I’m trying to get a wildcard cert that also includes the base domain:

openssl req -text -noout -verify -in star.dirtside.com.csr
X509v3 Subject Alternative Name:
DNS:dirtside.com, DNS:*.dirtside.com, DNS:*.dirtside.net, DNS:dirtside.net, DNS:*.dirtside.org, DNS:dirtside.org

This causes certbot to generate _acme-challenge.domain.name twice with two different values. When it attempts to then verify the colliding names, half of them of course fail.

My domain is: dirtside.com

I ran this command:
certbot certonly --config certbot.ini --csr ./$D.csr --manual --preferred-challenges dns --preferred-challenges dns --server https://acme-staging-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok --manual-auth-hook challenge.sh

It produced this output:
Saving debug log to /home/herrin/certbot/star/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Performing the following challenges:
dns-01 challenge for dirtside.com
dns-01 challenge for dirtside.net
dns-01 challenge for dirtside.org
dns-01 challenge for dirtside.com
dns-01 challenge for dirtside.net
dns-01 challenge for dirtside.org
Output from challenge.sh:
server reload successful

Output from challenge.sh:
server reload successful

Output from challenge.sh:
server reload successful

Output from challenge.sh:
server reload successful

Output from challenge.sh:
server reload successful

Output from challenge.sh:
server reload successful

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. dirtside.net (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “n70IKgiDngge20rwtQqEo7CmOvxhpL8CwAIo0g5vsiE” found at _acme-challenge.dirtside.net, dirtside.org (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “QPj7n4VXXCBz6QV3kZm_8x58SnpZUrbs46tmKvvRWpg” found at _acme-challenge.dirtside.org, dirtside.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “T0bJfSBMRvTolXeKCQJoe_DAcdgDAQxRBYF4iKjawRQ” found at _acme-challenge.dirtside.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dirtside.net
    Type: unauthorized
    Detail: Incorrect TXT record
    “n70IKgiDngge20rwtQqEo7CmOvxhpL8CwAIo0g5vsiE” found at
    _acme-challenge.dirtside.net

    Domain: dirtside.org
    Type: unauthorized
    Detail: Incorrect TXT record
    “QPj7n4VXXCBz6QV3kZm_8x58SnpZUrbs46tmKvvRWpg” found at
    _acme-challenge.dirtside.org

    Domain: dirtside.com
    Type: unauthorized
    Detail: Incorrect TXT record
    “T0bJfSBMRvTolXeKCQJoe_DAcdgDAQxRBYF4iKjawRQ” found at
    _acme-challenge.dirtside.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): none

The operating system my web server runs on is (include version): Debian Linux Stable (Buster, 10)

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Note that when run without "--manual-auth-hook challenge.sh", the challenges only happen once, not twice, and it all works.

Both TXT records need to exist simultaneously. Your manual auth hook needs to add records without deleting existing records.

(Use a manual cleanup hook to delete them when finished.)

Might have been this mistake:

When I fixed that on the next domain I worked with, it only generated one challenge.

I don’t think that would be the reason.

A more likely cause is authorization caching. Once you have successfully completed an authorization on your ACME account, the CA will avoid asking you to repeat the same authorization for some period of time.

So, imagine that on the first try, you completed authorization #1, but failed authorization #2.

A subsequent run would only ask you to complete authorization #2.

How does your challenge.sh work? If it is RFC2136/nsupdate, there is a way to do things without blowing away the entire _acme-challenge RRSet every time.
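As an added illustration of the point made in the two replies above (add the TXT record without deleting existing ones, and delete only your own value on cleanup), here is a hook script written for this edit; it is not the original poster's challenge.sh and not certbot's own code. It assumes an RFC 2136 dynamic-update zone, a TSIG key file at the placeholder path in TSIG_KEY, a DNS server at the placeholder DNS_SERVER, and that certbot invokes it as `--manual-auth-hook "hook.sh add" --manual-cleanup-hook "hook.sh delete"`. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the environment variables certbot sets for manual hooks; the 30-second propagation wait is an assumption.

```shell
#!/bin/sh
# Added example: certbot manual auth/cleanup hook using nsupdate (RFC 2136).
# Each call ADDS one TXT value to the _acme-challenge RRset, so the wildcard
# and base-domain validations for the same name can coexist; cleanup deletes
# only the value this run added. Paths and server are placeholders.

TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"   # placeholder path (assumption)
DNS_SERVER="${DNS_SERVER:-127.0.0.1}"                # placeholder server (assumption)
TTL=60

# *.example.com and example.com both validate at _acme-challenge.example.com,
# so strip a leading "*." in case the domain arrives in wildcard form.
challenge_name() {
    domain="${1#"*."}"
    printf '_acme-challenge.%s\n' "$domain"
}

# nsupdate script that APPENDS a TXT value. "update add" never replaces the
# RRset, which is what lets two challenge values exist at the same time.
nsupdate_add_script() {
    name=$(challenge_name "$1")
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$2"
    printf 'send\n'
}

# nsupdate script that DELETES exactly one value. Note the value is included:
# "update delete <name> TXT" with no value would wipe the whole RRset, which
# is the mistake that makes the second validation fail.
nsupdate_delete_script() {
    name=$(challenge_name "$1")
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update delete %s IN TXT "%s"\n' "$name" "$2"
    printf 'send\n'
}

# Entry point when certbot runs the hook: "add" for the auth hook,
# "delete" for the cleanup hook.
run_hook() {
    case "$1" in
        add)
            nsupdate_add_script "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
            sleep 30   # allow secondaries/resolvers to see the new record (assumed delay)
            ;;
        delete)
            nsupdate_delete_script "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
            ;;
        *)
            echo "usage: $0 add|delete" >&2
            return 2
            ;;
    esac
}

# Only talk to a real DNS server when certbot has set its variables.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    run_hook "$1"
fi
```

Because certbot runs the auth hook once per identifier, the base domain and the wildcard each get their own `update add`, and after both calls the RRset holds two TXT values, which is exactly what the CA expects to find.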
