While trying to issue a wildcard certificate to a domain, using DNS-RFC2136 (BIND) plugin in a “certonly” request, certbot registers two TXT _acme-challenge entries on my DNS server, and none matches the ACME challenge expected by the server. Therefore it fails verification.
This is happening with both the dns-rfc2136 plugin and a manual hook I’ve been happily using for the past 2+ years. My original certbot was an ancient 0.38 version, which was updated to 1.3.0 as part of a troubleshooting session.
The “certupdate” command is just a wrapper script that does a few things prior and after the certificate is issued.
It is my understanding that wildcard certificates are only issued if requested with a DNS challenge, so the HTTP-based options are a no-go for me. Any advice around this DNS challenge is welcome.
DNS problem: SERVFAIL looking up TXT for _acme-challenge.hquest.pro.br - the domain's nameservers may be malfunctioning
Running a test through any one of the DNS testing sites (Let's Debug), we can see there's a problem with the DNSSEC configuration of the domain:
DNS response for hquest.pro.br had fatal DNSSEC issues: validation failure <hquest.pro.br. CAA IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 2001:470:100::2 for key hquest.pro.br. while building chain of trust
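An added check, not from the thread or from certbot, for the failure that the Let's Debug output above points at: it rebuilds the DS record a parent zone should publish for a DNSKEY (RFC 4034 key tag and SHA-256 digest) and reports a DS whose algorithm or key tag no DNSKEY in the zone has, which is exactly when a validator can build no chain of trust. The zone name, key bytes and DS values are constructed placeholders; only digest type 2 (SHA-256) is implemented.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """DS record the parent should publish for this DNSKEY (digest type 2 = SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}

def check_chain(owner: str, dnskeys: list, ds_records: list) -> list:
    """Explain why each DS fails to match the zone's DNSKEY set; empty list = chain intact.
    A DS naming an algorithm/key tag that no DNSKEY carries is the 'no keys have a DS
    with algorithm ...' condition a validating resolver reports."""
    problems = []
    for ds in ds_records:
        if ds["digest_type"] != 2:
            problems.append(f"DS key tag {ds['key_tag']}: unsupported digest type {ds['digest_type']}")
            continue
        candidates = [k for k in dnskeys if key_tag(k) == ds["key_tag"] and k[3] == ds["algorithm"]]
        if not candidates:
            problems.append(f"no DNSKEY with key tag {ds['key_tag']} and algorithm {ds['algorithm']}")
        elif not any(make_ds(owner, k)["digest"] == ds["digest"] for k in candidates):
            problems.append(f"DS key tag {ds['key_tag']}: digest does not match the DNSKEY")
    return problems

# Constructed sample zone: one KSK (flags 257) using algorithm 13 (ECDSAP256SHA256).
# The public key bytes are a placeholder, not a real key.
ZONE = "example.test."
KSK = dnskey_rdata(257, 13, bytes(range(4)))
GOOD_DS = make_ds(ZONE, KSK)
# Stale DS left at the parent after a key/algorithm rollover: algorithm 7 (RSASHA1-NSEC3-SHA1).
STALE_DS = dict(GOOD_DS, algorithm=7, key_tag=12345)

if __name__ == "__main__":
    print("intact:", check_chain(ZONE, [KSK], [GOOD_DS]))
    print("broken:", check_chain(ZONE, [KSK], [STALE_DS]))
```

To run it against a real zone, feed `dnskeys` with the DNSKEY RDATA from the zone's apex and `ds_records` with what the parent actually serves; any non-empty result explains the DS that must be replaced at the registrar or upstream provider.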
HE does not support hosting master DNSSEC entries, however they work just fine as slave. And yep, seems there are more pressing concerns on my zone. Appreciate the hints - I assumed this piece was OK when it is not.
After fixing the DS record on my upstream provider for this domain, and letting a few minutes pass for the propagation to do its magic, I have it all set now, with brand new/renewed certificates!
Thank you @_az for the hint of the letsdebug website - added it to my links arsenal.