[acme.sh]Incorrect TXT record when there are a lot of domains

awsl · January 2, 2021, 3:04pm

My domain is:awslblog.com

I ran the command below:

acme.sh --issue --challenge-alias _acme.awsl.blog --dns dns_cf -d awslblog.com \
-d awsl.tech -d awsl.wtf -d ngksp.ga -d ngksp.gq -d ngksp.ml -d ngksp.tk -d nmsl8.cf -d nmsl8.ga -d nmsl8.gq -d nmsl8.ml -d nmsl8.tk -d thinking.gq -d thinkingnull.cf -d thinkingnull.ga -d thinkingnull.gq -d thinkingnull.ml -d thinkingnull.tk \
-d *.awslblog.com -d *.awsl.tech -d *.awsl.wtf -d *.ngksp.ga -d *.ngksp.gq -d *.ngksp.ml -d *.ngksp.tk -d *.nmsl8.cf -d *.nmsl8.ga -d *.nmsl8.gq -d *.nmsl8.ml -d *.nmsl8.tk -d *.thinking.gq -d *.thinkingnull.cf -d *.thinkingnull.ga -d *.thinkingnull.gq -d *.thinkingnull.ml -d *.thinkingnull.tk \
-d awneed.icu --dns dns_cf --challenge-alias awneed.icu \
-d plashspeed.tech --dns dns_cf --challenge-alias plashspeed.tech \
-d *.awneed.icu --dns dns_cf --challenge-alias awneed.icu \
-d *.plashspeed.tech --dns dns_cf --challenge-alias plashspeed.tech \
-d awsl.blog --dns dns_cf --challenge-alias awsl.blog \
-d *.awsl.blog --dns dns_cf --challenge-alias awsl.blog \
--test --dnssleep 100 --keylength ec-256

It produced this output https://paste.ubuntu.com/p/BMjVY3CN4V

[Sat Jan  2 20:38:45 CST 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Jan  2 20:38:46 CST 2021] _ret='0'
[Sat Jan  2 20:38:46 CST 2021] code='200'
[Sat Jan  2 20:38:46 CST 2021] *.awslblog.com:**Verify error:Incorrect TXT record** 
[Sat Jan  2 20:38:46 CST 2021] Skip for removelevel:
[Sat Jan  2 20:38:46 CST 2021] pid
[Sat Jan  2 20:38:46 CST 2021] No need to restore nginx, skip.
[Sat Jan  2 20:38:46 CST 2021] _clearupdns

My web server is (include version):
nginx/1.19.6 I use dns challenge,so web server isn't important.
The operating system my web server runs on is (include version):
Linux version #35~18.04.1-Ubuntu SMP Thu Dec 10 09:22 UTC 2020, release 5.4.0, machine x86_64

I can login to a root shell on my machine (yes or no, or I don't know):yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):acme.sh/v2.8.8

I try to create wildcard certificates for 21*2 domains at a time,but it said Verify error:Incorrect TXT record after I waiting 300 seconds. I use cloudflare , all the free domains are CNAME to _acme-challenge.awsl.blog ,and other domains can be direct controlled via cloudflare api.
I have tried to remove some domains,and it works correctly , but when I add all 42 domains in cert, it failed.I watched cloudflare dashboard while waiting for dnssleep , obviously some of TXT records were added correctly(But I'm not sure if everything is correct),What's wrong? I don't want to reduce the number of domain names in the certificate.

Osiris · January 2, 2021, 2:12pm

Have you tried increasing the dnssleep option? Sometimes DNS propogation is quite slow. I've read about users on this Community (with probably different DNS providers tho) with succes only when waiting for like, 10 or 15 minutes.

JuergenAuer · January 2, 2021, 2:21pm

Hi @awsl

that's expected, see https://check-your-website.server-daten.de/?q=awsl.blog

*.awsl.blog has a CNAME to awsl.eastasia.cloudapp.azure.com, so that domain is checked, not your Cloudflare domain.

PS:

_acme-challenge.awslblog.com goes to _acme-challenge.awsl.blog, but the second has the next CNAME.

PPS: May be my idea is wrong. If _acme-challenge.awsl.blog is created via acme.sh, that's more specific then the wildcard, so that should block the wildcard. Is this correct if the wildcard is a CNAME? Good question.

awsl · January 2, 2021, 2:18pm

Thank you for your suggestion.I thought 300 seconds are enough , and acme.sh use 20s as default. When there are less than 10 domain names in the certificate, dnssleep 10s can work.So I guess DNS propogation is not the main problem.

JuergenAuer · January 2, 2021, 2:28pm

awsl:

acme.sh --issue --challenge-alias _acme.awsl.blog --dns dns_cf -d awslblog.com \
-d awsl.tech -d awsl.wtf -d ngksp.ga -d ngksp.gq -d ngksp.ml -d ngksp.tk -d nmsl8.cf -d nmsl8.ga -d nmsl8.gq -d nmsl8.ml -d nmsl8.tk -d thinking.gq -d thinkingnull.cf -d thinkingnull.ga -d thinkingnull.gq -d thinkingnull.ml -d thinkingnull.tk \
-d *.awslblog.com -d *.awsl.tech -d *.awsl.wtf -d *.ngksp.ga -d *.ngksp.gq -d *.ngksp.ml -d *.ngksp.tk -d *.nmsl8.cf -d *.nmsl8.ga -d *.nmsl8.gq -d *.nmsl8.ml -d *.nmsl8.tk -d *.thinking.gq -d *.thinkingnull.cf -d *.thinkingnull.ga -d *.thinkingnull.gq -d *.thinkingnull.ml -d *.thinkingnull.tk \
-d awneed.icu --dns dns_cf --challenge-alias awneed.icu \
-d plashspeed.tech --dns dns_cf --challenge-alias plashspeed.tech \
-d *.awneed.icu --dns dns_cf --challenge-alias awneed.icu \
-d *.plashspeed.tech --dns dns_cf --challenge-alias plashspeed.tech \
-d awsl.blog --dns dns_cf --challenge-alias awsl.blog \
-d *.awsl.blog --dns dns_cf --challenge-alias awsl.blog \
--test --dnssleep 100 --keylength ec-256

I'm not firm with acme.sh. But is your command correct?

First line - first the challenge-alias, then the -d parameter. But later:

First the -d, then the challenge-alias? Looks like some combinations alias / domain are wrong.

awsl · January 2, 2021, 2:32pm

Hi,here's acme.sh wiki page https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode .This is just a rough demonstration.I followed it and I'm not sure if I am right. But it works when only 10 domains in a cert.

JuergenAuer · January 2, 2021, 3:24pm

There you see: First the -d, then the alias. So

may not be used.

Osiris · January 2, 2021, 2:41pm

By the way, you also have a -d awneed.icu before you have the --challenge-alias awneed.icu. That's probably also not going to work I guess.

awsl · January 2, 2021, 2:42pm

Interestingly, the problem domain has changed.
[Sat Jan 2 22:35:29 CST 2021] code='200'
[Sat Jan 2 22:35:29 CST 2021] ngksp.ga:Verify error:Incorrect TXT record
[Sat Jan 2 22:35:29 CST 2021] Skip for removelevel:
[Sat Jan 2 22:35:29 CST 2021] pid
[Sat Jan 2 22:35:29 CST 2021] No need to restore nginx, skip.
[Sat Jan 2 22:35:30 CST 2021] _clearupdns

awsl · January 2, 2021, 2:46pm

It seems that -d first then --challenge-aliasand--dns.I'll retry my command later.

Osiris · January 2, 2021, 3:23pm

Indeed, the examples say the order is:

-d ${DOMAINS} --challenge-alias ${ALIAS} --dns ${DNS_PROVIDER}

awsl · January 2, 2021, 3:24pm

It seems you are right. I thought I could abbreviate the command, but I couldn't.
I successfully got the certificate using the following command.The size of fullchains are 3.81kb，just 0.5kb bigger than single domain cert !
Now you can pay a visit to awsl.blog to see the cert with so many domains.
Thanks to everyone who helped me!

acme.sh --issue -d awslblog.com --challenge-alias awsl.blog --dns dns_cf
-d awsl.tech --challenge-alias awsl.blog --dns dns_cf
-d awsl.wtf --challenge-alias awsl.blog --dns dns_cf
-d ngksp.ga --challenge-alias awsl.blog --dns dns_cf
-d ngksp.gq --challenge-alias awsl.blog --dns dns_cf
-d ngksp.ml --challenge-alias awsl.blog --dns dns_cf
-d ngksp.tk --challenge-alias awsl.blog --dns dns_cf
-d nmsl8.cf --challenge-alias awsl.blog --dns dns_cf
-d nmsl8.ga --challenge-alias awsl.blog --dns dns_cf
-d nmsl8.gq --challenge-alias awsl.blog --dns dns_cf
-d nmsl8.ml --challenge-alias awsl.blog --dns dns_cf
-d nmsl8.tk --challenge-alias awsl.blog --dns dns_cf
-d thinking.gq --challenge-alias awsl.blog --dns dns_cf
-d thinkingnull.cf --challenge-alias awsl.blog --dns dns_cf
-d thinkingnull.ga --challenge-alias awsl.blog --dns dns_cf
-d thinkingnull.gq --challenge-alias awsl.blog --dns dns_cf
-d thinkingnull.ml --challenge-alias awsl.blog --dns dns_cf
-d thinkingnull.tk --challenge-alias awsl.blog --dns dns_cf
-d *.awslblog.com --challenge-alias awsl.blog --dns dns_cf
-d *.awsl.tech --challenge-alias awsl.blog --dns dns_cf
-d *.awsl.wtf --challenge-alias awsl.blog --dns dns_cf
-d *.ngksp.ga --challenge-alias awsl.blog --dns dns_cf
-d *.ngksp.gq --challenge-alias awsl.blog --dns dns_cf
-d *.ngksp.ml --challenge-alias awsl.blog --dns dns_cf
-d *.ngksp.tk --challenge-alias awsl.blog --dns dns_cf
-d *.nmsl8.cf --challenge-alias awsl.blog --dns dns_cf
-d *.nmsl8.ga --challenge-alias awsl.blog --dns dns_cf
-d *.nmsl8.gq --challenge-alias awsl.blog --dns dns_cf
-d *.nmsl8.ml --challenge-alias awsl.blog --dns dns_cf
-d *.nmsl8.tk --challenge-alias awsl.blog --dns dns_cf
-d *.thinking.gq --challenge-alias awsl.blog --dns dns_cf
-d *.thinkingnull.cf --challenge-alias awsl.blog --dns dns_cf
-d *.thinkingnull.ga --challenge-alias awsl.blog --dns dns_cf
-d *.thinkingnull.gq --challenge-alias awsl.blog --dns dns_cf
-d *.thinkingnull.ml --challenge-alias awsl.blog --dns dns_cf
-d *.thinkingnull.tk --challenge-alias awsl.blog --dns dns_cf
-d awneed.icu --challenge-alias awneed.icu --dns dns_cf
-d plashspeed.tech --challenge-alias plashspeed.tech --dns dns_cf
-d *.awneed.icu --challenge-alias awneed.icu --dns dns_cf
-d *.plashspeed.tech --challenge-alias plashspeed.tech --dns dns_cf
-d awsl.blog --challenge-alias awsl.blog --dns dns_cf
-d *.awsl.blog --challenge-alias awsl.blog --dns dns_cf
--test --dnssleep 10 --keylength ec-256

sahsanu · January 2, 2021, 3:39pm

You don't need to use --challenge-alias and --dns parameters on every domain, this command should work fine:

acme.sh --issue -d awslblog.com 
-d awsl.tech
-d awsl.wtf
-d ngksp.ga
-d ngksp.gq
-d ngksp.ml
-d ngksp.tk
-d nmsl8.cf
-d nmsl8.ga
-d nmsl8.gq
-d nmsl8.ml
-d nmsl8.tk
-d thinking.gq
-d thinkingnull.cf
-d thinkingnull.ga
-d thinkingnull.gq
-d thinkingnull.ml
-d thinkingnull.tk
-d *.awslblog.com
-d *.awsl.tech
-d *.awsl.wtf
-d *.ngksp.ga
-d *.ngksp.gq
-d *.ngksp.ml
-d *.ngksp.tk
-d *.nmsl8.cf
-d *.nmsl8.ga
-d *.nmsl8.gq
-d *.nmsl8.ml
-d *.nmsl8.tk
-d *.thinking.gq
-d *.thinkingnull.cf
-d *.thinkingnull.ga
-d *.thinkingnull.gq
-d *.thinkingnull.ml
-d *.thinkingnull.tk
-d awsl.blog
-d *.awsl.blog --challenge-alias awsl.blog --dns dns_cf
-d awneed.icu
-d *.awneed.icu --challenge-alias awneed.icu --dns dns_cf
-d plashspeed.tech
-d *.plashspeed.tech --challenge-alias plashspeed.tech --dns dns_cf
--test --dnssleep 10 --keylength ec-256