[Sat Jan 2 20:38:45 CST 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Jan 2 20:38:46 CST 2021] _ret='0'
[Sat Jan 2 20:38:46 CST 2021] code='200'
[Sat Jan 2 20:38:46 CST 2021] *.awslblog.com:**Verify error:Incorrect TXT record**
[Sat Jan 2 20:38:46 CST 2021] Skip for removelevel:
[Sat Jan 2 20:38:46 CST 2021] pid
[Sat Jan 2 20:38:46 CST 2021] No need to restore nginx, skip.
[Sat Jan 2 20:38:46 CST 2021] _clearupdns
My web server is (include version):
nginx/1.19.6. I use the DNS challenge, so the web server isn't important.
The operating system my web server runs on is (include version):
Linux version #35~18.04.1-Ubuntu SMP Thu Dec 10 09:22 UTC 2020, release 5.4.0, machine x86_64
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh/v2.8.8
I try to create wildcard certificates for 21*2 domains at a time, but it said "Verify error:Incorrect TXT record" after I waited 300 seconds. I use Cloudflare; all the free domains are CNAMEd to _acme-challenge.awsl.blog, and the other domains can be controlled directly via the Cloudflare API.
I have tried removing some domains, and it works correctly, but when I add all 42 domains to the cert, it fails. I watched the Cloudflare dashboard while waiting for dnssleep; obviously some of the TXT records were added correctly (but I'm not sure if everything is correct). What's wrong? I don't want to reduce the number of domain names in the certificate.
Have you tried increasing the dnssleep option? Sometimes DNS propagation is quite slow. I've read about users on this Community (with probably different DNS providers though) with success only when waiting for, like, 10 or 15 minutes.
*.awsl.blog has a CNAME to awsl.eastasia.cloudapp.azure.com, so that domain is checked, not your Cloudflare domain.
PS:
_acme-challenge.awslblog.com goes to _acme-challenge.awsl.blog, but the second has the next CNAME.
PPS: Maybe my idea is wrong. If _acme-challenge.awsl.blog is created via acme.sh, that's more specific than the wildcard, so that should block the wildcard. Is this correct if the wildcard is a CNAME? Good question.
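To make the CNAME and wildcard question above concrete, here is an added example (not code from the thread or from acme.sh): a toy resolver that follows CNAMEs the way a DNS-01 validator would and applies the RFC 4592 rule that a wildcard only matches when no exact owner name exists. The zone data is constructed from the names in the thread; the token value and the Azure address are placeholders.

```python
# Added example: model how a DNS-01 validator reaches the TXT record for
# _acme-challenge.<domain> when CNAMEs and a wildcard CNAME are involved.
MAX_CNAME_HOPS = 8  # assumption: simple guard against CNAME loops


def _lookup_owner(zone, name):
    """Exact owner name wins; otherwise synthesize from *.<parent> (RFC 4592).

    Simplification: only the immediate parent's wildcard is consulted.
    """
    if name in zone:
        return zone[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return zone.get("*." + parent, {})


def resolve_txt(zone, name):
    """Follow CNAMEs from `name`; return (final_owner, list of TXT values)."""
    seen = []
    for _ in range(MAX_CNAME_HOPS):
        rrset = _lookup_owner(zone, name)
        if "CNAME" in rrset:
            seen.append(name)
            name = rrset["CNAME"]
            if name in seen:
                raise ValueError("CNAME loop at " + name)
            continue
        return name, list(rrset.get("TXT", []))
    raise ValueError("too many CNAME hops")


# Constructed zone mirroring the thread: the free domain's challenge label
# is a CNAME to _acme-challenge.awsl.blog, and *.awsl.blog is a CNAME to an
# Azure host (address is a documentation placeholder).
ZONE = {
    "_acme-challenge.awslblog.com": {"CNAME": "_acme-challenge.awsl.blog"},
    "*.awsl.blog": {"CNAME": "awsl.eastasia.cloudapp.azure.com"},
    "awsl.eastasia.cloudapp.azure.com": {"A": ["203.0.113.10"]},
}


def validate(zone, domain, expected_token):
    """Mimic the CA: does _acme-challenge.<domain> end at a TXT with the token?"""
    owner, txts = resolve_txt(zone, "_acme-challenge." + domain)
    return expected_token in txts, owner


def with_challenge_published(zone, token):
    """Copy of the zone after acme.sh adds the exact TXT at awsl.blog."""
    published = dict(zone)
    published["_acme-challenge.awsl.blog"] = {"TXT": [token]}
    return published
```

Before the exact record exists, the wildcard CNAME sends the lookup to the Azure host (no TXT there, so "Incorrect TXT record"); once acme.sh has created _acme-challenge.awsl.blog, that exact name takes precedence over the wildcard and the token is found.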
Thank you for your suggestion. I thought 300 seconds was enough, and acme.sh uses 20s as the default. When there are fewer than 10 domain names in the certificate, dnssleep 10s works. So I guess DNS propagation is not the main problem.
Interestingly, the problem domain has changed.
[Sat Jan 2 22:35:29 CST 2021] code='200'
[Sat Jan 2 22:35:29 CST 2021] ngksp.ga:Verify error:Incorrect TXT record
[Sat Jan 2 22:35:29 CST 2021] Skip for removelevel:
[Sat Jan 2 22:35:29 CST 2021] pid
[Sat Jan 2 22:35:29 CST 2021] No need to restore nginx, skip.
[Sat Jan 2 22:35:30 CST 2021] _clearupdns
It seems you are right. I thought I could abbreviate the command, but I couldn't.
I successfully got the certificate using the following command. The size of the fullchain is 3.81kb, just 0.5kb bigger than a single-domain cert!
Now you can pay a visit to awsl.blog to see the cert with so many domains.
Thanks to everyone who helped me!