Acme.sh supports ACME v2 wildcard now

Is it correct that I needed to create two TXT records with the same domain (_acme-challenge.example.com)?

Yes, do it.
One is used for example.com, the other for *.example.com

Something’s changed. When I run acme.sh --test --issue -d example.com -d *.example.com --dns --force or acme.sh --staging --issue -d example.com -d *.example.com --dns --force the message asks to add JUST ONE TXT RECORD. It’s exactly the same record that’s already there. I don’t think I’m supposed to use two TXT records with the same value, nor does my provider permit that. I’ve confirmed that the record is fully propagated and uses exactly what’s being asked. Previously, when I ran the same command, it would ask to add two TXT records with different values. That also never worked, even though the domain and values were exactly as requested.

Has anyone else gotten --dns (without argument) to work with wildcard?

Do what it tells you to.

If it lists 2 txt records, just add 2. If it shows only one txt record, just add one.

The real reason is that one of the txt records was already verified the last time you used it. So you just need to add only one this time.

1 Like

BTW, most of the DNS providers support adding multiple txt records for the same domain, for example: example.com.

1 Like

Thank you for your info.

But not more than one with the same value.

example.com and *.example.com are validated by _acme-challenge.example.com, that means that if example.com is already validated by dns-01, no more validations are needed for *.example.com - it is already validated that the value of _acme-challenge.example.com is under the control of the user requesting the certificate.

2 Likes

Is this true of subdomains in both v1 and v2? Wildcard only? For example, in v1 and v2, does the following only require validating dns-01 once, hence only one TXT should suffice, the least specific (_acme-challenge.example.com)?

acme.sh ... -d example.com -d s1.example.com -d www.example.com --dns ...

That requires setting TXT records with different values for _acme-challenge.example.com, _acme-challenge.s1.example.com and _acme-challenge.www.example.com.

You're not wrong that one could suffice, but it's not designed that way.

example.com and *.example.com are validated by _acme-challenge.example.com, that means that if example.com is already validated by dns-01, no more validations are needed for *.example.com - it is already validated that the value of _acme-challenge.example.com is under the control of the user requesting the certificate.

No, it's wrong.

If you have already validated the domain example.com, you will need to verify example.com again for the wildcard domain *.example.com.

That means Letsencrypt thinks example.com and *.example.com are 2 different domains to validate.

2 Likes
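The two points above (that example.com and *.example.com share the record name _acme-challenge.example.com but each authorization gets its own TXT value, while s1.example.com gets its own record name) can be made concrete. The following is an added example written for this thread, not acme.sh code and not the CA's code: it derives the dns-01 record name and TXT value the way RFC 8555 section 8.4 specifies (base64url of SHA-256 over token "." account thumbprint, with the "*." prefix stripped before building the name), groups the values an order needs by record name, and checks a published zone view against that plan. The thumbprint, tokens and zone contents are constructed sample values.

```python
import base64
import hashlib

# Constructed sample account thumbprint; a real one is the base64url
# SHA-256 of the account's JWK and is printed by acme.sh as ACCOUNT_THUMBPRINT.
SAMPLE_THUMBPRINT = "constructed-thumbprint-not-a-real-account-value"


def challenge_record_name(identifier: str) -> str:
    """Name of the TXT record the CA queries for a dns-01 challenge.

    RFC 8555 section 8.4: "_acme-challenge." is prepended to the identifier
    after a leading "*." is removed, which is why example.com and
    *.example.com are both checked at _acme-challenge.example.com.
    """
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + domain.rstrip(".")


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value for one challenge: unpadded base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def plan_txt_records(authorizations, thumbprint):
    """Group the TXT values an order needs by record name.

    authorizations: iterable of (identifier, token) pairs, one per
    authorization the CA issued for the order. The CA issues separate tokens
    for example.com and *.example.com even though they share a record name,
    so that name ends up needing two TXT records with different values.
    Returns {record_name: [txt_value, ...]} in authorization order.
    """
    plan = {}
    for identifier, token in authorizations:
        name = challenge_record_name(identifier)
        plan.setdefault(name, []).append(dns01_txt_value(token, thumbprint))
    return plan


def all_present(plan, published):
    """Compare the plan with a zone view of {name: set of TXT strings}.

    Returns the (name, value) pairs not yet published; an empty list means
    every authorization in the order can be validated.
    """
    missing = []
    for name, values in plan.items():
        for value in values:
            if value not in published.get(name, set()):
                missing.append((name, value))
    return missing


# Constructed sample order: the tokens are made up, not CA-issued values.
SAMPLE_AUTHZ = [
    ("example.com", "tok-apex-constructed"),
    ("*.example.com", "tok-wildcard-constructed"),
    ("s1.example.com", "tok-s1-constructed"),
]

if __name__ == "__main__":
    plan = plan_txt_records(SAMPLE_AUTHZ, SAMPLE_THUMBPRINT)
    for name, values in plan.items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
    # Publishing only the wildcard's value at the apex name leaves the
    # example.com authorization unsatisfied: the "add 2 TXT records" case.
    apex_name = "_acme-challenge.example.com"
    partial = {apex_name: {plan[apex_name][1]}}
    print("missing:", all_present(plan, partial))
```

Running it prints two TXT lines for _acme-challenge.example.com and one for _acme-challenge.s1.example.com, then reports the apex value as missing from the partial zone. The provider only has to allow several TXT records at one name; it never needs two records with the same value.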

But what's the advantage of validating the same _acme-challenge.example.com two times? If I have control, this is also true some seconds later. I could agree if the txt-record for the wildcard had a different name...

Yes, I thought so, but that’s what letsencrypt does now.

vladimir@debian:~$ acme.sh --version
https://github.com/Neilpang/acme.sh
v2.7.6
vladimir@debian:~$ acme.sh --test --issue -d *.kngcit.ru --dns
[Вт янв 16 09:40:10 MSK 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Вт янв 16 09:40:12 MSK 2018] Single domain='*.kngcit.ru'
[Вт янв 16 09:40:12 MSK 2018] Getting domain auth token for each domain
[Вт янв 16 09:40:12 MSK 2018] Getting webroot for domain='*.kngcit.ru'
[Вт янв 16 09:40:12 MSK 2018] Getting new-authz for domain='*.kngcit.ru'
[Вт янв 16 09:40:14 MSK 2018] The new-authz request is ok.
[Вт янв 16 09:40:14 MSK 2018] new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: Invalid character in DNS name","status": 400}
[Вт янв 16 09:40:14 MSK 2018] Please add '--debug' or '--log' to check more details.
[Вт янв 16 09:40:14 MSK 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
vladimir@debian:~$

Why Invalid character in DNS name?

Did you mean "*.kngcit.ru" ?

Yes. I edited the post.

You are not using staging v2.

I think perhaps you forgot to export BRANCH=2 when you installed.

export BRANCH=2
curl https://get.acme.sh | sh
$ acme.sh --test --issue -d "*.kngcit.ru" --dns
[Tue 16 Jan 17:52:49 AEDT 2018] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Tue 16 Jan 17:52:50 AEDT 2018] Registering account
[Tue 16 Jan 17:52:52 AEDT 2018] Registered
[Tue 16 Jan 17:52:52 AEDT 2018] ACCOUNT_THUMBPRINT='IwOdVg6z252UzF7WKcQ6HTge89KBX84YHCWJimdlUpA'
[Tue 16 Jan 17:52:52 AEDT 2018] Creating domain key
[Tue 16 Jan 17:52:52 AEDT 2018] The domain key is here: /home/alex/.acme.sh/*.kngcit.ru/*.kngcit.ru.key
[Tue 16 Jan 17:52:52 AEDT 2018] Single domain='*.kngcit.ru'
[Tue 16 Jan 17:52:52 AEDT 2018] Getting domain auth token for each domain
[Tue 16 Jan 17:52:54 AEDT 2018] Getting webroot for domain='*.kngcit.ru'
[Tue 16 Jan 17:52:54 AEDT 2018] Add the following TXT record:
[Tue 16 Jan 17:52:54 AEDT 2018] Domain: '_acme-challenge.kngcit.ru'
[Tue 16 Jan 17:52:54 AEDT 2018] TXT value: 'IezuZ-Wa92ALfQP9735Xca1G4bCmatbaFeqdHVmpIpo'
[Tue 16 Jan 17:52:54 AEDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue 16 Jan 17:52:54 AEDT 2018] so the resulting subdomain will be: _acme-challenge.kngcit.ru
[Tue 16 Jan 17:52:54 AEDT 2018] Please add the TXT records to the domains, and retry again.
[Tue 16 Jan 17:52:54 AEDT 2018] Please add '--debug' or '--log' to check more details.
[Tue 16 Jan 17:52:54 AEDT 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
2 Likes

Yes. Now everything works! Thank you.

Hi,

Thanks for this client! I’m quite new using ACME :slight_smile:

@Neilpang
Got an issue on my side when trying to create a wildcard cert using AWS (--dns dns_aws). It works when not using a wildcard. However, as soon as I insert the wildcard I get a “Le_OrderFinalize not found.” error:

[root@server .acme.sh]# acme.sh --issue --dns dns_aws -d "*.domain.com" -d "domain.com" -d "www.domain.com" -w /root/domain.com --standalone --force --test
[Tue Jan 23 18:48:36 UTC 2018] Standalone mode.
[Tue Jan 23 18:48:36 UTC 2018] Standalone mode.
....
[Tue Jan 23 18:33:47 UTC 2018] Multi domain='DNS:*.domain.com,DNS:domain.com,DNS:www.domain.com'
[Tue Jan 23 18:33:47 UTC 2018] Getting domain auth token for each domain
[Tue Jan 23 18:33:47 UTC 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Tue Jan 23 18:33:47 UTC 2018] payload='{"identifiers": [{"type":"dns","value":"*.domain.com"},{"type":"dns","value":"domain.com"},{"type":"dns","value":"www.domain.com"}]}'
[Tue Jan 23 18:33:47 UTC 2018] RSA key
[Tue Jan 23 18:33:47 UTC 2018] HEAD
[Tue Jan 23 18:33:47 UTC 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Jan 23 18:33:47 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Jan 23 18:33:47 UTC 2018] _ret='0'
[Tue Jan 23 18:33:47 UTC 2018] POST
[Tue Jan 23 18:33:47 UTC 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Tue Jan 23 18:33:47 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Jan 23 18:33:48 UTC 2018] _ret='0'
[Tue Jan 23 18:33:48 UTC 2018] code='400'
[Tue Jan 23 18:33:48 UTC 2018] Le_OrderFinalize
[Tue Jan 23 18:33:48 UTC 2018] Le_OrderFinalize not found.
[Tue Jan 23 18:48:36 UTC 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log

If I remove the *.domain.com, it works but uses the acme v1 staging.

[root@server .acme.sh]# acme.sh --issue --dns dns_aws  -d "domain.com" -d "www.domain.com" -w /root/domain.com --standalone --force --test
[Tue Jan 23 18:52:39 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 23 18:52:40 UTC 2018] Multi domain='DNS:domain.com,DNS:www.domain.com'
[Tue Jan 23 18:52:40 UTC 2018] Getting domain auth token for each domain
[Tue Jan 23 18:52:40 UTC 2018] Getting webroot for domain='domain.com'
[Tue Jan 23 18:52:40 UTC 2018] Getting new-authz for domain='domain.com'
[Tue Jan 23 18:52:41 UTC 2018] The new-authz request is ok.
[Tue Jan 23 18:52:41 UTC 2018] Getting webroot for domain='www.domain.com'
[Tue Jan 23 18:52:41 UTC 2018] Getting new-authz for domain='www.domain.com'
[Tue Jan 23 18:52:42 UTC 2018] The new-authz request is ok.
[Tue Jan 23 18:52:42 UTC 2018] domain.com is already verified, skip dns-01.
[Tue Jan 23 18:52:42 UTC 2018] www.domain.com is already verified, skip http-01.
[Tue Jan 23 18:52:42 UTC 2018] Verify finished, start to sign.
[Tue Jan 23 18:52:43 UTC 2018] Cert success.

And fails if I force the v02 staging server.

[root@server .acme.sh]# acme.sh --issue --dns dns_aws  -d "domain.com" -d "www.domain.com" -w /root/domain.com --standalone --force --server https://acme-staging-v02.api.letsencrypt.org/directory
[Tue Jan 23 18:54:48 UTC 2018] Multi domain='DNS:domain.com,DNS:www.domain.com'
[Tue Jan 23 18:54:48 UTC 2018] Getting domain auth token for each domain
[Tue Jan 23 18:54:49 UTC 2018] Le_OrderFinalize not found.
[Tue Jan 23 18:54:49 UTC 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log

Any pointer to what the cause could be? (Rate limit? A 400 Bad Request does not tell me much.)

Thanks for any help.

@tob it may be worthwhile to open a new thread in the Issuance Tech section of the forum to discuss with the Let’s Encrypt team whether this is intentional behavior or just an oversight.

Hello. I have the same problem…
I tried to run the command ./acme.sh --debug --test --issue -d 34.mydomain.com -d *.34.mydomain.com --dns dns_aw

In the debug view:
Check for domain='34.mydomain.com'
_currentRoot='dns_aws'
Check for domain='*.34.mydomain.com'
_currentRoot='dns_aws'

d='34.mydomain.com'
txtdomain='_acme-challenge.34.mydomain.com'
txt='2Tf-9NigycRUDU4IaYqG75EOxFU67zow6kRIGoThPN4'
d_api='./acme/dnsapi/dns_aws.sh'
Found domain api file: ./acme/dnsapi/dns_aws.sh

txt record updated success.
d='*.34.mydomain.com'
txtdomain='_acme-challenge.34.mydomain.com'
txt='GAkqBZhsAFH5c5M0Kjb-0PI4nrejXhzfYnIniIMH_4w'
d_api='./acme/dnsapi/dns_aws.sh'
Found domain api file: ./acme/dnsapi/dns_aws.sh
First detect the root zone

34.mydomain.com:Verify error:Incorrect TXT record

In the AWS console I see only 1 row, the last txt - GAkqBZhsAFH5c5M0Kjb-0PI4nrejXhzfYnIniIMH_4w
acme.sh version is 2.7.7

@wisdem

Fixed, please upgrade to the latest dev code and try again.

export BRANCH=dev
acme.sh --upgrade
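The symptom in the post above (both challenge values written to _acme-challenge.34.mydomain.com, the AWS console showing only the last one, and the first identifier failing with "Incorrect TXT record") is what happens when each value is written as a complete replacement of the record set instead of being merged into it. The following is an added example, not acme.sh or dns_aws.sh code and not a reproduction of the actual fix: it assumes a provider API in which one write call replaces the whole TXT record set at a name (AWS Route53's UPSERT semantics are the assumption here) and contrasts an overwriting add with a read-merge-write add, then runs the CA-side check against each. The domain is the one from the post; the challenge values are constructed.

```python
class SimulatedTxtZone:
    """In-memory stand-in for a DNS provider API whose write replaces the
    entire TXT record set at a name (assumed Route53 UPSERT behaviour).
    Constructed for this example; not a real provider client."""

    def __init__(self):
        self._rrsets = {}  # name -> list of TXT strings

    def get_txt(self, name):
        return list(self._rrsets.get(name, []))

    def upsert_txt(self, name, values):
        """Replace the whole TXT RRset at `name` with `values`."""
        if not values:
            raise ValueError("an RRset must contain at least one record")
        self._rrsets[name] = list(values)

    def delete_txt(self, name):
        self._rrsets.pop(name, None)


def add_txt_overwriting(zone, name, value):
    """The failure mode from the post: each challenge value is upserted on
    its own, so the wildcard's value replaces the apex's value."""
    zone.upsert_txt(name, [value])


def add_txt_merging(zone, name, value):
    """Read the existing RRset and upsert the union, so every pending
    challenge value at the shared name stays published."""
    existing = zone.get_txt(name)
    if value not in existing:
        existing.append(value)
    zone.upsert_txt(name, existing)


def remove_txt_merging(zone, name, value):
    """Cleanup counterpart: drop one value, keep the rest, delete when empty."""
    remaining = [v for v in zone.get_txt(name) if v != value]
    if remaining:
        zone.upsert_txt(name, remaining)
    else:
        zone.delete_txt(name)


def validate_dns01(zone, name, expected_value):
    """CA-side check: any TXT record at the challenge name equal to the
    expected value satisfies the challenge."""
    return expected_value in zone.get_txt(name)


# 34.mydomain.com and *.34.mydomain.com share this challenge name.
NAME = "_acme-challenge.34.mydomain.com"
APEX_VALUE = "apex-value-constructed"          # constructed, not a real token digest
WILDCARD_VALUE = "wildcard-value-constructed"  # constructed, not a real token digest


def run_scenario(add_fn):
    """Publish both values with `add_fn` and return the validation outcome
    as (apex_ok, wildcard_ok)."""
    zone = SimulatedTxtZone()
    add_fn(zone, NAME, APEX_VALUE)
    add_fn(zone, NAME, WILDCARD_VALUE)
    return (validate_dns01(zone, NAME, APEX_VALUE),
            validate_dns01(zone, NAME, WILDCARD_VALUE))


if __name__ == "__main__":
    print("overwrite:", run_scenario(add_txt_overwriting))  # (False, True)
    print("merge:    ", run_scenario(add_txt_merging))      # (True, True)
```

With the overwriting add, only the wildcard's value survives, which matches a console showing a single row and the apex identifier failing verification; the merging add keeps both values, and the matching remove leaves the other pending value in place when one challenge is cleaned up.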