Allowed TTL MUST BE greater than 600, not 1

Just two questions. I have a domain on Register.it. Domain has many subdomains, so I wish to generate a certificate for

*.example.com, example.com

The only option I can use is “Manual DNS verification”. For all my other domains that have NO subdomain I can simply upload control files, but for multiple domains this option is not available.
So I generate _acme-challenge.example.com TXT Records.
https://www.sslforfree.com/create?domains=*.example.com%20example.com generates 2 TXT records.

First question:

when I add those records to my DNS, should I remove the old ones, or can I keep them for a while?

Second question:

I am requested to set a Time to Live equal to 1 second. My provider, REGISTER, allows TTL values > 600 only. I asked them to allow me to use 1 but they said that they cannot. Any value below 600 is forbidden. When I change the TXT records using 600 for TTL, I get no certificates.
Step 3), that is, Verify TXT records, does not work. I have to try / reset certificates many times before it works. Really a mess.

What can I do?

Yes. Really, you can remove them as soon as the domain is validated and the cert is issued, and I’d think it’s a good idea to do so.

I’d expect this is because it’s taking some time (a wild guess would be as much as the 600-second TTL) for the new record to propagate across their DNS servers. When certbot prompts you to create the text records, try waiting about 15 minutes before allowing it to continue; that may help.

You may also want to consider either using a different DNS provider (Cloudflare seems to work well and supports automated updates with many popular clients) or running a local instance of acme-dns to handle validation.
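A small pre-flight check along the lines of the waiting advice above, added here as an example and not code from the original thread or from any ACME client: it asks each authoritative nameserver directly (so resolver caches and the 600-second TTL do not hide a stale answer) and only reports "ready" once every server serves both challenge tokens. The domain, the nameserver list and the token values are constructed placeholders; leftover TXT values from earlier attempts are tolerated, since extra values do not break DNS-01 validation.

```python
import subprocess
import time
from typing import Callable, Dict, Iterable, Set

# Constructed placeholders: replace with the two tokens your client prints.
EXPECTED_TOKENS = {"TOKEN-FOR-WILDCARD-PLACEHOLDER", "TOKEN-FOR-APEX-PLACEHOLDER"}
CHALLENGE_NAME = "_acme-challenge.example.com"
NAMESERVERS = ["ns1.example-dns.invalid", "ns2.example-dns.invalid"]  # constructed


def query_txt_with_dig(name: str, nameserver: str) -> Set[str]:
    """Ask one authoritative server directly, bypassing any caching resolver.

    `dig +short` prints each TXT value on its own line, wrapped in quotes.
    """
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "TXT", name, "@" + nameserver],
        capture_output=True, text=True, check=False,
    ).stdout
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}


def missing_per_server(expected: Set[str], observed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """For each nameserver, the expected tokens it does not serve yet.

    Values that are present but not expected (old records) are ignored,
    so stale TXT records may stay until the certificate has been issued.
    """
    return {ns: expected - seen for ns, seen in observed.items() if expected - seen}


def wait_until_published(expected: Set[str], name: str, nameservers: Iterable[str],
                         query: Callable[[str, str], Set[str]] = query_txt_with_dig,
                         attempts: int = 30, interval: float = 30.0,
                         sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll every authoritative server until all tokens are visible everywhere.

    Returns True once no server is missing a token, False after `attempts` polls.
    """
    servers = list(nameservers)
    for attempt in range(1, attempts + 1):
        missing = missing_per_server(expected, {ns: query(name, ns) for ns in servers})
        if not missing:
            return True
        print(f"attempt {attempt}: still missing {missing}")
        if attempt < attempts:
            sleep(interval)
    return False


if __name__ == "__main__":
    ready = wait_until_published(EXPECTED_TOKENS, CHALLENGE_NAME, NAMESERVERS)
    print("safe to continue validation" if ready else "tokens not fully published")
```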

