When trying to obtain a wildcard cert including the base domain as well as *., certbot asks the user to create two TXT records, in sequence, but with the same name.
The problem is that it’s not clear (to me at least) whether I should overwrite the _acme-challenge TXT record, or create another one with the same name but the second challenge string generated by certbot, or append the second challenge string to the first.
I’m a webdev and not a DNS expert, and in most systems, IDs like _acme-challenge tend to be unique. My instinct was to overwrite the first value for the _acme-challenge TXT record. Then I saw various forum posts saying that you need to create one TXT record with both values (separated by a newline?). On the other hand, creating two separate TXT records with the same name was (surprisingly to me) possible (on DigitalOcean).
I’m still confused, still haven’t managed to get the cert, and I think there’s room for improved clarity here. One shouldn’t need to be a DNS expert to use certbot, right?
You can have multiple TXT records in place for the same name. For instance, this might happen if you are validating a challenge for a wildcard and a non-wildcard certificate at the same time. However, you should make sure to clean up old TXT records, because if the response size gets too big Let’s Encrypt will start rejecting it.
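A pre-flight check for the situation described in this answer, added here as an example (it is not certbot's or Let's Encrypt's code): it compares the TXT RRset a resolver returns for the _acme-challenge name with the values certbot printed, and tells apart "overwrote the first record", "pasted both values into one record" and "stale records making the answer large". The sample values are constructed, and the byte estimate is a rough assumption, not an exact wire size.

```python
from dataclasses import dataclass, field

DNS_HEADER = 12   # fixed DNS message header, bytes
UDP_LIMIT = 512   # classic UDP payload limit without EDNS

@dataclass
class TxtCheck:
    missing: list = field(default_factory=list)   # required values with no record of their own
    stale: list = field(default_factory=list)     # records no current challenge needs
    combined: list = field(default_factory=list)  # one record holding a required value plus more text
    estimated_size: int = 0                       # rough size of the full DNS answer, bytes

    @property
    def ok(self) -> bool:
        return not self.missing and not self.combined

def txt_rr_size(value: str) -> int:
    """Rough wire size of one TXT RR: compressed owner name (2) + TYPE, CLASS, TTL,
    RDLENGTH (10) + RDATA, where every 255-byte character-string has a 1-byte length."""
    chunks = max(1, -(-len(value) // 255))
    return 12 + len(value) + chunks

def check_acme_txt_rrset(name: str, published, required) -> TxtCheck:
    """Compare the TXT RRset published at `name` with the values certbot asked for.
    A dns-01 validator needs each value to be the *entire* RDATA of some TXT record,
    so two challenges for one name means two records, not one record with both."""
    result = TxtCheck()
    result.missing = [v for v in required if v not in published]
    for value in published:
        if value in required:
            continue
        if any(v in value for v in required):
            result.combined.append(value)  # e.g. both values pasted into one record
        else:
            result.stale.append(value)     # left over from an earlier run: clean it up
    question = len(name) + 2 + 4           # owner name in wire form + QTYPE + QCLASS
    result.estimated_size = DNS_HEADER + question + sum(txt_rr_size(v) for v in published)
    return result

# Constructed sample input: the two values one certbot run asked for (not real tokens)
# and what a resolver returned for the name, including a leftover from last time.
REQUIRED = ["BASE0000000000000000000000000000000000000000",
            "WILD0000000000000000000000000000000000000000"]
PUBLISHED = REQUIRED + ["OLD00000000000000000000000000000000000000000"]

if __name__ == "__main__":
    r = check_acme_txt_rrset("_acme-challenge.example.com", PUBLISHED, REQUIRED)
    print("ok:", r.ok, "missing:", r.missing, "stale:", r.stale,
          "combined:", r.combined, "~bytes:", r.estimated_size)
```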
Can’t believe it, I was going to ask more or less the same question in the same second.
I just tried in the V2 staging environment with my client https://github.com/bruncsak/ght-acme.sh ; it creates two TXT records for the same name. The staging boulder happily accepted both challenges and issued the test certificate for my.domain and *.my.domain. I do not know whether it is just accidentally working in boulder, or whether it is very explicitly implemented to work that way. How much may client developers rely on that?
Thanks for clarifying that. My point still stands - if certbot's goal is to make getting certificates easy, then it could output clearer messages when more than one domain is involved.
A related problem in that case is that when the challenge fails for the first domain, the user doesn’t know until the end, after the second challenge fails as well. This is just wasting time.
There is one problem: Different hosters have different solutions.
Some hosters allow creating multiple entries with the same domain name _acme-challenge -> two domain names, two values
Other hosters allow only one domain name _acme-challenge, but different values -> one domain name, two values
Third, there are some limited hosters where only one domain name with one value is possible -> you can't create a certificate using example.com + *.example.com, both using dns validation.
That's not a Certbot problem, it's an ACME thing. If you are a webdev, you have to know such basics of the web / DNS. It's the basics of your work.
Also, Let's Encrypt is meant to be automated. Using the manual plugin is highly discouraged. You'd be better off using one of the DNS plugins as said above.
In 10+ years of web development, I've only marginally heard of ACME once when I had to get a wildcard cert. I highly, highly doubt that in any webdev interviews, anyone has ever been asked about ACME. I still have no idea what it is, and frankly, don't care. There's way too much stuff I need to keep up with when it comes to full-stack web development and JS library churn, to also concern myself with ACME. That's devops. I'm just a webdev who wants a wildcard cert, and I managed to get one by essentially running a one-liner. I really don't think it's worth understanding the mechanics of ACME for me any more than it's worth understanding fluid dynamics in order to drive a car.