Be clearer about the TXT record(s) for multiple domains

When trying to obtain a wildcard cert including the base domain as well as *., certbot asks the user to create two TXT records, in sequence, but with the same name.

The problem is that it’s not clear (to me at least) whether I should overwrite the _acme-challenge TXT record, or create another one with the same name but the second challenge string generated by certbot, or append the second challenge string to the first.

I’m a webdev and not a DNS expert, and in most systems, IDs like _acme-challenge tend to be unique. My instinct was to overwrite the first value for the _acme-challenge TXT record. Then I saw various forum posts saying that you need to create one TXT record with both values (separated by a newline?). On the other hand, creating two separate TXT records with the same name was (surprisingly to me) possible (on DigitalOcean).

I’m still confused, still haven’t managed to get the cert, and I think there’s room for improved clarity here. One shouldn’t need to be a DNS expert to use certbot, right?

From https://letsencrypt.org/docs/challenge-types/:

You can have multiple TXT records in place for the same name. For instance, this might happen if you are validating a challenge for a wildcard and a non-wildcard certificate at the same time. However, you should make sure to clean up old TXT records, because if the response size gets too big Let’s Encrypt will start rejecting it.
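As an added example (not part of this thread, certbot or Let's Encrypt's own code), a small Python check that takes the output of `dig +short TXT _acme-challenge.example.com` plus the two values certbot printed and reports whether both are present as separate records, whether one was appended into a single record (the overwrite/append confusion above), and which records are stale and should be cleaned up. The domain, the sample `dig` output and the challenge values are constructed, not real tokens.

```python
import re
from dataclasses import dataclass, field

# Constructed `dig +short TXT _acme-challenge.example.com` output (not real tokens).
# Each line is one TXT record; a record longer than 255 bytes is printed as
# several quoted segments on one line, which resolvers join back together.
SAMPLE_DIG_OUTPUT = '''"value-for-example.com-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"value-for-wildcard-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"stale-value-from-last-month-CCCCCCCCCCCCCCCCCCCCCCCC"
'''

# The two values certbot asks you to publish (constructed for this example).
EXPECTED = [
    "value-for-example.com-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "value-for-wildcard-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
]

def parse_dig_txt(output: str) -> list[str]:
    """Turn `dig +short TXT` output into one string per TXT record,
    joining multi-segment records and unescaping embedded quotes."""
    records = []
    for line in output.splitlines():
        segments = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if segments:
            records.append("".join(s.replace('\\"', '"') for s in segments))
    return records

@dataclass
class TxtCheck:
    present: list[str] = field(default_factory=list)   # expected value is its own record: good
    missing: list[str] = field(default_factory=list)   # expected value not published at all
    embedded: list[str] = field(default_factory=list)  # found only inside a larger record (appended, not separate)
    stale: list[str] = field(default_factory=list)     # records matching nothing expected: clean these up

    @property
    def ok(self) -> bool:
        # Validation needs each value as an exact, separate TXT record.
        return not self.missing and not self.embedded

def check_challenge_records(records: list[str], expected: list[str]) -> TxtCheck:
    result = TxtCheck()
    for value in expected:
        if value in records:
            result.present.append(value)
        elif any(value in r for r in records):
            result.embedded.append(value)
        else:
            result.missing.append(value)
    result.stale = [r for r in records
                    if r not in expected and not any(v in r for v in expected)]
    return result

if __name__ == "__main__":
    r = check_challenge_records(parse_dig_txt(SAMPLE_DIG_OUTPUT), EXPECTED)
    print("ok" if r.ok else "NOT ok", r)
```

Run it against a live `dig` output once both records have propagated; a non-empty `embedded` list means the second value was appended to the first record instead of published as a second record with the same name.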

Can’t believe, I was going to ask more or less the same question in the same second.
I just tried in the V2 staging environment with my client https://github.com/bruncsak/ght-acme.sh , it creates two TXT records for the same name. The staging boulder happily accepted both challenges and issued the test certificate for my.domain and *.my.domain. I do not know whether it is just accidentally working in boulder, or whether it is very explicitly implemented to work that way. How much may client developers rely on that?

Thanks for clarifying that. My point still stands - if certbot's goal is to make getting certificates easy, then it could output clearer messages when more than one domain is involved.

A related problem in that case is that when the challenge fails for the first domain, the user doesn’t know until the end, after the second challenge fails as well. This is just wasting time.

If you haven’t already tried, the certbot-dns-digitalocean plugin will deal with all of this for you - https://certbot-dns-digitalocean.readthedocs.io/en/stable/

A range of other clients are capable of this too:

Hi @dandv

there is one problem: Different hosters have different solutions.

  • Some hosters allow creating multiple entries with the same domain name _acme-challenge -> two domain names, two values
  • Other hosters allow only one domain name _acme-challenge, but different values -> one domain name, two values
  • Third, there are some limited hosters where only one domain name with one value is possible -> you can't create a certificate using example.com + *.example.com, both using dns validation.

That's not a Certbot problem, it's an ACME thing. If you are a webdev, you have to know such basics of the web / dns. It's the basis of your work.

Perhaps the output could be improved, I don't know about that. Luckily, certbot is open source, so I would like to invite you to make a Pull Request with an improvement! That way everybody can make use of the issue you've run into.

Also, Let's Encrypt is meant to be automated. Using the manual plugin is highly discouraged. You'd be better off using one of the DNS plugins as said above.

I tried acme.sh and it failed with "Incorrect TXT record".

In 10+ years of web development, I've only marginally heard of ACME once when I had to get a wildcard cert. I highly, highly doubt that in any webdev interviews, anyone has ever been asked about ACME. I still have no idea what it is, and frankly, don't care. There's way too much stuff I need to keep up with when it comes to full-stack web development and JS library churn, to also concern myself with ACME. That's devops. I'm just a webdev who wants a wildcard cert, and I managed to get one by essentially running a one-liner. I really don't think it's worth it for me to understand the mechanics of ACME any more than it's worth understanding fluid dynamics in order to drive a car.