Can't pass the TXT record test when trying to get a wildcard domain certificate

My domain is: *.iiio.studio

I ran this command: sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.iiio.studio --manual --preferred-challenges dns-01 certonly

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.iiio.studio


Please deploy a DNS TXT record under the name:

_acme-challenge.iiio.studio.
with the following value:
m0HjpSEGWMNLhMG4pOETmH3tbV89wtyBeKs2N9tgkxQ

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: Dig (DNS lookup).
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.


When the TXT record is set and shows in the Google client, I hit enter and I get this error:
An unexpected error occurred:
requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

Also, certbot is working perfectly on all my other domains pointed to the same server.

My web server is (include version): ESXi running Ubuntu Server 22 using NGINX with Node.js and Postgresql

The operating system my web server runs on is (include version): Ubuntu Server 22

My hosting provider, if applicable, is: Myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.0.1


Hello @iiio,

Using the online tool Let's Debug yields these results for the DNS-01 challenge.
https://letsdebug.net/iiio.studio/2313896


TXTDoubleLabel
Warning
Some DNS records were found that indicate TXT records may have been incorrectly manually entered into DNS editor interfaces. The correct way to enter these records is to either remove the domain from the label (so enter "_acme-challenge.www.example.org" as "_acme-challenge.www") or include a period (.) at the end of the label (enter "_acme-challenge.example.org.").
The following probably-erroneous TXT records were found:
_acme-challenge.iiio.studio.iiio.studio. 0 IN TXT "m0HjpSEGWMNLhMG4pOETmH3tbV89wtyBeKs2N9tgkxQ"
_acme-challenge.iiio.studio.iiio.studio. 0 IN TXT "m0HjpSEGWMNLhMG4pOETmH3tbV89wtyBeKs2N9tgkxQ" 


Note _acme-challenge.iiio.studio.iiio.studio.
most likely should be _acme-challenge.iiio.studio.


Yeah, that makes sense. Would that have happened if, let's say, I put *.iiio.studio and iiio.studio on the same cert request without separating them?

I tried to add a period after the whole _acme-challenge string, but Namecheap says it's an error and won't save it.

Yes, it would have.


Yes. And, normally both are included on the cert request. Either as two separate -d options or a quoted, comma-delimited string. You will be asked to add two TXT records one for each name. Yes, I know it seems odd since they are the same DNS name but that's how it works as each domain in the cert has to be validated.


I don't know what Namecheap's panel requires, but often the "name" part in those panels is just _acme-challenge and the DNS panel automatically adds the apex domain to that.

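To make the TXTDoubleLabel warning and the panel behaviour described in the replies above concrete, here is an added illustration (not part of certbot, Let's Debug or Namecheap's software). It assumes the common panel convention from the thread: a relative name typed into the "name" field gets the zone appended, while a name ending in "." is published as-is. The sample answer lines are constructed from the Let's Debug output quoted above plus one correct record for contrast.

```python
"""Predict what a DNS panel will publish for a TXT record "name" field and
flag the doubled-zone mistake that Let's Debug reports as TXTDoubleLabel.

Added illustration for this thread, not code from certbot or Let's Debug.
Assumption: the panel appends the zone to any name that does not end with a
dot, which is exactly how the extra ".iiio.studio" crept into the record.
"""
import re

ZONE = "iiio.studio"  # the zone discussed in the thread


def panel_fqdn(entered_name: str, zone: str) -> str:
    """Fully qualified name (trailing dot) a typical DNS panel would publish
    for the text typed into its "name"/"host" field (assumed behaviour)."""
    name = entered_name.strip().lower()
    z = zone.rstrip(".").lower()
    if name.endswith("."):
        return name                 # absolute name, used verbatim
    if name in ("", "@"):
        return f"{z}."              # the zone apex itself
    return f"{name}.{z}."           # relative name: zone is appended


def expected_challenge_name(domain: str) -> str:
    """Name certbot asks you to create for a dns-01 challenge on `domain`.
    The wildcard prefix is dropped, so *.iiio.studio and iiio.studio both
    validate at _acme-challenge.iiio.studio."""
    base = domain.strip().lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    return f"_acme-challenge.{base}."


def panel_entry_for(domain: str, zone: str) -> str:
    """What to type into the panel's name field so the record lands at the
    right place: the challenge name with the zone suffix removed."""
    fqdn = expected_challenge_name(domain)
    suffix = "." + zone.rstrip(".").lower() + "."
    if not fqdn.endswith(suffix):
        raise ValueError(f"{domain} is not inside zone {zone}")
    return fqdn[: -len(suffix)]


def parse_txt_records(lines):
    """Parse zone-file style lines: NAME TTL IN TXT "VALUE"."""
    pat = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+"([^"]*)"\s*$')
    records = []
    for line in lines:
        m = pat.match(line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(3)))
    return records


def find_double_labels(records, zone):
    """Names that end in the zone twice, e.g.
    _acme-challenge.iiio.studio.iiio.studio. (the TXTDoubleLabel case)."""
    z = zone.rstrip(".").lower()
    doubled = f".{z}.{z}."
    return sorted({name for name, _ in records if name.endswith(doubled)})


# Constructed sample: the erroneous record quoted from Let's Debug above,
# plus what the correct record looks like after entering "_acme-challenge".
SAMPLE_ANSWER = [
    '_acme-challenge.iiio.studio.iiio.studio. 0 IN TXT "m0HjpSEGWMNLhMG4pOETmH3tbV89wtyBeKs2N9tgkxQ"',
    '_acme-challenge.iiio.studio. 0 IN TXT "m0HjpSEGWMNLhMG4pOETmH3tbV89wtyBeKs2N9tgkxQ"',
]


def check_sample(zone: str = ZONE):
    """Run the double-label check over the constructed answer section."""
    return find_double_labels(parse_txt_records(SAMPLE_ANSWER), zone)


if __name__ == "__main__":
    for entry in ("_acme-challenge.iiio.studio",
                  "_acme-challenge.iiio.studio.",
                  "_acme-challenge"):
        print(f"{entry!r:34} -> {panel_fqdn(entry, ZONE)}")
    print("doubled names:", check_sample())
    print("type into panel:", panel_entry_for("*.iiio.studio", ZONE))
```

Before pressing Enter in certbot, the same check can be run on real data by pasting the ";ANSWER" lines from a dig lookup of `_acme-challenge.iiio.studio` into `parse_txt_records`; an empty answer there, or a name that `find_double_labels` flags, means the record is not where Let's Encrypt will look.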

Okay, so I had to put the name of the TXT field as just '_acme-challenge' and then the TXT string. That allowed me to pass the test via certbot, but just to confirm: if that's complete, are you saying it'll cover *.iiio.studio + iiio.studio, or do I have to explicitly add both of them using separate -d flags?


Every domain name you want in your cert must be listed in the Certbot command. Either as multiple -d options or a string like: -d "example.com,*.example.com"

A name of *.example.com works for subdomains of example.com but not example.com itself. This is why both are usually needed.

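The rule in the reply above (a wildcard covers one level of subdomains but not the apex) is easy to check mechanically. This is an added illustration, not certbot's own code; the hostnames in the sample list are constructed for the example.

```python
"""Check which hostnames a certificate's name list actually covers.

Added illustration for this thread, not code from certbot. Wildcards are
matched the way Let's Encrypt issues them: a leading "*." stands for exactly
one label, so "*.iiio.studio" covers www.iiio.studio but neither the apex
iiio.studio nor a deeper name such as dev.api.iiio.studio.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` covers `hostname`."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h                      # plain name: exact match only
    base = p[2:].split(".")
    labels = h.split(".")
    # exactly one extra label on the left, rest identical to the base
    return len(labels) == len(base) + 1 and labels[1:] == base


def covered(cert_names, hostname: str) -> bool:
    return any(wildcard_matches(n, hostname) for n in cert_names)


def uncovered_hosts(cert_names, hostnames):
    """Hostnames that would fail name validation against this certificate."""
    return [h for h in hostnames if not covered(cert_names, h)]


def certbot_domain_args(domains):
    """Build the -d arguments certbot needs: one per name in the cert."""
    args = []
    for d in domains:
        args += ["-d", d]
    return args


# Constructed sample hostnames for the zone discussed in the thread.
HOSTS = [
    "iiio.studio",            # apex: needs its own -d
    "www.iiio.studio",        # covered by *.iiio.studio
    "api.iiio.studio",        # covered by *.iiio.studio
    "dev.api.iiio.studio",    # two levels deep: not covered by *.iiio.studio
    "iiio.studio.example",    # different zone entirely
]


def main():
    wildcard_only = ["*.iiio.studio"]
    both = ["iiio.studio", "*.iiio.studio"]
    print("missing with wildcard only:", uncovered_hosts(wildcard_only, HOSTS))
    print("missing with both names:  ", uncovered_hosts(both, HOSTS))
    print("certbot arguments:", " ".join(certbot_domain_args(both)))


if __name__ == "__main__":
    main()
```

When typing the `-d` arguments into a shell, quote the wildcard (`-d '*.iiio.studio'`) so the shell cannot expand `*` against files in the current directory; the list returned by `certbot_domain_args` is already safe because it is never passed through a shell.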

Makes sense, thank you.

One last question: do I now convert the keys into crt files and place them in the ca-certificates folder? Or do I symlink them?

Into what? "crt files"? What are those exactly?

For what purpose?


Oh, I think maybe I was looking at the wrong walkthrough.

Do you know of a resource online that can help with the next steps?

At this moment I have the .pem files generated, but my URLs aren't HTTPS yet, so I'm assuming there's another step?

Thank you for your help, I appreciate it.

That step differs per application, so no, I cannot point to a single fitting how-to on how to do that. Looking at "NGINX with Node.js" I wouldn't dare to suggest anything other than your favorite search engine might suggest something helpful.


Okay, no worries, I'll look around. Thanks again!
