CERTBOT_DOMAIN for wildcard domains

Yes.

You can't set a DNS resource record (RR) with an actual wildcard symbol in it. Let's Encrypt requires you to put two TXT RRs on the same hostname for the example you're presenting here.

Probably a limitation of AWS Route53, because two TXT records are required.

A workaround might be getting two separate certificates, one for the "base" subdomain and one for the wildcard. After that, when both hostnames are validated, it should be possible to get a certificate with both hostnames without actually needing to validate the hostnames again.

It seems the certbot-dns-route53 plugin can handle two TXT records: Amazon route53 wildcard domain support question / issue - #4 by jacksnodgrass

Not sure how you'd fix that with the manual plugin though. Perhaps we could have a look at your DNS update script?

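As an added illustration of the point made in this reply (example code, not from the thread or from certbot itself): a `--manual-auth-hook` that collects every validation token for a challenge name instead of overwriting the TXT record. certbot runs the hook once per identifier, and for `example.com` and `*.example.com` both runs carry the same CERTBOT_DOMAIN (the name without the `*.` label), so the hook must publish a single RRset with two values. `STATE_DIR` and `publish_txt` are assumptions standing in for the provider-specific part.

```shell
#!/bin/sh
# Added example, not certbot's own code. Accumulates ACME DNS-01 tokens per
# challenge name so that the base domain and its wildcard, which share
# _acme-challenge.<domain>, both end up in one multi-value TXT RRset.
# STATE_DIR and publish_txt are placeholders for illustration.

STATE_DIR="${STATE_DIR:-/tmp/acme-txt-state}"

# Record one validation token for a challenge name; prints the full set of
# tokens currently pending for that name, one per line. Idempotent.
add_validation() {
    name="$1"; token="$2"
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/$name"
    # -e guards against tokens that start with '-' (base64url alphabet).
    grep -qxF -e "$token" "$f" 2>/dev/null || printf '%s\n' "$token" >> "$f"
    cat "$f"
}

# Render the pending tokens as a comma-separated list of quoted TXT values,
# e.g. "tokA","tokB", which is what a whole-RRset UPSERT needs.
render_rrset() {
    name="$1"
    awk '{ printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }' "$STATE_DIR/$name"
}

# Hypothetical publisher: replace with your DNS provider's API call. It must
# send the complete RRset (all values), not just the newest token, or the
# first challenge loses its record before Let's Encrypt checks it.
publish_txt() {
    name="$1"; values="$2"
    echo "UPSERT TXT $name $values"
}

# Entry point when certbot invokes this script as the auth hook.
auth_hook() {
    name="_acme-challenge.${CERTBOT_DOMAIN}"
    add_validation "$name" "$CERTBOT_VALIDATION" >/dev/null
    publish_txt "$name" "$(render_rrset "$name")"
}

if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    auth_hook
fi
```

The matching `--manual-cleanup-hook` should delete the state file for the name and remove the RRset only once both challenges have been checked, otherwise the second cleanup run has nothing left to remove.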