Thanks for your very quick reply!
Righty.
I'll take your point in the context of Let's Encrypt certificates; however, I do note that I have other wildcard certificates that appear to do exactly that?
So how is this resolved in Let's Encrypt?
If I request using
-d tentacom.net -d "*.tentacom.net"
then certbot's DNS-01 verification process runs as follows:
Plugins selected: Authenticator manual, Installer None
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/tentacom.net.conf)
It contains these names: *.tentacom.net
You requested these names for the new certificate: tentacom.net, *.tentacom.net.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for tentacom.net
dns-01 challenge for tentacom.net
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.tentacom.net with the following value:
meszQmIAMDc_S8xN8JCEQgLPdcj4jddrNF-hcz68aV4
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.tentacom.net with the following value:
u--tUJQZOpg6AerJyPrIi4R1FatG0rs_M1gUk5C1b98
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
So then it effectively asks me to have two different TXT records for the same domain.
The DNS server is fine with that, but will the ACME system be ok and check beyond the first TXT record?
Also, which should be specified first, the base domain or the wildcard?
I believe this affects which name gets put into the common name of the certificate.
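An added pre-flight check for the two-record situation in the session above (example code, not part of this thread or of certbot): it parses the TXT record set at _acme-challenge.tentacom.net as `dig +short TXT` prints it and reports which of the two values certbot asked for are still missing before you press Enter. It assumes `dig` is installed for the live lookup; without `--live` it runs against a constructed sample of the dig output.

```python
"""Pre-check for certbot's manual DNS-01 prompts: confirm every challenge
value certbot printed is present in the TXT set at the challenge name before
pressing Enter. The ACME validator accepts the name if any one TXT record
matches the value it expects (RFC 8555 section 8.4), so base domain and
wildcard can share _acme-challenge.<domain> with one record each."""
import shlex
import subprocess
import sys
from typing import List, Optional, Set

CHALLENGE_NAME = "_acme-challenge.tentacom.net"  # name from the certbot session
EXPECTED = [  # the two values certbot asked for in the session
    "meszQmIAMDc_S8xN8JCEQgLPdcj4jddrNF-hcz68aV4",
    "u--tUJQZOpg6AerJyPrIi4R1FatG0rs_M1gUk5C1b98",
]
# Constructed sample of `dig +short TXT` output once both records are live.
SAMPLE_DIG_OUTPUT = (
    '"meszQmIAMDc_S8xN8JCEQgLPdcj4jddrNF-hcz68aV4"\n'
    '"u--tUJQZOpg6AerJyPrIi4R1FatG0rs_M1gUk5C1b98"\n'
)

def parse_dig_txt(output: str) -> Set[str]:
    """Parse `dig +short TXT` output: one record per line, printed as one or
    more double-quoted chunks; chunks of a long record are rejoined."""
    records: Set[str] = set()
    for line in output.splitlines():
        chunks = shlex.split(line)  # strips the quotes, keeps chunk order
        if chunks:
            records.add("".join(chunks))
    return records

def missing_values(published: Set[str], expected: List[str]) -> List[str]:
    """Expected challenge values that the published record set lacks."""
    return [value for value in expected if value not in published]

def lookup_txt(name: str, nameserver: Optional[str] = None) -> Set[str]:
    """Query TXT records with dig (assumed installed); pass the zone's
    authoritative nameserver to avoid a recursor's cached answer."""
    cmd = ["dig", "+short", "TXT", name] + (["@" + nameserver] if nameserver else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_dig_txt(out)

if __name__ == "__main__":
    # Without --live, run against the constructed sample (no network needed).
    live = "--live" in sys.argv
    published = lookup_txt(CHALLENGE_NAME) if live else parse_dig_txt(SAMPLE_DIG_OUTPUT)
    missing = missing_values(published, EXPECTED)
    print("all challenge records deployed" if not missing else f"missing: {missing}")
```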