Domain and wildcard registration at the same time


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com

I ran this command: sudo certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:
It asked me " Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
— "
it did this twice with different passkeys.

My web server is (include version): not applicable

The operating system my web server runs on is (include version): not applicable

My hosting provider, if applicable, is: hosteurope.de

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


I am trying to get a wildcard certificate that also applies to the non-subdomain version of my page. Therefore I am trying to get a certificate for BOTH *.example.com and example.com. I was adviced that this is the right procedure. I want to use the DNS authentication because uploading a file to my webserver is a bit cumbersome due to the security in place and I can never complete it on time.
Unfortunately DNS authentication now also does not work, since I am requested to enter the _acme-challenge.example.com DNS TXT entry twice with different keys. This does not make any sense. Also even if I turn down the TTL, I can turn it down to 5 minutes minimum. Lower is not possible with my DNS provider.

How can I avoid this weird procedure of changing the key mid authentication?


EDIT:
Here is a more verbose copy-paste from the certbot output:

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

nT5q7HnpO-3QrwTuSvmSvvp89ONgDnr9hS_fhzTk0CM

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

rU8O6tqPPkkga7RWTYVqdvhgLuZKzyH8auA6J7bTTfE

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ozhan.de (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "rU8O6tqPPkkga7RWTYVqdvhgLuZKzyH8auA6J7bTTfE" found at _acme-challenge.example.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Incorrect TXT record
   "rU8O6tqPPkkga7RWTYVqdvhgLuZKzyH8auA6J7bTTfE" found at
   _acme-challenge.example.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

#2

Hi @burak1,

Yes, you need to create 2 different TXT records for _acme-challenge.example.com at the same time, one of them will validate example.com and the other one will validate *.example.com.

You should not worry about TTL, LE doesn’t cache DNS records, well it does but as far as I know, just 60 seconds so doesn’t matter what is the TTL used in your records.

But once you have created both TXT records with the right challenge, before press continue, you must be sure all the authoritative DNS servers for your domain answer with the new added TXT records, it could take seconds or several minutes.

Cheers,
sahsanu


#3

So I can actually have multiple DNS TXT entries for the same sub-domain ?!?
Also certbot shows me the challenges one-by-one and asks me to verify the entries before it contiunes to the next, but at the end checks all of them at the same time.
It is a tad confusing for someone that is not a DNS expert…


#4

Yes, you can :wink:

Even in the last one, you receive this sentence Before continuing, verify the record is deployed.

I agree it could confuse someone which is not used to this DNS stuff and even if you try to validate the record on your own and you think it is ok, maybe not all your authoritative DNS servers have been updated yet so the validation could fail. In this case, to validate that your records have been added properly and have been propagated to all your authoritative DNS servers you can use dig or nslookup command.

1.- Check what are the authoritative DNS servers for your domain:

$ dig example.com ns +short
b.iana-servers.net.
a.iana-servers.net.

or

$ nslookup -type=ns example.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
example.com     nameserver = a.iana-servers.net.
example.com     nameserver = b.iana-servers.net.

Authoritative answers can be found from:

2.- Now we know the auth DNS servers for example.com domain are a.iana-servers.net and b.iana-servers.net so we need to query them for the added TXT records.

$ dig @a.iana-servers.net _acme-challenge.example.com TXT
"GQBjxMxEV--A2ctasRVcUJSdkLf3WZOt_xhDLs2F8Go"
"ibmUFawHqlJWnEHbkXUk5vpKa0IKVJPXFBPktc_edMk"

$ dig @b.iana-servers.net _acme-challenge.example.com TXT
"GQBjxMxEV--A2ctasRVcUJSdkLf3WZOt_xhDLs2F8Go"
"ibmUFawHqlJWnEHbkXUk5vpKa0IKVJPXFBPktc_edMk"

or using nslookup

$ nslookup -type=txt _acme-challenge.example.com a.iana-servers.net
Server:         a.iana-servers.net
Address:        2001:500:8f::53#53

_acme-challenge.example.com  text = "ibmUFawHqlJWnEHbkXUk5vpKa0IKVJPXFBPktc_edMk"
_acme-challenge.example.com  text = "GQBjxMxEV--A2ctasRVcUJSdkLf3WZOt_xhDLs2F8Go"


$ nslookup -type=txt _acme-challenge.example.com b.iana-servers.net
Server:         b.iana-servers.net
Address:        2001:500:8d::53#53

_acme-challenge.example.com  text = "ibmUFawHqlJWnEHbkXUk5vpKa0IKVJPXFBPktc_edMk"
_acme-challenge.example.com  text = "GQBjxMxEV--A2ctasRVcUJSdkLf3WZOt_xhDLs2F8Go"

and we should receive the same answer from both auth DNS servers, if we don’t receive the same answer then we will need to wait a bit more till the new records are propagated between all our auth DNS servers.

Once we get the right answer from all of them we can press continue :wink:

Cheers,
sahsanu