Domain and wildcard registration at the same time


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot certonly --manual --preferred-challenges dns --server

It produced this output:
It asked me: "Please deploy a DNS TXT record under the name with the following value:
— "
It did this twice with different passkeys.

My web server is (include version): not applicable

The operating system my web server runs on is (include version): not applicable

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I am trying to get a wildcard certificate that also applies to the non-subdomain version of my page. Therefore I am trying to get a certificate for BOTH * and I was advised that this is the right procedure. I want to use the DNS authentication because uploading a file to my webserver is a bit cumbersome due to the security in place and I can never complete it on time.
Unfortunately DNS authentication now also does not work, since I am requested to enter the DNS TXT entry twice with different keys. This does not make any sense. Also even if I turn down the TTL, I can turn it down to 5 minutes minimum. Lower is not possible with my DNS provider.

How can I avoid this weird procedure of changing the key mid authentication?

Here is a more verbose copy-paste from the certbot output:

Are you OK with your IP being logged?
(Y)es/(N)o: y

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "rU8O6tqPPkkga7RWTYVqdvhgLuZKzyH8auA6J7bTTfE" found at

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Incorrect TXT record
   "rU8O6tqPPkkga7RWTYVqdvhgLuZKzyH8auA6J7bTTfE" found at

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


Hi @burak1,

Yes, you need to create 2 different TXT records for at the same time, one of them will validate and the other one will validate *

You should not worry about TTL. LE doesn’t cache DNS records, well it does, but as far as I know just 60 seconds, so it doesn’t matter what TTL is used in your records.

But once you have created both TXT records with the right challenge, before pressing continue, you must be sure all the authoritative DNS servers for your domain answer with the newly added TXT records; it could take seconds or several minutes.



So I can actually have multiple DNS TXT entries for the same sub-domain ?!?
Also certbot shows me the challenges one-by-one and asks me to verify the entries before it continues to the next, but at the end checks all of them at the same time.
It is a tad confusing for someone that is not a DNS expert…


Yes, you can :wink:

Even in the last one, you receive this sentence: "Before continuing, verify the record is deployed."

I agree it could confuse someone who is not used to this DNS stuff, and even if you try to validate the record on your own and you think it is ok, maybe not all your authoritative DNS servers have been updated yet, so the validation could fail. In this case, to validate that your records have been added properly and have been propagated to all your authoritative DNS servers, you can use the dig or nslookup command.

1.- Check what are the authoritative DNS servers for your domain:

$ dig ns +short


$ nslookup -type=ns

Non-authoritative answer:     nameserver =     nameserver =

Authoritative answers can be found from:

2.- Now we know the auth DNS servers for domain are and so we need to query them for the added TXT records.

$ dig TXT

$ dig TXT

or using nslookup

$ nslookup -type=txt
Address:        2001:500:8f::53#53  text = "ibmUFawHqlJWnEHbkXUk5vpKa0IKVJPXFBPktc_edMk"  text = "GQBjxMxEV--A2ctasRVcUJSdkLf3WZOt_xhDLs2F8Go"

$ nslookup -type=txt
Address:        2001:500:8d::53#53  text = "ibmUFawHqlJWnEHbkXUk5vpKa0IKVJPXFBPktc_edMk"  text = "GQBjxMxEV--A2ctasRVcUJSdkLf3WZOt_xhDLs2F8Go"

and we should receive the same answer from both auth DNS servers, if we don’t receive the same answer then we will need to wait a bit more till the new records are propagated between all our auth DNS servers.

Once we get the right answer from all of them we can press continue :wink:
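As an added example (not part of this thread or of certbot), the check described in the reply above as a small POSIX shell script: it looks up the authoritative nameservers of the zone, asks each one directly for the `_acme-challenge` TXT records, and only reports "ready" when every server returns every value certbot asked for. It assumes `dig` is installed and that the domain you pass is the zone apex (so `dig NS` returns its nameservers); the record name `_acme-challenge.<domain>` is the one used by the dns-01 challenge.

```shell
#!/bin/sh
# Added example, not from the forum thread or certbot.
# Verifies that ALL authoritative nameservers already serve ALL dns-01
# TXT values before you press Enter in certbot's --manual prompt.

# all_values_present <dig_txt_output> <value>...
# Pure text check: returns 0 when every expected value appears in the
# answer text, quoted the way `dig +short TXT` prints TXT records.
# Kept free of network calls so it can be tested with canned output.
all_values_present() {
  answer="$1"; shift
  for v in "$@"; do
    case "$answer" in
      *"\"$v\""*) ;;        # this value is present, check the next one
      *) return 1 ;;        # missing (or not yet propagated) on this server
    esac
  done
  return 0
}

# check_all_ns <domain> <value>...
# Queries each authoritative NS directly (bypassing caching resolvers and
# their TTLs) and prints per-server status. Returns 0 only when every
# server is ready; returns 1 if no NS records were found at all.
check_all_ns() {
  domain="$1"; shift
  ready=0; total=0
  for ns in $(dig +short NS "$domain"); do
    total=$((total + 1))
    answer=$(dig +short @"$ns" TXT "_acme-challenge.$domain")
    if all_values_present "$answer" "$@"; then
      echo "ready:   $ns"
      ready=$((ready + 1))
    else
      echo "waiting: $ns (got: ${answer:-<no answer>})"
    fi
  done
  [ "$total" -gt 0 ] && [ "$ready" -eq "$total" ]
}

# Usage (hypothetical domain and the two values certbot printed):
#   check_all_ns example.com VALUE_FOR_APEX VALUE_FOR_WILDCARD
```

Run it repeatedly until it exits 0; that is the moment to press Enter in certbot, since Let's Encrypt queries the authoritative servers just as this script does.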


