I'm having trouble with txt _acme-challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:loweoak.net

I ran this command:
certbot -v certonly --manual --preferred-challenges dns -d loweoak.net -d *.loweoak.net
It produced this output:
It asked me to put two _acme-challenge.loweoak.net in, but, my provider responded with "cannot create multiple TXT records with same name in standard web-interface."
My web server is (include version):
Apache
The operating system my web server runs on is (include version):
Fedora
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @wlowe, and welcome to the LE community forum

• You could switch to another authentication method... [Like: HTTP-01]
  OR
• Use one TXT record at a time.
  This path is somewhat of a "trick".
  It plays on the caching of the partial authentication.
  Your request remains the same.
  But you enter only the first TXT record.
  Then after that request fails, you make the same request again.
  But this time you enter only the second TXT record.
  If all goes to plan, the combined individual validations will pass the authentication and you will receive the requested cert.

You probably want to change DNS provider, as this is a rather silly limitation from their part. It's perfectly fine and allowed by RFCs to have multiple TXT RR for the same name in a DNS zone.

As Rudy already said, you might also want to change to the http-01 challenge, but you wouldn't get a wildcard certificate then (as that's not allowed with the http-01 challenge).. Do you really require the wildcard certificate to begin with?

If you reaaaally need to use the dns-01 challenge, moving DNS provider also helps with handling the challenge itself, as there are multiple DNS providers out there with an API Certbot can interact with. See e.g. DNS providers who easily integrate with Let's Encrypt DNS validation for a non-comprehensively list.

Edit: Hmm, it seems Dyn is already on that list. It seems Lego is supported, so you might be able to use the certbot-dns-multi Certbot plugin, which uses lego under the hood, as a DNS plugin.

@Osiris, do you think one can obtain a cert for two entries while using separate authentication methods for each entry?

If so, then HTTP-01 can be used for the FQDN and DNS-01 for the single wildcard.

I don't think Certbot can combine different challenges in a single go. Not when using separate authenticators in any case. Certbot can only use a single authenticator plugin per invocation.

Using the manual plugin however, it might be possible. But I would not recommend the manual plugin at all.

No even with the latest version?

What about another ACME client?

[Is that a viable solution?]

Other ACME clients can. I don't remember which ones.

What would the command look like for HTTP-01? My server is behind a router. For some reason everything else I tried doesn't work either.

Can it be reached via HTTP from the Internet?

acme.sh for one. Can mix DNS providers or DNS and HTTP in same cert

Yes, It can be reached on port 80 or 443

Not from my corner of the Internet.
HTTP fails:

curl -Ii http://loweoak.net/
curl: (56) Recv failure: Connection reset by peer

HTTPS works:

curl -Iik https://loweoak.net/
HTTP/1.1 200 OK
Date: Wed, 06 Sep 2023 16:46:26 GMT
Server: Apache
Last-Modified: Tue, 23 Feb 2021 02:03:58 GMT
ETag: "83-5bbf754dfab26"
Accept-Ranges: bytes
Content-Length: 131
Content-Type: text/html; charset=UTF-8

Also a time out from my corner of the world (Europe).

That said, I recommended the certbot-dns-multi Certbot plugin earlier above. I'm interested why that wouldn't be an option.

Do we even know what version of certbot is in use?
certbot --version

Ditto

$ nmap -Pn -p80,443 loweoak.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-06 10:26 PDT
Nmap scan report for loweoak.net (47.209.245.83)
Host is up (0.064s latency).

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds

Same here, wherever Google is making this VPN exit

❯ curl ifconfig.co; nmap -Pn -p80,443 loweoak.net
2606:40:c8:608d::6a:7f2
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 19:34 CEST
Nmap scan report for loweoak.net (47.209.245.83)
Host is up (0.21s latency).

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 3.60 seconds

I guess we should compare outputs:
traceroute -T -p 80 loweoak.net
traceroute -T -p 443 loweoak.net

[I would but my firewalls interfere with the HTTP results]

❯ sudo traceroute -T -p 80 loweoak.net
traceroute to loweoak.net (47.209.245.83), 30 hops max, 60 byte packets
 1  136.22.97.161 (136.22.97.161)  159.052 ms  167.233 ms *
 2  * * *
 3  * * *
 4  * * *
 5  be3001.agr41.fra03.atlas.cogentco.com (130.117.14.73)  191.530 ms  191.424 ms *
 6  be3187.ccr42.fra03.atlas.cogentco.com (130.117.1.118)  209.129 ms be2814.ccr42.ams03.atlas.cogentco.com (130.117.0.141)  137.173 ms be2813.ccr41.ams03.atlas.cogentco.com (130.117.0.121)  145.375 ms
 7  be2813.ccr41.ams03.atlas.cogentco.com (130.117.0.121)  145.179 ms be2814.ccr42.ams03.atlas.cogentco.com (130.117.0.141)  145.328 ms be12488.ccr42.lon13.atlas.cogentco.com (130.117.51.41)  241.764 ms
 8  be2490.ccr42.jfk02.atlas.cogentco.com (154.54.42.85)  241.809 ms be2101.ccr32.bos01.atlas.cogentco.com (154.54.82.38)  176.308 ms be2318.ccr32.bio02.atlas.cogentco.com (154.54.61.117)  205.496 ms
 9  be2889.ccr21.cle04.atlas.cogentco.com (154.54.47.49)  193.283 ms  198.823 ms be2890.ccr22.cle04.atlas.cogentco.com (154.54.82.245)  171.791 ms
10  be2717.ccr41.ord01.atlas.cogentco.com (154.54.6.221)  175.015 ms  186.574 ms be2889.ccr21.cle04.atlas.cogentco.com (154.54.47.49)  193.375 ms
11  be2892.ccr22.cle04.atlas.cogentco.com (154.54.82.253)  182.284 ms be2831.ccr21.mci01.atlas.cogentco.com (154.54.42.165)  187.436 ms  194.321 ms
12  be2432.ccr31.dfw01.atlas.cogentco.com (154.54.3.133)  209.087 ms be2832.ccr22.mci01.atlas.cogentco.com (154.54.44.169)  201.856 ms  234.485 ms
13  be2433.ccr32.dfw01.atlas.cogentco.com (154.54.3.213)  235.847 ms be2764.ccr41.dfw03.atlas.cogentco.com (154.54.47.214)  229.752 ms be2432.ccr31.dfw01.atlas.cogentco.com (154.54.3.133)  197.615 ms
14  be2763.ccr41.dfw03.atlas.cogentco.com (154.54.28.74)  189.783 ms 38.140.104.226 (38.140.104.226)  208.169 ms *
15  173.219.205.35 (173.219.205.35)  194.184 ms * *
16  173.219.205.35 (173.219.205.35)  200.685 ms 173.219.247.109 (173.219.247.109)  213.441 ms 173.219.205.35 (173.219.205.35)  213.349 ms
17  * 173.219.247.109 (173.219.247.109)  207.031 ms *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

~ took 19s
❯ sudo traceroute -T -p 443 loweoak.net
traceroute to loweoak.net (47.209.245.83), 30 hops max, 60 byte packets
 1  136.22.97.161 (136.22.97.161)  132.774 ms  132.780 ms *
 2  * * *
 3  * * *
 4  * * *
 5  be3001.agr41.fra03.atlas.cogentco.com (130.117.14.73)  139.307 ms * *
 6  be2813.ccr41.ams03.atlas.cogentco.com (130.117.0.121)  146.647 ms be3186.ccr41.fra03.atlas.cogentco.com (130.117.0.1)  280.639 ms be2813.ccr41.ams03.atlas.cogentco.com (130.117.0.121)  286.467 ms
 7  be2813.ccr41.ams03.atlas.cogentco.com (130.117.0.121)  286.383 ms  286.152 ms be12266.ccr42.par01.atlas.cogentco.com (154.54.56.174)  417.367 ms
 8  be2101.ccr32.bos01.atlas.cogentco.com (154.54.82.38)  292.269 ms be2318.ccr32.bio02.atlas.cogentco.com (154.54.61.117)  325.925 ms be12266.ccr42.par01.atlas.cogentco.com (154.54.56.174)  319.823 ms
 9  be2890.ccr22.cle04.atlas.cogentco.com (154.54.82.245)  292.071 ms be2318.ccr32.bio02.atlas.cogentco.com (154.54.61.117)  319.677 ms be2890.ccr22.cle04.atlas.cogentco.com (154.54.82.245)  291.821 ms
10  be2717.ccr41.ord01.atlas.cogentco.com (154.54.6.221)  313.003 ms  313.029 ms  313.078 ms
11  be2831.ccr21.mci01.atlas.cogentco.com (154.54.42.165)  312.940 ms be2718.ccr42.ord01.atlas.cogentco.com (154.54.7.129)  312.933 ms be2717.ccr41.ord01.atlas.cogentco.com (154.54.6.221)  187.048 ms
12  be2432.ccr31.dfw01.atlas.cogentco.com (154.54.3.133)  192.173 ms be2433.ccr32.dfw01.atlas.cogentco.com (154.54.3.213)  191.920 ms be2831.ccr21.mci01.atlas.cogentco.com (154.54.42.165)  190.509 ms
13  be2432.ccr31.dfw01.atlas.cogentco.com (154.54.3.133)  202.531 ms be2433.ccr32.dfw01.atlas.cogentco.com (154.54.3.213)  200.352 ms  188.798 ms
14  be2763.ccr41.dfw03.atlas.cogentco.com (154.54.28.74)  188.179 ms be2764.ccr41.dfw03.atlas.cogentco.com (154.54.47.214)  199.757 ms *
15  173.219.205.35 (173.219.205.35)  193.848 ms  193.903 ms  193.876 ms
16  173.219.247.109 (173.219.247.109)  193.845 ms 173.219.205.35 (173.219.205.35)  193.748 ms 173.219.247.109 (173.219.247.109)  193.334 ms
17  173.219.247.109 (173.219.247.109)  200.445 ms * *
18  * 47.209.245.83 (47.209.245.83)  203.116 ms  210.082 ms

My router blocks the incoming ICMP error packets for some reason when using TCP So no proper trace in between. But the port 443 stops at the correct IP at hop 18 and the port 80 trace just keeps going till hop 30 (timeout).

And using this online tool https://check-host.net/ the Permanent link to this check report from around the world show "Connection timed out".