A few days ago I successfully installed an SSL certificate for my main site and it renews automatically. I want to publish many sites as subdomains, so I took an interest in Certbot's wildcard certificate feature. Every time I try to verify my domain ownership it fails, and I heard it takes some hours for a DNS TXT record to propagate. The problem is that I can't leave the prompt running for a long time, because it would eventually time out or I could lose the connection to my remote server.
I ran this command:
```
sudo certbot -i nginx --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.betafox.net -d betafox.net
```
It produced this output:
```
Incorrect TXT record
```
My web server is (include version):
Nginx 1.20.1
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
Kamatera Cloud Express
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Certbot 1.20.0
You could use the application `screen` to run certbot, so it won't quit if your terminal is disconnected.
But even better is to automate the adding and removing of the TXT record through an API. It looks like "domain.com" (your DNS provider, right?) offers some kind of method for managing your domain through Google Workspace: Domain Connect | Domain.com
It has two -d keywords so the DNS challenge will prompt you with data to enter for two TXT records. I do not know how your DNS provider supports that but with Amazon Route53 (one I can test) I have one TXT record with two values on separate lines.
If I do not have both values I get the same error you show. You should check again that both values were correctly entered in the DNS zone records.
And, use the googleapps toolbox link shown in the prompt to confirm.
I contacted domain.com and asked for API access, but their support staff said they didn't offer that yet. As for Google Workspace, I haven't tried it yet, but it appears complex and costly.
Some DNS providers allow multiple TXT records with the same name but each having a different value. I was just trying to say there are different methods depending on the DNS provider and its interface or API. In any case, with two domains you will need two TXT values.
If you omit the -d betafox.com from the command it will only need one value but the cert will not cover that exact name - only names matching the wildcard.
@UltraBurstXD It would be helpful to see the whole sequence. Go ahead and complete it best you can and post the series here. Use three backticks ``` before and after the text you copy / paste to here.
To propagate where? I don't know how domain.com manages the DNS records, but it usually takes seconds or a few minutes, not hours... I mean, the only name servers those records must propagate to are your own DNS servers (ns1.domain.com and ns2.domain.com). Indeed, you can check whether the TXT records have been updated by asking your name servers.
If both records have been updated on both name servers then you can tell certbot to continue.
Or, if you don't mind using another client, acme.sh provides a DNS alias mode that could be useful here. You would need to create CNAME records in your current DNS servers and use another domain (or a subdomain of your current domain) that could be hosted on another DNS server that allows updating the records via a DNS plugin supported by acme.sh (and there are tons of them).
Note: there are some free DNS servers out there that could serve this purpose, like dynv6.
Another solution using certbot could be to use acme-dns.
Also, I see you have been playing with your TXT DNS records:
```
$ dig _acme-challenge.betafox.net txt
_acme-challenge.betafox.net. 3600 IN CNAME betafox.net.letsencrypt.vdeck.eigdyn.com.
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "BbAr7OH5xbjLcaPqwdo-qgLhoqO9rxfLA0B2w5YykA8"
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "lHTV8dZPFXJXHUlNtYW9kcLZXWtHKfYzKGoXbxkNyt8"
```
And that is basically what I'm proposing with acme.sh DNS alias mode or with acme-dns but in a way you can automate it.
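The check suggested above (ask your own name servers whether both TXT values are visible before telling certbot to continue) as an added example, not code from this thread, certbot or acme.sh: it parses `dig` answer lines in the format quoted above, follows the CNAME chain the way a resolver would, and reports which expected challenge values are still missing. The sample answer section is the one quoted in the thread; `expected` is whatever certbot printed at its prompt.

```python
import re

# Constructed sample input: the dig answer section quoted in this thread.
SAMPLE_DIG = """\
_acme-challenge.betafox.net. 3600 IN CNAME betafox.net.letsencrypt.vdeck.eigdyn.com.
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "BbAr7OH5xbjLcaPqwdo-qgLhoqO9rxfLA0B2w5YykA8"
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "lHTV8dZPFXJXHUlNtYW9kcLZXWtHKfYzKGoXbxkNyt8"
"""

# owner  ttl  IN  type  rdata   (only CNAME and TXT matter for dns-01)
RR_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.+)$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_answer(text):
    """Return {owner: [(rtype, rdata), ...]} from dig answer lines."""
    records = {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, other record types
        owner, rtype, rdata = m.groups()
        records.setdefault(owner.lower(), []).append((rtype, rdata))
    return records


def txt_values(records, name, max_hops=8):
    """Collect the TXT strings at name, following CNAMEs like a resolver."""
    name = name.lower().rstrip('.') + '.'
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError('CNAME loop at ' + name)
        seen.add(name)
        rrs = records.get(name, [])
        cnames = [r for t, r in rrs if t == 'CNAME']
        if cnames:
            name = cnames[0].lower()  # an owner may have only one CNAME
            continue
        # TXT rdata can be several quoted strings; concatenate as DNS does
        return {''.join(QUOTED_RE.findall(r)) for t, r in rrs if t == 'TXT'}
    raise ValueError('too many CNAME hops from ' + name)


def missing_values(records, name, expected):
    """Return the expected challenge values not yet visible in DNS."""
    return sorted(set(expected) - txt_values(records, name))
```

Run it against `dig +noall +answer _acme-challenge.betafox.net txt @ns1.domain.com` and again against `@ns2.domain.com`; only when `missing_values` is empty for both is it safe to press Enter at the certbot prompt.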
Thanks for the information, but I don't know how to use acme-dns yet... It'd be great to automate the process. I chose the manual method because it seemed fast and less complex for newbies like me.
Maybe the non-wildcard hostname has already been verified through another challenge earlier. Let's Encrypt caches valid validations for 30 days. If you've gotten a certificate for betafox.net earlier e.g. using the http-01 challenge, it might be that now you just have to validate *.betafox.net to complete the entire thing.
A CNAME entry won't satisfy the TXT record request.
It will only defer the request to another site.
Think of it like call forwarding...
I call your phone number... You either:
- answer it and then answer my question, or
- forward the call to another person who now must answer the ringing phone and also answer my question.
[without an answer to the question, no cert will be issued]
Well, now Firefox (the browser I'm using) says some parts of my page aren't secure (images, to be more precise). Both my subdomain and domain sites are powered by the same CMS (WordPress) and do nearly the same thing; the only difference will be the language.