A few days ago I successfully installed an SSL certificate for my main site, and it renews automatically. I want to publish many sites as subdomains, so I took an interest in Certbot's wildcard certificate feature. Every time I try to verify my domain ownership it fails, and I heard it takes some hours for a DNS TXT record to propagate. The problem is that I can't keep the prompt running for a long time, because it would eventually time out or I could lose the connection to my remote server.
I ran this command:
sudo certbot -i nginx --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.betafox.net -d betafox.net
It produced this output:
Incorrect TXT record
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
Kamatera Cloud Express
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
You could use the screen application to run certbot so it won't quit if your terminal is disconnected.
But even better is to automate the adding and removing of the TXT record through an API. It looks like "domain.com" (your DNS provider, right?) offers some kind of method for managing your domain through Google Workspace: Domain Connect | Domain.com
It has two -d keywords so the DNS challenge will prompt you with data to enter for two TXT records. I do not know how your DNS provider supports that but with Amazon Route53 (one I can test) I have one TXT record with two values on separate lines.
If I do not have both values I get the same error you show. You should check again that both values were correctly entered in the DNS zone records.
And, use the googleapps toolbox link shown in the prompt to confirm.
Some DNS providers allow multiple TXT records with the same name but each having a different value. I was just trying to say there are different methods depending on the DNS provider and interface or its api. In any case, with two domains you will need two TXT values.
If you omit the -d betafox.com from the command it will only need one value but the cert will not cover that exact name - only names matching the wildcard.
To propagate where? I don't know how domain.com manages the DNS records, but it usually takes seconds or a few minutes, not hours... I mean, the only name servers those records must propagate to are your own DNS servers (ns1.domain.com and ns2.domain.com). Indeed, you can check when the TXT records have been updated by asking your name servers.
If both records have been updated on both name servers then you can tell certbot to continue.
Or if you don't mind using another client, acme.sh provides a DNS alias mode that could be useful here. You would need to create CNAME records in your current DNS servers and use another domain (or one subdomain of your current domain) that could be hosted on another DNS server that allows updating the records via a DNS plugin supported by acme.sh (and there are tons of them).
Note: there are some free DNS servers out there that could serve this purpose, such as dynv6.
Another solution using certbot could be to use acme-dns.
Also, I see you have been playing with your TXT DNS records:
$ dig _acme-challenge.betafox.net txt
_acme-challenge.betafox.net. 3600 IN CNAME betafox.net.letsencrypt.vdeck.eigdyn.com.
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "BbAr7OH5xbjLcaPqwdo-qgLhoqO9rxfLA0B2w5YykA8"
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "lHTV8dZPFXJXHUlNtYW9kcLZXWtHKfYzKGoXbxkNyt8"
And that is basically what I'm proposing with acme.sh DNS alias mode or with acme-dns but in a way you can automate it.
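An added example, not written by anyone in this thread, of the check suggested above: before telling certbot to continue, confirm that every TXT value it printed is visible at the _acme-challenge name, following the CNAME the way a resolver would. It parses dig-style answer lines (the sample below is constructed from the output quoted in this thread) instead of querying a server, so it runs offline; against real name servers you would feed it the output of dig @ns1.domain.com and dig @ns2.domain.com.

```python
import re
from typing import List, Set, Tuple

CHALLENGE = "_acme-challenge.betafox.net."

# Constructed sample answer section, modelled on the dig output quoted above.
SAMPLE_DIG = """\
_acme-challenge.betafox.net. 3600 IN CNAME betafox.net.letsencrypt.vdeck.eigdyn.com.
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "BbAr7OH5xbjLcaPqwdo-qgLhoqO9rxfLA0B2w5YykA8"
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "lHTV8dZPFXJXHUlNtYW9kcLZXWtHKfYzKGoXbxkNyt8"
"""

# owner  TTL  IN  TYPE  rdata  (only CNAME and TXT matter for dns-01)
RR = re.compile(r'^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.+)$')


def parse_answer(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) triples from dig-style answer lines."""
    out = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            out.append((m.group(1).lower(), m.group(2), m.group(3)))
    return out


def txt_values(records: List[Tuple[str, str, str]], name: str, max_hops: int = 8) -> Set[str]:
    """Collect TXT strings at `name`, following a CNAME chain like a resolver does."""
    name = name.lower()
    for _ in range(max_hops):
        txts = set()
        for owner, rtype, rdata in records:
            if owner == name and rtype == "TXT":
                # TXT rdata may be split into several quoted strings; join them.
                txts.add("".join(re.findall(r'"([^"]*)"', rdata)))
        if txts:
            return txts
        cnames = [r[2].lower() for r in records if r[0] == name and r[1] == "CNAME"]
        if not cnames:
            return set()
        name = cnames[0]
    return set()  # CNAME loop or chain too long: treat as not ready


def ready_for_certbot(dig_text: str, expected: List[str]) -> Tuple[bool, Set[str]]:
    """True only when every value certbot asked for is present; also returns what is missing."""
    present = txt_values(parse_answer(dig_text), CHALLENGE)
    missing = set(expected) - present
    return (not missing, missing)
```

With two -d names certbot prints two values, and the check only passes when both are served; run it once per authoritative name server, since each must answer correctly.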
Maybe the non-wildcard hostname has already been verified through another challenge earlier. Let's Encrypt caches valid validations for 30 days. If you've gotten a certificate for betafox.net earlier e.g. using the http-01 challenge, it might be that now you just have to validate *.betafox.net to complete the entire thing.
Well, now Firefox (the browser I'm using) says some parts of my page aren't secure (images, to be more precise). Both my subdomain and domain sites are powered by the same CMS (WordPress) and are doing nearly the same thing; the only change will be in the language.