Issues deploying wildcard certificate with certbot

Hi,

A few days ago I successfully installed an SSL certificate for my main site and it renews automatically. I want to publish many sites as subdomains, so I took an interest in Certbot's wildcard cert feature. Every time I try to verify my domain ownership it fails, and I heard it takes some hours for a DNS TXT record to propagate. The problem is that I can't keep the prompt running for a long time, because it'd eventually time out or I could lose the connection to my remote server.

My earlier verification error response was

My domain is:

I ran this command:
sudo certbot -i nginx --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.betafox.net -d betafox.net
It produced this output:
Incorrect TXT record
My web server is (include version):
Nginx 1.20.1
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
Kamatera Cloud Express
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Certbot 1.20.0

1 Like

You could use the application screen to run certbot in screen so it won't quit if your terminal is disconnected.

But even better is to automate the adding and removing of the TXT record through an API. It looks like "domain.com" (your DNS provider, right?) offers some kind of method for managing your domain through Google Workspace: Domain Connect | Domain.com

However, I don't know what that is exactly.

An even better alternative (IMHO) is to use GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

5 Likes

@UltraBurstXD I agree with @Osiris that it is ideal to automate this.

But, just looking at your manual command:

It has two -d keywords so the DNS challenge will prompt you with data to enter for two TXT records. I do not know how your DNS provider supports that but with Amazon Route53 (one I can test) I have one TXT record with two values on separate lines.

If I do not have both values I get the same error you show. You should check again that both values were correctly entered in the DNS zone records.

And, use the googleapps toolbox link shown in the prompt to confirm.

4 Likes

I contacted domain.com and asked for API access, but their support staff said they didn't offer that yet. As for Google Workspace, I haven't given it a try yet, but it appears complex and costly.

1 Like

Hmm... My DNS Provider doesn't support that, unfortunately. Well, my FQDN already has SSL cert. I'll omit the redundant command next time.

1 Like

Some DNS providers allow multiple TXT records with the same name but each having a different value. I was just trying to say there are different methods depending on the DNS provider and interface or its api. In any case, with two domains you will need two TXT values.

If you omit the -d betafox.net from the command it will only need one value, but the cert will not cover that exact name - only names matching the wildcard.

See this thread for some helpful tips.

3 Likes

It seems I can't issue a wildcard cert for my subdomains... There's only a challenge for the FQDN, now that I look more carefully.

1 Like

@UltraBurstXD It would be helpful to see the whole sequence. Go ahead and complete it best you can and post the series here. Use three backticks ``` before and after the text you copy / paste to here.

3 Likes

Hello @UltraBurstXD,

To propagate where? I don't know how domain.com manages the DNS records, but it usually takes seconds or a few minutes, not hours... I mean, the only name servers to which those records must be propagated are your own DNS servers (ns1.domain.com and ns2.domain.com). Indeed, you can check when the TXT records have been updated by asking your name servers.

dig @ns1.domain.com _acme-challenge.betafox.net txt
dig @ns2.domain.com _acme-challenge.betafox.net txt

If both records have been updated on both name servers then you can tell certbot to continue.

Or if you don't mind using another client, acme.sh provides a DNS Alias mode that could be useful here. You would need to create CNAME records in your current DNS servers and use another domain (or one subdomain of your current domain) that could be hosted on another DNS server that allows updating the records via a dns-plugin supported by acme.sh (and there are tons of them).

Note: there are some free dns servers out there that could serve for this purpose like dynv6.

Another solution using certbot could be to use acme-dns.

Also, I see you have been playing with your TXT DNS records:

$ dig _acme-challenge.betafox.net txt
_acme-challenge.betafox.net. 3600 IN    CNAME   betafox.net.letsencrypt.vdeck.eigdyn.com.
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "BbAr7OH5xbjLcaPqwdo-qgLhoqO9rxfLA0B2w5YykA8"
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "lHTV8dZPFXJXHUlNtYW9kcLZXWtHKfYzKGoXbxkNyt8"

And that is basically what I'm proposing with acme.sh DNS alias mode or with acme-dns but in a way you can automate it.

Cheers,
sahsanu

5 Likes

certbot certonly --manual  -d "*.betafox.net" -d betafox.net --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Only performs challenge for:
dns-01 challenge for betafox.net

Once. Shouldn't it be twice, like in this post?

1 Like

Those came by default.

Thanks for the information, but I don't know how to use acme-dns yet... It'd be great to automate the process. I chose the manual method because it seemed fast and less complex for newbies like me.

I added the TXT record requested by the failed challenge some hours ago to see if it'd propagate. Nothing has happened so far.

1 Like

Maybe the non-wildcard hostname has already been verified through another challenge earlier. Let's Encrypt caches valid validations for 30 days. If you've gotten a certificate for betafox.net earlier e.g. using the http-01 challenge, it might be that now you just have to validate *.betafox.net to complete the entire thing.

5 Likes

You should remove the CNAME record for _acme-challenge; it is taking precedence, so you can't view the newly added TXT record.

5 Likes

So, could I use a CNAME record in place of the TXT? I'll remove that troublesome record right away.

1 Like

A CNAME entry won't satisfy the TXT record request.
It will only defer the request to another site.
Think of it like call forwarding...
I call your phone number... You either:

  • answer it and then answer my question
  • forward the call to another who now must answer the ringing phone and also answer my question.

[without an answer to the question, no cert will be issued]

2 Likes
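To put sahsanu's dig check and the CNAME-precedence point above into one offline check (an added example, not code from anyone in this thread): the script parses the answer section of a `dig ... txt` query, follows any CNAME at `_acme-challenge` the way a resolver would, and reports whether every value certbot asked for is served at the end of the chain. The sample answer is constructed from the dig output quoted earlier in the thread; the function names are my own.

```python
import re

# Constructed sample modelled on the dig output quoted in the thread:
# a CNAME at _acme-challenge pointing to a name that holds two TXT values.
SAMPLE_DIG_ANSWER = """\
_acme-challenge.betafox.net. 3600 IN CNAME betafox.net.letsencrypt.vdeck.eigdyn.com.
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "BbAr7OH5xbjLcaPqwdo-qgLhoqO9rxfLA0B2w5YykA8"
betafox.net.letsencrypt.vdeck.eigdyn.com. 1 IN TXT "lHTV8dZPFXJXHUlNtYW9kcLZXWtHKfYzKGoXbxkNyt8"
"""

# owner, TTL, class IN, type, rdata  (dig answer-section layout)
RR_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.+)$')


def parse_answer(text):
    """Return {owner: {'CNAME': target-or-None, 'TXT': [values]}} from dig answer lines."""
    records = {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue                      # comments, blank lines, other RR types
        owner, rtype, rdata = m.groups()
        entry = records.setdefault(owner.lower(), {'CNAME': None, 'TXT': []})
        if rtype == 'CNAME':
            entry['CNAME'] = rdata.strip().lower()
        else:
            # TXT rdata may be split into several quoted strings; join them.
            entry['TXT'].append(''.join(re.findall(r'"([^"]*)"', rdata)))
    return records


def check_challenge(text, name, expected):
    """Follow CNAMEs from `name` (as a resolver does), then compare served TXT values."""
    records = parse_answer(text)
    current = name.lower().rstrip('.') + '.'
    chain = []
    # A CNAME at the owner name shadows any TXT added at that same name.
    while records.get(current, {}).get('CNAME') and len(chain) < 8:
        chain.append(current)
        current = records[current]['CNAME']
    served = set(records.get(current, {}).get('TXT', []))
    missing = sorted(set(expected) - served)
    return {
        'cname_chain': chain,          # non-empty: TXT at `name` itself is never consulted
        'txt_served_from': current,
        'missing': missing,
        'ok': not missing,
    }
```

Feed it the output of `dig @ns1.domain.com _acme-challenge.betafox.net txt` and the two values certbot printed; if `missing` is empty on both name servers, it is safe to let certbot continue.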

Indeed, it was. After its removal everything went smoothly.

3 Likes

Well, now Firefox (the browser I'm using) says some parts of my page aren't secure (images, to be more precise). Both my subdomain and domain sites are powered by the same CMS (WordPress) and are doing nearly the same thing; the only difference will be the language.

1 Like

I'll try to clear cache and browsing data

1 Like

That sounds like a mixed content type warning. Not related to the certs really.

See:

6 Likes
