Let's Encrypt fails with two TXT challenges by Mod_MD for wildcard certificates

My domain is: freigabe.center strategische-qualifizierung.de, zinal.app, zinal.center, zinal.eu, ...
I ran this command: Apache Mod_MD dns-01 challenge + custom nsupdate script
It produced this output: invalid TXT record
My web server is (include version): Apache 2.4.41
The operating system my web server runs on is (include version): Debian 10 Buster
My hosting provider, if applicable, is: own servers
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is: Apache 2.4.41


wildcard certificates need the domain itself and the wildcard domain (e.g. zinal.eu and *.zinal.eu).
This causes mod_md to generate two TXT records with different dns-01 challenges. Whenever two TXT records are created, the validation by Let's Encrypt fails with "Invalid TXT record".

I read Boulder loops over all TXT records and uses an OR-logic.

Does anyone have an idea why this does not work?
Thanx for any hint. :slight_smile:

1 Like

Have you tested this with a single domain (and in the test/staging environment)?
Were two new TXT records being created in your DNS zone?
How long did you wait for global DNS synchronization?

1 Like

Try chuck a 60 second sleep onto the end of your nsupdate script.

Depending on what TTL you use and how mod_md responds to challenges, you might also be encountering the (upto) 60 second cache on Let's Encrypt's resolvers.

i.e. Because the DNS question is the same, the resolver cache could be preventing the ACME server from seeing the second TXT record properly.


I thought Boulder didn't cache any DNS?

1 Like

thanks my issue has been fixed.


I seem to recall from previous discussions that it caches for the record's TTL or a max of 60 seconds whichever is lower. So if TTL is like 30 sec, it'll cache for 30 sec. If TTL is 5 min, it'll only cache for 60 sec.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.