Ok, so are you saying I need to have multiple _acme-challenge TXT records at the same time? I still do not understand how that would work. The LE DNS query would get a random response from GoDaddy in that scenario, right? In my zone, * is not a subdomain. Also, if you look at the logs, Certbot issues the same request for *.mountaintrips.com as for mountaintrips.com: both authorizations show the identifier “mountaintrips.com” - see logs below.
content-length: 487
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
location: https://acme-v02.api.letsencrypt.org/acme/order/72222906/2332907212
boulder-requester: 72222906
date: Fri, 14 Feb 2020 20:59:43 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 000119Ol7O15AVbr9zd2GkrZZSEJCOmBP3NUhpGSQVNC9u4
{
“status”: “pending”,
“expires”: “2020-02-21T20:59:43.880751746Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “*.mountaintrips.com”
},
{
“type”: “dns”,
“value”: “mountaintrips.com”
}
],
“authorizations”: [
“https://acme-v02.api.letsencrypt.org/acme/authz-v3/2818997906”,
“https://acme-v02.api.letsencrypt.org/acme/authz-v3/2818997907”
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/72222906/2332907212”
}
2020-02-14 12:59:43,929:DEBUG:acme.client:Storing nonce: 000119Ol7O15AVbr9zd2GkrZZSEJCOmBP3NUhpGSQVNC9u4
2020-02-14 12:59:43,930:DEBUG:acme.client:JWS payload:
2020-02-14 12:59:43,947:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/2818997906:
{
“protected”: “eyJub25jZSI6ICIwMDAxMTlPbDdPMTVBVmJyOXpkMkdrclpaU0VKQ09tQlAzTlVocEdTUVZOQzl1NCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMjgxODk5NzkwNiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83MjIyMjkwNiIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “”,
“signature”: “UODSTg0yIAmetwT_vSGuTda-0CrEfOeqJXeAstUbuyMhOYRsuUI3Y108iqM538UMFowmE1PWTarqbEll2iODysMsdEvbJqC6Hzct7gAvPafEs3VaqCDoX57vfXOZwDEpPrduwXPUmMrC3m3hrhc17y5YPcl3T2h7fiqIYo8WX3MlrOjr94hPCkD-_39dkar4FgrFv7c4aBqBeyjxIFFqFHe12blLafixo8-XDxvK0THqWFDlG6384qi7jWdF0nTma6vQasH71REqwuDsrc56SCgqu0GSDFguX0Rda5Vtbdl7uXm25SLicPrTVWT6k94Wh66H7dmdc9BagLoHfQ2M3w”
}
2020-02-14 12:59:44,002:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/2818997906 HTTP/1.1” 200 389
2020-02-14 12:59:44,003:DEBUG:acme.client:Received response:
HTTP 200
content-length: 389
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 72222906
date: Fri, 14 Feb 2020 20:59:43 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001IK4vVSJhXGnlA6_aNtx-bl7IByWPrA0lAFgbzoo1E5E
{
“identifier”: {
“type”: “dns”,
“value”: “mountaintrips.com”
},
“status”: “pending”,
“expires”: “2020-02-21T20:59:43Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997906/glTonA”,
“token”: “78sHNSOTnPuUkXd_KmqICLlF9YRg9ICjtQLFZIB4Vo8”
}
],
“wildcard”: true
}
2020-02-14 12:59:44,004:DEBUG:acme.client:Storing nonce: 0001IK4vVSJhXGnlA6_aNtx-bl7IByWPrA0lAFgbzoo1E5E
2020-02-14 12:59:44,005:DEBUG:acme.client:JWS payload:
2020-02-14 12:59:44,014:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/2818997907:
{
“protected”: “eyJub25jZSI6ICIwMDAxSUs0dlZTSmhYR25sQTZfYU50eC1ibDdJQnlXUHJBMGxBRmdiem9vMUU1RSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMjgxODk5NzkwNyIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83MjIyMjkwNiIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “”,
“signature”: “EtR5c-sLi7fOxy8qFUngCXFH30c_KDfar-fpvIxpRxtqqtNNbMjOUPtBHs9ae74Ptowl4bRjwp08IvZcoYw63NJtSUzM5PE3Oi4fJjiAVS8svzpTEWHZq7Y2FFZkZ64jKpRWGk6eR_ZAzGGDVkTP9NYPCQ3-07LyG0IdXtBpMPaMdZVbpQvn32NBZs56ZKTLTMKknDHJ17za5RbgKqKpwCo-x-QYHJokWjOk7dpW5wErV8AYNmbEKJKSb5H5leKYB5ELdJnf03IXwY6QdPliFpQleT1VO4t1WvlFp5v3T4gP12EOx26AzP_r_qQTRWL3pHrIAABcSrpPmjk02uPlLg”
}
2020-02-14 12:59:44,061:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/2818997907 HTTP/1.1” 200 795
2020-02-14 12:59:44,062:DEBUG:acme.client:Received response:
HTTP 200
content-length: 795
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 72222906
date: Fri, 14 Feb 2020 20:59:44 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 00015urcOSzm1pBl1OXtOyGf3nw70_9W8tMr1ORx4jbTuxM
{
“identifier”: {
“type”: “dns”,
“value”: “mountaintrips.com”
},
“status”: “pending”,
“expires”: “2020-02-21T20:59:43Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997907/lEsnfA”,
“token”: “Z7g1Q6R4NjJxyOssw_z020YISQBbbTWC4LnQj8i8Eo4”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997907/mA2FfQ”,
“token”: “Z7g1Q6R4NjJxyOssw_z020YISQBbbTWC4LnQj8i8Eo4”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997907/-A47jA”,
“token”: “Z7g1Q6R4NjJxyOssw_z020YISQBbbTWC4LnQj8i8Eo4”
}
]
}
2020-02-14 12:59:44,063:DEBUG:acme.client:Storing nonce: 00015urcOSzm1pBl1OXtOyGf3nw70_9W8tMr1ORx4jbTuxM
2020-02-14 12:59:44,064:INFO:certbot._internal.auth_handler:Performing the following challenges:
2020-02-14 12:59:44,064:INFO:certbot._internal.auth_handler:dns-01 challenge for mountaintrips.com
2020-02-14 12:59:44,064:INFO:certbot._internal.auth_handler:dns-01 challenge for mountaintrips.com
2020-02-14 12:59:44,068:INFO:certbot._internal.hooks:Running manual-auth-hook command: /etc/letsencrypt/renewal-hooks/pre/authenticate.sh
2020-02-14 13:01:14,611:INFO:certbot._internal.hooks:Running manual-auth-hook command: /etc/letsencrypt/renewal-hooks/pre/authenticate.sh
2020-02-14 13:02:45,325:INFO:certbot._internal.auth_handler:Waiting for verification…
2020-02-14 13:02:45,326:DEBUG:acme.client:JWS payload:
{
“type”: “dns-01”,
“resource”: “challenge”
}
2020-02-14 13:02:45,333:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997906/glTonA:
{
“protected”: “eyJub25jZSI6ICIwMDAxNXVyY09Tem0xcEJsMU9YdE95R2Yzbnc3MF85Vzh0TXIxT1J4NGpiVHV4TSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMjgxODk5NzkwNi9nbFRvbkEiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzIyMjI5MDYiLCAiYWxnIjogIlJTMjU2In0”,
“payload”: “ewogICJ0eXBlIjogImRucy0wMSIsIAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiCn0”,
“signature”: “n07VTkWbVxDNQ14A0oIO5GZMDOzFZwSgU2hQ6W_33o3uHq3V0EIUa842MBuwvobpNwlXk4NdPs_vQogc4oGJr6rz3iQA8_lL9eLxJ07oyhylgoE49mdX7J4lbdEbF_g_JizYrcKUGxnBcP_X2tO5TFpRiuzlt1eOn3LKDo_wQ2Ea6HhZX9aJjifBFrPCSr4546xlksGgFSUtWJwdZvWR96-QRjtbSIJnRy243rL8XbJIU3uCq5Z4686psBqLFQih7GcrLSMDWvAfcE6Cob_JLqcIRgibjLFqdpjnQNTvdlG0ULjUFAk4Nrl5cFujpaJuxxxqKBwjy_6KdpaLxtQIhA”
}
2020-02-14 13:02:45,386:DEBUG:urllib3.connectionpool:“POST /acme/chall-v3/2818997906/glTonA HTTP/1.1” 200 184
2020-02-14 13:02:45,387:DEBUG:acme.client:Received response:
HTTP 200
content-length: 184
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-v02.api.letsencrypt.org/acme/authz-v3/2818997906;rel=“up”
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997906/glTonA
boulder-requester: 72222906
date: Fri, 14 Feb 2020 21:02:45 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002J1ITVU7Rrinr_3NBHt17WQAVGF0vEnkitxzvX1_WR2Q
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997906/glTonA”,
“token”: “78sHNSOTnPuUkXd_KmqICLlF9YRg9ICjtQLFZIB4Vo8”
}
2020-02-14 13:02:45,388:DEBUG:acme.client:Storing nonce: 0002J1ITVU7Rrinr_3NBHt17WQAVGF0vEnkitxzvX1_WR2Q
2020-02-14 13:02:45,389:DEBUG:acme.client:JWS payload:
{
“type”: “dns-01”,
“resource”: “challenge”
}
2020-02-14 13:02:45,395:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997907/mA2FfQ:
{
“protected”: “eyJub25jZSI6ICIwMDAySjFJVFZVN1JyaW5yXzNOQkh0MTdXUUFWR0YwdkVua2l0eHp2WDFfV1IyUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMjgxODk5NzkwNy9tQTJGZlEiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzIyMjI5MDYiLCAiYWxnIjogIlJTMjU2In0”,
“payload”: “ewogICJ0eXBlIjogImRucy0wMSIsIAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiCn0”,
“signature”: “ggVd7T8gfVK2SrTcucEb7b6jFXQmLR19BlwaRZfX7rhZbnExFDumrtLBFKs_irZujCbJ2LOBB9TI7-RF_wyePriOrVnqNjwVVYR_eFxIjhz6AjAjtU2vNRAbHQyXWBOw3Wn6uIQ8eA4oDAW1P1FA1fAgLbAMhpW8Ck6rupVljRbPccvw34gdJD8K8nWP03nACZVaLzf9ls1PWdgGuQckgGvmJwxOTZzk5aWThv-Gl-k2exJ5ph2K1IhR7RhzMuY4RWh2UdNciIDPhkzWW5dGf3RYCda31u80hhra_MtsXWU9uRyHSc_2tp5PXDNICt-5wgeCtNff1BY3pxqh5D-CLw”
}
2020-02-14 13:02:45,445:DEBUG:urllib3.connectionpool:“POST /acme/chall-v3/2818997907/mA2FfQ HTTP/1.1” 200 184
2020-02-14 13:02:45,446:DEBUG:acme.client:Received response:
HTTP 200
content-length: 184
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-v02.api.letsencrypt.org/acme/authz-v3/2818997907;rel=“up”
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997907/mA2FfQ
boulder-requester: 72222906
date: Fri, 14 Feb 2020 21:02:45 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002hqCUciUymD1mjtO9hgqwpmi4xRN4vTNkpFcrsN9Co3g
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997907/mA2FfQ”,
“token”: “Z7g1Q6R4NjJxyOssw_z020YISQBbbTWC4LnQj8i8Eo4”
}
2020-02-14 13:02:45,447:DEBUG:acme.client:Storing nonce: 0002hqCUciUymD1mjtO9hgqwpmi4xRN4vTNkpFcrsN9Co3g
2020-02-14 13:02:46,449:DEBUG:acme.client:JWS payload:
2020-02-14 13:02:46,454:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/2818997906:
{
“protected”: “eyJub25jZSI6ICIwMDAyaHFDVWNpVXltRDFtanRPOWhncXdwbWk0eFJONHZUTmtwRmNyc045Q28zZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMjgxODk5NzkwNiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83MjIyMjkwNiIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “”,
“signature”: “WTQ-SiRLzFcNCPq5waI_SP9Krc4oYrgDI6jWTGkTdCsgkV0KQXuqj8daIakIvOpCK0QK0HR6AbRjomDqqn93dIGnPyLO_TY28xwO9MRfZlNJ6IbwQSd2y8LK_gcThJqtpZm59_4gqCnYZSB1CIy_FV-bEbMfpmr14J34TUOBV3ZQ2jBd6dq3guQ0ALQPHCwhf0cJrOy14RCcDh0ycYEZC_CJa8XOiyfNwm-v-LFXhji3H6vKlEq2yLGqfMAp5XqEo0kPUbMS6AVae9gvWQLhyPeEA4-kXJEHskI0o4LecCKZKu-PPh3yajM_xN4_TduaBcU5mOzqcZIToOrb7Z2tHA”
}
2020-02-14 13:02:46,498:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/2818997906 HTTP/1.1” 200 629
2020-02-14 13:02:46,499:DEBUG:acme.client:Received response:
HTTP 200
content-length: 629
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 72222906
date: Fri, 14 Feb 2020 21:02:46 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002pTLCpq-EJ9YOr4f-JC2mzN-YelAHgdNi-ZQ_ifxBtRw
{
“identifier”: {
“type”: “dns”,
“value”: “mountaintrips.com”
},
“status”: “invalid”,
“expires”: “2020-02-21T20:59:43Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Incorrect TXT record “h_O_dPHpTQIkmGgooCMDPsQ2Z16W5auV09GCRohIB4Q” found at _acme-challenge.mountaintrips.com”,
“status”: 403
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997906/glTonA”,
“token”: “78sHNSOTnPuUkXd_KmqICLlF9YRg9ICjtQLFZIB4Vo8”
}
],
“wildcard”: true
}
2020-02-14 13:02:46,499:DEBUG:acme.client:Storing nonce: 0002pTLCpq-EJ9YOr4f-JC2mzN-YelAHgdNi-ZQ_ifxBtRw
2020-02-14 13:02:46,501:DEBUG:acme.client:JWS payload:
2020-02-14 13:02:46,506:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/2818997907:
{
“protected”: “eyJub25jZSI6ICIwMDAycFRMQ3BxLUVKOVlPcjRmLUpDMm16Ti1ZZWxBSGdkTmktWlFfaWZ4QnRSdyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMjgxODk5NzkwNyIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83MjIyMjkwNiIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “”,
“signature”: “q51-eWyKsp3iMvGd_DW63YHKpYzAMQnm4-TCAYA0qugsPosPbMqBv5fdYZo5y9PgMgirOPmUSu1o_0Ocg_n9aQTYmp51nV7OYU-txX6x2rL5r_P4mai15OOkJgJb-P8zvyF1inr8Huld533l07zFH8O9A5NI9lyz4oWoYMjGrXmwE2wbQ-3vY2usvjN7ZPvQbl6U7ZPOmqV5tameMl4E4tYNVjVUuvUSnrfqTlf5wpR825L6V25KxBFUF0tG96dKiBNz7wOx3UCsF1Wzfp2wOdmd8N8o9VR-ThOeTCt57AFLU0GTnLsWruDgIu6fvVEAGogTEhqyOdiZcCEHB9X5ZA”
}
2020-02-14 13:02:46,550:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/2818997907 HTTP/1.1” 200 464
2020-02-14 13:02:46,551:DEBUG:acme.client:Received response:
HTTP 200
content-length: 464
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 72222906
date: Fri, 14 Feb 2020 21:02:46 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001CFma0RwhK-JcgEDwGqbG_upuX4lEquPX9OuLmdX9pDk
{
“identifier”: {
“type”: “dns”,
“value”: “mountaintrips.com”
},
“status”: “valid”,
“expires”: “2020-03-15T21:02:45Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “valid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2818997907/mA2FfQ”,
“token”: “Z7g1Q6R4NjJxyOssw_z020YISQBbbTWC4LnQj8i8Eo4”,
“validationRecord”: [
{
“hostname”: “mountaintrips.com”
}
]
}
]
}
2020-02-14 13:02:46,551:DEBUG:acme.client:Storing nonce: 0001CFma0RwhK-JcgEDwGqbG_upuX4lEquPX9OuLmdX9pDk
2020-02-14 13:02:46,552:WARNING:certbot._internal.auth_handler:Challenge failed for domain mountaintrips.com
2020-02-14 13:02:46,552:INFO:certbot._internal.auth_handler:dns-01 challenge for mountaintrips.com
2020-02-14 13:02:46,553:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:
Domain: mountaintrips.com
Type: unauthorized
Detail: Incorrect TXT record “h_O_dPHpTQIkmGgooCMDPsQ2Z16W5auV09GCRohIB4Q” found at _acme-challenge.mountaintrips.com