Multiple level (sub)domains & manual hooks

I’m trying to get some answers from the documentation to no avail.

Let’s say you’re running certbot for a multiple level domain like this:

certbot ... -d domain.com *.domain.com *.sub.domain.com ... --manual-auth-hook "myscript.sh"

I understand that myscript.sh will be called 3 times with env variables:

CERTBOT_DOMAIN and CERTBOT_VALIDATION

Now, let’s focus on the call for validating *.sub.domain.com:

Do I need to set a TXT record on _acme-challenge.sub.domain.com or on _acme-challenge.domain.com?

What is it going to be the global variable CERTBOT_DOMAIN for myscript.sh for validating *.sub.domain.com?

Thanks

EDIT: CERTBOT_DOMAIN is "sub.domain.com"

1 Like

Yes.
It basically "_acme-challenge" replaces the "*" in the wildcard request.

1 Like

Yes to what option?

_acme-challenge.sub.domain.com

or

_acme-challenge.domain.com

Also, what’s going to be CERTBOT_DOMAIN ?

Thanks!

A request for both of those would require TWO _acme-challenge TXT records:

  1. _acme-challenge.domain.com
  2. _acme-challenge.sub.domain.com

So, yes, it's not an "a" OR "b" question.

1 Like

OK, great.

Now, how is myscript.sh going to know that I need to set _acme-challenge.sub.domain.com?
Will CERTBOT_DOMAIN be sub.domain.com when called for validating *.sub.domain.com?

Thanks again

1 Like

I’m not 100% certain - but it is NOT “domain.com
It is either “*.sub.domain.com” or “sub.domain.com”.

Perhaps you can test with --staging / --dry-run
Add an echo %var% >> log.file to your script and see what value is there

1 Like

CERTBOT_DOMAIN doesn’t include the “*.”.

In that case, it would be “sub.domain.com”.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.