One certificate for both base domain and its wildcard


#1

Hi,

I’d like to use certbot to apply one certificate for both base domain and its wildcard,

./certbot-auto certonly -d mydomain.net,*.mydomain.net --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Result failed with the error below.
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.net with the following value:

89opX…XCm89

Before continuing, verify the record is deployed.

Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.net with the following value:

R9o7…cKXdE

Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mydomain.net (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “89opX…XCm89” found at _acme-challenge.mydomain.net

It uses the same DNS TXT record “_acme-challenge.mydomain.net” to verify both mydomain.net and *.mydomain.net, which leads the failure.

Any help?
Thanks in advance.

Allen


#2

Hi @Alien,

You must add both TXT records under the same subdomain _acme-challenge.mydomain.net, I mean, you shouldn’t replace one with the other, you must create two different TXT records under the same subdomain. Your DNS provider should and must allow to add multiple TXT records under the same subdomain.

Cheers,
sahsanu


#3

Hi sahsanu,
Thanks for your quick help. Actually I added both records, but failed.
But I had a retry just now when seeing your comment and wait few more seconds after adding the second records.
Now it works! :star_struck:


#4

Glad you get it working. When you add a new record to your DNS server, you should wait till all the DNS servers listed for your domain have been updated with this new info. I mean, if your domain is mydomain.net and your dns servers are:

ns1.dnsprovider.tld
ns2.dnsprovider.tld
ns3.dnsprovider.tld

You must wait till the 3 servers have been updated with the new added/modified record because Let’s Encrypt will choose one of them randomly and maybe the choosed one has not been updated yet.

Cheers,
sahsanu


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.