Hello,
I have problems with the renewal of all my wildcard domains.
The _acme-challenge TXT entry is set correctly and also can be resolved externally e.g. MX Toolbox.
When I press “Continue” I get an error which says that an incorrect TXT record was found. I don’t have any idea where this record comes from, definitely not from the domain’s _acme-challenge TXT record:
Please share the list of domain names you want to have in one certificate.
In “Help”, there is a list of questions:
–
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
What should the second _acme-challenge record contain?
If I set up a second one manually with a random value, it gets deleted during the Let’s Encrypt renewal process.
I have to split up my posts because I only can use one image at a time.
Let’s Encrypt says it found an incorrect _acme-challenge record that doesn’t fit the one it set by itself nor the one I manually added before. So it must be looking at another place.
one with *.neverlands.at neverlands.at (13.07.2018)
one with neverlands.at webmail.neverlands.at www.neverlands.at (04.07.2018)
And you use (2). Did you create all certificates via Plesk?
So one time it worked. Is it possible that there is a list of all active certificates? So you can delete (1) + (3)?
It’s also possible that there is an internal error. If you want certificate (2), the certificate is not allowed to have a third name like www.neverlands.at.
There are curious things:
Your domain:
nslookup -type=txt _acme-challenge.neverland.at.
_acme-challenge.neverland.at text =
"11193eb3248b065ba852889311358195e9f21ed6"
_acme-challenge.neverland.at text =
"v=spf1 -all"
My own domain with the last working TXT entry:
nslookup -type=txt _acme-challenge.server-daten.de.
_acme-challenge.server-daten.de text =
"d0xivWiWzkAOK5osbODQw6JDUsygUE3bEMTfNvdp4Cc"
First, you also have an SPF record under _acme-challenge. Second, your TXT entry
"11193eb3248b065ba852889311358195e9f21ed6"
looks like it is only a hexadecimal-encoded string. But this is wrong. It must be a base64url-encoded string.
If you want one certificate with two domain names *.neverland.at neverland.at, you get two challenges, so there are two challenge tokens (long random values).
So the Let’s Encrypt client has to create two entries
_acme-challenge.neverland.at
with two computed values: token + hash value of the public key -> SHA256 -> base64url.
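The computation described in the post above, written out as an added example (this is not code from the thread, from Plesk or from any Let’s Encrypt client): per RFC 8555 §8.4 the TXT value is base64url(SHA-256(token "." thumbprint)), where the thumbprint is the RFC 7638 thumbprint of the ACME account key’s JWK. Because the apex name and the wildcard both map to the same _acme-challenge label, two TXT records with different values must coexist at that name during validation. The account key, the tokens and the DNS answer below are constructed placeholders; for a real run you would pass your account key’s JWK, the token from each authorization, and the TXT strings returned by the authoritative nameservers. The triage of leftover records (SPF record, hex-looking string) mirrors the nslookup output quoted above.

```python
"""Compute ACME DNS-01 TXT values and compare them with what DNS actually serves."""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """base64url (RFC 4648 section 5) without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key.

    Only the required members of the key type are hashed, in lexicographic
    order, serialised with no whitespace.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects at _acme-challenge.<name> (RFC 8555 section 8.4).

    key authorization = token || '.' || thumbprint(account key)
    TXT value         = base64url(SHA-256(key authorization))
    """
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def classify_txt(value: str) -> str:
    """Rough triage of a TXT string found at _acme-challenge."""
    if value.lower().startswith("v=spf1"):
        return "spf-record"          # belongs at the zone apex, not under _acme-challenge
    if re.fullmatch(r"[A-Za-z0-9_-]{43}", value):
        return "base64url-shaped"    # 32-byte SHA-256 digest -> 43 base64url characters
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hex-shaped"          # looks like a hex digest, never a valid ACME value
    return "other"


def check_challenge_records(expected, observed):
    """Report which expected values DNS serves and triage the leftovers.

    expected: TXT values computed by dns01_txt_value, one per authorization
              (e.g. one for example.com and one for *.example.com).
    observed: TXT strings actually returned for _acme-challenge.<name>.
    """
    expected = set(expected)
    observed = list(observed)
    found = sorted(v for v in observed if v in expected)
    missing = sorted(expected - set(observed))
    stale = [(v, classify_txt(v)) for v in observed if v not in expected]
    return {"found": found, "missing": missing, "stale": stale}


# Constructed sample inputs: NOT a real account key and NOT real tokens.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKENS = ("token-for-apex-name", "token-for-wildcard-name")
EXPECTED = [dns01_txt_value(t, SAMPLE_JWK) for t in SAMPLE_TOKENS]
# Constructed DNS answer modelled on the nslookup output in the thread: one
# correct value, one hex-looking leftover and an SPF record that does not belong.
OBSERVED = [EXPECTED[0], "11193eb3248b065ba852889311358195e9f21ed6", "v=spf1 -all"]

if __name__ == "__main__":
    print(json.dumps(check_challenge_records(EXPECTED, OBSERVED), indent=2))
```

Run against the constructed answer, the report lists the wildcard value as missing and flags the other two strings, which is the situation the thread describes: the CA sees a record that matches neither of the two values it expects. When comparing against real DNS, query each authoritative nameserver of the zone rather than a recursive resolver, since a cached old answer is exactly what makes a freshly published value look "incorrect".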
Hello Jürgen,
In the meantime I’ve been able to find the solution.
It was all about waiting… I had seen that Let’s Encrypt always found an “incorrect” _acme-challenge record that was one of the old ones it had set hours before.
So I started the renewal, waited some hours and then finished the process - that was it. I did it with all my other wildcard domains too. Somehow the Let’s Encrypt service gets the new record information much later - even if the record can already be found in other services like MX Toolbox.
Btw. there is still only one _acme-challenge record in the top-level domain DNS records, which seems to be the way it should be - Let’s Encrypt deletes all other entries during the renewal process anyway …
Many thanks for your efforts,
best regards,
Neverlands