The problem is that renewals on wildcards are failing on a custom renewal system when using these options:
--manual
--manual-public-ip-logging-ok
--preferred-challenges=dns-01
--manual-auth-hook /home/user/letsencrypt/automate_hook_auth.py
Turns out that when a wildcarded domain is about to be renewed, automate_hook_auth.py is receiving
“example.com” instead of “*.example.com”
and
“subdomain.example.com” instead of “*.subdomain.example.com”
This custom system works as follows:
automate_hook_auth.py sends the CERTBOT_DOMAIN and CERTBOT_VALIDATION pair to a tiny custom DNS server, which caches that pair in a map.
When the Let’s Encrypt validation server later queries for the CERTBOT_VALIDATION of that CERTBOT_DOMAIN via the public DNS system, the server looks up the domain in the map and answers with the validation code.
The problem is that since the wildcard is omitted in the CERTBOT_DOMAIN environment variable passed to the script, this erroneous ‘example.com’ will overwrite the map entry which was supposed to be for the real ‘example.com’.
So: the DNS server will receive one CERTBOT_VALIDATION for “example.com”, which is meant to be for “*.example.com”, followed by a CERTBOT_VALIDATION for the real “example.com”, which is supposed to go in the same certificate as the wildcard version of that domain. Since the DNS server receives two different CERTBOT_VALIDATION values for the same “example.com”, the last one overwrites the first CERTBOT_VALIDATION. So when queried for “*.example.com”, which is actually a query for “example.com” because DNS doesn’t allow wildcards, the returned CERTBOT_VALIDATION is the one for the real “example.com”, which doesn’t match the first one. So the certificate renewal will fail.
I’ve noted differences in capitalization arriving in the DNS server, like one time for “exAMPle.Org” and the second one “ExamPLE.oRG”. Is there a way to pass this capitalization to automate_hook_auth.py so that it can pass it to the DNS server and that one then can map a capitalization-sensitive version of the domain names and use that to distinguish which CERTBOT_VALIDATION is referred to?
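An added example (not the poster's code) of the overwrite described above and of the usual fix for it: the DNS side keeps every validation value it has been handed for a name and answers with all of them as separate TXT records, since the ACME server accepts any matching TXT record at `_acme-challenge.<name>`. The in-memory stores and the constructed hook environments stand in for the custom DNS server and the two certbot hook invocations; DNS names are case-insensitive, so capitalization is normalised away rather than used as a key.

```python
from collections import defaultdict

# Constructed sample of what certbot hands to the auth hook for a certificate
# covering "*.example.com" and "example.com": the hook runs twice and both
# runs see CERTBOT_DOMAIN="example.com" (the leading "*." is stripped).
HOOK_CALLS = [
    {"CERTBOT_DOMAIN": "example.com", "CERTBOT_VALIDATION": "tokenA-for-wildcard"},
    {"CERTBOT_DOMAIN": "example.com", "CERTBOT_VALIDATION": "tokenB-for-bare-name"},
]


def challenge_name(domain: str) -> str:
    """Name the ACME server will query; lower-cased because DNS names are
    case-insensitive, so capitalization cannot be relied on as a key."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.lower()


class OverwritingStore:
    """The behaviour in the post: one value per name, last write wins."""
    def __init__(self):
        self.map = {}

    def put(self, domain, validation):
        self.map[challenge_name(domain)] = validation

    def txt_records(self, qname):
        value = self.map.get(qname.lower())
        return [value] if value else []


class MultiValueStore:
    """Keep every validation for a name and return all of them, one TXT
    record each; the ACME server succeeds if any record matches."""
    def __init__(self):
        self.map = defaultdict(set)

    def put(self, domain, validation):
        self.map[challenge_name(domain)].add(validation)

    def txt_records(self, qname):
        return sorted(self.map.get(qname.lower(), ()))


def replay(store):
    """Feed both hook calls into a store, then answer the ACME server's query."""
    for env in HOOK_CALLS:
        store.put(env["CERTBOT_DOMAIN"], env["CERTBOT_VALIDATION"])
    return store.txt_records("_acme-challenge.example.com")
```

With the overwriting store the wildcard's token is gone by the time it is queried; with the multi-value store both tokens are served and both authorizations can pass.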