Testing DNS wildcard manual: challenge runs twice

I need a certificate for domain.tld and *.domain.tld, so I use the dns-01 challenge with the manual method and hooks to change the DNS values. It's tested with the latest Pebble, v2.2.2, and certbot 0.40.1.

I run a simple Pebble server and a fake DNS server to test. When I run this command, certbot works well:

REQUESTS_CA_BUNDLE=/app/app/3rd/pebble/chain.pem certbot certonly --manual --preferred-challenges dns --email samplemail@gmail.com --agree-tos -d '*.google.tld' -n --manual-auth-hook='/app/app/app certbot:auth-hook' --manual-cleanup-hook='/app/app/app certbot:cleanup-hook' --manual-public-ip-logging-ok --server https://127.0.0.1:14000/dir

Output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for google.tld
Running manual-auth-hook command: /app/app/app certbot:auth-hook
Output from manual-auth-hook command app:
google.tld
CEFikYe6IB6-RxjrZUF-sgOFChzDgoqywLGIFtwAad4
2019-11-22T12:16:10.857Z
CEFikYe6IB6-RxjrZUF-sgOFChzDgoqywLGIFtwAad4


Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: /app/app/app certbot:cleanup-hook
Output from manual-cleanup-hook command app:
undefined


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/google.tld/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/google.tld/privkey.pem
   Your cert will expire on 2024-11-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

And result:

cfssl certinfo -cert /etc/letsencrypt/live/google.tld/cert.pem 
{  
  "subject": {
    "common_name": "*.google.tld",
    "names": [
      "*.google.tld"
    ]
  },
  "issuer": {
    "common_name": "Pebble Intermediate CA 18c1c7",
    "names": [
      "Pebble Intermediate CA 18c1c7"
    ]
  },
  "serial_number": "8140426274814243292",
  "sans": [
    "*.google.tld"
  ],
  "not_before": "2019-11-22T12:16:17Z",
  "not_after": "2024-11-22T12:16:17Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "",
  "subject_key_id": "",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDGTCCAgGgAwIBAgIIcPiakS6PMdwwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UE\nAxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxOGMxYzcwHhcNMTkxMTIyMTIxNjE3\nWhcNMjQxMTIyMTIxNjE3WjAXMRUwEwYDVQQDDAwqLmdvb2dsZS50bGQwggEiMA0G\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4XGH8rnybiT15eMjGkK7HIs5fT808\naPGKOvQU8kLTg3s1OHYC+wVsl0mfnvHrWI3T8c8NX1dpzMPV3ARpgZlGObPGzqbh\nGerHzgB9dz3KlFvh8f2i3LA8BvjlV0tWac9RycDBOLfaLwh5X4UA4NdMTSYUutv3\nAjkkU0EUOnrKhtmKoSTyivGVbbFM/VvD+gkVezeqvFUHs1WrMKdvqwFdo7G/PndD\nnVFSYv8W3SVRuFo5dDirRPON++8B8dwjnMVkj82YOlxOtnNrzUQawKVqnPwPwaHn\n738Ao+E8j6IQRaCaMST2m534SqLlhauO8DOchv/qHxKZZSq9Kty+2HRVAgMBAAGj\nWDBWMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwDAYDVR0TAQH/BAIwADAXBgNVHREEEDAOggwqLmdvb2dsZS50bGQwDQYJKoZI\nhvcNAQELBQADggEBABQxslOVSamnBWiuZlrvnkAgsghLI/8yCQAAMiW6jA4N2UFz\nm8HKAXen1tNsCm2HQ5Y5l0E7c5GcM/s0LDqYlOfMBz0VamQ7FEy6niVJtMDPa5S2\n37atBbak4Jr5g4JEhUjxYhFtXe9Lm2ILnbMuv8DfX8mH9kkAvOA+fkyZ1Zp6zCbz\n4qfQas21zRTKDHJqpHWQx5UjEk4A8o0K/W+LQdTuutGG9TyudIPIdZdbM76uLj4f\nC2z/fsFy+g0asmn9QTzuJ9eGKkFZh3y6zlWeCM9BcAovOkkuhxRpWN4tFq+aVKAb\nDTl7WamDnkBIvuKWNRBgh4B8XIoAzX8MK/IwGlw=\n-----END CERTIFICATE-----\n"
}

After adding the exact same domain as well, to generate the wildcard together with the bare domain, a problem occurred. It seems the hooks run twice:

REQUESTS_CA_BUNDLE=/app/app/3rd/pebble/chain.pem certbot certonly --manual --preferred-challenges dns --email samplemail@gmail.com --agree-tos -d 'google.tld,*.google.tld' -n --manual-auth-hook='/app/app/app certbot:auth-hook' --manual-cleanup-hook='/app/app/app certbot:cleanup-hook' --manual-public-ip-logging-ok --server https://127.0.0.1:14000/dir
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for google.tld
dns-01 challenge for google.tld
Running manual-auth-hook command: /app/app/app certbot:auth-hook
Output from manual-auth-hook command app:
google.tld
CTekG-zg_c2xWZDYr27-bASvB2VaWo9xtZuTCNpl5PU
2019-11-22T12:19:21.929Z
CTekG-zg_c2xWZDYr27-bASvB2VaWo9xtZuTCNpl5PU


Running manual-auth-hook command: /app/app/app certbot:auth-hook
Output from manual-auth-hook command app:
google.tld
CJk_h5kzt1XExBgnMF6ut9gheRAluvgF_JrAoabOWBk
2019-11-22T12:19:23.233Z
CJk_h5kzt1XExBgnMF6ut9gheRAluvgF_JrAoabOWBk


Waiting for verification...
Challenge failed for domain google.tld
dns-01 challenge for google.tld
Cleaning up challenges
Running manual-cleanup-hook command: /app/app/app certbot:cleanup-hook
Output from manual-cleanup-hook command app:
undefined

Running manual-cleanup-hook command: /app/app/app certbot:cleanup-hook
Output from manual-cleanup-hook command app:
undefined

Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: google.tld
   Type:   unauthorized
   Detail: Correct value not found for DNS challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

And as you can see, the challenge failed with multiple domains.


Problem solved. I was replacing the _acme-challenge record; it must be appended as a new record for the domain.

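Added example, not code from the original poster or from certbot: a dns-01 hook pair that reproduces the failure above and the fix from the reply. When an order covers both `google.tld` and `*.google.tld`, certbot issues two dns-01 challenges that both live at the same name, `_acme-challenge.google.tld`, and runs the auth hook once per challenge before validating either. A hook that overwrites the TXT record set loses the first value, so the CA reports "Correct value not found" for one of them; a hook that appends keeps both, and the CA accepts as long as any TXT record at the name matches. The in-memory `ZONE` dict is a constructed stand-in for the fake DNS server in the post, and the state-file path in `main()` is an assumed location, not anything certbot defines; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables certbot really passes to manual hooks.

```python
"""Added example: dns-01 hooks that append TXT values instead of replacing."""
import base64
import hashlib
import json
import os
import sys

# Constructed stand-in for the post's fake DNS server: name -> set of TXT values.
ZONE = {}

# Assumed path for persisting the zone between hook invocations (not a certbot path).
STATE_FILE = "/tmp/acme-txt-state.json"


def challenge_name(domain):
    """dns-01 records for *.example.com live at _acme-challenge.example.com,
    so the bare name and the wildcard share one record set."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def dns01_txt_value(token, account_thumbprint):
    """TXT value per RFC 8555 section 8.4: base64url(SHA-256(token '.' thumbprint)),
    unpadded. certbot already passes this to the hook as CERTBOT_VALIDATION."""
    key_auth = ("%s.%s" % (token, account_thumbprint)).encode()
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def auth_hook(zone, domain, validation, replace=False):
    """replace=True reproduces the bug from the post; replace=False is the fix."""
    name = challenge_name(domain)
    if replace:
        zone[name] = {validation}                      # clobbers the first challenge
    else:
        zone.setdefault(name, set()).add(validation)   # append a second TXT record
    return sorted(zone[name])


def cleanup_hook(zone, domain, validation):
    """Remove only this challenge's own value; a sibling still pending stays."""
    name = challenge_name(domain)
    zone.get(name, set()).discard(validation)
    if name in zone and not zone[name]:
        del zone[name]


def ca_validate(zone, domain, validation):
    """The CA passes the challenge if ANY TXT record at the name matches."""
    return validation in zone.get(challenge_name(domain), set())


def issue(domains_and_values, replace=False):
    """Simulate certbot's ordering: all auth hooks, then all validations, then all
    cleanup hooks. Returns {domain: passed} and checks cleanup left nothing behind."""
    zone = {}
    for domain, value in domains_and_values:
        auth_hook(zone, domain, value, replace=replace)
    results = {d: ca_validate(zone, d, v) for d, v in domains_and_values}
    for domain, value in domains_and_values:
        cleanup_hook(zone, domain, value)
    assert not zone, "cleanup must leave no challenge records behind"
    return results


def main(argv):
    """Real hook entry point: `hook.py auth` or `hook.py cleanup`, driven by the
    CERTBOT_DOMAIN / CERTBOT_VALIDATION variables certbot exports to manual hooks.
    State is kept in STATE_FILE so the second invocation sees the first value."""
    zone = {}
    if os.path.exists(STATE_FILE):
        with open(STATE_FILE) as fh:
            zone = {k: set(v) for k, v in json.load(fh).items()}
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    if argv[1:] == ["auth"]:
        print("TXT", challenge_name(domain), auth_hook(zone, domain, validation))
    elif argv[1:] == ["cleanup"]:
        cleanup_hook(zone, domain, validation)
    else:
        raise SystemExit("usage: hook.py auth|cleanup")
    with open(STATE_FILE, "w") as fh:
        json.dump({k: sorted(v) for k, v in zone.items()}, fh)


if __name__ == "__main__":
    main(sys.argv)
```

Running `issue()` with the two validation strings from the failing log, first with `replace=True` and then with the default, shows exactly the post's outcome: in replace mode the first challenge fails and the second passes, in append mode both pass. In a real hook the same rule applies to the cleanup side: delete only the TXT record carrying your own `CERTBOT_VALIDATION`, otherwise cleanup of the first challenge removes the record the second one still needs.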