Trouble validating a wildcard certificate

I’m trying to validate a wildcard certificate for ‘*’ with a ‘dns-01’ challenge type.
The CSR includes the following fields:

  • CN: ‘*’
  • SAN: ‘DNS:*’,‘’

During phase I of the authorization process, I receive some challenge data for both domains ‘*’ and ‘’, with different resource values but an identical record ‘’.

I choose to update the DNS server with a TXT record for ‘’ matching the value intended for ‘*’, not the one intended for ‘’.

During phase II, I receive the following error:

Authorization for returned invalid:  ...
CHALLENGE: dns-01 DETAILS: Incorrect TXT record <challenge data matching *> found at"
  • Why is let’s encrypt server trying the data matching ‘’ instead of ‘*’?
  • If I update the DNS TXT record for ‘’ with the value expected for ‘’, would the certificate still be a wildcard?
  • should I invert the domains in the CSR SAN field?
  • or should I remove ‘*’ from the CSR SAN field?
1 Like

You’re requesting both hostnames: the wildcard certificate and the base domain. Do note that this is good: the wildcard hostname would not cover just the base domain name.

Don’t update, but add that value. Your DNS system should be able to add two TXT values for the same _acme-challenge hostname.

What do you mean by inverting?

That way you won’t get a wildcard certificate.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.