I’m trying to validate a wildcard certificate for ‘*.sdxlive.com’ with a ‘dns-01’ challenge type.
The CSR includes the following fields:
- CN: ‘*.sdxlive.com’
- SAN: ‘DNS:*.sdxlive.com’, ‘DNS:sdxlive.com’
During phase I of the authorization process, I receive some challenge data for both domains ‘*.sdxlive.com’ and ‘sdxlive.com’, with different resource values but an identical record ‘_acme-challenge.sdxlive.com’.
I choose to update the DNS server with a TXT record for ‘_acme-challenge.sdxlive.com’ matching the value intended for ‘*.sdxlive.com’, not the one intended for ‘sdxlive.com’.
During phase II, I receive the following error:
Authorization for dns:sdxlive.com returned invalid: ...
CHALLENGE: dns-01 DETAILS: Incorrect TXT record <challenge data matching *.sdxlive.com> found at _acme-challenge.sdxlive.com...
- Why is the Let’s Encrypt server trying the data matching ‘sdxlive.com’ instead of ‘*.sdxlive.com’?
- If I update the DNS TXT record for ‘_acme-challenge.sdxlive.com’ with the value expected for ‘sdxlive.com’, would the certificate still be a wildcard?
- Should I invert the domains in the CSR SAN field?
- Or should I remove ‘*.sdxlive.com’ from the CSR SAN field?
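The situation in the post follows directly from how dns-01 is specified (RFC 8555 §7.1.3 and §8.4): the CA strips the leading "*." when it builds the validation name, so ‘*.sdxlive.com’ and ‘sdxlive.com’ both validate at ‘_acme-challenge.sdxlive.com’, each with its own token and therefore its own TXT value. Both values have to be published at that one name at the same time, as two TXT records, because each authorization is checked independently. The following Python script is an added example, not code from the post or from any ACME client: it computes the RFC 7638 account-key thumbprint and the dns-01 TXT values for the two authorizations, derives the shared record name, and reports which values a zone is still missing. The account JWK and the two tokens are constructed stand-ins for the real ones a CA would issue.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """RFC 4648 base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """RFC 8555 section 7.1.3: the '*.' label is dropped, so wildcard and apex share one name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def required_txt_records(authorizations, thumbprint: str) -> dict:
    """Map each _acme-challenge name to the set of TXT values that must ALL be published there."""
    records: dict = {}
    for identifier, token in authorizations:
        name = challenge_record_name(identifier)
        records.setdefault(name, set()).add(dns01_txt_value(token, thumbprint))
    return records


def missing_txt_records(required: dict, published: dict) -> dict:
    """Values the CA will fail to find, given the TXT values the zone currently answers with."""
    missing = {}
    for name, values in required.items():
        absent = values - set(published.get(name, ()))
        if absent:
            missing[name] = absent
    return missing


# Constructed account key (not a real key; only the JWK members feed the thumbprint).
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB"}

# Constructed tokens standing in for the two authorizations the CA issued.
AUTHORIZATIONS = [
    ("*.sdxlive.com", "tok-wildcard-constructed"),
    ("sdxlive.com", "tok-apex-constructed"),
]


def main() -> None:
    thumbprint = jwk_thumbprint(ACCOUNT_JWK)
    required = required_txt_records(AUTHORIZATIONS, thumbprint)
    name = challenge_record_name("*.sdxlive.com")
    wildcard_value = dns01_txt_value(AUTHORIZATIONS[0][1], thumbprint)
    apex_value = dns01_txt_value(AUTHORIZATIONS[1][1], thumbprint)

    print(f"{name} needs {len(required[name])} TXT records:")
    for value in sorted(required[name]):
        print(f'  {name}. IN TXT "{value}"')

    # Scenario from the post: only the wildcard value is published, so the apex authorization fails.
    print("missing with wildcard value only:", missing_txt_records(required, {name: [wildcard_value]}))
    # Fix: both values present as two TXT records at the same name.
    print("missing with both values:", missing_txt_records(required, {name: [wildcard_value, apex_value]}))


if __name__ == "__main__":
    main()
```

After adding the second record, confirm the authoritative server returns both values, for instance with `dig +short TXT _acme-challenge.sdxlive.com @<authoritative nameserver>`, before asking the CA to validate; the CSR's CN/SAN order does not affect which name the challenge uses, and adding the apex value does not remove the wildcard one, so the certificate stays a wildcard.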