Unable to create/renew wildcard SSL certificate

Hey there,

I’m trying to create a wildcard SSL cert for lumbergeek.ca & *.lumbergeek.ca. Cert creation fails because of an inaccurate txt record.

If I only create the certificate for *.lumbergeek.ca it creates, but doesn’t verify. If I create the certificate for woody.lumbergeek.ca, it creates but doesn’t verify. Both fail because of the wrong txt record.

My domain is: lumbergeek.ca

I ran this command:

sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/.do-token-certbot.ini --dns-digitalocean-propagation-seconds 60 -d lumbergeek.ca -d *.lumbergeek.ca

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-digitalocean, Installer None
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel):

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/©ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lumbergeek.ca
dns-01 challenge for lumbergeek.ca
Waiting 60 seconds for DNS changes to propagate
Waiting for verification…
Challenge failed for domain lumbergeek.ca
Challenge failed for domain lumbergeek.ca
dns-01 challenge for lumbergeek.ca
dns-01 challenge for lumbergeek.ca
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: lumbergeek.ca
  Type: unauthorized
  Detail: Incorrect TXT record
  “okkN0c5j1Q1zsVRriYctR5PZVCv0wI6ad_pxU8HZaVk” found at
  _acme-challenge.lumbergeek.ca

  Domain: lumbergeek.ca
  Type: unauthorized
  Detail: Incorrect TXT record
  “okkN0c5j1Q1zsVRriYctR5PZVCv0wI6ad_pxU8HZaVk” found at
  _acme-challenge.lumbergeek.ca

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

• Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.

• We were unable to subscribe you the EFF mailing list because your
  e-mail address appears to be invalid. You can try again later by
  visiting https://act.eff.org.

My web server is (include version): apache2 (2.4.41-1)

The operating system my web server runs on is (include version): Ubuntu 19.10

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.36.0

When I created the certificate with just “*.lumbergeek.ca”, the certificate was created but when I tried doing the dry-run renewal (certbot renew --dry-run) the TXT verification fails in the same manner.

Creating the certificates with --test-cert, and renewing with --dry-run both succeed.

60 seconds is probably not enough.

I see no txt record at all, though. (is it removed after?) https://unboundtest.com/m/TXT/_acme-challenge.lumbergeek.ca/UTWGO5HK

It does seem to be removed afterwards; during the certbot activity the TXT exists. I’ll try increasing the timeout.

If I’m reading the logs correctly, certbot is creating these TXT records:

2020-03-20 18:15:08,997:DEBUG:digitalocean.baseapi:POST https://api.digitalocean.com/v2/domains/lumbergeek.ca/records data:{'type
': 'TXT', 'name': '_acme-challenge', 'data': '4g35SwxulNMb2wQFyLk0t2YBIUnoLOWbtY9YdcfXm2Q'} {'Content-type': 'application/json',
'Authorization': 'Bearer TOKEN'} None

2020-03-20 18:15:09,534:DEBUG:digitalocean.baseapi:POST https://api.digitalocean.com/v2/domains/lumbergeek.ca/records data:{'type
': 'TXT', 'name': '_acme-challenge', 'data': 'RaefLsPEpzrFL19riNeKrFegioyDIWlgJSyahQRhjFs'} {'Content-type': 'application/json',
'Authorization': 'Bearer TOKEN'} None

But then it’s expecting the values to be different?

   Domain: lumbergeek.ca
   Type:   unauthorized
   Detail: Incorrect TXT record
   "xnsnUa5zTgIFZrvBgaYy5t87V4A-tEVno8R7aWOAYbQ" (and 1 more) found at
   _acme-challenge.lumbergeek.ca

   Domain: lumbergeek.ca
   Type:   unauthorized
   Detail: Incorrect TXT record
   "xnsnUa5zTgIFZrvBgaYy5t87V4A-tEVno8R7aWOAYbQ" (and 1 more) found at
   _acme-challenge.lumbergeek.ca

Try cleaning out all entries and then try again.

Hi @troykay

that’s wrong. You have created one correct certificate - https://check-your-website.server-daten.de/?q=lumbergeek.ca

One has both domain names and is created today.

Interesting!

Thanks, Juergen

Since then, I’ve erased my /etc/letsencrypt directory and re-run the certbot command only for “-d *.lumbergeek.ca”. That was successful.

Still trying to do the dry-run at renewing. That fails in the manner I’ve described.

Please note that cert will NOT cover: lumbergeek.ca
Only names ending with: .lumbergeek.ca
[and that meet other restrictions - like: can’t contain another “.”]

Thanks – yeah, I realise that. It’s not a general purpose server… so providing a cert for the base domain name was a nice to have, but I wanted to simplify my pain point.

Just an update: the dry run at the renewal worked after I waited a couple hours.

All good now.