Unable to create wildcard certificate on DuckDNS

Unable to create a wildcard certificate for my DuckDNS account. I can create a galloe.duckdns.org certificate and even a *.galloe.duckdns.org certificate, but not both at the same time. I have tried to check with "dig" and found out that it is only adding one TXT value to both records, as far as I can understand.

My domain is:

I ran this command:
acme.sh --issue --dns dns_duckdns -d '*.galloe.duckdns.org' -d galloe.duckdns.org

It produced this output:
Checking galloe.duckdns.org for _acme-challenge.galloe.duckdns.org
Domain galloe.duckdns.org '_acme-challenge.galloe.duckdns.org' success.
Let's wait 10 seconds and check again.
You can use '--dnssleep' to disable public dns checks.
See: dnscheck · acmesh-official/acme.sh Wiki · GitHub
Checking galloe.duckdns.org for _acme-challenge.galloe.duckdns.org
Not valid yet, let's wait 10 seconds and check next one.
Checking galloe.duckdns.org for _acme-challenge.galloe.duckdns.org
Already success, continue next one.
Let's wait 10 seconds and check again.
And then continues until timeout

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh v3.0.5

@Neilpang, could you take a look at this?

Is it possibly a limitation of the DuckDNS API (where it refuses to create multiple RRs with the same name at the same time) or else of the acme.sh DuckDNS integration?


Thanks for pinging me.
I remember that DuckDNS can only create one TXT record for a subdomain.
So, there is a trick if you need to create wildcard certs for your domain.
Please issue a normal cert for the root domain first.

acme.sh --issue -d rootdomain.com --dns dns_duckdns ......

Once it succeeds, try to issue a wildcard domain:

acme.sh --issue -d rootdomain.com -d '*.rootdomain.com' --dns dns_duckdns .....

It should work.



So, the "trick" is achieved by taking advantage of the cached validation,
so that only one TXT record is actually validated at a time,
but their validations can be joined onto the same cert request
[when processed close to each other].
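The "dig" check from the opening post and the two-step workaround above can be turned into a small decision helper. The following is an added example written for this thread, not code from acme.sh or from any poster: it parses the output of `dig +short TXT _acme-challenge.<domain>` (a constructed sample is embedded so it runs offline), counts the distinct TXT values the provider actually serves, and picks either a single combined `acme.sh` run (provider keeps both challenge tokens) or the apex-first two-step sequence (provider keeps only one, as the thread reports for DuckDNS). The `query_txt` helper shells out to a real `dig` and is only there for live use; the function names and the sample token strings are assumptions.

```python
import subprocess
from typing import List

# Constructed sample of `dig +short TXT _acme-challenge.galloe.duckdns.org`
# output for the failure in the thread: only one TXT value is served, so
# only one of the two pending challenges (apex or wildcard) can be answered.
SAMPLE_ONE_VALUE = '"constructed-token-for-wildcard"\n'

# Constructed sample of what a provider that stores both records returns.
SAMPLE_TWO_VALUES = '"constructed-token-for-wildcard"\n"constructed-token-for-apex"\n'


def parse_txt_values(dig_short_output: str) -> List[str]:
    """Turn `dig +short TXT` output into a list of distinct TXT values.

    dig prints each record on its own line, quoted; long records are split
    into several quoted chunks separated by a space, which are joined here.
    """
    values: List[str] = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line:
            continue
        chunks = [chunk.strip('"') for chunk in line.split('" "')]
        value = "".join(chunks).strip('"')
        if value not in values:
            values.append(value)
    return values


def choose_strategy(dig_short_output: str, expected_tokens: int = 2) -> str:
    """Decide how to issue an apex + wildcard cert from the observed TXT records.

    'single-run': the name carries enough distinct values to satisfy every
                  pending challenge in one acme.sh invocation.
    'two-step':   only one value is served (the DuckDNS case); issue the apex
                  cert first, then re-run with both names close together so
                  the CA reuses the still-valid apex authorization.
    """
    served = len(parse_txt_values(dig_short_output))
    return "single-run" if served >= expected_tokens else "two-step"


def acme_commands(domain: str, strategy: str) -> List[List[str]]:
    """Build the acme.sh invocation(s) for the chosen strategy.

    Returned as argv lists so the wildcard label is passed literally and never
    expanded by a shell.
    """
    apex_only = ["acme.sh", "--issue", "--dns", "dns_duckdns", "-d", domain]
    apex_and_wildcard = apex_only + ["-d", f"*.{domain}"]
    if strategy == "single-run":
        return [apex_and_wildcard]
    return [apex_only, apex_and_wildcard]


def query_txt(name: str) -> str:
    """Live lookup via the system `dig` (not exercised by the offline sample)."""
    result = subprocess.run(
        ["dig", "+short", "TXT", name], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    domain = "galloe.duckdns.org"
    # Offline demonstration with the constructed sample; for a live check,
    # replace SAMPLE_ONE_VALUE with query_txt(f"_acme-challenge.{domain}")
    # while acme.sh is still waiting on the challenge (the TXT records exist
    # only during validation).
    strategy = choose_strategy(SAMPLE_ONE_VALUE)
    print(f"{domain}: {strategy}")
    for argv in acme_commands(domain, strategy):
        print("  " + " ".join(argv))
```

The live check only makes sense while acme.sh is blocked in its "Not valid yet, let's wait" loop, because the `_acme-challenge` records are removed once issuance finishes or fails. When the helper reports `two-step`, the second command must follow the first closely enough that the apex authorization from the first run is still cached by the CA, which is exactly the timing constraint the reply above points out.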

