Unable to create wildcard certificate on DuckDNS

Unable to create a wildcard certificate for my DuckDNS account. I can create a galloe.duckdns.org certificate and even a *.galloe.duckdns.org certificate, but not both at the same time. I have tried to check with "dig" and found out that it is only adding one TXT value for both records, as far as I can understand.

My domain is:
http://galloe.duckdns.org

I ran this command:
acme.sh --issue --dns dns_duckdns -d *.galloe.duckdns.org -d galloe.duckdns.org

It produced this output:
Checking galloe.duckdns.org for _acme-challenge.galloe.duckdns.org
Domain galloe.duckdns.org '_acme-challenge.galloe.duckdns.org' success.
Let's wait 10 seconds and check again.
You can use '--dnssleep' to disable public dns checks.
See: dnscheck · acmesh-official/acme.sh Wiki · GitHub
Checking galloe.duckdns.org for _acme-challenge.galloe.duckdns.org
Not valid yet, let's wait 10 seconds and check next one.
Checking galloe.duckdns.org for _acme-challenge.galloe.duckdns.org
Already success, continue next one.
Let's wait 10 seconds and check again.
And then it continues until timeout.

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh v3.0.5

@Neilpang, could you take a look at this?

Is it possibly a limitation of the DuckDNS API (where it refuses to create multiple RRs with the same name at the same time) or else of the acme.sh DuckDNS integration?

7 Likes

Thanks for pinging me.
I remember that duckdns can only create one TXT record for a subdomain.
So, there is a trick if you need to create wildcard certs for your domain.
Please issue a normal cert for the root domain first.

acme.sh  --issue -d     rootdomain.com  --dns dns_duck ......

Once it succeeds, try to issue a wildcard domain:

acme.sh  --issue  -d  rootdomain.com   -d '*.rootdomain.com'  --dns dns_duck .....

It should work.

Thanks

6 Likes

So, the "trick" is achieved by taking advantage of the cached validation.
So that only one TXT record is actually validated at a time.
But their validations can be joined onto the same cert request.
[when processed close to each other]

5 Likes
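The cached-authorization explanation above, modelled as an added Python simulation (not acme.sh or Let's Encrypt code): a zone that keeps one TXT value per name stands in for DuckDNS, a CA that remembers valid authorizations stands in for Let's Encrypt, and the 30-day authorization lifetime and the token strings are constructed assumptions. `one_shot` reproduces the failing order from the question, `two_step` the workaround.

```python
# Constructed simulation of the DuckDNS single-TXT limitation and the
# two-step workaround; not acme.sh or Let's Encrypt code.
def challenge_name(identifier):
    # 'x.duckdns.org' and '*.x.duckdns.org' share one TXT name: the root of the problem
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base

class SingleTxtDns:
    """DuckDNS-like zone (assumed): one TXT value per name, the latest write wins."""
    def __init__(self):
        self.txt = {}
    def set_txt(self, name, value):
        self.txt[name] = value
    def lookup(self, name):
        return {self.txt[name]} if name in self.txt else set()

class CachedAuthzCa:
    """ACME-like CA that reuses a still-valid authorization (30-day lifetime assumed)."""
    def __init__(self, dns, authz_ttl=30 * 86400):
        self.dns, self.authz_ttl = dns, authz_ttl
        self.valid_authz = {}  # identifier -> expiry time
        self.counter = 0
    def issue(self, identifiers, now):
        """Mimic acme.sh: publish every pending TXT first, then validate each;
        returns the identifiers validated in this run, raises on failure."""
        pending = {}
        for ident in identifiers:
            if self.valid_authz.get(ident, 0) > now:
                continue  # cached authorization: no new challenge needed
            self.counter += 1
            pending[ident] = f"token-{self.counter}"
            self.dns.set_txt(challenge_name(ident), pending[ident])
        for ident, token in pending.items():
            if token not in self.dns.lookup(challenge_name(ident)):
                raise RuntimeError(f"{ident}: TXT {token} not found (overwritten)")
            self.valid_authz[ident] = now + self.authz_ttl
        return list(pending)

def one_shot(base):
    # wildcard and root in one order: the second TXT write overwrites the first
    ca = CachedAuthzCa(SingleTxtDns())
    try:
        return ca.issue(["*." + base, base], now=0)
    except RuntimeError as err:
        return str(err)

def two_step(base):
    # root first, then root plus wildcard: only the wildcard needs a fresh TXT
    ca = CachedAuthzCa(SingleTxtDns())
    ca.issue([base], now=0)
    return ca.issue([base, "*." + base], now=60)
```

The model also shows why the second step must run while the first authorization is still cached: with `now` past `authz_ttl`, the root name would need a TXT again and the same overwrite failure returns.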
