I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I wrote the control panel myself.
I'm confused about the process. The last thing I've learned is that starting the challenge doesn't mean it's succeeded. It can reply with "give me more time" (Pending) and I see this once before it replies with an error. And according to the Certes examples (and what has worked in a separate test application) I can immediately call the finalize method and get a certificate. But in this whole setup, it doesn't work. I have no idea why. (Actually I didn't need any time in my test app, calling Validate and then immediately Generate just worked fine a few times. Is it much slower today than 2 days ago?)
I'm requesting a normal certificate (not wildcard) for two domains, dfkunde.de and the www subdomain. I request DNS challenge and get two challenges. I add them to my DNS, wait until primary and secondary nameserver resolve them all, and then validate them. When all challenges are valid, I proceed. And that fails now.
Actually I need this to be working pretty soon as it's the last part of my server migration. I previously used Certbot but that isn't available anymore if you don't agree to using snap, and I found it would be better to integrate the process into my control panel instead of hacking with external client software that doesn't know anything about my server environment.
Can you please explain, in simple words (ie. not RFC language), what steps I must perform for a DNS validation? I know of these:
Start order
Get authorisations
Get DNS challenges
Write TXT records to DNS, wait for resolving
Validate all challenges, expect "valid" response, otherwise retry (I retry every 10s)
Finalise order and download certificate (Certes combines these as Generate)
I found that I made a mistake in setting up the DNS records. For wildcard certificates, like dfkunde.de and *.dfkunde.de, all records go to the same place, that's simple. Adding www.dfkunde.de is impossible because it is rejected as redundant with the wildcard. I consider this wrong because explicitly naming a domain has wider client compatibility than relying on the wildcard. But that's a different topic.
When ordering for dfkunde.de and www.dfkunde.de, I need to put the TXT records in different places though. And this raises another question:
How do I know which challenge is for which domain? I can't find any data in the challenge objects. Is it guaranteed to be the same order as the domains were added to the order? Or will I have to look it up somewhere?
I'm also still puzzled about the namings. It looks like an authorisation and a challenge refers to the same thing. Or is it just an issue of the Certes library?
This isn't wrong. The DNS RFCs mandate this and(Confused with CNAME rules) Let's Encrypt will also refuse to add subdomains which would be included in the wildcard hostname.
Also, I'm not aware of any TLS client not capable of understanding wildcard certificates.
We've observed issues with an MQTT client library for .NET Core 2.2 or 3.1 running on Windows or Linux (can't remember which combination it was) that worked with a regular certificate but considered a wildcard certificate invalid. Other combinations worked, though, so it might be an old bug (not too old).
Oh, and is Wikipedia right that wildcards only apply to one level of subdomains, i.e. anything except a point (".")?
Yes, a wildcard is only valid for one label, the only allowed place is the utmost left label and you can only have one wildcard in a hostname. So *.*.example.com and foo.*.example.com are invalid and *.example.com won't match foo.bar.example.com.