Updating a wildcard domain

My domain is: turbine2.co.uk

I ran this command:
certbot certonly --manual --preferred-challenges=dns --email david@turbine2.co.uk --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.turbine2.co.uk

It produced this output:


Please deploy a DNS TXT record under the name
_acme-challenge.turbine2.co.uk with the following value:

p-K-AEs7cujrFx_LuVth1T7SkhNO7ZlV8rJLwmUNi-0

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. turbine2.co.uk (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "i53uC_2HsqxmlQnW_VDJgPKa5kIe7k8Y6o46y1MgSp8" found at _acme-challenge.turbine2.co.uk

My web server is (include version): Apache 2.4 Debian

The operating system my web server runs on is (include version): Raspbian 5.4.51-v7+ #1327 SMP Thu Jul 23 10:58:46 BST 2020 armv7l

My hosting provider, if applicable, is: 123-reg (for DNS, home hosted for web)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes (reg-123 control panel)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I initially ran the same command to create the wildcard domain and this has worked successfully. It's come to renewal time and I've tried the command again but it's not accepting that I have updated the DNS _acme-challenge TXT record (judging by the output of the error).
How long do I need to give it between updating the DNS record and it propagating to where LetsEncrypt recognises the change? I've tried up to 45 minutes so far but of course each time I try it I have to update with a new random string.
Many thanks for the guidance,
David

1 Like

Hi @turbine2

your configuration looks buggy - see https://check-your-website.server-daten.de/?q=turbine2.co.uk

Your www version has the wildcard certificate

CN=*.turbine2.co.uk, valid 05.08.2020 to 03.11.2020 (expires in 4 days), names: *.turbine2.co.uk (1 entry)

But your non-www version has the same certificate, so that domain isn't secure: the certificate doesn't have the turbine2.co.uk domain name.

But you have other certificates

| Issuer | not before | not after | Domain names | LE-Duplicate next LE |
|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-10-27 | 2021-01-25 | dsf-mail.turbine2.co.uk, mail.turbine2.co.uk, turbine2.co.uk, www.turbine2.co.uk (4 entries) | duplicate nr. 1 |
| Let's Encrypt Authority X3 | 2020-08-28 | 2020-11-26 | dsf-mail.turbine2.co.uk, mail.turbine2.co.uk, turbine2.co.uk, www.turbine2.co.uk (4 entries) | |
| Let's Encrypt Authority X3 | 2020-06-28 | 2020-09-26 | dsf-mail.turbine2.co.uk, mail.turbine2.co.uk, turbine2.co.uk, www.turbine2.co.uk (4 entries) | |

The newest has both domain names - non-www and www, so it would be the perfect certificate to use with both domain names.

Why do you want to create a wrong wildcard certificate (without the main domain name)?

And if you create such a certificate, two TXT entries are required - with the same domain name, but different TXT values.

ns03.domaincontrol.com

from GoDaddy is your name server. There

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| turbine2.co.uk | | ok | 1 | 0 |
| www.turbine2.co.uk | | ok | 1 | 0 |
| _acme-challenge.turbine2.co.uk | i53uC_2HsqxmlQnW_VDJgPKa5kIe7k8Y6o46y1MgSp8 | looks good, correct length, correct characters | 1 | 0 |

is the wrong TXT entry. So validation can't work.

2 Likes

The required TXT record entry will change every time you run certbot.
You need to pause the process while DNS is being updated and wait long enough for that change to synchronize through all your authoritative DNS servers before continuing to the next step.
Done this way, it is inherently a very manual process.
I would advise that you seek an automated solution to this process or you will be having to do this every couple of months.
The simplest would be if your DNS service provider allows for DNS updates via API.
You then need to use an ACME client that supports that API.
But even if that is not the case, you might be able to integrate such a solution with something like:

READERS: Get involved and participate: If you read something you like, then click to like it :heart:

1 Like
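The two answers above make the same practical point from different angles: the value certbot asks for changes on every run, and the check has to be made against every authoritative nameserver of the zone, not against a resolver that may still be caching the old record (the stale i53uC... value in this thread is exactly that failure). The script below is an added example, not code from the original thread or from certbot: it looks up the zone's NS records, queries each authoritative server directly with dig, and only returns success once all of them serve the value certbot printed. It assumes dig(1) is installed (the dnsutils package on Raspbian) and that the record has already been added by hand in the 123-reg control panel; the DIG variable exists only so the comparison logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original thread): wait until every
# authoritative nameserver serves the _acme-challenge TXT value that
# certbot asked for, then return 0.  Run it in a second terminal before
# pressing Enter at certbot's prompt, or call it from a --manual-auth-hook.
#
# Assumptions (hypothetical): dig(1) is available; the TXT record is
# created by hand in the DNS control panel before this script runs.

DIG="${DIG:-dig}"   # overridable so the logic can be tested with a fake dig

# Print the TXT values one nameserver currently serves for a name, one per
# line, quotes stripped.  Querying the server directly ("@$1") bypasses
# every cache, so the TTL does not matter here.
txt_values() {
    "$DIG" +short "@$1" TXT "$2" | tr -d '"'
}

# Return 0 if the expected value is among the observed values ($2..).
# A stale value from an earlier certbot run "looks good" to a syntax
# checker but is still a mismatch, so compare the whole string exactly.
has_value() {
    expected="$1"; shift
    for v in "$@"; do
        [ "$v" = "$expected" ] && return 0
    done
    return 1
}

# List the authoritative nameservers for a zone.
auth_servers() {
    "$DIG" +short NS "$1"
}

# Poll until every authoritative server returns the expected TXT value,
# giving up after $3 attempts (default 60) spaced $4 seconds apart
# (default 30).  Prints what each server is actually serving when it
# does not match, which is the evidence to take to the DNS provider.
wait_for_txt() {
    zone="$1"; expected="$2"; tries="${3:-60}"; delay="${4:-30}"
    name="_acme-challenge.$zone"
    n=0
    while [ "$n" -lt "$tries" ]; do
        ok=1
        for ns in $(auth_servers "$zone"); do
            # ACME tokens are base64url, so word-splitting the values is safe
            if has_value "$expected" $(txt_values "$ns" "$name"); then
                echo "$ns: ok"
            else
                echo "$ns: not yet (serving: $(txt_values "$ns" "$name" | tr '\n' ' '))"
                ok=0
            fi
        done
        [ "$ok" -eq 1 ] && return 0
        n=$((n + 1))
        sleep "$delay"
    done
    echo "gave up after $tries attempts; the zone is not in sync" >&2
    return 1
}

# Stand-alone usage: wait-for-txt.sh ZONE EXPECTED_VALUE [TRIES] [DELAY]
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

For the run in the first post that would be `sh wait-for-txt.sh turbine2.co.uk p-K-AEs7cujrFx_LuVth1T7SkhNO7ZlV8rJLwmUNi-0` in a second terminal, pressing Enter in certbot only after it prints ok for every server. If, as the first answer suggests, you request both `turbine2.co.uk` and `*.turbine2.co.uk` in one command, certbot will ask for two TXT values at the same name; run the script once per value, and note that an unquoted `*.turbine2.co.uk` on the command line is subject to shell globbing, so quote it.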

Thanks for that comprehensive answer, that website like you have provided has a lot of good information.

Originally I did use the named certificates but I moved to wildcard ones as I can use them for other internal devices as well (my NAS and printer for example).

The problem appears to be between the control panel updating the DNS and the update propagating out, as the TXT record in the control panel is different to that reported.

I guess I am just going to have to be a lot more patient with moving to the next stage after the update.

Many thanks,

David

2 Likes

Thanks for that. I will look into automating it once I have the update done. I just need to work out how long to delay the step between updating the DNS entry and letting it check.

2 Likes

Great, so I've updated the TXT record; looking at the TTL it's a 24 hour propagation as I understand it, but the "Press enter to continue" prompt times out.
Guess I'm going to have to look deeper into the automation route.

1 Like

That TTL is the time for DNS servers to cache that entry after they have resolved it.
The time it takes for all the authoritative servers of your zone to synchronize is what needs to be found.
And also knowing how long certbot will wait for enter would be good to know too.

1 Like

Looking into this and it appears that the problem is with 123-Reg not updating their nameservers from the control panel (just got to get them to admit / recognise this now).
Thanks for all the help everyone.

2 Likes