V2 Wildcards - DNS Authorisation

Good evening

I am currently testing my C# client against Pebble and the v2 staging server.

There seems to be a quirk in authorisation - if I request a certificate for example.com and *.example.com, two separate authorisations are required for the same domain.

This is somewhat superfluous and can cause significant issues if using DNS verification.

Is this expected behaviour or am I missing something in the draft standard?

Cheers,

B

Can you elaborate as to what the issues are? In my experience it is just a matter of keeping track of what TXT records you add, and cleaning them up afterwards.

Yes, it is expected because they are separate identifiers as far as the order is concerned. That they do not coalesce into a single challenge is indeed superfluous as far as I can tell, but maybe there is a good reason for it.

Hi _az

The problem is that if DNS is used to authorise both domains, it's likely that the entries will be checked in sequence.

As the same DNS entry will be checked, the second will fail with a high probability due to caching or lag somewhere down the line.

I would expect the server issuing the challenges to recognise the fact that it’s issuing two different challenges for the same domain.

Although it’s probably out of scope for here, perhaps there’s a need for separate or random names for DNS challenges.

B

Why?

If you receive instructions to create two TXT records:

_acme-challenge.xyz.invalid IN TXT xW17Nh62ZPS9ibcqLSE8EwVLC9nyTLuzYe8o0gQS3Z332oIoAtE/BpjfuQ==
_acme-challenge.xyz.invalid IN TXT IksRAmY84+9Z9QIHCG6LAlgyN8r7HvkcjenZ8By7xbHVC7IPElXaaYtHqXEo67+/QdgMIbjMrCp1

You can create both records together, and then update the challenges, finalize the order, and then delete both records.

You only need to be sure that the nameservers are actively serving your new records (which you can do with a sleep or by polling your nameservers for the answer). However, this problem ALWAYS exists with the DNS challenge - not related to duplicate DNS labels.

Even if your DNS zone contains 10 old/invalid/duplicate _acme-challenge.xyz.invalid TXT records, Let's Encrypt will ignore them and only cares about whether it can find any one that is correct.
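The procedure described in the reply above, as an added example that is not code from the original thread or from any ACME client: compute the TXT value for each challenge (RFC 8555 section 8.4: base64url of the SHA-256 of the key authorization), group the values by DNS label so that example.com and *.example.com coalesce into one `_acme-challenge.example.com` entry with two strings, and poll until every required string is visible before responding to the challenges. The `lookup` callable, the tokens, the thumbprint and the stub zone are all constructed for the example; in a real client `lookup` would query each authoritative nameserver for the TXT rrset.

```python
"""Build and verify _acme-challenge TXT records for a wildcard order.

Added example, not part of the original thread. Tokens, thumbprint and the
stub zone below are constructed; `lookup` stands in for a real query against
the zone's authoritative nameservers.
"""
import base64
import hashlib
import time
from typing import Callable, Dict, Iterable, Set, Tuple


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_label(identifier: str) -> str:
    """Both 'example.com' and '*.example.com' are validated at the same label."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: base64url(SHA-256(token '.' base64url(JWK thumbprint)))."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def required_records(challenges: Iterable[Tuple[str, str]], thumbprint: str) -> Dict[str, Set[str]]:
    """Map each label to the set of TXT strings it must serve; duplicate labels merge."""
    records: Dict[str, Set[str]] = {}
    for identifier, token in challenges:
        records.setdefault(challenge_label(identifier), set()).add(txt_value(token, thumbprint))
    return records


def missing_records(required: Dict[str, Set[str]], lookup: Callable[[str], Iterable[str]]) -> Dict[str, Set[str]]:
    """Required strings not yet served. Extra or stale TXT strings are ignored,
    matching the validation server's behaviour of only needing one correct match."""
    missing: Dict[str, Set[str]] = {}
    for label, values in required.items():
        gap = values - set(lookup(label))
        if gap:
            missing[label] = gap
    return missing


def wait_until_served(required: Dict[str, Set[str]], lookup: Callable[[str], Iterable[str]],
                      attempts: int = 30, delay: float = 2.0, sleep=time.sleep) -> bool:
    """Poll until every required string is visible; only then respond to the challenges."""
    for _ in range(attempts):
        if not missing_records(required, lookup):
            return True
        sleep(delay)
    return False


def demo() -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Constructed scenario: two challenges for one label, zone also holds a stale record."""
    thumbprint = "constructed-thumbprint"            # would be the account key's JWK thumbprint
    challenges = [("example.com", "tokenA"), ("*.example.com", "tokenB")]
    required = required_records(challenges, thumbprint)

    zone: Dict[str, Set[str]] = {"_acme-challenge.example.com": {"stale-value-from-last-run"}}
    before = missing_records(required, lambda name: zone.get(name, set()))

    # "Publish" both records together, as the reply above suggests.
    for label, values in required.items():
        zone.setdefault(label, set()).update(values)
    after = missing_records(required, lambda name: zone.get(name, set()))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("missing before publish:", before)
    print("missing after publish:", after)
```

Once `wait_until_served` returns true, respond to both challenges, finalize the order, and only then delete the records; the stale string left in the constructed zone does not block validation, which is the point of the reply above.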

Well there must be an issue further up the chain as around 30% of my validations are failing, even after DNS checks and an appreciable delay…

While I appreciate the higher risk of wildcard certificates, requesting a certificate containing duplicate domain names doesn't require a double validation, so it seems rather backwards that wildcards can't do the same.

It is a fair point to make, but blaming failures on duplicate _acme-challenge DNS labels, forgive me, seems like a wild guess. More likely the client is misimplemented or the nameservers misbehave.

If you can share your ACME implementation or some example failed authz URLs, that might help narrow down the real problem.
