When executing certbot the first time using DNS verification, the verification code is provided two times

The first time you execute certbot it will run in a special "initial" mode where it, among other things, asks you to accept the Terms of Service.
And if you request a new certificate in the same run using DNS verification, certbot will provide 2 verification codes for the same DNS record, as stated. I updated the DNS record two times and I did confirm it was correctly updated, but it still failed.
I believe it has never been able to succeed in this first initial run!

Is it possible to force certbot to run in this initial mode, so I can test this an extra time with extra diligence?

Output from this initial run:

# certbot certonly --manual --domains "domain.com,*.domain.com" --preferred-challenges dns-01 --manual-public-ip-logging-ok --email "mail@domain.com"
...
...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.domain.com.
with the following value:
O2FJRuHxq31TMvVXXhFPRcbaYnkePUIfTw-JxysHVHQ
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.domain.com.
with the following value:
ZBHWQO9I4y8tEFToqemysOuaWb2RNUmOTU6sGAA1mNA

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.domain.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: domain.com
  Type:   unauthorized
  Detail: Incorrect TXT record "ZBHWQO9I4y8tEFToqemysOuaWb2RNUmOTU6sGAA1mNA" found at _acme-challenge.domain.com

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

When I ran the same command again, resulting in certbot not running in this "initial" mode, everything went fine: only one verification code was provided and it worked.

I also attach a copy of the certbot log.
Certbot error_log.txt (29.6 KB)

Certbot version: 1.18.0

Nope, not a bug. A wildcard hostname is seen as a separate entity in the ACME protocol, but due to the nature of such wildcard certificates (where the "*" label cannot be processed literally) it ends up having the same _acme-challenge.... hostname for verification when combined with the apex domain, as in your case.

Also, from the logs it seems one of the two hostnames was validated successfully, but the other wasn't. When you ran Certbot the next time, this valid hostname used a cached valid authorization, but the one that failed earlier didn't have one. So you were presented with just the authorization for the hostname that was invalid the previous time.

5 Likes

If the multiple TXT record updates simply overwrote a single TXT record, then the verification would only be for one (at a time).
Can you verify that you are seeing multiple TXT records?

2 Likes
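One way to do the check asked for above, written as an added example rather than code from the thread: parse a dig-style answer section for the challenge name and list which of the values Certbot printed are not published. The dig output below is a constructed sample reproducing the failure in the question (only the second value survived, because the first TXT record was overwritten instead of a second one being added); the `query_txt` helper assumes `dig` is installed.

```python
import re
import subprocess
from typing import Iterable, List, Set

# Constructed sample of `dig +noall +answer TXT _acme-challenge.domain.com`:
# only the second challenge value is present, as in the failed run above.
SAMPLE_DIG_OUTPUT = """\
_acme-challenge.domain.com. 300 IN TXT "ZBHWQO9I4y8tEFToqemysOuaWb2RNUmOTU6sGAA1mNA"
"""

# <owner> <ttl> IN TXT <one or more quoted strings>
TXT_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+(.+)$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(dig_output: str, name: str) -> Set[str]:
    """Return every TXT string published under `name` in dig-style output.
    Adjacent quoted strings within one record are joined, as resolvers do."""
    want = name.rstrip('.').lower() + '.'
    found: Set[str] = set()
    for line in dig_output.splitlines():
        m = TXT_RE.match(line.strip())
        if m and m.group(1).lower() == want:
            found.add(''.join(QUOTED_RE.findall(m.group(2))))
    return found


def missing_challenges(published: Set[str], expected: Iterable[str]) -> List[str]:
    """Challenge values Certbot asked for that are not visible in DNS.
    The apex and the wildcard are separate authorizations that share one
    record name, so both values must be present at the same time."""
    return sorted(set(expected) - published)


def query_txt(name: str) -> Set[str]:
    """Live lookup through the dig CLI (assumed installed); not used below."""
    out = subprocess.run(['dig', '+noall', '+answer', 'TXT', name],
                         capture_output=True, text=True, check=True).stdout
    return parse_txt_records(out, name)


if __name__ == '__main__':
    expected = ['O2FJRuHxq31TMvVXXhFPRcbaYnkePUIfTw-JxysHVHQ',
                'ZBHWQO9I4y8tEFToqemysOuaWb2RNUmOTU6sGAA1mNA']
    published = parse_txt_records(SAMPLE_DIG_OUTPUT, '_acme-challenge.domain.com')
    print('missing:', missing_challenges(published, expected))
```

Wait until the list comes back empty (from every resolver you can reach, since the CA queries authoritative servers) before pressing Enter.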

It has always provided two verification codes in the initial run. And in my view it doesn't really make much sense. Especially when it fails, and then you just try again (this time you only get one verification code) and then you get your certificate just fine!

Just tried on an old Debian with certbot 0.31, same thing: two verifications in the initial run :(

But why don't I get two verification codes in the following runs? (using the exact same command).

I already explained that in my previous post too.

4 Likes

Which matches your request with two entries:

Then you don't understand the validation requirements.

You are repeating yourself and seem to have missed the responses:

Again, you requested a cert with two entries, each must be validated (individually).

3 Likes
