Why isn't webroot challenges support for wildcard domain certs

Hi All,

I quick Google search says that it’s due to Letsencrypt’s policy. Does anyone know if webroot challenges a possibility in the future?

The reason we would like to use the webroot method is we have a custom DNS server and it’s not practical to add/change txt records when it comes to getting and renewing ssl certs for all our mainy domains. Using a regular certs with subdomains is also not practical as the subdomains change often and more than what 1 cert can have.



Hi @vnomura,

I would say probably not.

Have you considered creating an _acme-challenge CNAME record in your DNS zone pointing to some other DNS zone? Then you can use a completely separate DNS provider of your choice (or a tool like @joohoi's acme-dns) to satisfy the Let's Encrypt DNS challenges without having to make any further changes to your regular DNS zone.

1 Like

Thank you for the tip!

So if the domain we want to get a wildcard for is webbuilder.com, the zonefile for that would have this entry?

(zone file for webbuilder.com)
_acme-challenge IN CNAME _acme-challenge.newDNSserver.com. (or location of joohoi’s acme-dns)

and in this new DNS server have a txt record

_acme-challenge IN TXT somethingsomethingsometing.

Am I in the ballpark? :confused:



Yes, that’s right. But the new DNS server doesn’t get a single one-time TXT record; rather, it has to support an API for your Let’s Encrypt client to perform updates to post the DNS record that the certificate authority asks it to each time a certificate is going to be issued.

I understand. Or… I use joohoi’s acme-dns tool. (point to that)

I have to do some research on what that actually does/is, I assume it’s “something” running on the server I use to originally request the wildcard domain.

Thanks for all your help!


My recent topic might be helpful. In short, it runs a DNS server whose only purpose is to serve TXT records for Let's Encrypt domain validation, and which has an API that can (by way of a hook script that the author has also written) be made to work pretty smoothly with certbot.


Firstly, Thank you everyone for your help!

How much time do I have from the time I request the wildcard cert and the time I have to make the txt record changes for the domain name? Does something keey trying on LE’s end every x minutes?

I’m trying to figure out the timeline of events. If I try to get a wildcard cert manually, how much time do I have to enter the new txt records.

Even in automated, I have to make sure the DNS server is updated and it’s zonefiles are reloaded etc.



7 days

No, Let's Encrypt only checks the TXT record when an ACME client sends a request to the Let's Encrypt server to "complete" the authorization.

For example, certbot and many other clients will print the token to the screen, and wait for you to press ENTER to verify it. With other clients like acme.sh, you can run one command to get a token and another one when it is ready to be checked.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.