Wildcard and domain registration breaks registration?

My domain is: 1236.be

I ran this command:
certbot certonly --dry-run -d '1236.be,*.1236.be' -n --agree-tos --email some@address --manual --preferred-challenges dns --manual-auth-hook /home/logoadmin/auth-hook.sh --manual-cleanup-hook /home/logoadmin/scripts/server2/letsencrypt/cleanup-hook.sh

Note that this works when I pass only the base domain (1236.be) or only the wildcard domain (*.1236.be) or several non-wildcard domains, but not when I pass the base domain and the wildcard domain together, which seems like a common usecase (?).

It produced this output:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: 1236.be
Type: unauthorized
Detail: Incorrect TXT record "oqF56pLpYPeNic7FSyIAIuslG5eRvd5mKGLaq6kgZ0I" found at _acme-challenge.1236.be

I changed my hook script to output information while being called:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for *.1236.be and 1236.be

Hook '--manual-auth-hook' for 1236.be ran with output:
auth for 1236.be with validation 675M4pIxGHNAcqQLo4q3Y93AZjEBiakBhXTJn5AyP4c
New key, using POST
Reading back after setting - expecting : 675M4pIxGHNAcqQLo4q3Y93AZjEBiakBhXTJn5AyP4c
response text: {"rrset_name":"_acme-challenge","rrset_type":"TXT","rrset_ttl":300,"rrset_values":[""675M4pIxGHNAcqQLo4q3Y93AZjEBiakBhXTJn5AyP4c""],"rrset_href":"https://api.gandi.net/v5/livedns/domains/1236.be/records/_acme-challenge/TXT"}

Hook '--manual-auth-hook' for 1236.be ran with output:
auth for 1236.be with validation FzOg3BePN1L5GZvbiFI1G8rlpWgIZ4ZoHHVXpEXJ0qo
Existing key, using PUT
Reading back after setting - expecting : FzOg3BePN1L5GZvbiFI1G8rlpWgIZ4ZoHHVXpEXJ0qo
response text: {"rrset_name":"_acme-challenge","rrset_type":"TXT","rrset_ttl":300,"rrset_values":[""FzOg3BePN1L5GZvbiFI1G8rlpWgIZ4ZoHHVXpEXJ0qo""],"rrset_href":"https://api.gandi.net/v5/livedns/domains/1236.be/records/_acme-challenge/TXT"}

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: 1236.be
Type: unauthorized
Detail: Incorrect TXT record "FzOg3BePN1L5GZvbiFI1G8rlpWgIZ4ZoHHVXpEXJ0qo" found at _acme-challenge.1236.be

It seems certbot first calls the auth-hook script for each domain it needs to register before reading back the DNS values for these domains.

Hence this fails when a wildcard and a base domain are both present, since the CERTBOT_DOMAIN passed for both is (in my case) '1236.be', and hence they cannot be created with the same key and a different value at the same time.

Solution could be to check domain by domain, or to use a different CERTBOT_DOMAIN for wildcards.

First posting it here to see if this is worth mentioning as a bug or whether I am completely missing something

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04.02 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes (sudo)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

That's not true, it's perfectly allowed. But your DNS provider might be limited for some reason with this regard.

Can you manually add two different TXT record entries for?:
_acme-challenge.1236.be

If so, then your script may need review.
If not, then your DNS service may need review.

It's also common that DNS providers allow this, but people's DNS hook scripts don't use the DNS provider's API correctly and overwrite the old record unnecessarily (or that the DNS provider's API doesn't expose this functionality correctly). You might want to double-check the functionality of /home/logoadmin/auth-hook.sh or talk to whoever wrote it, as some implementers don't think about this subtlety because it may not matter for their own configurations.

I can create the records manually through the webinterface but not via the API - that causes 'duplicate entry' errors. So I am following that up with them.

... and I learned that DNS is not exactly a key-value store with unique keys, otherwise I would immediately have taken it up with them.

Many, many thanks.

In theory, an ACME client should be able to set up the TXT record for one of the names, have that challenge happen, and then change the TXT record to the value for the other name, have that challenge happen, and then be all set to get the certificate since both challenges completed. I don't think that Certbot's hooks allow one to do it that way, though.

[possible temp workaround - until the issue can be properly corrected]

Since the hook always tries both names, and certbot keeps them in the same order, then it will only be able to pass one of the names (since the TXT record only holds one entry) and will continue to fail for the other name.

WORKAROUND #1:
It might be able to be tricked to work with:
[the trick part is in splitting the requests correctly]

• try one name - the name that failed when both names were attempted [get a cert (with one name)]
  [see the LE logs for this failing detail]
• then immediately try both names [get the good cert (with both names)]

Otherwise...

WORKAROUND #2:
[with much less trickiness]:

• try one name [get a cert]
• then immediately try the other name [get another cert]
• then immediately try both names [get the good cert (with both names)]

With either workaround, you will end up with more certs than you need.
But you should be able to get the cert that you do need.

Another workaround:

• attempt to get a certificate for the apex domain name AND a random non-existing domain name;
  • this attempt will ultimately fail due to the second domain, but the first hostname will be authorized and Let's Encrypt caches valid authorizations for 30 days currently;
• do the same for the wildcard hostname, including a non-existing domain;
  • again, LE will cache the valid authorized wildcard hostname
• get the certificate for both hostnames: no new authorization required, as both should be valid and cached.

As far as I know that's correct indeed. I believe Certbot sets up all the challenges and afterwards let's the ACME server verify them all at the same time.

I am happy to report that everything now works, after discussing with my DNS provider.

So no workarounds needed

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.