Wildcard and root

I have a number of domains and am trying to automate renewal. Most of my hosting is on Windows in IIS, so I am using PowerShell and LE64.exe. I have written scripts to update my GoDaddy DNS and import the .pfx into IIS etc. My question is, can you use a combination of wildcards, www and root domain (i.e. www.domain.com and domain.com) and GoDaddy? This doesn't seem too uncommon a requirement, but as I understand it...

  • Wildcards require DNS verification.
  • Using both www and root requires two verifications.
  • Most DNSs (including GoDaddy and their API) won't let you create two TXT records with the same name.

Which creates an impossible situation.

Is there any way to get a wildcard, with www and root, without using DNS verification?

Is there any way of adding two records at once as a CSV or something similar (not as a CSV though, because I tried that)?

I have seen talk about running the validation twice, as it will cache the first part for 30 days so when you run it a second time it will just ask for the second value, but in my experience it makes up a new key every time you run it, so I can't do that.

Not sure I follow, but Let's Encrypt does not issue certificates with redundant DNS labels.

E.g., if you try to get a cert for example.com, www.example.com and *.example.com, the request will be denied because the www subdomain label is superfluous to the * label.

That said, technically it should be possible to use the dns-01 challenge for the wildcard hostname and a different challenge (e.g. http-01 challenge) for the non-wildcard example.com hostname. This is ACME client specific behaviour so it should be documented for the "LE64.exe" ACME client. I personally don't have experience with it, so I do not know this from the top of my head.

Also, ACME clients should also be able, technically speaking, to process the DNS challenges one by one. But that is also ACME client specific behaviour.

2 Likes

Actually, having multiple TXT records under the same name is perfectly fine, and common.

What you could have problems with is GoDaddy, who heavily restricts access to their DNS API.

5 Likes

I am not trying to cover superfluous sub-domains, just *.example.com and example.com.

The docs say:
"Please note that at the moment wildcards are only supported by the v2.0 of the API and they can only be issued if DNS verification is used."

And there is no way of specifying multiple validation methods, so I assume I am stuck with DNS only.

And as I am using LE64 (and being on Windows, that seems like the only/best option) I don't have the option of processing the challenges one by one, do I?

As for having two records with the same name, that seems a completely alien concept to me (I have no idea how I would even specify one from the other when it comes to deleting them?!) but I am willing to trust your statement that it is common. However, GoDaddy is hardly a small host, and they simply don't support it (so I imagine many others don't either).

So are we saying this is an impasse, with no solution?

But a poor host nonetheless if you'd ask me.

I'm not familiar with Windows clients at all, but there are other ACME clients out there. See e.g. ACME Client Implementations - Let's Encrypt. Certify the Web seems to be quite commonly used (there's a free/community version and a commercial version).

5 Likes

The authors of Posh-ACME and Certify The Web both post here frequently. Their clients tend to be the most robust and RFC compliant in the Windows ecosystem.

3 Likes

You don't need to create two TXT records with the same name. You need to create one TXT record with two "data" values.

4 Likes

I know this sounds cheap, but I hesitate to pay more for the automated renewal process I only need for the sake of the "free" certificates than I currently pay for my handful of paid certificates... But will give Posh-ACME a spin tomorrow and see how I get on with that...

Important distinction on the TXT records for sure, but unfortunately that's still something GoDaddy doesn't offer.

GoDaddy absolutely does offer this feature (as it is standard functionality in DNS). Almost all DNS providers do. The UI for creating records tends to be different between them though.

See Step 6 here:

3 Likes

I should have been more specific; they don't support this through the API.

They use the name as the key to set/delete records (which seems like the only unique reference they can use?) so there is no way of adding a second value without it just updating the first.

I hate to keep being that guy, but yes they do. You can't add and remove individual values to an existing record. It requires PUT'ing a new copy of the whole record and all of its values. The body of the request is a JSON array of objects where each TXT value is a data field in the object.

Here's the PowerShell implementation in Posh-ACME.

Or in other words:

PUT /example.com/records/TXT/_acme-challenge
[
    {"data":"value1","ttl":600},
    {"data":"value2","ttl":600}
]

Removing the values afterwards is actually harder than setting them because there's no way to just delete the one TXT record without re-writing the entire contents of the zone. So the Posh-ACME plugin chooses to instead just overwrite the TXT record with an empty single-valued record like this:

PUT /example.com/records/TXT/_acme-challenge
[{"data":"","ttl":600}]

5 Likes

I thought GoDaddy limited access to their DNS API by requiring a certain number of registered domain names. Might be relevant here?

2 Likes

Let's Encrypt controls whether an identifier is validated or not and if you have passed validation for one identifier it won't typically need you to revalidate that right away, so there's something else going on here.

Try a cert order for just the wildcard, if that works then your DNS validation is working, if it doesn't then you need to fix that before proceeding.

Common issues with DNS validation:

  • GoDaddy have/had an API usage restriction which stopped some automations working if your account didn't meet requirements for the number of domains managed with them etc.
  • Are you waiting long enough between updating GoDaddy and asking LE to validate your challenge responses? You may need to wait 60 seconds between the update and letting the app continue the domain validation process with LE.
  • If you are updating manually, check your response for the _acme-challenge.domain.com TXT record using dig (DNS lookup), as it's common to mess up the label nesting and end up with _acme-challenge.domain.com.domain.com - different DNS control panels produce different results.

3 Likes

Hey, you can keep being "that guy" if by that you mean the guy that knows all the answers :wink:

And you do, as your method of writing two records with the same name through the API works perfectly! And once done, LE was able to validate both the wildcard and root at the same time, which makes what I am doing much simpler!

Just for anyone else's benefit, this is what I did:

Invoke-RestMethod -Method PUT -Uri "https://api.godaddy.com/v1/domains/example.com/records/TXT/_acme-challenge" -Headers @{Authorization="sso-key xyz"} -ContentType "application/json" -Body "[{`"data`": `"key1here`",`"ttl`": 600},{`"data`": `"key2here`",`"ttl`": 600}]";

Just one thing, you mentioned setting their values to blank as you can't delete them one at a time, well as long as you don't mind deleting them together, which in my case I didn't, I just did this:

Invoke-RestMethod -Method DELETE -Uri "https://api.godaddy.com/v1/domains/example.com/records/TXT/_acme-challenge" -Headers @{Authorization="sso-key xyz"}

And it deletes them both just fine.

@griffin - I currently have 21 domains, and I seem to be OK using the API, so I don't know if GD has relaxed that rule.

3 Likes
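Pulling the thread's three pieces together in one script: the single multi-valued TXT PUT from the reply above, the "wait and check the published record" advice from the common-issues list, and the DELETE cleanup the original poster reported working. This is an added example, not code from the thread, from LE64 or from Posh-ACME. It assumes GoDaddy's `sso-key KEY:SECRET` Authorization header format, that the `Resolve-DnsName` cmdlet (Windows DnsClient module) is available, and a public resolver of your choice (8.8.8.8 is used here only as an illustration); the API key, secret and challenge tokens are placeholders.

```powershell
# Added example (not from the thread, LE64 or Posh-ACME): publish both dns-01
# values for example.com and *.example.com as ONE TXT record with two data
# values, wait until a public resolver serves them, then clean up.
$ApiBase = 'https://api.godaddy.com/v1'

function Get-GoDaddyHeaders {
    param([Parameter(Mandatory)][string]$ApiKey, [Parameter(Mandatory)][string]$ApiSecret)
    # Assumed header shape: "sso-key KEY:SECRET". Caller supplies the placeholders.
    return @{ Authorization = "sso-key $($ApiKey):$($ApiSecret)"; Accept = 'application/json' }
}

function Set-AcmeChallengeTxt {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string[]]$Values,   # one token per pending challenge
        [Parameter(Mandatory)][hashtable]$Headers,
        [int]$Ttl = 600
    )
    # One record, N data values. -InputObject keeps even a one-element list as a
    # JSON array; piping a single element into ConvertTo-Json would emit a bare
    # object, which is not the body shape the API expects.
    $body = ConvertTo-Json -Compress -InputObject @(
        $Values | ForEach-Object { [ordered]@{ data = $_; ttl = $Ttl } }
    )
    Invoke-RestMethod -Method Put -Uri "$ApiBase/domains/$Domain/records/TXT/_acme-challenge" `
        -Headers $Headers -ContentType 'application/json' -Body $body | Out-Null
    return $body
}

function Wait-AcmeChallengeTxt {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string[]]$Values,
        [string]$Resolver = '8.8.8.8',          # illustrative public resolver
        [int]$TimeoutSeconds = 120
    )
    $name = "_acme-challenge.$Domain"
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # -DnsOnly bypasses the local cache so we see what the CA will see.
        $served = @(Resolve-DnsName -Name $name -Type TXT -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings })
        $missing = @($Values | Where-Object { $served -notcontains $_ })
        if ($missing.Count -eq 0) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)

    # The control-panel mistake from the thread: the label nested twice.
    $nested = Resolve-DnsName -Name "$name.$Domain" -Type TXT -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue
    if ($nested) { Write-Warning "A TXT record exists at $name.$Domain - the zone label was nested twice." }
    Write-Warning "Still missing after $TimeoutSeconds s: $($missing -join ', ')"
    return $false
}

function Remove-AcmeChallengeTxt {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][hashtable]$Headers)
    # DELETE removes the whole record (both values together), as reported in the
    # thread. If DELETE is unavailable, fall back to the Posh-ACME approach and
    # PUT a single empty value over the record.
    try {
        Invoke-RestMethod -Method Delete -Uri "$ApiBase/domains/$Domain/records/TXT/_acme-challenge" `
            -Headers $Headers | Out-Null
    } catch {
        Invoke-RestMethod -Method Put -Uri "$ApiBase/domains/$Domain/records/TXT/_acme-challenge" `
            -Headers $Headers -ContentType 'application/json' -Body '[{"data":"","ttl":600}]' | Out-Null
    }
}

# Usage (placeholder values; the two tokens come from the ACME client's pending
# dns-01 challenges for example.com and *.example.com):
# $h = Get-GoDaddyHeaders -ApiKey 'KEY_PLACEHOLDER' -ApiSecret 'SECRET_PLACEHOLDER'
# $tokens = @('TOKEN_FOR_ROOT_PLACEHOLDER', 'TOKEN_FOR_WILDCARD_PLACEHOLDER')
# Set-AcmeChallengeTxt -Domain 'example.com' -Values $tokens -Headers $h
# if (Wait-AcmeChallengeTxt -Domain 'example.com' -Values $tokens) { <# let the ACME client continue #> }
# Remove-AcmeChallengeTxt -Domain 'example.com' -Headers $h
```

The polling step is the part most automations skip: publishing the record and immediately letting the client ask Let's Encrypt to validate is the usual cause of "it made up a new key and failed again". Checking the record from outside, against the exact `_acme-challenge.<domain>` name, also catches the doubled-label mistake before an order is wasted.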

Good to know! Thanks for the feedback! :grinning:

2 Likes

Nice! I wonder if they changed how that works since I originally wrote that plugin. I swear it didn't used to. But if it does now, great!

4 Likes

Who knows; we only have the "v1" in the URL to suggest otherwise, and looking at their documentation on the wayback machine it shows that they didn't even have a DELETE method on RECORDS when it first went live back in 2019, so they have certainly been adding stuff behind the scenes.

1 Like

The lack of DELETE methods entirely is probably what it was and why I was so confused at the time.

2 Likes