Wildcard & Base Domain: Two TXTs? Timeout problem

I have a question regarding wildcard challenge. Both *.ex.domain. and ex.domain. share the same challenge request _acme-challenge.ex.domain., but I must provide different keys. The challenge fails due to timeout, I believe.
Now I am out of my five hourly tries with only one of the two challenges completed.

What are the TTLs in the dns-challenge scheme and why is there no separate name for a wildcard challenge?

What ACME client are you using? Can you share the error output? What are the domain name(s)?

Please use the staging environment while you are testing/getting set up. It has higher rate limits.

TTL is not important here. Let's Encrypt sets an extremely low max TTL on our recursive resolver and we talk directly to your authoritative nameservers.

If I had to wager a guess, I'd say either your DNS provider or your ACME client are not setting two TXT records under "_acme-challenge.ex.domain.net" and is only setting one at a time. Both values need to be present at once for the validation to succeed.

Ah, thank you. That solved my problem. It's not clear from the certbot instructions that both challenges must be present at the same time, so I was setting up the first, hitting enter to continue, replacing the first challenge with the second, hitting continue, and always getting a failure. Once I set up both at the same time I had success on the first try.


That’s a great point, @hampton.

I created an issue to make the Certbot messages clearer on this point:


Dehydrated

On staging server, I already had had a completed challenge, so cert extraction went fine.

I see, there should be two TXT records with the same name but different values. I will change the hook script logic to achieve that state.

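The failure mode discussed above (the certbot manual flow where the second TXT value replaced the first, and the dehydrated hook logic that needs to leave both records in place) comes down to one fact: the base name and the wildcard are separate authorizations with separate tokens, but both dns-01 values live under the same `_acme-challenge` name and must be visible at the same time. The following is an added example, not code from the thread, certbot or dehydrated. It derives the two TXT values the way RFC 8555 specifies (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 account-key thumbprint) and checks whether every expected value is present in what a resolver returned, so a hook script can wait until both records are published before telling the client to continue. The account JWK and the two tokens are constructed placeholders; in practice the tokens come from the ACME server and the observed TXT strings from something like `dig +short TXT _acme-challenge.ex.domain @<authoritative nameserver>`.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT content the CA expects: base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def missing_txt_values(expected: set, observed: list) -> set:
    """Expected values not yet visible among the TXT strings a resolver returned.

    Resolver output is usually quoted; quotes and surrounding whitespace are ignored.
    """
    present = {s.strip().strip('"') for s in observed}
    return expected - present


def all_challenges_published(expected: set, observed: list) -> bool:
    """True only when every challenge value is present at once (the thread's key point)."""
    return not missing_txt_values(expected, observed)


# --- Constructed sample data (placeholders, not real keys or tokens) ---
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "x-coordinate-placeholder",   # any string works for the thumbprint math
    "y": "y-coordinate-placeholder",
}
TOKENS = {  # one token per authorization, both validated at _acme-challenge.ex.domain
    "ex.domain": "tokenA-base-domain-constructed",
    "*.ex.domain": "tokenB-wildcard-constructed",
}


def expected_txt_records(tokens: dict = TOKENS, jwk: dict = ACCOUNT_JWK) -> dict:
    """Map each identifier to the TXT value it needs under the shared challenge name."""
    tp = jwk_thumbprint(jwk)
    return {ident: dns01_txt_value(tok, tp) for ident, tok in tokens.items()}


if __name__ == "__main__":
    wanted = expected_txt_records()
    # Only the base-domain record published so far: a hook must keep waiting.
    observed_one = [f'"{wanted["ex.domain"]}"']
    print("ready:", all_challenges_published(set(wanted.values()), observed_one))
    # Both records present under the same name: safe to let the client continue.
    observed_both = observed_one + [f'"{wanted["*.ex.domain"]}"']
    print("ready:", all_challenges_published(set(wanted.values()), observed_both))
```

A deploy hook that publishes one record, polls `all_challenges_published` against the authoritative nameservers until it returns `True`, and only then signals the client avoids the timeout the original poster hit; the clean-up hook should remove both records together afterwards.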
