Your certificate (or certificates) for the names listed below will expire in 19 days (on 25 Feb 19 16:35 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
Why not just query a randomly generated subdomain to prove that the * record exists?
It’s supposed to be a cryptographic “challenge,” not a “challenge” of technical proficiency.
Otherwise, I might have to delegate a new zone such as abejas.colmena.biz to my own name servers and attempt the “challenge” for *.abejas.colmena.biz
Sadly, I do not see this as a good faith challenge, and, well, in other news, I was almost gassed to death in my home last night, so I have backed off from using the wildcard for the time being.
If that is easier for you to do, you can create a CNAME record for _acme-challenge.colmena.biz and point it at _acme-challenge.abejas.colmena.biz (assuming the DNS server responsible for colmena.biz allows you to do that) - and Let's Encrypt will happily follow the CNAME and consider the challenge valid. The only catch is that your ACME client needs to be able to request a cert for one domain while answering the challenge for another - I'm not sure if Certbot knows how to do this (anyone?) but I know acme.sh does.
Edit ... though I'm not sure that acme.sh supports RFC 2136 - so that might not be as useful as I thought, sorry. Looks like it does, though it calls it 'nsupdate'. Obviously I'm not familiar with this stuff.
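The CNAME delegation described in the reply above, as an added example that is not part of the thread or of any ACME client: it works out which name the DNS-01 TXT record must be written to once the CNAME is followed, and the record value defined in RFC 8555 section 8.4. The token, the account key thumbprint, the `max_hops` limit and the TTL are constructed values chosen for illustration.

```python
import base64
import hashlib

# Constructed sample data: the CNAME from the reply, plus made-up ACME values.
ZONE = {"_acme-challenge.colmena.biz": ("CNAME", "_acme-challenge.abejas.colmena.biz.")}
TOKEN = "constructed-token-0123456789"
THUMBPRINT = "constructed-account-key-thumbprint"


def validation_name(identifier):
    """DNS-01 owner name; a wildcard is validated at its base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()


def follow_cnames(name, zone, max_hops=8):
    """Follow CNAMEs in zone (name -> (rtype, value)) to the final owner name."""
    seen = set()
    while zone.get(name, ("", ""))[0] == "CNAME":
        if name in seen or len(seen) >= max_hops:  # max_hops is an assumed limit
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
        name = zone[name][1].rstrip(".").lower()
    return name


def txt_value(token, thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token.thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def nsupdate_commands(identifier, zone, token, thumbprint, ttl=60):
    """RFC 2136 update, in nsupdate syntax, for the zone that actually answers."""
    target = follow_cnames(validation_name(identifier), zone)
    value = txt_value(token, thumbprint)
    return [f'update add {target}. {ttl} IN TXT "{value}"', "send"]


if __name__ == "__main__":
    print("\n".join(nsupdate_commands("*.colmena.biz", ZONE, TOKEN, THUMBPRINT)))
```

Because the TXT value is a digest over the CA's token and the account key thumbprint, only the holder of that ACME account key who can also write to the delegated zone can satisfy the challenge.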