Wildcard certificate with origin

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: letsencrypt.cogentco.com

I ran this command: /bin/certbot certonly -d letsencrypt.cogentco.com,.letsencrypt.cogentco.com,.sys.letsencrypt.cogentco.com --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook /usr/local/bin/letsencrypt-authenticator

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for letsencrypt.cogentco.com
dns-01 challenge for letsencrypt.cogentco.com
dns-01 challenge for sys.letsencrypt.cogentco.com
Waiting for verification…
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Failed authorization procedure. letsencrypt.cogentco.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “wMTPgKkb4UVaAvpkbaYCQmxZtGDcVTXbJJmADJ8qb6Q” found at _acme-challenge.letsencrypt.cogentco.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: letsencrypt.cogentco.com
    Type: unauthorized
    Detail: Incorrect TXT record
    “wMTPgKkb4UVaAvpkbaYCQmxZtGDcVTXbJJmADJ8qb6Q” found at
    _acme-challenge.letsencrypt.cogentco.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The issue is that I am trying to obtain a wildcard certificate that includes the origin (*.letsencrypt.cogentco.com and letsencrypt.cogentco.com). For both _acme-challenge.letsencrypt.cogentco.com is being check but with different strings. I used “–manual-auth-hook” to automatically set the TXT string as I get them from certbot. It appears the check is only done at the end so one of the challenges fails.

I don’t know how to get around it.

Hi @pklimczak,

You can have multiple TXT records for the same name, and that’s what you’re expected to do in this case. While a few APIs don’t support this, it’s not a super-unusual operation in the DNS system.

1 Like

Thanks! I definitely can do that. So letsencrypt checks all the TXT records, did not think of that! Assumed if it checks and gets a non-matching one, game over. Doh!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.