Wildcard DNS verification not propagating

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rdw.one

I ran this command:

certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.rdw.one" -d rdw.one

It produced this output:

Please deploy a DNS TXT record under the name
_acme-challenge.rdw.one with the following value:

oER8pL7Om27k7l-ioX8BSmsnNQLRg9zfnLxTZ9mcDRk

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

My web server is (include version):

Server version: Apache/2.4.46 (Ubuntu)
Server built:   2020-08-10T12:32:00

The operating system my web server runs on is (include version):
Linux ferio.raindrop.works 5.4.0-144-generic #161-Ubuntu SMP Fri Feb 3 14:49:04 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

The problem I'm having isn't anything to do with Certbot as far as I can see, or with my server or anything. I'm using Cloudflare for DNS services, and while I have multiple ACME challenge TXT records, the only record that is reporting on any of the handful of record checkers I'm using is the TXT record handling my email information.

EDIT: Solution was ultimately user error. I didn't realize that _acme-challenge was a discrete subdomain in TXT records, so instead of searching rdw.one, I needed to search _acme-challenge.rdw.one.

Hello @minakitty, welcome to the Let's Encrypt community. :slightly_smiling_face:

It looks like the TXT record has propagated now.

Using this online tool https://unboundtest.com/ shows the TXT record:
https://unboundtest.com/m/TXT/_acme-challenge.rdw.one/VPNQSMJR

Query results for TXT _acme-challenge.rdw.one

Response:
;; opcode: QUERY, status: NOERROR, id: 4701
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.rdw.one.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.rdw.one.	0	IN	TXT	"oER8pL7Om27k7l-ioX8BSmsnNQLRg9zfnLxTZ9mcDRk"
_acme-challenge.rdw.one.	0	IN	TXT	"35mRa4j6nIdjLRvInoHusPlQgvHcP5LUUMqZUXuqRW0"

----- Unbound logs -----
Mar 09 20:23:38 unbound[609776:0] notice: init module 0: validator
Mar 09 20:23:38 unbound[609776:0] notice: init module 1: iterator
Mar 09 20:23:39 unbound[609776:0] info: start of service (unbound 1.16.3).
1 Like

Also, that is an old version of Certbot; see Certbot 2.4.0 Release.

1 Like

Huh. Interesting. Wonder why none of the other sites I'm using are showing it. I noticed yours is searching specifically for the ACME challenge (so it ignored the SPF one); maybe that's something to do with it.

I'll have to bookmark your service for later

EDIT: Oooooh, I get what happened. I didn't realize _acme-challenge was a discrete subdomain, so I was only looking for TXT records on the root.

2 Likes

Noted. Guess certbot wasn't in my apt update list. I'll get that updated as well. Thanks again!

3 Likes

Further information on the DNS-01 challenge can be found here Challenge Types - Let's Encrypt showing:
"After Let's Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>."

1 Like
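The derivation quoted above, together with the "multiple distinct TXT records with the same name" note in Certbot's output, worked through in code. This is an added example, not code from the thread, from Certbot or from Let's Encrypt: it computes the DNS-01 TXT value from a token and an account key JWK (RFC 8555 §8.4, thumbprint per RFC 7638), maps both `*.rdw.one` and `rdw.one` to the single name `_acme-challenge.rdw.one`, and checks a dig-style answer for the expected values. The answer text is the unboundtest output quoted earlier in the thread; the JWK used in the usage section is a constructed placeholder, not a real account key, and the tokens are made up.

```python
# Added example (not from the thread, Certbot or Let's Encrypt).
# Derives DNS-01 TXT values and checks a dig/unbound-style answer for them.
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required public members, in
# lexicographic order, serialized with no whitespace. Extra members are ignored.
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    members = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Key authorization = token '.' thumbprint; the TXT value is the
    base64url SHA-256 of that string (RFC 8555 §8.1 and §8.4)."""
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """'*.rdw.one' and 'rdw.one' both validate at _acme-challenge.rdw.one,
    which is why a wildcard plus apex order needs two TXT records under
    the same name (one per challenge)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}."


# dig / unbound answer line:  name  TTL  IN  TXT  "value"
_RR = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+"([^"]*)"')


def txt_records(answer: str, name: str) -> list:
    """Collect the TXT values published at exactly `name`."""
    found = []
    for line in answer.splitlines():
        m = _RR.match(line.strip())
        if m and m.group(1).lower() == name.lower():
            found.append(m.group(2))
    return found


def missing_values(answer: str, identifiers: list, expected: list) -> dict:
    """For each identifier, list the expected TXT values not yet visible
    at its challenge name. An empty list means the challenge is ready."""
    result = {}
    for ident, value in zip(identifiers, expected):
        name = challenge_name(ident)
        result.setdefault(name, [])
        if value not in txt_records(answer, name):
            result[name].append(value)
    return result


# Answer quoted in the thread (unboundtest.com output for _acme-challenge.rdw.one).
ANSWER = """\
;; ANSWER SECTION:
_acme-challenge.rdw.one.\t0\tIN\tTXT\t"oER8pL7Om27k7l-ioX8BSmsnNQLRg9zfnLxTZ9mcDRk"
_acme-challenge.rdw.one.\t0\tIN\tTXT\t"35mRa4j6nIdjLRvInoHusPlQgvHcP5LUUMqZUXuqRW0"
"""
EXPECTED = [
    "oER8pL7Om27k7l-ioX8BSmsnNQLRg9zfnLxTZ9mcDRk",
    "35mRa4j6nIdjLRvInoHusPlQgvHcP5LUUMqZUXuqRW0",
]

if __name__ == "__main__":
    # Constructed placeholder JWK: not a valid key, only used to show the derivation.
    jwk = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB", "kid": "ignored"}
    print("TXT value for made-up token:", dns01_txt_value("made-up-token", jwk))
    # Querying the apex, as the original poster did, finds no challenge records:
    print("rdw.one. TXT:", txt_records(ANSWER, "rdw.one."))
    # Querying the challenge name finds both records, so nothing is missing:
    print("missing:", missing_values(ANSWER, ["*.rdw.one", "rdw.one"], EXPECTED))
```

Run against a live zone, the same check works on the output of `dig +short` is not enough, since `+short` drops the owner name; use the full answer section (or `dig TXT _acme-challenge.rdw.one`) so the name comparison in `txt_records` can reject records that sit at the apex instead of at the challenge label.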

As Ubuntu uses a 'point release' package management system, apt might not have an update. Currently, the Certbot team recommends using snap as the method of installing Certbot. See https://certbot.eff.org/ for more info.

5 Likes
