Wildcard issuance: two TXT records for the same name


But the problem is that the DNS entry to authorize *.example.com and example.com are both _acme-challenge.example.com. Even by setting the TTL to the minimum allowed by my DNS provider (30s) it is challenging to ensure that the authorization for one will not be contaminated by the authorization for the other (I just ran into the problem myself).

At the very least, when requesting a wildcard certificate, shouldn’t the authorization for *.example.com also cover example.com, given that they check the same DNS entry anyway? That would allow creating an order for both *.example.com and example.com, only require validating _acme-challenge.example.com once, and then process a certificate request for both *.example.com and example.com.


Hi @cc2e6,

This sounds like a problem with your DNS provider. The DNS RFCs allow two TXT records under the same name. Boulder, the Let’s Encrypt server-side CA, checks all of the TXT records when doing DNS-01 validation. E.g. a TXT value for the base domain (example.com) next to a TXT value for the wildcard domain will not cause either validation to fail.
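To make the point above concrete, here is an added example (not Boulder's code) that reproduces the DNS-01 check described in RFC 8555: the expected TXT value is base64url(SHA-256(token "." account-key-thumbprint)), and validation succeeds if any TXT record under _acme-challenge.example.com matches, so a second record left over from the sibling authorization (base name vs. wildcard) is simply ignored. The tokens and the account key thumbprint are constructed placeholders, and the TXT records are supplied inline instead of being looked up in DNS.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value the CA expects at _acme-challenge.<name> for one challenge.

    keyAuthorization = token "." base64url(JWK thumbprint of the account key);
    the record holds base64url(SHA-256(keyAuthorization)).
    """
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def txt_records_satisfy(txt_records, token: str, thumbprint: str) -> bool:
    """Mirror the server-side rule: succeed if ANY record under the challenge
    name matches this challenge; unrelated records (e.g. the one published for
    the other authorization sharing the same name) do not cause a failure."""
    expected = dns01_txt_value(token, thumbprint)
    # Strip the surrounding quotes some resolvers return in presentation form.
    return any(r.strip('"') == expected for r in txt_records)


# Constructed placeholder values, not real ACME data.
THUMBPRINT = "constructed-account-key-thumbprint"
TOKEN_BASE = "token-issued-for-example.com"
TOKEN_WILDCARD = "token-issued-for-wildcard"


def demo():
    """Both TXT records published side by side under _acme-challenge.example.com."""
    records = [
        dns01_txt_value(TOKEN_BASE, THUMBPRINT),
        dns01_txt_value(TOKEN_WILDCARD, THUMBPRINT),
    ]
    base_ok = txt_records_satisfy(records, TOKEN_BASE, THUMBPRINT)
    wildcard_ok = txt_records_satisfy(records, TOKEN_WILDCARD, THUMBPRINT)
    # Deleting the wildcard record before its validation runs is what breaks.
    wildcard_after_delete = txt_records_satisfy(records[:1], TOKEN_WILDCARD, THUMBPRINT)
    return base_ok, wildcard_ok, wildcard_after_delete


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```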


Ok, thanks. Let me try that then (I was deleting the first DNS entry before starting the authorization for the second).

