
Fix requesting a certificate for a wildcard and the base domain in our lexicon plugins #5673

Closed
bmw opened this issue Mar 6, 2018 · 9 comments

@bmw (Member) commented Mar 6, 2018

Related to #5472. Blocked on AnalogJ/lexicon#182.

@seafoodbuffet commented Mar 14, 2018

I just want to confirm, today, if I use manual mode (I'm not on a DNS server with a supported plugin) and I request a base domain and its wildcard, certbot returns two TXT records with the same hostname. This causes validation to fail. The intent of this issue is to address that? And thus until 0.23.0, there's no way to get a wildcard and a base domain in a single cert using certbot?

@mnordhoff (Contributor) commented Mar 14, 2018

@seafoodbuffet You have to set both TXT records simultaneously. You can't delete the first one until after Let's Encrypt has validated them all at the end. (#5729 is about explaining this better.) Certbot's manual DNS plugin works fine right now. This issue is specifically about a bug in some of the other DNS plugins.

@seafoodbuffet

@mnordhoff Okay, then I suspect I'm making a mistake requesting this... here's my most recent run
(replace example.com with a domain I actually own):

```
certbot certonly --manual --preferred-challenges dns \
--server https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos -m "email@example.com" --no-eff-email \
--manual-public-ip-logging-ok \
-d "*.example.com" \
-d "example.com"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

RTkLDIf-hLGsEsz4cy6SerPASgGl65wxD5V637cXe4Y

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

b047_1Ay9FVHivhv7Sj6jEfQ_16m3YdjT_P5J-faxsI

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. example.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "RTkLDIf-hLGsEsz4cy6SerPASgGl65wxD5V637cXe4Y" found at _acme-challenge.example.com
```

I had created both TXT records, but it seems like it found the wrong one and failed?

@mnordhoff (Contributor)

@seafoodbuffet If both existed on the authoritative nameservers, it would have worked. That error means only one exists. Can you start a thread on https://community.letsencrypt.org/ with more information? 🙂
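What the two-record requirement discussed above looks like in code, as an added example that is not from this thread, from Certbot or from Lexicon: it derives the dns-01 TXT values for `*.example.com` and `example.com` (both map to the single record name `_acme-challenge.example.com`), then reports which values are still absent from DNS before validation is triggered. The account thumbprint, the tokens and the `published` lookup are constructed stand-ins for the real ACME account key, the CA-issued tokens and a query of the authoritative nameservers.

```python
from __future__ import annotations

import base64
import hashlib

# Constructed value: a real thumbprint is base64url(SHA-256(account JWK)).
ACCOUNT_THUMBPRINT = "EXAMPLE-ACCOUNT-KEY-THUMBPRINT"


def challenge_record_name(identifier: str) -> str:
    """dns-01 record name (RFC 8555 s8.4). The wildcard label is dropped, so
    "*.example.com" and "example.com" share the name _acme-challenge.example.com."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def key_authorization_digest(token: str, thumbprint: str) -> str:
    """TXT record value: unpadded base64url(SHA-256(token "." thumbprint))."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def required_txt_records(challenges: dict[str, str], thumbprint: str) -> dict[str, set[str]]:
    """Map each record name to the set of TXT values that must coexist there."""
    required: dict[str, set[str]] = {}
    for identifier, token in challenges.items():
        value = key_authorization_digest(token, thumbprint)
        required.setdefault(challenge_record_name(identifier), set()).add(value)
    return required


def missing_txt_values(required: dict[str, set[str]],
                       published: dict[str, list[str]]) -> dict[str, set[str]]:
    """Values not yet visible in DNS. `published` stands in for a lookup of the
    authoritative nameservers (constructed). If any value at a name is absent, the
    CA reports "Incorrect TXT record ... found" for the identifier whose value it
    was, so no record may be removed until every identifier has been validated."""
    missing: dict[str, set[str]] = {}
    for name, values in required.items():
        gap = values - set(published.get(name, []))
        if gap:
            missing[name] = gap
    return missing


if __name__ == "__main__":
    # Constructed tokens for the two identifiers requested in the run above.
    required = required_txt_records(
        {"*.example.com": "tokenWildcard123", "example.com": "tokenBase456"}, ACCOUNT_THUMBPRINT)
    first, second = sorted(required["_acme-challenge.example.com"])
    print("only one record published, still missing:",
          missing_txt_values(required, {"_acme-challenge.example.com": [first]}))
```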

@seafoodbuffet

Okay, I wonder if I jumped the gun and tried to verify too soon whilst only one of those existed. I'll test again and if it still doesn't work, I'll start a thread. Thank you for double-checking that I'm not doing something obviously stupid.

@Fmstrat commented Mar 26, 2018

Given that AnalogJ/lexicon#182 closed and then reopened, but 2.2.0 has the used providers fixed (minus update_record which I don't believe is used), will certbot be waiting to integrate until all providers are tested and functional?

@bmw (Member, Author) commented Mar 26, 2018

I've triggered builds of all Lexicon based DNS plugins on Docker Hub so they'll use the new version of Lexicon. I've reached out to our package maintainers and will be filing bugs to get that updated there as well.

To close this issue out we should modify setup.py for each Lexicon based plugin so it depends on Lexicon >= 2.2.1 with a brief comment explaining why.

@bmw bmw modified the milestones: 0.24.0, 0.23.0 Mar 26, 2018
@bmw (Member, Author) commented Mar 28, 2018

@sydneyli, if you don't have time to get to this in the next couple days, let me know and I'll take it.

@sydneyli (Contributor)

@bmw Got started a little late, but I'll take a look at it today.
