Can't get single certificate for both DOMAIN.com and *.DOMAIN.com
#2068
Comments
|
Hello, it feels like a propagation issue: clean your TXT records and try again. |
I reproduce this issue even with clean records. rm -rf ~/.lego # This is important
CLOUDFLARE_API_KEY=.... CLOUDFLARE_EMAIL='my@email' lego --domains 'DOMAIN.COM,*.DOMAIN.COM' --accept-tos --email 'my@email' --dns cloudflare --server 'https://acme-staging-v02.api.letsencrypt.org/directory' runImportant condition - we must don't have a cached challenge for DOMAIN.com (just I think, the main issue is that LEGO add two records at one time: one for DOMAIN.com and second for *.DOMAIN.com |
This is expected: having 2 TXT records for the same domain is not a problem. |
But anyway this is LEGO's bug. I don't see any problem with this case on acme.sh or certbot. Maybe, for fixing this issue, LEGO must work like this:
The current behavior is:
But failing on 4 or 3 steps. |
Hmm, yes, with |
|
Oh no, still not working :( |
|
The fact to have multiple TXT records is not a problem, this is why lego handles the DNS challenge for Cloudflare in "parallel" and not sequentially. This provider has been widely used, for a long time, without any problem with wildcard. The problem is a propagation issue, I don't know why, I will try to find more information but it may be related to your zone or your geographical zone. |
|
I reproduce this bug in different geographical zones, different domain zones (.com and .in), different servers (hetzner vs OVH). Seems like, LEGO use incorrect TXT in cases where more than one TXT present at the same time (because *.DOMAIN.com and DOMAIN.com adds TXT to DOMAIN.com) Maybe, it is impossible to distinguish which TXT belongs to a specific domain in this case. Also, requesting certificates only for Please, see my logs. Or you can check it yourself. |
lego uses and adds the right TXT records, the validation is not done by lego but by Let's Encrypt.
It's not how it works. lego uses a "parallel" approach (several TXT records for the same domain) on 90% of the DNS providers without any issues. The other 10% are DNS providers that don't support multiple TXT records for a domain. It's a propagation issue. There are several possibilities:
|
|
Okay, I see you are right. Sorry for the misunderstanding. I don't see issue with this modifications. diff --git a/providers/dns/cloudflare/cloudflare.go b/providers/dns/cloudflare/cloudflare.go
index 2d91fe4b..11709870 100644
--- a/providers/dns/cloudflare/cloudflare.go
+++ b/providers/dns/cloudflare/cloudflare.go
@@ -151,6 +151,9 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
d.recordIDsMu.Unlock()
log.Infof("cloudflare: new record for %s, ID %s", domain, response.ID)
+ log.Infof("SLEEPING 60 SECONDS")
+
+ time.Sleep(60 * time.Second)
return nil
}LEGO have any
|
|
The
|
This is not suggestion for fix, this is how I check problem, nothing more. But, I think, option like I didn't find a similar option in LEGO. |
|
Hm, I found CLOUDFLARE_POLLING_INTERVAL=30 and it working |
|
Thanks for help. |
|
I experience exactly the same problem with cloudflare. @Azq2, how reliably Still, I think the issue is not resolved, since none of developers promoted any official solution or fix. |
FYI, I'm the main maintainer of lego. The solution found by Azq2 is in the same direction as my suggestions and fixes his problem, so it becomes the "official" solution. |
|
@ldez, it seems for deSEC |
|
This was related to Cloudflare, if you have an issue with deSEC, can you open a dedicated issue? |
|
I'm not sure if all the options below are relevant, but this combination works reliably: @ldez, currently, I'm not ready to investigate the issue further, unless it stops working. |
Welcome
What did you expect to see?
Single certificate with both
DOMAIN.comand*.DOMAIN.comWhat did you see instead?
How do you use lego?
Binary
Reproduction steps
Version of lego
lego version 4.14.2 linux/386Logs
Go environment (if applicable)
The text was updated successfully, but these errors were encountered: