dns-01 Redundant authentication when requesting wildcard certs

[Harvie]

When i use certbot to request certificate for both example.com and *.example.com, it issues two different challenges, that should both go to _acme-challenge.example.com TXT record.

While this is probably OK in most cases, it's less than optimal. I think that ACME client which sucessfully authorized for *.example.com should be also automaticaly authorized for example.com. Because the challenge is exactly the same.

If there was only one challenge for that name i would be able to simplify some of my DNS updating scripts. Right now i have to use the auth-cleanup hooks. If the challenges would be deduplicated, i could just overwrite the old _acme-challenge with the new one in the auth-hook. That will half the number of nsupdate calls and time needed to do that. But if there is need for having multiple TXT records for the same name at single time, i can't just overwrite it...

I believe this can even lower the load of letsencrypt cluster, since the servers will need to investigate less challenges, which probably takes some time.

[jsha]

Hi @Harvie! Thanks for the contribution and welcome to the Boulder repo.

We talked about this piece of inefficiency when we first implemented ACMEv2, and decided it would be simpler and safer to just have separate authorizations for the wildcard vs the non-wildcard name. This makes it easier, for instance, to enforce that authorizations for non-wildcard names are never used for wildcard issuance.

Based on your issue, we reconsidered the issue just now. Our conclusion is still the same - while it's slightly inelegant to have the two separate authorizations, it simplifies our code and seems to be working reasonably well for most clients. We'll continue to think about this, but for now our plan is to keep the current behavior.