
Failure to validate using DNS with wildcard certificate #384

Closed
JamesHorsley opened this Issue Nov 16, 2018 · 2 comments


JamesHorsley commented Nov 16, 2018

Doing a manual DNS TXT record - created the record with the given code but it is failing to recognise it. A single-domain certificate worked fine - so it seems to be an issue on wildcard domains. The log below shows the problem - in bold the code it wanted for DNS and the code it got from the check of DNS - they are the same but it still failed (this was the latest version, 4.0.10.0).

(Update DNS Manually) :: Please login to your DNS control panel for the domain '*.workflowconsulting.co.uk' and create a new TXT record named:
_acme-challenge.workflowconsulting.co.uk
with the value:
do_HAsnKD9ccJ_7GgmO8zQskDxic-pq8eDiPxeBMfYE

2018-11-16 15:03:09.275 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/45911767/177406928
2018-11-16 15:03:09.487 +00:00 [VRB] Fetching Authorizations.
2018-11-16 15:03:09.824 +00:00 [VRB] Fetching Authz Challenges.
2018-11-16 15:03:10.871 +00:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/ly3fJ7gOw3HOilmYCTLDqUVhrE1_QQlHve33_V7Qpsw/9348836460
2018-11-16 15:03:11.172 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/ly3fJ7gOw3HOilmYCTLDqUVhrE1_QQlHve33_V7Qpsw/9348836458
2018-11-16 15:03:11.172 +00:00 [VRB] Fetching Authz Challenges.
2018-11-16 15:03:12.167 +00:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/VGlYTxjiwMxuSCUf5vOyPXeC9ovc2lg3_pbJ1XR2tKE/9348927770
2018-11-16 15:03:12.167 +00:00 [INF] Attempting Challenge Response Validation for Domain: *.workflowconsulting.co.uk
2018-11-16 15:03:12.167 +00:00 [INF] Registering and Validating *.workflowconsulting.co.uk
2018-11-16 15:03:12.167 +00:00 [INF] Checking automated challenge response for Domain: *.workflowconsulting.co.uk
2018-11-16 15:03:14.610 +00:00 [INF] Domain validation completed: *.workflowconsulting.co.uk
2018-11-16 15:03:14.610 +00:00 [INF] Attempting Challenge Response Validation for Domain: workflowconsulting.co.uk
2018-11-16 15:03:14.610 +00:00 [INF] Registering and Validating workflowconsulting.co.uk
2018-11-16 15:03:14.610 +00:00 [INF] Checking automated challenge response for Domain: workflowconsulting.co.uk
2018-11-16 15:03:15.422 +00:00 [INF] Incorrect TXT record "do_HAsnKD9ccJ_7GgmO8zQskDxic-pq8eDiPxeBMfYE" found at _acme-challenge.workflowconsulting.co.uk
2018-11-16 15:03:17.681 +00:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record "do_HAsnKD9ccJ_7GgmO8zQskDxic-pq8eDiPxeBMfYE" found at _acme-challenge.workflowconsulting.co.uk
2018-11-16 15:03:17.681 +00:00 [INF] Validation of the required challenges did not complete successfully. Incorrect TXT record "do_HAsnKD9ccJ_7GgmO8zQskDxic-pq8eDiPxeBMfYE" found at _acme-challenge.workflowconsulting.co.uk

webprofusion-chrisc (Contributor) commented Nov 17, 2018

Hi James,

In the case of a cert for a domain wildcard + the domain itself, the instructions should tell you to create two values for the same record (this is a quirk of Let's Encrypt). So you need to add both values to the TXT record (not just one) for the validation to complete cleanly.

As a workaround, validation status is remembered by Let's Encrypt so if you can only supply one value then you can supply one, then repeat the certificate request and supply the other (the second attempt will then succeed).

Note that manual DNS is the hardest DNS option and using a supported API is much much easier (cloudflare is free/inexpensive and particularly easy).
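The two-values-under-one-name behaviour described in this reply, as an added Python example that is not Certify The Web's code: it derives the dns-01 TXT value the way RFC 8555 specifies (base64url of SHA-256 over `token.thumbprint`), shows that the wildcard and base identifiers share the `_acme-challenge` owner name and so need two TXT values there, and runs the pre-flight check as set membership across the whole RRset rather than comparing one expected value against one returned string. The JWK, tokens and `example.com` names are constructed placeholders, and `plan_dns01_records` / `check_txt_rrset` are names chosen here, not the project's API.

```python
import base64
import hashlib
import json
from typing import Dict, Iterable, List


def b64url(data: bytes) -> str:
    """Base64url without padding (RFC 7515 appendix C), as ACME encodes everything."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """Both '*.example.com' and 'example.com' are validated at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def plan_dns01_records(challenges: Iterable[tuple], thumbprint: str) -> Dict[str, List[str]]:
    """Group each identifier's challenge token by the TXT owner name it must be published at.

    An order for a wildcard plus its base domain yields two authorizations, hence two
    tokens, hence two TXT values under one owner name."""
    plan: Dict[str, List[str]] = {}
    for identifier, token in challenges:
        plan.setdefault(challenge_record_name(identifier), []).append(dns01_txt_value(token, thumbprint))
    return plan


def check_txt_rrset(expected: Iterable[str], found: Iterable[str]) -> Dict[str, object]:
    """Pre-flight check done correctly: every expected value must appear somewhere in the RRset.

    Comparing the single value you are looking for against the string you got back is
    what turns a merely incomplete record into an 'incorrect TXT record' report."""
    missing = sorted(set(expected) - set(found))
    return {"ok": not missing, "missing": missing}


# --- Constructed sample data (placeholder key material and tokens, not real ones) ----------
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_CHALLENGES = [
    ("*.example.com", "token-for-wildcard-authz"),
    ("example.com", "token-for-base-authz"),
]


def demo() -> Dict[str, object]:
    thumb = jwk_thumbprint(SAMPLE_JWK)
    plan = plan_dns01_records(SAMPLE_CHALLENGES, thumb)
    name = challenge_record_name("*.example.com")
    wanted = plan[name]
    # Simulated resolver answers: first the DNS panel holds only the wildcard's value, then both.
    only_one = check_txt_rrset(wanted, [wanted[0]])
    both = check_txt_rrset(wanted, list(reversed(wanted)))  # order within the RRset is irrelevant
    return {"record_name": name, "values": wanted, "only_one": only_one, "both": both}


if __name__ == "__main__":
    result = demo()
    print(f"Publish {len(result['values'])} TXT values at {result['record_name']}:")
    for value in result["values"]:
        print("   ", value)
    print("with one value published:", result["only_one"])
    print("with both published:     ", result["both"])
```

Running it prints one owner name with two distinct 43-character values and shows the check failing with exactly one value missing until both are published, which is the situation the log in the issue reports as an "incorrect" record.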

JamesHorsley commented Nov 21, 2018

Thanks for the response - for my sins, in an earlier life I started using 1&1 for the domain, so it isn't that easy to control the DNS. I assume (perhaps incorrectly) that once the DNS TXT token has been set up, renewals will use the same value.

Anyway - I seem to have got it working - it seems that you need to make sure the wildcard cert also has a "real" address - so say www.xyz.co.uk and *.xyz.co.uk - and when you do that, it seems that if you make the "real" one the first in the list then it works OK. Hope that helps anyone else who encounters this.
