Custom DNS challenge.Provider and (wildcard) SAN certificate #1648

tinmrn · 2022-05-20T07:26:09Z

tinmrn
May 20, 2022

Hello,

I'm trying to create a SAN certificate for domain.com and *.domain.com using the library.

However the verification fails because lego starts both the verification for the *. and the main domain at the same time, which both get the same _acme-challenge.redacted-domain.com check host but different TXT values.

Is this a bug or am I doing something wrong?

I'm using a custom challenge provider because our DNS software is not supported yet.

See the log:

2022/05/20 09:15:52 [INFO] [redacted-domain.com, *.redacted-domain.com] acme: Obtaining SAN certificate
2022/05/20 09:15:53 [INFO] [*.redacted-domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2491820714
2022/05/20 09:15:53 [INFO] [redacted-domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2491820724
2022/05/20 09:15:53 [INFO] [*.redacted-domain.com] acme: use dns-01 solver
2022/05/20 09:15:53 [INFO] [redacted-domain.com] acme: Could not find solver for: tls-alpn-01
2022/05/20 09:15:53 [INFO] [redacted-domain.com] acme: Could not find solver for: http-01
2022/05/20 09:15:53 [INFO] [redacted-domain.com] acme: use dns-01 solver
2022/05/20 09:15:53 [INFO] [*.redacted-domain.com] acme: Preparing to solve DNS-01
time="09:15:53" level=info msg="setting \"_acme-challenge.redacted-domain.com.\" to \"8M7oN8T5rZlvF-Gi8jB6lJRXoJ4YFK1gSWns90i7bxA\" for redacted-domain.com" pid=5680 pkg=autocert
2022/05/20 09:15:53 [INFO] [redacted-domain.com] acme: Preparing to solve DNS-01
time="09:15:53" level=info msg="setting \"_acme-challenge.redacted-domain.com.\" to \"D2G9RaNYF_1arVnr-9SAPVcTP82mSmHJfg1-aPNetUA\" for redacted-domain.com" pid=5680 pkg=autocert
2022/05/20 09:15:53 [INFO] [*.redacted-domain.com] acme: Trying to solve DNS-01
2022/05/20 09:15:53 [INFO] [*.redacted-domain.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2022/05/20 09:15:55 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2022/05/20 09:16:01 [INFO] [redacted-domain.com] acme: Trying to solve DNS-01
2022/05/20 09:16:01 [INFO] [redacted-domain.com] acme: Checking DNS record propagation using [172.31.0.2:53]
2022/05/20 09:16:03 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2022/05/20 09:16:20 [INFO] [redacted-domain.com] The server validated our request
2022/05/20 09:16:20 [INFO] [*.redacted-domain.com] acme: Cleaning DNS-01 challenge
time="09:16:20" level=info msg="cleaning up \"_acme-challenge.redacted-domain.com.\" => \"8M7oN8T5rZlvF-Gi8jB6lJRXoJ4YFK1gSWns90i7bxA\" for redacted-domain.com" pid=5680 pkg=autocert
2022/05/20 09:16:20 [INFO] [redacted-domain.com] acme: Cleaning DNS-01 challenge
time="09:16:20" level=info msg="cleaning up \"_acme-challenge.redacted-domain.com.\" => \"D2G9RaNYF_1arVnr-9SAPVcTP82mSmHJfg1-aPNetUA\" for redacted-domain.com" pid=5680 pkg=autocert
2022/05/20 09:16:20 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2491820714
2022/05/20 09:16:20 [INFO] Skipping deactivating of valid auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2491820724
time="09:16:20" level=error msg="error: one or more domains had a problem:\n[*.redacted-domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record \"D2G9RaNYF_1arVnr-9SAPVcTP82mSmHJfg1-aPNetUA\" found at _acme-challenge.redacted-domain.com\n\nerror getting cert for \"redacted-domain.com\"" pid=5680 pkg=autocert

BTW thank you for a great package, it helps me greatly simplify our operations management!

Answered by ldez

May 20, 2022

hello,

if your DNS provider doesn't support multiple TXT records for a domain, you need to set the Sequential method:

// Sequential All DNS challenges for this provider will be resolved sequentially.
// Returns the interval between each iteration.
func (d *DNSProvider) Sequential() time.Duration {
	return d.config.SequenceInterval
}

View full answer

ldez · 2022-05-20T09:50:30Z

ldez
May 20, 2022
Maintainer

hello,

if your DNS provider doesn't support multiple TXT records for a domain, you need to set the Sequential method:

// Sequential All DNS challenges for this provider will be resolved sequentially.
// Returns the interval between each iteration.
func (d *DNSProvider) Sequential() time.Duration {
	return d.config.SequenceInterval
}

1 reply

tinmrn May 20, 2022
Author

Thanks, that worked!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Custom DNS challenge.Provider and (wildcard) SAN certificate #1648

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Custom DNS challenge.Provider and (wildcard) SAN certificate #1648

tinmrn May 20, 2022

Replies: 1 comment · 1 reply

ldez May 20, 2022 Maintainer

tinmrn May 20, 2022 Author

tinmrn
May 20, 2022

Replies: 1 comment 1 reply

ldez
May 20, 2022
Maintainer

tinmrn May 20, 2022
Author