Manual DNS-01 challenge does not work

  1. The app asks me to create a TXT “_acme-challenge.mydomain.com” record in my zone (by the way, what does the star (*) mean in the zone name *.mydomain.com?)
  2. I create a record with the advised value, like “pagiMrdvY1FVq-gWPKu19S28EiHibIK32YfA_UxRw_E”
  3. I click the “Request Certificate” button again, as suggested, to continue the paused process
  4. Now the app shows an error that the record “_acme-challenge.mydomain.com” does not exist
  5. I click “Request Certificate” again
  6. The app asks me to put in a value again, with a new value
  7. The process repeats from Step 2 indefinitely (I actually tried changing the value approx. 10 times).

Finally I ended up with “Failed to create certificate order”. According to the log, it’s because of “too many failed authorizations recently”

Hi, you’re using the manual DNS validation method so I assume you need to create a wildcard certificate? If not, just use http validation if you can. Manual DNS validation is really just there as a last resort if you have no other choice and it’s generally not suitable for any sustained use.

If you want a certificate for ‘domain.com’ and ‘*.domain.com’ (i.e. all subdomains immediately under domain.com) then Let’s Encrypt requires you to validate your control of both domain variations, so you will end up setting the same TXT record at least twice.

When you set the TXT record you need to allow enough time for DNS propagation to at least all of your nameservers (your domain will have more than one). If you attempt to resume the request before then it will fail. The time it takes for your nameservers to be consistent depends on your DNS provider.

One option is to move your domain to a provider we support automatically, like CloudFlare. Or try acme-dns.
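A way to check the propagation point above before clicking “Request Certificate” again, as an added example (not code from this thread or from the Certify The Web app): it asks every authoritative nameserver for the zone whether the TXT value the app displayed is already served. It assumes `dig` is installed; the decision logic is a pure function, so the constructed data at the bottom runs without network access.

```python
"""Check that an ACME DNS-01 TXT value has reached every authoritative nameserver.

Added example, not code from the forum thread or the Certify The Web app. Live
lookups shell out to `dig` (assumed installed); the decision logic is pure so it
can be run against constructed data.
"""
import subprocess
import sys
from typing import Dict, Optional, Set


def challenge_name(domain: str) -> str:
    """example.com and *.example.com share one TXT name: _acme-challenge.example.com."""
    zone = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + zone


def dig_short(qname: str, rtype: str, server: Optional[str] = None) -> Set[str]:
    """Run `dig +short` (optionally against one server) and return the answer set."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", rtype, qname]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    # TXT answers come back quoted; strip the quotes so values compare directly
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}


def propagation_status(expected: str, observed: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Per nameserver: is the expected value served yet? Stale extra values are harmless."""
    return {ns: expected in values for ns, values in observed.items()}


def ready_to_resume(expected: str, observed: Dict[str, Set[str]]) -> bool:
    """Resume the paused order only when every server agrees; no servers means not ready."""
    status = propagation_status(expected, observed)
    return bool(status) and all(status.values())


if __name__ == "__main__":
    # usage: python dns01_check.py '*.example.com' <txt-value-shown-by-the-app>
    domain, expected = sys.argv[1], sys.argv[2]
    name = challenge_name(domain)
    zone = name[len("_acme-challenge."):]
    observed = {ns: dig_short(name, "TXT", ns) for ns in sorted(dig_short(zone, "NS"))}
    for ns, ok in propagation_status(expected, observed).items():
        print(f"{ns:40} {'OK' if ok else 'missing'}")
    sys.exit(0 if ready_to_resume(expected, observed) else 1)
```

If the name you pass is not a zone apex, the NS lookup returns nothing and the script reports “not ready”; query the zone that actually holds the record in that case.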

Yes, I want to create a wildcard and yes, this is experimental setup.
Sorry, your discussion board engine says “no more than 2 links per post” (which seems not really wise for an Internet-related forum :slight_smile:), so I replaced domain.com with DC everywhere below.

I’m sorry, but I didn’t understand that. If I try to add DC to the same request as *.DC (primary), as the app pop-up suggested, then I receive an error on the next step (“DC cannot be added to the same DC wildcard request”). So could you please clarify how I can validate “both” domain variations? I have only the zone “DC” with all records within it. A sub-domain like www.DC is in fact just an A-record for “www” within DC (in DNS terms). *.DC is all of these A-records; there could be dozens of them.

Hi,

The easiest way to do this (with manual DNS validation) is to have two managed certificates and to request them independently.

When you try to mix *.example.com and example.com in one certificate the validation process is extremely confusing (because you need to set the same TXT record to 2 different values, one to validate each variation).

This is a feature of Let’s Encrypt and I have pointed out to them that having the same record _acme-challenge.example.com for both *.example.com and example.com is confusing and difficult for users, but it’s not going to change.

Note that certificates from Let’s Encrypt cannot contain a wildcard and a subdomain (e.g. if you have *.example.com you cannot also add www.example.com to the same certificate).

For any regular use of Let’s Encrypt you must use an automated challenge response (you will be required to re-validate regularly so manual DNS is not practical for any use other than testing). The upcoming v5 of our app adds another 20

Regarding the limit of 2 links per forum post, this is a built-in feature of Discourse (our forum software) and I’ve increased the limit but the idea is that new users shouldn’t be able to spam your forum with hyperlinks, which is usually sensible.

In general it’s good to avoid letting forums think you’re linking something when you’re just demonstrating something.

example.com

…becomes the link, example.com

`example.com`

…becomes a code-block or “pre-formatted text”, example.com and won’t count against anything.


I’m really sorry but it’s still confusing. I’ve got an idea of what Let’s Encrypt wants, but what is the reason to have two requests and two certificates, one for domain.com and another for *.domain.com, if the latter also includes the first one? Is it something that I have to do (e.g. *.domain.com will not be issued unless I first issue domain.com) or something else?

P.S. Thanks for help and thanks for letting me know how to correctly format my discussion board posts.

That is the message I was talking about. It’s unclear why I have to have a “corresponding non-wildcard version” and where I have to add it. If I just click “Yes”, the app adds domain.com to the same request, which contradicts what you said, and it will lead to the error on the next step anyway.

If you don’t add example.com to a certificate that already has *.example.com and then try to browse to https://example.com, your certificate will be invalid because it only matches subdomain names like www.example.com (not example.com by itself). The app knows this and tries to guide you to add the domain so you don’t then run into that problem.

If you could not use the Manual DNS option this whole problem would go away and you would find the process a lot easier. Is there any chance you can test a domain with Cloudflare (free)? https://docs.certifytheweb.com/docs/dns-cloudflare Manual DNS is too confusing at the best of times and I don’t think you’re making progress with it.

It’s possible with the right configuration to go from having no certificate to being completely configured in less than a minute, which is completely opposite to the experience you’re currently having. As mentioned, Manual DNS is for testing only and is potentially confusing and troublesome.

Okay, thanks, got it. I would however continue to try the manual method just to make myself familiar with the process. Meantime, could you please look into Let’s Encrypt DNS providers?

I would be particularly interested in “Yandex.Mail”, which works with acme.sh. Would it work with your app? Currently we use a commercial (paid) DNS provider which is really good but lacks Let’s Encrypt integration. Anyway, since we’re in Russia I would prefer a geographically closer DNS provider such as Yandex rather than Cloudflare.

Yes, v5 will be released mid-year and has an additional 25 DNS API providers as well as support for other ACME Certificate Authorities such as BuyPass Go.