Manual DNS-01 challenge does not work

  1. The app asks to create a TXT “” record to my zone (by the way, what does star (*) mean in the zone name * ?)
  2. I do create a record with advised value like “pagiMrdvY1FVq-gWPKu19S28EiHibIK32YfA_UxRw_E”
  3. I click “Request Certificate” button again as suggested to continue paused process
  4. Now app shows an error that the record “” does not exist
  5. I click “Request Certificate” again
  6. The app asks to put a value again, with new value
  7. Process repeated from the Step 2 infinitely (I actually tried to change the value approx. 10 times).

Finally I ended up with “Failed to create certificate order”. According to the log, it’s because of “too many failed authorizations recently”

Hi, your using the manual DNS validation method so I assume you need to create a wildcard certificate? If not, just use http validation if you can. Manual DNS validation is really just there as a last resort if you have no other choice and it’s generally not suitable for any sustained use.

If you want a certificate for ‘’ and ‘*’ (i.e. all subdomains immediately under then Let’s Encrypt requires you to validate your control of both domain variations, so you will end up setting the same txt record at the least twice.

When you set the txt record you need to allow enough time for DNS propagation to at least all of your nameservers (your domain will have more than one). If you attempt to resume the request before then it will fail. The time it takes for your nameservers to be consistent depends on your DNS provider.

One option is to move your domain to a provider we support automatically, like CloudFlare. Or try acme-dns.

Yes, I want to create a wildcard and yes, this is experimental setup.
Sorry, your discussion board engine writes “no more 2 links per post” (seems not really wise for Internet-related forum :slight_smile: so I replaced by DC everywhere below.

I’m sorry, that I didn’t understand. If I try to add DC to the same request with *DC (primary) as app pop-up suggested, then I receive an error on the next step (“DC cannot be added to the same DC wildcard request”). So could you please clarify how can I validate “both” domain variations? I have only zone “DC” with all records within. Sub-domain like wwwDC in fact is just A-record of “www” within DC (in terms of DNS). *DC is all of these A-records, it could be dozens of them.


The easiest way to do this is (manual DNS validation) is to have two managed certificates and to request them independently.

When you try to mix * and in one certificate the validation process is extremely confusing (because you need to set the same TXT record to 2 different values, one to validate each variation).

This is a feature of Let’s Encrypt and I have pointed out to them that having the same record for both * and is confusing and difficult for users, but it’s not going to change.

Note that certificates from Let’s Encrypt cannot contain a wildcard and a subdomain (e.g. if you have * you cannot also add to the same certificate).

For any regular use of Let’s Encrypt you must use an automated challenge response (you will be required to re-validate regularly so manual DNS is not practical for any use other than testing). The upcoming v5 of our app adds another 20

Regarding the limit of 2 links per forum post, this is a built-in feature of Discourse (our forum software) and I’ve increased the limit but the idea is that new users shouldn’t be able to spam your forum with hyperlinks, which is usually sensible.

In general it’s good to avoid letting forums think you’re linking something when you’re just demonstrating something.

…becomes the link,


…becomes a code-block or “pre-formatted text”, and won’t count against anything.

1 Like

I’m really sorry but it’s still confusing. I’ve caught an idea what Let’s Encrypt wants but what is a reason to have two requests and two certificates - one for and another one is for * if the latter one also includes first one? Is it something that I have to do (e.g. * will not be issued unless I firstly will issue or something else?

P.S. Thanks for help and thanks for letting me know how to correctly format my discussion board posts.

That is a message that I was talking about. It’s unclear why I have to have “corresponding non-wildcard version” and to where I have to add it. If I just click “Yes” apps adds to the same request that contradicts to what you said and it will lead to the error on the next step anyway.

If you don’t add to a certificate that already has * then try to browse to your certificate will be invalid because it only matches subdomain names like (not by itself). The app knows this and tries to guide you to add the domain so you don’t then run into that problem.

If you could not use the Manual DNS option this whole problem would go away and you would find the process a lot easier. Is there any chance you can test a domain with Cloudflare (free)? Manual DNS is too confusing at the best of times and I don’t think your making progress with it.

It’s possible with the right configuration to go from having no certificate to being completely configured in less than a minute, which is completely opposite to the experience you’re currently having. As mentioned, Manual DNS is for testing only and is potentially confusing and troublesome.

Okay, thanks, got it. I would however continue to try manual method just to make myself familiar with the process. Meantime, could you please look onto Let’s Encrypt DNS providers?

I would particularly interesting in “Yandex.Mail” which works with Would it work with your app? Currently we use commercial (paid) DNS provider which is really good but Let’s Encrypt integration. Anyway, since we’re in Russia I would prefer geographically closer DNS as Yandex than Cloudflare.

Yes, v5 will be released mid-year and has an additional 25 DNS API providers as well as support for other ACME Certificate Authorities such as BuyPass Go.