Using dns-01 validation through Amazon Route53 fails when I specify both a wildcard and root domain in the certificate. It seems to create a single challenge txt record for each ( *.xxx.com and xxx.com ), then validates the first one successfully, then deletes the TXT record as part of a cleanup which in turn causes the second validation to fail. Am I doing something wrong?
This used to work but has started failing recently. Sometimes it says "skipping validation of “root_domain_here” as it's already validated", and in those circumstances it all completes successfully. Please help
See log sample here :
I tried again, but this time I set the root domain as the primary and now it completed as it skipped validating the wildcard domain as it said “Authorization already valid for *.redwavehq.com”
This behavior is strange and unpredictable
Thanks for raising this issue. Some DNS providers are limited to one TXT entry at a time, but simultaneously validating apex domain + wildcard requires two values for the same _acme-challenge entry; that in itself is a limitation of the ACME protocol.
In some cases we have to rely on cached validations (e.g. one of the versions of the authorization having already recently succeeded) but for normal renewals you won’t notice this because it’s automatic.
For some providers like Cloudflare we have specific logic to allow the rotation of the two most recent TXT entries for _acme-challenge, but most don't have that. Looking at our code for the AWS Route 53 provider, I think we do handle multiple TXT record values for that, but we'll test it again.
Specifically for AWS Route 53, changes take a long time to be confirmed by the API, so it’s possible there is conflict there with our asynchronous challenge cleanup and we need to do more on that specific provider to account for that.
Confirming we were able to reproduce this issue and we will look into how this can be improved specifically for the AWS Route 53 provider.
The async challenge cleanup process is running after the first identifier is validated but we could hold off and cleanup later, or we could wait for the cleanup before proceeding instead of having async in the background.
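The mechanics discussed in this thread (apex and wildcard sharing one `_acme-challenge` name, a whole-record-set cleanup removing the second challenge's value, and per-value cleanup as a fix) as an added example that is not part of the original posts or of the Certify The Web / Route 53 code. The `FakeRoute53Zone` class is an in-memory stand-in for `ChangeResourceRecordSets` semantics (one record set per name/type, UPSERT replaces the whole value list, DELETE removes the whole set); the tokens, thumbprint and domain are constructed.

```python
"""Simulated dns-01 validation of apex + wildcard against a Route 53-style
TXT record set. Constructed example: the zone model is an in-memory stand-in,
not boto3 and not the ACME client's own provider code."""
import base64
import hashlib

# Constructed inputs (not real ACME tokens or a real account key thumbprint).
THUMBPRINT = "example-account-key-thumbprint"
CHALLENGES = [("example.com", "token-for-apex"), ("*.example.com", "token-for-wildcard")]


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 8.4: TXT value = base64url(SHA-256(token '.' thumbprint)), unpadded."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def challenge_name(identifier: str) -> str:
    """Apex and wildcard both validate at _acme-challenge.<apex>: same record set."""
    apex = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{apex}."


class FakeRoute53Zone:
    """Minimal model of Route 53 record-set semantics (assumption: simplified,
    e.g. real DELETE must also match the current values exactly)."""

    def __init__(self) -> None:
        self.sets: dict[tuple[str, str], list[str]] = {}

    def change(self, action: str, name: str, rtype: str, values: list[str]) -> None:
        key = (name.lower(), rtype)
        if action == "UPSERT":
            self.sets[key] = list(values)          # replaces the WHOLE value list
        elif action == "DELETE":
            self.sets.pop(key, None)               # removes the WHOLE record set
        else:
            raise ValueError(f"unsupported action {action}")

    def txt_values(self, name: str) -> list[str]:
        return [v.strip('"') for v in self.sets.get((name.lower(), "TXT"), [])]


def add_txt_value(zone: FakeRoute53Zone, name: str, value: str) -> None:
    """Merge a new value into the existing set instead of overwriting it."""
    current = zone.txt_values(name)
    if value not in current:
        zone.change("UPSERT", name, "TXT", [f'"{v}"' for v in current + [value]])


def remove_txt_value(zone: FakeRoute53Zone, name: str, value: str) -> None:
    """Per-value cleanup: keep other challenges' values; DELETE only when empty."""
    remaining = [v for v in zone.txt_values(name) if v != value]
    if remaining:
        zone.change("UPSERT", name, "TXT", [f'"{v}"' for v in remaining])
    else:
        zone.change("DELETE", name, "TXT", [])


def ca_validates(zone: FakeRoute53Zone, name: str, expected: str) -> bool:
    """Stand-in for the CA's DNS lookup: any TXT value matching is enough."""
    return expected in zone.txt_values(name)


def _publish_all(zone: FakeRoute53Zone) -> list[tuple[str, str]]:
    published = []
    for identifier, token in CHALLENGES:
        name, value = challenge_name(identifier), dns01_txt_value(token, THUMBPRINT)
        add_txt_value(zone, name, value)
        published.append((name, value))
    return published


def naive_flow() -> list[bool]:
    """Validate first identifier, then cleanup deletes the whole record set."""
    zone = FakeRoute53Zone()
    (apex_name, apex_value), (wc_name, wc_value) = _publish_all(zone)
    results = [ca_validates(zone, apex_name, apex_value)]
    zone.change("DELETE", apex_name, "TXT", [])   # async cleanup, whole set gone
    results.append(ca_validates(zone, wc_name, wc_value))  # wildcard now fails
    return results


def safe_flow() -> list[bool]:
    """Same order, but cleanup removes only the validated challenge's value."""
    zone = FakeRoute53Zone()
    (apex_name, apex_value), (wc_name, wc_value) = _publish_all(zone)
    results = [ca_validates(zone, apex_name, apex_value)]
    remove_txt_value(zone, apex_name, apex_value)
    results.append(ca_validates(zone, wc_name, wc_value))
    remove_txt_value(zone, wc_name, wc_value)
    assert zone.txt_values(wc_name) == []          # nothing left behind
    return results


if __name__ == "__main__":
    print("naive:", naive_flow())   # [True, False]
    print("safe: ", safe_flow())    # [True, True]
```

The same outcome as `safe_flow` can be had by deferring cleanup until every identifier in the order has been validated, which is the other option mentioned above; either way the invariant to check against a real zone is that the `_acme-challenge` set still contains the pending challenge's value at the moment the CA queries it, and with Route 53 that check has to wait for the change to reach INSYNC before validation is requested.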
Thanks for the swift response and glad to see I wasn’t going crazy. I’ll keep an eye out for an update 