Im wondering if there is a bug of sorts to be sorted, I’d be happy to assist. Here’s what I know, and how I resolved it:
I have 4 domain names. I generate a single certificate for all. It includes all 4 domains, and all their subdomains. ie. domain1.com, *.domain1.com, domain2.com, *.domain2.com, etc. These are listed in the Certificate Domains section of CTW.
In the Authorization section of CTW, I use challenge type DNS-01 for validation as none of these domains host websites, only mail and 1 has an ftp server, so I must validate against DNS. I use an API to perform the acme record writes to the DNS records. In the DNS Zone ID section of this same section, you must select 1 of the 4 domains. For this example, domain1.com.
I now run the test, and all tests come back good. This means CTW was as to successfully write the DNS acme txt records.
Now I run the Request Certificate. It does it’s thing, and fails, unable to validate domain1.com. Looking at my DNS records for the 4 domains, all 8 acme txt records are written to domain4.com, 6 pointing to the other 3 domains and *.domains. The other 3 domains are untouched.
I then deaelected domain3.com and domain4.com (and related *.domainX.com), and ran it. It failed on domain2.com. So I then in Authorization change the Zone ID to domain2.com, rerun, and voa, success! I then re-add a domain and sub back into the list (domain3.com and *.domain3.com), change Zone ID to domain3.com, run Request Certificate, and again, success. I re-add domain4.com and *.domain4.com to the list, change Zone I’d to domain4.com, run Request Certificate, and again, success.
I now have all 4 domains again into a single certificate.
It appears that generating a certificate via DNS for multiple domains, CYW writes all the acme txt records to one of the domains, which causes the Zone id domain to fail. If I add them back in one at a time, changing the Zone id to the previous listed failed auth, the process works.
QUESTION:. When generating a single certificate for multiple domains, why doesn’t CTW write the acme txt records to their respective domains in DNS instead of all to one domain? As it stands, I have to jump through hoops listed above for success. Based on the logs, it appears it fails because near the end, it attempts to validate a domain which doesn’t have an acme txt records for it’s domain, because it’s written to another domain in the list.
I suspect if the acme txt records were written to their respective domains regardless of Zone ID, it wld be successful every time. This is based on the above process of what I had to do to get it to work. Im afraid I don’t understand the purpose of Zone ID, but it appears that my troubles are related to that implementation.
Any clarity on this would be really appreciated! Thanks all, I really can’t say it enough, CTW is brilliant. Unfortunately I can’t automate as I need to do this unwieldy process for success. If there is ANY WAY I can help resolve this I’m more than happy to do so, please just ask. And if it’s because I’m ignorant of something Im overlooking, please fill in the blanks for me.
Original post, log removed:
I’ve successfully renewed my certificate for multiple domains for a few months now, even have scripting working.
The last 2 days are yielding failures though and I can’t figure out what’s going on. I do see problems in the log, which I’m pasting below.
Reviewing the logs from earlier and where the latest is different from a success, it appears the creating certificate order process is where it’s failing, setting up the rest of the process to fail as well.
I run a test first and it completes without error. I’ve rebooted the machine, ensured I can reach acme-v02.api.letsencrypt dot org(22.214.171.124). Nothing in my control has changed.
Can anyone provide some enlightenment and a fix? Again, absolutely nothing has changed with the machine, the API creds, the DNS setup, etc, since all previous successes. It’s writing the txt challenge records.
Here’s the log, all looks correct except at the end it just fails.
(Update:. Retrying removed the JWS anti-nonce error, but now it just fails at the end. Everything appears to work the way it should. The DNS records are being written by the API, I confirm they’re all there)
Thanks for any help, I’m absolutely stumped. Sorry about the bold, no idea why it’s doing this, but at least Im able to post the log as before it was limiting based on links.
(Update 2:. I’ve now got a rate limit and can no longer even begin the renewal process. Going downhill fast for me here. Please, anyone have any ideas? I’m stressing out)