Wildcard cert needs 2 TXT records with same name

Hello everyone,
I need to request a wildcard certificate for domain.com and *.domain.com, so my website can be secured by accessing it with https://www.domain.com as well as https://domain.com

So in Certificate/Domains I created 2 different records:
*.domain.com (Primary)
domain.com

Starting with ‘Request certificate’ (dns-01/Update DNS manually) I get this response:

2021-12-16 08:56:08.503 +01:00 [INF] DNS: Creating TXT Record '_acme-challenge.domain.com' with value 'jj5AbOKoGS9iQwpgupqpCMzWRZhlG6mgKtRkPfFmNzE', in Zone Id '' using API provider '(Update DNS Manually)'
2021-12-16 08:56:08.504 +01:00 [INF] DNS: (Update DNS Manually) :: Please login to your DNS control panel for the domain 'domain.com' and create a new TXT record named: 
	_acme-challenge.domain.com 
with the value:
	jj5AbOKoGS9iQwpgupqpCMzWRZhlG6mgKtRkPfFmNzE
2021-12-16 08:56:08.504 +01:00 [INF] Requesting Validation: domain.com
2021-12-16 08:56:08.504 +01:00 [INF] (Update DNS Manually) :: Please login to your DNS control panel for the domain '*.domain.com' and create a new TXT record named: 
	_acme-challenge.domain.com 
with the value:
	qhDKVakM7v-nyMdvXtW8E-AJxV_G6Zz2Xv9iduiZL0o
(Update DNS Manually) :: Please login to your DNS control panel for the domain 'domain.com' and create a new TXT record named: 
	_acme-challenge.domain.com 
with the value:
	jj5AbOKoGS9iQwpgupqpCMzWRZhlG6mgKtRkPfFmNzE
 

(my domain has been replaced by ‘domain .com’)

The problem is that the remote server asks to create TWO different TXT records for domain.com and *.domain.com, but the name of the TXT record is the same: ‘_acme-challenge.domain.com’. How can I create two different TXT records, with different values but same name?

Thanks

Indeed it does; this is a quirk of the ACME standard for automated domain validation and is not something Certify The Web controls. I would strongly urge you not to use the Manual DNS method if you can avoid it; the UI should also warn you about this as well - it cannot be automated and you will need to manually intervene every time the certificate renews.

Some DNS control panels will let you specify multiple values for one TXT record, or let you add the same TXT record twice, which lets you work around this issue, but the main workaround is to validate one combination first, then try again until all combinations have been validated (Let’s Encrypt remembers your successful validations for 30 days).
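
The "same name, two values" situation described in the reply above, as an added example that is not part of the thread and not Certify The Web's code: each identifier (domain.com and *.domain.com) gets its own ACME token, so each gets its own dns-01 TXT value, and both values must be published under the single name _acme-challenge.domain.com as one DNS RRset. The script derives the TXT values the way RFC 8555 §8.4 defines them (base64url of SHA-256 over token "." account-key thumbprint) and then checks a simulated resolver answer to see which values are still missing before asking the CA to validate. The JWK, tokens and published records are constructed for the example.

```python
"""Pre-flight check for ACME dns-01 with a wildcard plus apex name.

Added example (not from the forum thread or from Certify The Web). Assumes:
  * one challenge token per identifier, handed out by the ACME server;
  * both 'domain.com' and '*.domain.com' validate at the same TXT name,
    _acme-challenge.domain.com, so the name must hold several TXT records.
All keys, tokens and DNS answers below are constructed sample data.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only, serialised as JSON with sorted keys and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 §8.4: TXT value = base64url(SHA-256(token '.' thumbprint)).
    Different tokens give different values even for the same DNS name."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def challenge_record_name(identifier: str) -> str:
    """The wildcard label is dropped before '_acme-challenge.' is prefixed,
    which is why the apex and the wildcard share one record name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def missing_values(published_txt: dict, expected: dict) -> dict:
    """Compare what DNS currently publishes with what the CA expects.

    published_txt: {record_name: [txt string, ...]} as a resolver returns it
                   (several strings under one name form one RRset).
    expected:      {identifier: txt_value} for every identifier in the order.
    Returns the identifiers whose value is not visible yet; an empty dict
    means every value is published and validation can be requested.
    """
    missing = {}
    for identifier, value in expected.items():
        name = challenge_record_name(identifier)
        if value not in set(published_txt.get(name, [])):
            missing[identifier] = value
    return missing


if __name__ == "__main__":
    # Constructed account key; a real thumbprint comes from the account's JWK.
    thumbprint = jwk_thumbprint({"kty": "EC", "crv": "P-256",
                                 "x": "constructed-x", "y": "constructed-y"})
    # Constructed per-identifier tokens, one per authorization.
    tokens = {"domain.com": "token-for-apex", "*.domain.com": "token-for-wildcard"}
    expected = {ident: dns01_txt_value(tok, thumbprint) for ident, tok in tokens.items()}

    # Simulated resolver answer after only the apex value was published.
    published = {"_acme-challenge.domain.com": [expected["domain.com"]]}
    print("still missing:", list(missing_values(published, expected)))

    # Second value added under the same name: the RRset the panel must allow.
    published["_acme-challenge.domain.com"].append(expected["*.domain.com"])
    print("still missing:", list(missing_values(published, expected)))
```

When a control panel cannot hold two TXT records under one name, the same check supports the reply's fallback: publish the apex value, confirm it is visible, let the CA validate it, then replace the record with the wildcard value and re-run the check before the second validation.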

Hi, thanks for the reply.
Well, good to know it’s not my configuration issue!
I will try to create two TXT strings with the same name, if the provider will support it, or I’ll create a certificate for both www.domain.com and domain.com

Thanks a lot!
