dehydrated: Incorrect TXT record with wildcard and non-wildcard in the same cert

I’m trying to use ACMEv2 and wildcards and I have some issues. My domains.txt contains something like:

foo.domain.tld *.foo.domain.tld bar.domain.tld

Config for hook:

CHALLENGETYPE='dns-01'
HOOK='/opt/pdns_api.sh/pdns_api.sh'
HOOK_CHAIN="yes"

When deploying using the pdns_api.sh DNS hook, I get two entries created, each with a different challenge:

_acme-challenge.foo TXT SOME_VALUE1
_acme-challenge.bar TXT SOME_VALUE2

But in logs I get:

Processing foo.domain.tld with alternative names: *.domain.tld bar.domain.tld
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 3 authorizations URLs from the CA
 + Handling authorization for foo.domain.tld
 + Handling authorization for bar.domain.tld
 + Handling authorization for foo.domain.tld
 + 3 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for foo.domain.tld authorization...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"SOME_VALUE1\" found at _acme-challenge.foo.domain.tld",
    "status": 403
  },
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxx/xxx",
  "token": "xxx",
  "keyAuthorization": "xxx"
})

I also tried first with the production ACMEv2 and got the same issue.

I ran with debug in config file and at one point it shows:

Name:  _acme-challenge.bar.domain.tld.
Token: SOME_VALUE2
Zone:  domain.tld.
Name:  _acme-challenge.foo.domain.tld.
Token: SOME_VALUE3???
Zone:  domain.tld.
Name:  _acme-challenge.foo.domain.tld.
Token: SOME_VALUE1
Zone:  domain.tld.

I see the same thing being pushed to pdns, with obviously only the “last” challenge in the update list being accepted for foo.domain.tld.

Is it supported to have a cert with foo.domain.tld *.foo.domain.tld bar.domain.tld, or is there a bug somewhere?

(Also, I can’t always reproduce it properly, because randomly I only get a challenge generated for foo.domain.tld and nothing for bar.domain.tld 😦)

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 15 (3 by maintainers)

Most upvoted comments

This issue is for validating a wildcard and non-wildcard domain at the same time. Specifically, this is using HOOK_CHAIN=yes. Which means the hook must be capable of deploying two TXT records, both of the form _acme-challenge.foo.com. but with two different tokens. One will validate the wildcard, and one will validate the non-wildcard.

If you’re validating foo.com and bar.foo.com and they are being validated one by one (instead of at the same time), then you would appear to not be using HOOK_CHAIN=yes. And even if you were, you wouldn’t be uploading two records of the same name; you would have two names (one of _acme-challenge.foo.com. and one of _acme-challenge.bar.foo.com.).

If you’re having troubles with an alias, that’s different again. An alias is used as a directory name / certificate-specific config filename, no more and no less. It does not impact the validation records at all. So if you’re experiencing an issue with an alias, it should be put in a separate issue, so it doesn’t get lost in the discussion over validation records.
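A hook skeleton showing the record merging the comment above requires, as an added example that is not dehydrated's or pdns_api.sh's own code: with HOOK_CHAIN="yes" dehydrated hands every (domain, token filename, token value) triple to one deploy_challenge call, and the hook has to fold the wildcard and base-name tokens into a single _acme-challenge RRset instead of replacing it per token. The PowerDNS zone-PATCH JSON shape and the TTL value are my assumptions.

```shell
#!/bin/sh
# Added example of a dehydrated deploy_challenge hook for HOOK_CHAIN="yes";
# not dehydrated's or pdns_api.sh's code. dehydrated calls:
#   hook deploy_challenge DOMAIN1 TOKEN_FILE1 TOKEN_VALUE1 DOMAIN2 TOKEN_FILE2 TOKEN_VALUE2 ...
# foo.tld and *.foo.tld both map to _acme-challenge.foo.tld., so a hook that
# REPLACEs the record per triple keeps only the last token and the CA reports
# "Incorrect TXT record" for the other authorization.

# group_txt_records DOMAIN TOKEN_FILE TOKEN_VALUE [...]
# Prints one line per record name: "<name> <value1> <value2> ...", merging
# every token that maps to the same name, in first-seen order.
group_txt_records() {
    pairs=""
    while [ "$#" -ge 3 ]; do
        domain="${1#\*.}"            # strip the wildcard label: same record name
        pairs="${pairs}_acme-challenge.${domain}. $3
"
        shift 3
    done
    printf '%s' "$pairs" | awk '
        !seen[$1]++ { order[++n] = $1 }
        { vals[$1] = (vals[$1] == "" ? $2 : vals[$1] " " $2) }
        END { for (i = 1; i <= n; i++) print order[i], vals[order[i]] }'
}

# pdns_txt_rrset NAME VALUE... : PowerDNS API v1 zone-PATCH body for one TXT
# RRset (assumed format). changetype REPLACE swaps the whole RRset, so all
# values for the name must travel in one request, never one per token.
pdns_txt_rrset() {
    name="$1"; shift
    records=""
    for v in "$@"; do
        records="${records}${records:+,}{\"content\":\"\\\"${v}\\\"\",\"disabled\":false}"
    done
    printf '{"rrsets":[{"name":"%s","type":"TXT","ttl":60,"changetype":"REPLACE","records":[%s]}]}\n' \
        "$name" "$records"
}

# Hook entry point; only deploy_challenge is handled in this example. The JSON
# would be sent with PATCH to .../api/v1/servers/localhost/zones/<zone>.
case "${1:-}" in
    deploy_challenge)
        shift
        group_txt_records "$@" | while read -r name values; do
            # $values is intentionally unquoted: it is a space-separated token list
            pdns_txt_rrset "$name" $values
        done
        ;;
esac
```

Run it as `./hook.sh deploy_challenge foo.domain.tld f1 TOKEN1 '*.foo.domain.tld' f2 TOKEN2` to see both tokens land in one RRset for _acme-challenge.foo.domain.tld.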