lego: Can't get single certificate for both `DOMAIN.com` and `*.DOMAIN.com`

Welcome

  • Yes, I’m using a binary release within 2 latest releases.
  • Yes, I’ve searched similar issues on GitHub and didn’t find any.
  • Yes, I’ve included all information below (version, config, etc).

What did you expect to see?

Single certificate with both DOMAIN.com and *.DOMAIN.com

What did you see instead?

2023/12/08 13:40:09 Could not obtain certificates:
	error: one or more domains had a problem:
[DOMAIN.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record "....................removed....................." found at _acme-challenge.global-repair-management.com

How do you use lego?

Binary

Reproduction steps

CLOUDFLARE_API_KEY=.... CLOUDFLARE_EMAIL='my@email' lego --domains 'DOMAIN.COM,*.DOMAIN.COM' --accept-tos --email 'my@email' --dns cloudflare --server 'https://acme-staging-v02.api.letsencrypt.org/directory' run

Version of lego

lego version 4.14.2 linux/386

Logs

2023/12/08 13:39:40 [INFO] [DOMAIN.com, *.DOMAIN.com] acme: Obtaining bundled SAN certificate
2023/12/08 13:39:41 [INFO] [*.DOMAIN.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/992829....
2023/12/08 13:39:41 [INFO] [DOMAIN.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9928292....
2023/12/08 13:39:41 [INFO] [*.DOMAIN.com] acme: use dns-01 solver
2023/12/08 13:39:41 [INFO] [DOMAIN.com] acme: Could not find solver for: tls-alpn-01
2023/12/08 13:39:41 [INFO] [DOMAIN.com] acme: Could not find solver for: http-01
2023/12/08 13:39:41 [INFO] [DOMAIN.com] acme: use dns-01 solver
2023/12/08 13:39:41 [INFO] [*.DOMAIN.com] acme: Preparing to solve DNS-01
2023/12/08 13:39:43 [INFO] cloudflare: new record for DOMAIN.com, ID 10465c2f68d22366681ddc837e7d....
2023/12/08 13:39:43 [INFO] [DOMAIN.com] acme: Preparing to solve DNS-01
2023/12/08 13:39:44 [INFO] cloudflare: new record for DOMAIN.com, ID fb5e065f065a367bd10c4a7f4cb1....
2023/12/08 13:39:44 [INFO] [*.DOMAIN.com] acme: Trying to solve DNS-01
2023/12/08 13:39:44 [INFO] [*.DOMAIN.com] acme: Checking DNS record propagation using [127.0.0.53:53]
2023/12/08 13:39:46 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/12/08 13:39:52 [INFO] [*.DOMAIN.com] The server validated our request
2023/12/08 13:39:52 [INFO] [DOMAIN.com] acme: Trying to solve DNS-01
2023/12/08 13:39:52 [INFO] [DOMAIN.com] acme: Checking DNS record propagation using [127.0.0.53:53]
2023/12/08 13:39:54 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/12/08 13:39:54 [INFO] [DOMAIN.com] acme: Waiting for DNS record propagation.
2023/12/08 13:39:56 [INFO] [DOMAIN.com] acme: Waiting for DNS record propagation.
2023/12/08 13:39:58 [INFO] [DOMAIN.com] acme: Waiting for DNS record propagation.
2023/12/08 13:40:00 [INFO] [DOMAIN.com] acme: Waiting for DNS record propagation.
2023/12/08 13:40:02 [INFO] [DOMAIN.com] acme: Waiting for DNS record propagation.
2023/12/08 13:40:05 [INFO] [*.DOMAIN.com] acme: Cleaning DNS-01 challenge
2023/12/08 13:40:07 [INFO] [DOMAIN.com] acme: Cleaning DNS-01 challenge
2023/12/08 13:40:09 [INFO] Skipping deactivating of valid auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9928292....
2023/12/08 13:40:09 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9928292....
2023/12/08 13:40:09 Could not obtain certificates:
	error: one or more domains had a problem:
[DOMAIN.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record "Bg53EFRT7ZYcLZ_M...." found at _acme-challenge.DOMAIN.com

Go environment (if applicable)
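The logs above show the mechanism behind this failure: both identifiers in the order get a TXT record at the same owner name (`_acme-challenge.DOMAIN.com`, since a wildcard is validated at its base domain), and lego checks propagation through `127.0.0.53`, the local caching stub. A resolver that has cached the name after only the first record was written will report it as "propagated" even though the second value is not visible yet, which is exactly what "Incorrect TXT record ... found at _acme-challenge.DOMAIN.com" describes from the CA's side. The following is an added example, not lego's own code or the fix adopted in this issue: it computes the two expected dns-01 values from RFC 8555, groups them by owner name, and asks a caller-supplied resolver whether every expected value is visible before validation is requested. The resolver, tokens and account thumbprint are constructed stand-ins so the program runs offline.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Challenge is one pending dns-01 challenge: the ACME identifier it covers
// and the token the CA issued for it.
type Challenge struct {
	Identifier string // e.g. "example.com" or "*.example.com"
	Token      string
}

// ChallengeName returns the owner name of the TXT record for a dns-01
// challenge (RFC 8555 §8.4). A wildcard is validated at its base domain, so
// "example.com" and "*.example.com" share a single owner name.
func ChallengeName(identifier string) string {
	base := strings.TrimPrefix(strings.ToLower(identifier), "*.")
	return "_acme-challenge." + strings.TrimSuffix(base, ".") + "."
}

// ChallengeTXTValue returns the record content the CA expects:
// base64url(SHA-256(token "." thumbprint)) without padding, where thumbprint
// is the base64url JWK thumbprint of the ACME account key (RFC 8555 §8.1).
func ChallengeTXTValue(token, accountThumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + accountThumbprint))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ExpectedRecords groups pending challenges by owner name. For an
// apex+wildcard order this yields one name carrying two values, and both
// must be visible before either identifier is submitted for validation.
func ExpectedRecords(challenges []Challenge, accountThumbprint string) map[string][]string {
	out := make(map[string][]string)
	for _, c := range challenges {
		name := ChallengeName(c.Identifier)
		out[name] = append(out[name], ChallengeTXTValue(c.Token, accountThumbprint))
	}
	for name := range out {
		sort.Strings(out[name])
	}
	return out
}

// LookupTXT resolves the TXT records at name. A production implementation
// should query the zone's authoritative servers (or at least an explicitly
// chosen recursive resolver) rather than a local stub that may answer from a
// stale or partially populated cache.
type LookupTXT func(name string) ([]string, error)

// MissingValues returns the expected values that lookup does not report at
// name. An empty slice means the name is ready for validation.
func MissingValues(lookup LookupTXT, name string, expected []string) ([]string, error) {
	got, err := lookup(name)
	if err != nil {
		return nil, err
	}
	present := make(map[string]bool, len(got))
	for _, v := range got {
		present[strings.Trim(v, `"`)] = true // tolerate quoted rdata
	}
	missing := []string{}
	for _, want := range expected {
		if !present[want] {
			missing = append(missing, want)
		}
	}
	return missing, nil
}

// fakeResolver is a constructed stand-in for DNS: it answers from a fixed
// table so the check can be exercised without network access.
func fakeResolver(table map[string][]string) LookupTXT {
	return func(name string) ([]string, error) { return table[name], nil }
}

func main() {
	// Constructed sample data; not real ACME tokens or a real thumbprint.
	const thumbprint = "fake-account-key-thumbprint"
	challenges := []Challenge{
		{Identifier: "example.com", Token: "token-for-apex"},
		{Identifier: "*.example.com", Token: "token-for-wildcard"},
	}
	expected := ExpectedRecords(challenges, thumbprint)
	name := ChallengeName("example.com")

	// A stub that cached the name after only one record was written reports
	// the other value as missing; validating now would fail for that identifier.
	stale := fakeResolver(map[string][]string{name: {expected[name][0]}})
	missing, _ := MissingValues(stale, name, expected[name])
	fmt.Printf("%s: %d of %d values missing\n", name, len(missing), len(expected[name]))

	// Once both records are visible the order can proceed.
	fresh := fakeResolver(map[string][]string{name: expected[name]})
	missing, _ = MissingValues(fresh, name, expected[name])
	fmt.Printf("%s: %d of %d values missing\n", name, len(missing), len(expected[name]))
}
```

The point of the `LookupTXT` indirection is that the propagation check is only as trustworthy as the resolver behind it: pointing it at the authoritative nameservers for the zone (or a resolver you control that does not cache) gives an answer that matches what the CA's primary and secondary validators will see, while a local stub can confirm one of the two records and still leave the other invisible.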

About this issue

  • State: closed
  • Created 7 months ago
  • Reactions: 1
  • Comments: 16 (6 by maintainers)

Commits related to this issue

Most upvoted comments

Still, I think the issue is not resolved, since none of the developers has promoted any official solution or fix.

FYI, I’m the main maintainer of lego.

The solution found by Azq2 is in the same direction as my suggestions and fixes his problem, so it becomes the “official” solution.

Thanks for help.