Issuing wildcard certificates stopped working #3036

Open
a123b opened this issue Jul 8, 2020 · 10 comments

a123b commented Jul 8, 2020

It seems that somewhere within the last 3 months Let's Encrypt started requiring a separate TXT record for the wildcard alt domain even if it's the same domain as the main domain.

This causes acme.sh's issuing procedure to fail, here's my debug 2 log file as an example: https://pastebin.com/dJQMvvv8
This is the same problem @kinslayer1982 described in #2230 (comment).
#3016 might also be a duplicate, but it's not including any relevant logs so I'm not sure...

So what happens is:

  • TXT record is set for main domain
  • TXT record is set for wildcard "alt" domain (which is the same as the main domain in this case), overwriting the previously set TXT record
  • acme.sh waits for the first TXT record to propagate, which obviously never happens as it has just been overwritten by the second TXT record
  • Times out after 20 mins and fails

Idea how to fix:

  • Make new variable $remaining_dns_entries which is initially a copy of $dns_entries
  • For each unique txtdomain in $remaining_dns_entries, remove the entry and add the TXT record
  • Already request validation from Let's Encrypt even if there are still entries in $remaining_dns_entries
  • Repeat until $remaining_dns_entries is empty
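A constructed shell simulation of the failure sequence above and of the round-based fix the bullets propose; this is an added illustration, not acme.sh code, and the fake zone, the txt_set/txt_add/txt_check helpers, the "txtdomain value" entry format and the token values are all assumptions:

```shell
# Constructed simulation (not acme.sh code): ZONE is a fake provider zone, one "name value" TXT per line.
NL=$(printf '\nx'); NL=${NL%x}; ZONE=""
# "set" semantics: an existing TXT for the same name is replaced (the failing case).
txt_set() {
  _rest=$(printf '%s\n' "$ZONE" | grep -v "^$1 " || true)
  ZONE="$_rest$NL$1 $2"
}
# "add" semantics: a second TXT for the same name is kept next to the first.
txt_add() { ZONE="$ZONE$NL$1 $2"; }
# Stand-in for the DNS lookup acme.sh polls: 0 if the exact record is visible.
txt_check() { printf '%s\n' "$ZONE" | grep -qxF "$1 $2"; }
# Constructed stand-in for the entry list: apex and wildcard share one challenge name.
ENTRIES="_acme-challenge.example.com tokenForApex
_acme-challenge.example.com tokenForWildcard"
# Current flow: publish every record, then check every record; echoes how many never became visible.
publish_all_then_check() {
  _fn=$1; ZONE=""; _missing=0
  while read -r _n _v; do "$_fn" "$_n" "$_v"; done <<EOF
$ENTRIES
EOF
  while read -r _n _v; do txt_check "$_n" "$_v" || _missing=$((_missing+1)); done <<EOF
$ENTRIES
EOF
  echo "$_missing"
}
# Reporter's proposal: each round publishes at most one record per unique name and checks it first.
publish_in_rounds() {
  _fn=$1; ZONE=""; _missing=0; _remaining=$ENTRIES
  while [ -n "$_remaining" ]; do
    _round=""; _left=""; _seen=" "
    while read -r _n _v; do
      [ -n "$_n" ] || continue
      case "$_seen" in
        *" $_n "*) _left="$_left$_n $_v$NL" ;;        # same name seen: defer to next round
        *) _seen="$_seen$_n "; "$_fn" "$_n" "$_v"; _round="$_round$_n $_v$NL" ;;
      esac
    done <<EOF
$_remaining
EOF
    while read -r _n _v; do
      [ -n "$_n" ] || continue
      txt_check "$_n" "$_v" || _missing=$((_missing+1))
    done <<EOF
$_round
EOF
    _remaining=$_left
  done
  echo "$_missing"
}
```

With a provider that overwrites, publish_all_then_check reports one record that never appears (the apex token), while publish_in_rounds reports none because each token is checked before the next round replaces it.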
auto-comment bot commented Jul 8, 2020

If this is a bug report, please upgrade to the latest code and try again:
If there is a bug, please update to the latest version first and try again:
acme.sh --upgrade
Please also provide the log with --debug 2.
Also, please provide the debug output with --debug 2.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Without a --debug 2 log, your issue will NEVER get a reply.
Without debug output, your issue will not get any answer.

a123b (Author) commented Jul 8, 2020

Quick fix for those who just need to renew their cert quickly:

Insert a break after this line and run the renewal twice.

Neilpang (Member) commented Jul 8, 2020

Did you read this?

In the definition for the host make sure to set the checkbox for "Wildcard" and for "TXT".

https://github.com/acmesh-official/acme.sh/wiki/dnsapi#74-use-ddnssde-api

a123b (Author) commented Jul 8, 2020

Of course. As I said, it used to work until somewhere around last month. Also, if the dns provider configuration was the problem, I don't think my "quick fix" would have worked...

Edit: It also looks like #3013 is exactly the same issue, so I'm very sure this issue is independent of the DDNS provider used.

Neilpang (Member) commented Jul 8, 2020

@mod242 can you please take a look ?

mod242 (Contributor) commented Jul 13, 2020

Hello, unfortunately I was away (without Internet), which is why I have only had a look just now. Somehow my test environment seems to behave differently here for ddnss.de.

I get an "...is already verified, skip dns-01." for the second domain. Can you please confirm that you are still seeing this issue with ddnss.de wildcard domains?

alexiri commented Jul 14, 2020

I have this issue with duckdns.org domains as well.

xobotun commented Aug 9, 2020

Same problem here, but with Yandex DNS. Wildcard domain TXT entry overwrites normal domain TXT record:

...
Creating domain key
The domain key is here: /acme.sh/xobotun.com/xobotun.com.key
Multi domain='DNS:xobotun.com,DNS:*.xobotun.com'
Getting domain auth token for each domain
Getting webroot for domain='xobotun.com'
Getting webroot for domain='*.xobotun.com'
Adding txt value: aTN5ATzaMJccXnBvGRVCSDfxEeQEuzjmLHRF1rGD2VE for domain:  _acme-challenge.xobotun.com
The txt record is added: Success.
Adding txt value: OiHjgBTPM61zrfSDtQpbc81HdL_sgoyQm2k3ESrAOqo for domain:  _acme-challenge.xobotun.com
The txt record is added: Success.
Let's check each DNS record now. Sleep 20 seconds first.
Checking xobotun.com for _acme-challenge.xobotun.com
Not valid yet, let's wait 10 seconds and check next one.
Checking xobotun.com for _acme-challenge.xobotun.com
...

When I looked up DNS entries manually, there was only the second one, obviously.

Will temporarily try to fix by issuing two separate certificates, one for main domain and the other one for wildcard.

mod242 (Contributor) commented Aug 13, 2020

As I mentioned in #2230, I think this is related to some change in LE's behaviour and not to the API implementation for the different providers. Your experience with Yandex seems to strengthen this impression.

OnkelM commented Feb 20, 2023

This bug is still there and has never been addressed; is anyone working on this?
The same issue with the TXT entry being overwritten because of the wildcard also happens on Kasserver (dns_kas.sh).
