
Wildcard DNS challenge gets overwritten by domain DNS challenge #8

Open
doftnet opened this issue Feb 19, 2019 · 8 comments

Comments

@doftnet

doftnet commented Feb 19, 2019

What I did:

Request a certificate for example.com, *.example.com

Expected result:

I get a certificate with SAN example.com and *.example.com

Actual result:

I request a certificate for example.com and *.example.com (because I use the main domain and a handful of subdomains) and the plugin adds the challenges to PDNS, except the PDNS API only has options to replace and delete RRSets, not add, so the first challenge gets overwritten. The challenge fails and the certificate isn't issued.

Thoughts:

It should be possible when adding a challenge record to first check if TXT records with the same name already exist in that zone and roll those records into the API request that submits the new challenge.

I've managed to work around this issue for the moment by requesting a certificate with only the domain and then running the request a second time with the domain plus the wildcards, which apparently works because after the challenge is validated, it remains valid for some period of time afterwards, so the second request (and all its new challenges) get validated fine and the original challenges are still valid, so the cert gets issued, but scheduling two separate runs of certbot to work around this is less than ideal.

@lowEagle
Contributor

I ran into similar problems a while ago.

My workaround is very similar to yours, as I am issuing the certificate / renewal twice. This can easily be done via one or two cron entries.

However, I am running the same command twice. During the first run the main domain will get validated but the wildcard fails. During the second run the main-domain validation seems to stay valid, thus the wildcard will be validated. After the second run the certificate is issued / renewed successfully.

As you say it is not ideal, but I can live with that (for now) and don't have any problems.

@robin-thoni
Owner

Sorry for the delay.

If I understand correctly, the problem is that the first DNS update will create _acme-challenge.example.com 600 TXT token-for-example.com, and then the second one will replace it with _acme-challenge.example.com 600 TXT token-for-*.example.com, leaving the zone like:

[...]
_acme-challenge.example.com 600 TXT token-for-*.example.com
[...]

instead of:

[...]
_acme-challenge.example.com 600 TXT token-for-example.com
_acme-challenge.example.com 600 TXT token-for-*.example.com
[...]

Is that correct? In my memory, domains were validated one by one, which only requires one record at a time.

If yes, a possible solution would be to first fetch the current state of the _acme-challenge.example.com record, and revert it to its original state. Not sure how certbot manages the cleanings. A workflow could be:

  • Set challenge for example.com
    • Retrieve TXT _acme-challenge.example.com (= NX)
    • Set _acme-challenge.example.com to ["token-for-example.com"]
  • Set challenge for *.example.com
    • Retrieve TXT _acme-challenge.example.com (= ["token-for-example.com"])
    • Set _acme-challenge.example.com to ["token-for-example.com", "token-for-*.example.com"]
  • Clean challenge for *.example.com
    • Set _acme-challenge.example.com to ["token-for-example.com"]
  • Clean challenge for example.com
    • Remove _acme-challenge.example.com

Anyway, as I mentioned in #6, I don't use PDNS anymore. If you want to make a PR, I'll merge it, but I won't fix it myself.
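The set/clean workflow sketched above, as an added example that is not the plugin's own code: because the PowerDNS API only REPLACEs or DELETEs whole RRsets, each step reads the existing TXT records at `_acme-challenge.example.com` and resubmits the merged list. The in-memory `ZONE` dict and `apply_patch` stand in for the zone PATCH endpoint (assumption); record names and quoting follow the API's canonical form.

```python
# Added example (not the plugin's code): merge-before-replace for an RRset-replace DNS API.
# ZONE is a constructed in-memory zone standing in for the PowerDNS API; apply_patch mimics
# the shape of PATCH /api/v1/servers/localhost/zones/<zone> bodies (assumption).
ZONE = {}  # {(name, rtype): [record content, ...]}


def get_rrset(name, rtype="TXT"):
    """Read the current records at name, as the real workflow would via GET on the zone."""
    return list(ZONE.get((name, rtype), []))


def build_rrset(name, rtype, ttl, changetype, records):
    """One rrset entry: PowerDNS expects a canonical name (trailing dot) and quoted TXT content."""
    return {"name": name, "type": rtype, "ttl": ttl, "changetype": changetype,
            "records": [{"content": r, "disabled": False} for r in records]}


def apply_patch(rrsets):
    """Stand-in for the zone PATCH: REPLACE overwrites the whole RRset, DELETE removes it."""
    for rs in rrsets:
        key = (rs["name"], rs["type"])
        if rs["changetype"] == "DELETE":
            ZONE.pop(key, None)
        else:
            ZONE[key] = [r["content"] for r in rs["records"]]


def set_challenge(name, token, ttl=600):
    """Add a challenge token without clobbering tokens already present at the same name."""
    existing = get_rrset(name)
    content = f'"{token}"'
    if content in existing:  # idempotent: a rerun must not duplicate the record
        return existing
    merged = existing + [content]
    # Read-then-REPLACE is not atomic; two certbot runs hitting the same name concurrently
    # could still lose a record, so serialize runs per zone.
    apply_patch([build_rrset(name, "TXT", ttl, "REPLACE", merged)])
    return merged


def clean_challenge(name, token, ttl=600):
    """Remove only this run's token; DELETE the RRset only when nothing else remains."""
    content = f'"{token}"'
    remaining = [r for r in get_rrset(name) if r != content]
    if remaining:
        apply_patch([build_rrset(name, "TXT", ttl, "REPLACE", remaining)])
    else:
        apply_patch([build_rrset(name, "TXT", ttl, "DELETE", [])])
    return remaining
```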

@doftnet
Author

doftnet commented Mar 2, 2019

That's the gist of it. From what I can see when I was tinkering with it, yes, each challenge is completed individually but only after all the necessary challenges for that certificate have been added to DNS, so by the time the query comes in, there's only one TXT record (on account of the fact that the wildcard challenge uses the same record name).

The workaround that I used is to request a certificate with only the domain challenges first, then submit a second request with all the wildcards included. It works because the challenge validation on the ACME2 servers is good for some amount of time after the challenge completes (a few hours or a few days perhaps?), so I can, after a couple of runs, get the certificate with all the right SANs on one certificate, but it takes a good five minutes to wait for notify to push the updates to my secondary server before it's consistently replying with updated records, and having to run it twice obviously doubles the amount of time it takes to get a new certificate... which, I guess in the grand scheme of things isn't so bad if it's scripted to run in the background when I'm asleep... but it's a puzzle that begs to be solved so... here we are.

I happen to be on travel for my day job at the moment, and it's a cold and miserable day outside so, perhaps now is a good time for me to tinker with this again. The workflow you describe above is more or less the approach I figured I'd try when I had the chance to tinker so... shrugs... here we go.

@robin-thoni
Owner

Well, feel free to make a PR :)

@splashx

splashx commented Mar 19, 2019

@doftnet wildcard works with this plugin - if you're interested.

@dresch86

dresch86 commented Apr 18, 2019

@doftnet wildcard works with this plugin - if you're interested.

It doesn't work if you add the primary domain at the same time as the wildcard because the underlying dns-lexicon dep would overwrite the record too. I created a PR to fix this issue. The record Let's Encrypt looks for isn't "_acme_challenge.*.mydomain.com". It looks for "_acme_challenge.mydomain.com" for both primary and wildcard certs. Should be resolved soon.

@splashx

splashx commented Apr 28, 2019

@primesoftware it has been resolved with certbot-dns-powerdns==0.1.1 (thanks for the work on it btw!)

@rysson

rysson commented Feb 17, 2023

And also it has been resolved with #10
