Verification Fails for Wildcard Certificates with Base Domain
A certificate which includes both *.example.com and example.com would fail to verify on renewal. Certbot creates two ACME challenges on the same domain and the kasserver-dns-certbot script overwrites the first record instead of adding a second one. Because of this, the verification for the first domain will always fail.
Command to create the certificate: certbot certonly -d "example.com" -d "*.example.com" --preferred-challenges dns --manual --manual-auth-hook kasserver-dns-certbot --manual-cleanup-hook kasserver-dns-certbot -m [email protected]
The error occurs when executing: certbot renew --dry-run
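The failure described above comes down to record semantics: for DNS-01, both example.com and *.example.com validate at the same name, _acme-challenge.example.com, so the auth hook must add a second TXT value rather than replace the first. The following is an added illustration, not the kasserver-dns-certbot script or Certbot's own code; the in-memory zone is a constructed stand-in for a DNS provider API, and the token strings are made up. The only real interface it relies on is Certbot's CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables.

```python
"""Model of a DNS-01 auth/cleanup hook for a wildcard + base-domain order.

Shows why "set TXT" (overwrite) breaks one of the two challenges while
"add TXT" (append) lets both validate. Added example; not the project's code.
"""
import os
from collections import defaultdict

ACME_LABEL = "_acme-challenge"


class FakeZone:
    """Constructed stand-in for a DNS provider: record name -> set of TXT values."""

    def __init__(self):
        self.txt = defaultdict(set)

    def set_txt(self, name, value):
        # Overwrite semantics: the bug. Every existing TXT value at `name` is lost.
        self.txt[name] = {value}

    def add_txt(self, name, value):
        # Append semantics: the fix. Existing values at `name` are kept.
        self.txt[name].add(value)

    def delete_txt(self, name, value):
        # Remove only the value we created; leave any sibling token in place.
        self.txt[name].discard(value)

    def lookup_txt(self, name):
        return set(self.txt.get(name, ()))


def challenge_name(domain):
    """Both 'example.com' and '*.example.com' map to the same record name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"{ACME_LABEL}.{base}"


def auth_hook(zone, domain, validation, overwrite):
    """Called once per identifier by Certbot before the CA validates."""
    name = challenge_name(domain)
    if overwrite:
        zone.set_txt(name, validation)
    else:
        zone.add_txt(name, validation)


def cleanup_hook(zone, domain, validation):
    zone.delete_txt(challenge_name(domain), validation)


def hook_from_env(zone, environ=os.environ, overwrite=False):
    """Entry point mirroring what a --manual-auth-hook sees: Certbot exports
    CERTBOT_DOMAIN and CERTBOT_VALIDATION for each challenge."""
    auth_hook(zone, environ["CERTBOT_DOMAIN"], environ["CERTBOT_VALIDATION"], overwrite)
    return challenge_name(environ["CERTBOT_DOMAIN"])


def run_order(zone, requested, overwrite):
    """Simulate the order: all auth hooks run first, then the CA checks every
    token, then cleanup runs. Returns {identifier: validated?}."""
    tokens = {}
    for i, dom in enumerate(requested):
        tok = f"token-{i}-{dom}"  # constructed stand-in for CERTBOT_VALIDATION
        tokens[dom] = tok
        auth_hook(zone, dom, tok, overwrite)
    # CA-side check: the identifier's token must be among the TXT values.
    results = {dom: tok in zone.lookup_txt(challenge_name(dom)) for dom, tok in tokens.items()}
    for dom, tok in tokens.items():
        cleanup_hook(zone, dom, tok)
    return results


if __name__ == "__main__":
    order = ["example.com", "*.example.com"]
    print("overwrite:", run_order(FakeZone(), order, overwrite=True))
    print("append:   ", run_order(FakeZone(), order, overwrite=False))
```

With overwrite semantics the first identifier's token is gone by the time the CA looks, which is exactly the "verification for the first domain will always fail" symptom; with append semantics both tokens coexist at _acme-challenge.example.com and cleanup removes only its own value, so a provider API that exposes create/delete-by-value rather than set-by-name is what a hook needs here.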
Sorry for the late reply. I'm able to reproduce the problem. Unfortunately it's not that straightforward to fix because the scripts and the underlying lib were implemented based on the assumption that the FQDN would be unique.
In the meantime, lego gained native support for All-Inkl: https://go-acme.github.io/lego/dns/allinkl/ I'm not sure if it's suffering from the same issue, but depending on your use case, you might wanna try this in the meantime.
This is how you handle such a cert:
--domains 'example.com,*.example.com'
Actually, what I wrote is irrelevant; it's the same result. Could reproduce the problem.
Actually, I never experienced this problem before; I regularly update a wildcard+domain certificate (manually) and never had to do TWO DNS challenges. Even more funny, to verify this I did an update and, for whatever reason, didn't have to do ANY challenge and the renew was successful.