caddy-dns / hetzner

Caddy module: dns.providers.hetzner
MIT License

Unable to provision a certificate for wildcarded domain (all DNS records in hetzner zone, no split dns) #11

Open collinvandyck opened 2 months ago

collinvandyck commented 2 months ago

I'm trying to get the hetzner dns provider cert to work with a wildcarded subdomain, but I'm having issues with provisioning the cert for a four-segment domain. A normal subdomain does work properly with the hetzner dns provider.

I've set up my hetzner zone for 5xx.engineer as follows (irrelevant records omitted):

A foobar.5xx.engineer 100.123.179.103
A vps.5xx.engineer    100.123.179.103
A *.vps.5xx.engineer  100.123.179.103

In my Caddyfile, I've got two virtualhosts defined, each delegating dns-01 challenges to caddy-dns/hetzner:

foobar.5xx.engineer  {
  tls {
    dns hetzner {env.CADDY_HETZNER_DNS_TOKEN}
  }
  respond "foobar ({remote_host}:{remote_port})"
}

foo.vps.5xx.engineer  {
  tls {
    dns hetzner {env.CADDY_HETZNER_DNS_TOKEN}
  }
  respond "foo @ vps ({remote_host}:{remote_port})"
}

The first site, foobar.5xx.engineer, is able to provision a cert through the dns provider, but the second one, foo.vps.5xx.engineer, fails to work.

caddy  | {"level":"info","ts":1721779684.2958658,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"foo.vps.5xx.engineer","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy  | {"level":"error","ts":1721779694.1754322,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"foo.vps.5xx.engineer","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"No TXT record found at _acme-challenge.foo.vps.5xx.engineer","instance":"","subproblems":[]}}
caddy  | {"level":"error","ts":1721779694.175478,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"foo.vps.5xx.engineer","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"No TXT record found at _acme-challenge.foo.vps.5xx.engineer","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1848095037/290009038687","attempt":1,"max_attempts":3}
caddy  | {"level":"error","ts":1721779694.175556,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"foo.vps.5xx.engineer","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.foo.vps.5xx.engineer"}
caddy  | {"level":"info","ts":1721779694.175649,"logger":"tls.obtain","msg":"releasing lock","identifier":"foo.vps.5xx.engineer"}
caddy  | {"level":"error","ts":1721779694.175839,"logger":"tls","msg":"job failed","error":"foo.vps.5xx.engineer: obtaining certificate: [foo.vps.5xx.engineer] Obtain: [foo.vps.5xx.engineer] solving challenge: foo.vps.5xx.engineer: [foo.vps.5xx.engineer] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.foo.vps.5xx.engineer (ca=https://acme-v02.api.letsencrypt.org/directory)"}

I verified that it DOES work for a four-part domain that has an explicit A record without relying on the wildcard, but anything that uses the wildcard fails to provision.

It seems similar to https://github.com/caddy-dns/hetzner/issues/9 but the error message is different. It also seems similar to https://github.com/caddy-dns/hetzner/issues/2 but I'm not using split DNS, so I decided to create a new issue.

Is there any guidance on how to create the subdomain wildcard so that the hetzner dns provider will work in that case? Thank you!

Caddy build specs:

FROM caddy:2.8.4-builder AS builder
RUN xcaddy build v2.8.4 \
    --with github.com/tailscale/caddy-tailscale \
    --with github.com/caddy-dns/hetzner

FROM caddy:2.8.4
RUN apk add curl
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY ./Caddyfile /etc/caddy/Caddyfile
COPY html /srv
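To narrow down a "No TXT record found" failure like the one logged above, it helps to compute by hand where the CA will look for the DNS-01 record and then check that name directly. The following Go program is an added example written for this page; it is not code from caddy-dns/hetzner or from Caddy. It derives the `_acme-challenge` name for each identifier in the report (RFC 8555 section 8.4: prepend `_acme-challenge.` and drop a leading `*.` on wildcard identifiers), converts that name into a zone-relative record name (the assumption here is that the provider API takes names relative to the zone apex, so `_acme-challenge.foo.vps` for zone `5xx.engineer`), and runs the same presence check the CA performs. The zone snapshot and the token value are constructed for illustration; passing `net.LookupTXT` as the lookup function turns it into a live check.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ChallengeName returns the FQDN at which an ACME DNS-01 TXT record must be
// published for an identifier (RFC 8555 section 8.4): "_acme-challenge." is
// prepended, and a leading "*." is stripped for wildcard identifiers, so
// "*.vps.5xx.engineer" and "vps.5xx.engineer" share one challenge name.
func ChallengeName(identifier string) (string, error) {
	id := strings.TrimSuffix(strings.ToLower(identifier), ".")
	id = strings.TrimPrefix(id, "*.")
	if id == "" || strings.Contains(id, "*") {
		return "", fmt.Errorf("invalid identifier %q", identifier)
	}
	return "_acme-challenge." + id, nil
}

// RelativeName strips the zone apex from an FQDN, giving the record name a
// zone-relative DNS API expects ("@" for the apex). Assumption: the Hetzner
// DNS API wants zone-relative names; verify against the provider docs.
func RelativeName(fqdn, zone string) (string, error) {
	f := strings.TrimSuffix(strings.ToLower(fqdn), ".")
	z := strings.TrimSuffix(strings.ToLower(zone), ".")
	if f == z {
		return "@", nil
	}
	if !strings.HasSuffix(f, "."+z) {
		return "", fmt.Errorf("%s is not inside zone %s", fqdn, zone)
	}
	return strings.TrimSuffix(f, "."+z), nil
}

// TXTLookup resolves the TXT records of a name. net.LookupTXT satisfies it for
// a live check; SnapshotLookup builds one from a constructed zone for tests.
type TXTLookup func(name string) ([]string, error)

// SnapshotLookup answers from an in-memory zone; absent names produce the same
// not-found error net.LookupTXT returns, so VerifyChallenge treats both alike.
func SnapshotLookup(records map[string][]string) TXTLookup {
	return func(name string) ([]string, error) {
		name = strings.TrimSuffix(strings.ToLower(name), ".")
		if v, ok := records[name]; ok {
			return v, nil
		}
		return nil, &net.DNSError{Err: "no such host", Name: name, IsNotFound: true}
	}
}

// VerifyChallenge reports whether the expected token value is visible at the
// challenge name for the identifier: a missing name is "not published", any
// other resolver failure is surfaced as an error.
func VerifyChallenge(lookup TXTLookup, identifier, expected string) (bool, error) {
	name, err := ChallengeName(identifier)
	if err != nil {
		return false, err
	}
	values, err := lookup(name)
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			return false, nil
		}
		return false, err
	}
	for _, v := range values {
		if v == expected {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	const zone = "5xx.engineer"
	// Constructed snapshot: the zone from the report after a successful
	// record push for the first site only; the wildcard A record plays no
	// part because the CA asks for TXT, not A.
	snapshot := SnapshotLookup(map[string][]string{
		"_acme-challenge.foobar.5xx.engineer": {"constructed-token-1"},
	})
	for _, id := range []string{"foobar.5xx.engineer", "foo.vps.5xx.engineer", "*.vps.5xx.engineer"} {
		name, _ := ChallengeName(id)
		rel, _ := RelativeName(name, zone)
		ok, _ := VerifyChallenge(snapshot, id, "constructed-token-1")
		fmt.Printf("%-22s TXT at %-40s zone-relative %-24s published=%v\n", id, name, rel, ok)
	}
}
```

When the program reports a name as not published while the provider UI shows the record, the mismatch is usually in the zone-relative name the API received, so comparing the printed zone-relative value with what actually landed in the zone is the first thing to check.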