I call dehydrated from the command line for every domain. If I try to get a wildcard certificate, this fails with the message "Challenge is invalid".
That's my call:
/opt/dehydrated/dehydrated -c -t dns-01 -o /etc/ssl/reksys -a secp384r1 -d domain.info -d *.domain.info -k /opt/dehydrated/hook.sh
I have a hook script which sets the token on the nameserver. This works and causes no problems if you have only a single domain.
So you can see, I have the domain twice in the call: once alone and once with the wildcard. The result of this call looks like this:
Processing domain.info with alternative names: *.domain.info
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for domain.info
+ Handling authorization for domain.info
+ 2 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for domain.info authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain.info",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/sIuPB8ocWGvOy_2-01tST_k8OY5cyz0wBPABASwvSFg/7932386848",
"token": "AjNkNX6i-Nv8j8bpbTU6u3X6Fs0S4r7x4b4Sgr76cqY"
})
For me, it looks like dehydrated calls the hook script twice, and in this case the wildcard (*.) is removed. So both challenges have the same name, which results in the problem that the first challenge is deleted when the second one is added. So the first one is invalid.
I fixed the problem myself. You need multiple TXT records for the domain. Then this worked. So I modified my script not to delete the old tokens until the cleanup is called...
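As an added example (not the poster's hook.sh and not code from the dehydrated project) of a hook that behaves the way the fix above describes: dehydrated runs the hook once per authorization as "hook.sh deploy_challenge <domain> <token_filename> <token_value>", and for "-d domain.info -d *.domain.info" the record name is _acme-challenge.domain.info both times, so the hook must add a second TXT record instead of replacing the first and must only remove records in clean_challenge. The ZONE_FILE stand-in for the real nameserver update (nsupdate, a DNS API, ...) is an assumption.

```shell
#!/usr/bin/env bash
# Example dehydrated hook (added illustration, not the original poster's hook.sh).
# dehydrated invokes it as:
#   hook.sh deploy_challenge <domain> <token_filename> <token_value>
#   hook.sh clean_challenge  <domain> <token_filename> <token_value>
# once per authorization, so the base domain and the wildcard both arrive
# as "domain.info" and map to the same _acme-challenge record name.
# ZONE_FILE is an assumed stand-in for the nameserver: one TXT record per line.
ZONE_FILE="${ZONE_FILE:-/tmp/acme-zone.txt}"

acme_name() {
    # Both the base and the wildcard authorization use this one name.
    printf '_acme-challenge.%s\n' "$1"
}

deploy_challenge() {
    domain="$1"; token="$3"   # $2 (token_filename) is unused for dns-01
    # Append a record; never delete existing _acme-challenge records here,
    # otherwise the first authorization's token disappears before validation.
    printf '%s IN TXT "%s"\n' "$(acme_name "$domain")" "$token" >> "$ZONE_FILE"
}

clean_challenge() {
    domain="$1"; token="$3"
    name="$(acme_name "$domain")"
    # Remove only the record carrying this token; other tokens stay published.
    grep -v -F "$name IN TXT \"$token\"" "$ZONE_FILE" > "$ZONE_FILE.tmp" || true
    mv "$ZONE_FILE.tmp" "$ZONE_FILE"
}

count_tokens() {
    # Number of TXT records currently published under the challenge name.
    [ -f "$ZONE_FILE" ] || { echo 0; return; }
    grep -c -F "$(acme_name "$1") IN TXT" "$ZONE_FILE" || true
}

# Dispatch on the action name dehydrated passes as the first argument.
case "${1:-}" in
    deploy_challenge) shift; deploy_challenge "$@" ;;
    clean_challenge)  shift; clean_challenge "$@" ;;
esac
```

Check the published records (dig TXT _acme-challenge.domain.info) after the second deploy_challenge: two TXT records must be visible before the CA validates.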
I called the script with bash -x: