dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io
MIT License

DNS challenges seem to be doubled - is this expected behavior? #938

Closed dooferorg closed 2 months ago

dooferorg commented 2 months ago

When trying to get a cert for 'domain.org' and '*.domain.org', I noticed the call to the challenges (even though they're the same domain and on the same line in 'domains.txt') is made twice.

This presents a problem for me since I'm trying to handle, also via shell script, an update to IBM NS1. With a call to the script I can set the record _acme-challenge.domain.org just fine. However, since it's called twice, the second challenge value overwrites the first, and when the check comes it fails, since it finds the second value but is expecting the first.

I wanted to ask if that was the expected behavior for 'dehydrated'.

If it IS, then is there a way to handle just one challenge at a time for a domain (or matching subdomain) and then get the single wildcard certificate from it? Seems kinda cumbersome otherwise to have to add multiple records of the same type even though it's essentially just the one domain.

txr13 commented 2 months ago

This is expected behavior, and documented here: https://github.com/dehydrated-io/dehydrated/blob/master/docs/troubleshooting.md#dns-invalid-challenge-since-dehydrated-060--why-are-dns-challenges-deployed-first-and-verified-later

The records "domain.org" and "*.domain.org" are two distinct names to be validated, and therefore the CA requires both to pass a separate challenge. This is not within dehydrated's ability to control. As documented, doing only one record at a time would cause one challenge to be cached and re-used (incorrectly) for the second lookup, causing it to fail. This caching is also not within dehydrated's ability to control.

It is acceptable (and very much within RFC spec) for multiple TXT records to be present for the same domain. You should be able to upload both challenges simultaneously so that validation works as expected, though you may need to modify the hook script to accomplish this.
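A hook that does what the reply describes, as an added example (it is not dehydrated's docs/examples/hook.sh and not the poster's NS1 updater): each deploy_challenge call merges its TOKEN_VALUE into the TXT values already published at _acme-challenge.<domain> instead of replacing them, so the second challenge for "domain.org *.domain.org" lands beside the first rather than on top of it. It accepts both the default one-triple call and the chained form dehydrated's HOOK_CHAIN option produces (that option name and the NS1 answers JSON shape are my assumptions). No API is called; a local state directory stands in for the zone so the merge logic runs offline.

```bash
#!/usr/bin/env bash
# Added example, not dehydrated's own hook and not the poster's NS1 script.
# Demonstrates the "upload both challenges" approach: every deploy_challenge
# call merges its TOKEN_VALUE into the TXT values already published at
# _acme-challenge.<domain> instead of overwriting them.
#
# dehydrated invokes the hook as
#   hook deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# once per name (twice for "domain.org *.domain.org") or, with HOOK_CHAIN=yes
# (assumed config option name), once with all triples appended. Both forms
# are handled by the 3-at-a-time loop below.
set -eu

# Stand-in for the DNS provider: one file per record name, one TXT value per
# line. A real hook would GET and PUT the NS1 TXT record here instead
# (assumption: api.nsone.net /v1/zones/<zone>/<name>/TXT).
STATE_DIR="${STATE_DIR:-$(mktemp -d)}"

# challenge_name DOMAIN: the record both names are validated against. A
# leading "*." is stripped so "domain.org" and "*.domain.org" share one name.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# current_values NAME: TXT values currently published, one per line.
current_values() {
    cat "$STATE_DIR/$1" 2>/dev/null || true
}

# merge_values NAME VALUE...: union of published values and new ones,
# deduplicated, so re-running a deploy is harmless.
merge_values() {
    local name="$1"
    shift
    { current_values "$name"; printf '%s\n' "$@"; } | sed '/^$/d' | sort -u
}

# ns1_answers_json VALUE...: the "answers" array for a multi-value TXT record
# (assumed NS1 shape: one {"answer":[...]} object per value). ACME tokens are
# base64url, so no JSON escaping is needed for them.
ns1_answers_json() {
    local sep="" v
    printf '['
    for v in "$@"; do
        printf '%s{"answer":["%s"]}' "$sep" "$v"
        sep=','
    done
    printf ']\n'
}

# deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [DOMAIN TOKEN_FILENAME TOKEN_VALUE]...
deploy_challenge() {
    local name merged
    while [ "$#" -ge 3 ]; do
        name="$(challenge_name "$1")"
        # Read the published set before opening the file for writing; a
        # redirect placed directly on merge_values would truncate it first.
        # Against a real API this is the GET-before-PUT step.
        merged="$(merge_values "$name" "$3")"
        printf '%s\n' "$merged" > "$STATE_DIR/$name"
        shift 3
    done
}

# clean_challenge gets the same triples after validation; drop the record.
clean_challenge() {
    while [ "$#" -ge 3 ]; do
        rm -f "$STATE_DIR/$(challenge_name "$1")"
        shift 3
    done
}

# Dispatch on the action dehydrated passes as $1; other actions are ignored.
case "${1:-}" in
    deploy_challenge|clean_challenge)
        action="$1"
        shift
        "$action" "$@"
        ;;
esac
```

The output of merge_values is what feeds ns1_answers_json when the record is pushed: the whole set of values goes in the update, not just the newest one. Validation is only checked once every challenge for the certificate has been deployed, so a hook that still needs a propagation wait should sleep in deploy_challenge after the last triple, not per call.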

dooferorg commented 2 months ago

Good to know, and that all makes sense. I'll tinker with parsing the existing record from NS1 with jq and update my script accordingly. Thanks.

Edit: https://doofer.org/2024/06/09/dynamic-dns-via-shell-script-and-ibm-ns1-nsone/ if it helps anyone else in future with working with NS1

For dehydrated, the usage for the deploy_challenge() hook is: /root/dns/updatensonerecord ${DOMAIN} _acme-challenge TXT ${TOKEN_VALUE}

Worked well and got the certificates done.