Wildcard & Base Domain: Two TXTs #304

Closed
opened 2025-12-29 01:21:46 +01:00 by adam · 2 comments

Originally created by @badfiles on GitHub (Mar 15, 2018).

This example became invalid since a wildcard request with base domain included needs two TXT records present at the same time.

```
# Simple example: Use nsupdate with local named
# printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
```

https://community.letsencrypt.org/t/wildcard-base-domain-two-txts-timeout-problem/56105

adam closed this issue 2025-12-29 01:21:47 +01:00

@jobe1986 commented on GitHub (Mar 15, 2018):

That example is still perfectly valid. The hook script is called for EACH individual "token" value set for the TXT record, that example deletes only the TXT record with the supplied token value. So that example will be called once for each TXT record even if they are the same name.

I currently use the nsupdate method with my setup for domain validations, and I have yet to have an issue with either TXT records remaining where they shouldn't or with TXT records being deleted when they shouldn't.

Example of the output from dehydrated when using my hook script (note the lines prefixed with ADD: and DEL: are from my hook script when it uses nsupdate to add or delete a TXT record):

```
Processing test.mdbnet.net with alternative names: *.test.mdbnet.net
 + Creating new directory /home/dehydrated/dehydrated/certs/test.mdbnet.net ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for test.mdbnet.net
 + Handling authorization for test.mdbnet.net
 + 2 pending challenge(s)
 + Deploying challenge tokens...
ADD: _acme-challenge.test.mdbnet.net. 300 IN TXT "CUcIs48zueUn0vVl8OdNyhnzhODxdKTugXbLeUxjEZg"
ADD: _acme-challenge.test.mdbnet.net. 300 IN TXT "1n-OMurTo1NbdLHZriNuSqz-1oJfpOxPdsR-_BX9Ags"
 + Responding to challenge for test.mdbnet.net authorization...
DEL: _acme-challenge.test.mdbnet.net. 300 IN TXT "CUcIs48zueUn0vVl8OdNyhnzhODxdKTugXbLeUxjEZg"
 + Challenge is valid!
 + Responding to challenge for test.mdbnet.net authorization...
DEL: _acme-challenge.test.mdbnet.net. 300 IN TXT "1n-OMurTo1NbdLHZriNuSqz-1oJfpOxPdsR-_BX9Ags"
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
```

@lukas2511 commented on GitHub (Mar 15, 2018):

I also don't see how that code would be invalid, it only deletes exactly what it should delete.

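The per-token delete that the two comments above describe, written out as an added example hook for this page. It is not dehydrated's shipped hook.sh and not the script that produced the output quoted above. The name server address, key path and TTL default to the values visible on the page; `DRY_RUN`, `build_batch` and `tokens_present` are names chosen here for illustration, and the `HOOK_CHAIN` handling follows dehydrated's documented triplet convention (DOMAIN, TOKEN_FILENAME, TOKEN_VALUE, repeated once per challenge).

```shell
#!/bin/sh
# Added example for this page: a dehydrated DNS-01 hook built around nsupdate.
# It is not dehydrated's own hook.sh and not the script that produced the
# output quoted above. NS_SERVER, NS_KEY and TTL default to values seen on the
# page; DRY_RUN, build_batch and tokens_present are illustrative names.
set -eu

NS_SERVER="${NS_SERVER:-127.0.0.1}"
NS_KEY="${NS_KEY:-/var/run/named/session.key}"
TTL="${TTL:-300}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the nsupdate batch instead of sending it

# Emit the nsupdate batch for one token. The delete names the full RDATA, so
# only that one TXT string goes away and the sibling token for the other
# authorization (base domain vs. wildcard, same owner name) survives.
# "update delete _acme-challenge.NAME TXT" with no RDATA would remove the
# whole RRset and break the challenge that has not been validated yet.
build_batch() {
    op="$1"; domain="$2"; token="$3"
    printf 'server %s\n' "$NS_SERVER"
    case "$op" in
        add)    printf 'update add _acme-challenge.%s. %s IN TXT "%s"\n' "$domain" "$TTL" "$token" ;;
        delete) printf 'update delete _acme-challenge.%s. IN TXT "%s"\n' "$domain" "$token" ;;
        *)      echo "build_batch: unknown op '$op'" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Send a batch read from stdin to the name server (or print it in dry-run mode).
run_batch() {
    if [ "$DRY_RUN" = "1" ]; then cat; else nsupdate -k "$NS_KEY"; fi
}

# Succeeds only if every expected token appears among the TXT strings read
# from stdin (the shape of `dig +short TXT ... @server`, one quoted string
# per line). Polling with this, rather than for a single value, avoids
# responding before both records are visible.
tokens_present() {
    txt="$(cat)"
    for want in "$@"; do
        case "$txt" in *"\"$want\""*) ;; *) return 1 ;; esac
    done
    return 0
}

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# and later clean_challenge with the same triplet; with HOOK_CHAIN=yes the
# triplet is repeated once per pending challenge in a single call.
deploy_challenge() {
    while [ "$#" -ge 3 ]; do
        build_batch add "$1" "$3" | run_batch
        shift 3
    done
}

clean_challenge() {
    while [ "$#" -ge 3 ]; do
        build_batch delete "$1" "$3" | run_batch
        shift 3
    done
}

# Dispatch on the hook stage when run by dehydrated; other stages need nothing.
case "${1:-}" in
    deploy_challenge|clean_challenge) stage="$1"; shift; "$stage" "$@" ;;
esac
```

Run it with `DRY_RUN=1 ./hook.sh clean_challenge example.org /dev/null TOKEN` to see the batch that would be sent; the delete line carries the token string, which is the whole point of the thread. Before returning from `deploy_challenge` you can poll the authoritative server with `dig +short TXT _acme-challenge.example.org @127.0.0.1 | tokens_present TOKEN_A TOKEN_B` so that the CA is not asked to validate while only one of the two records is visible.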
Reference: starred/dehydrated#304