Challenge failing with wildcard domain and naked domain

I think this is self-explanatory. I redacted the domain to example.tld and the hook is stored at /path/to/hook.sh.

Command:

# certbot certonly --email "$EMAIL" --agree-tos --no-eff \
  --manual --manual-auth-hook /path/to/hook.sh \
  --manual-cleanup-hook /path/to/hook.sh \
  --preferred-challenges dns \
  -d example.tld -d *.example.tld

Results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for example.tld and *.example.tld
Performing the following challenges:
dns-01 challenge for example.tld
dns-01 challenge for example.tld
Running manual-auth-hook command: /path/to/hook.sh
Output from manual-auth-hook command hook.sh:
Setting challenge to XXXXXXXXXXXXXXXXXXXXX ...
Waiting 120s for changes be published.
Mon 05 Apr 2021 07:30:08 PM MDT
Token published. Returning to certbot.

Running manual-auth-hook command: /path/to/hook.sh
Output from manual-auth-hook command hook.sh:
Setting challenge to YYYYYYYYYYYYYYYYYYYYY ...
Waiting 120s for changes be published.
Mon 05 Apr 2021 07:32:10 PM MDT
Token published. Returning to certbot.

Waiting for verification...
Challenge failed for domain example.tld
Challenge failed for domain example.tld
dns-01 challenge for example.tld
dns-01 challenge for example.tld
Cleaning up challenges
Running manual-cleanup-hook command: /path/to/hook.sh
Output from manual-cleanup-hook command hook.sh:
Deleting challenge XXXXXXXXXXXXXXXXXXXXX ...
Token deleted. Returning to certbot.

Running manual-cleanup-hook command: /path/to/hook.sh
Output from manual-cleanup-hook command hook.sh:
Deleting challenge YYYYYYYYYYYYYYYYYYYYY ...
Token deleted. Returning to certbot.

Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.tld
   Type:   dns
   Detail: DNS problem: query timed out looking up TXT for
   _acme-challenge.example.tld

   Domain: example.tld
   Type:   dns
   Detail: DNS problem: query timed out looking up TXT for
   _acme-challenge.example.tld

I don’t think the challenge should be happening twice. Maybe both TXT records are being set, one being overridden, and then both get checked and fail somehow.

Let me know if you need more info.

-Keith

Oh, and my .dedynauth is in the same dir as hook.sh and looks like:

# Place your dedyn.io access token here:
DEDYN_TOKEN=ZZZZZZZZZZZZZZZZZZZZ

# Set your dedyn.io domain name here:
DEDYN_NAME=example.tld
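An added illustration of the overwrite hypothesis above (this is example code written for this thread, not Keith's hook.sh and not deSEC's code): example.tld and *.example.tld both validate against the single name _acme-challenge.example.tld, so the hook is invoked twice for the same TXT RRset and must add its token to the set rather than replace the set. The "RRset store" below is a directory of files standing in for the DNS provider's API (an assumption of this example); CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES are the variables certbot really exports to manual hooks, while passing the word cleanup as the first argument to select cleanup mode is this example's own convention. It also waits for propagation once, after the last challenge of the run is published, instead of 120 s per challenge, and cleanup removes only its own token.

```shell
#!/bin/sh
# Example hook logic: ADD to the _acme-challenge TXT RRset instead of replacing it,
# because the apex and wildcard challenges share one record name.
# The file-per-name store below is a stand-in for a DNS provider API (assumption).

RRSET_DIR="${RRSET_DIR:-$(mktemp -d)}"

rrset_file() { printf '%s/%s.txt' "$RRSET_DIR" "$1"; }

# Record name the CA looks up; "*.example.tld" and "example.tld" map to the same one.
challenge_name() { printf '_acme-challenge.%s' "${1#\*.}"; }

# Buggy strategy: overwrite the RRset with a single value, so the second
# challenge's token wipes the first one before verification happens.
rrset_replace() { printf '%s\n' "$2" > "$(rrset_file "$1")"; }

# Correct strategy: add the value, keeping whatever is already published.
rrset_add() {
  f=$(rrset_file "$1")
  touch "$f"
  grep -qxF -- "$2" "$f" || printf '%s\n' "$2" >> "$f"
}

# Cleanup removes only the given value, leaving the other challenge's token intact.
rrset_remove() {
  f=$(rrset_file "$1")
  [ -f "$f" ] || return 0
  grep -vxF -- "$2" "$f" > "$f.tmp" || true
  mv "$f.tmp" "$f"
}

rrset_has() { grep -qxF -- "$2" "$(rrset_file "$1")" 2>/dev/null; }

# Number of values currently in the RRset (0 when nothing is published).
rrset_count() {
  f=$(rrset_file "$1")
  if [ -f "$f" ]; then grep -c . "$f" || true; else echo 0; fi
}

# Simulate one certbot run: two dns-01 challenges for the same name, then the
# CA's TXT lookup. $1 selects the hook strategy, "replace" or "add". Prints pass/fail.
simulate_run() {
  name=$(challenge_name example.tld)
  rm -f "$(rrset_file "$name")"
  "rrset_$1" "$name" TOKEN_FOR_APEX       # challenge for example.tld (constructed token)
  "rrset_$1" "$name" TOKEN_FOR_WILDCARD   # challenge for *.example.tld (constructed token)
  if rrset_has "$name" TOKEN_FOR_APEX && rrset_has "$name" TOKEN_FOR_WILDCARD; then
    echo pass
  else
    echo fail
  fi
}

# Entry point when certbot runs this file as --manual-auth-hook / --manual-cleanup-hook.
# Passing "cleanup" as the first argument selects cleanup mode (this example's convention).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  name=$(challenge_name "$CERTBOT_DOMAIN")
  if [ "${1:-auth}" = cleanup ]; then
    rrset_remove "$name" "$CERTBOT_VALIDATION"
  else
    rrset_add "$name" "$CERTBOT_VALIDATION"
    # Wait for propagation once, after the last challenge of this run is published.
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
      echo "all tokens published; waiting for DNS propagation"
      # sleep 120   # or poll the authoritative nameservers until both TXT values appear
    fi
  fi
fi
```

Running `simulate_run replace` prints fail and `simulate_run add` prints pass; in a real hook the two store functions would be replaced by calls that fetch the current TXT RRset, merge the new value in, and write the merged set back.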

Hi ki9,

Thanks for your message, and welcome to deSEC :slight_smile:

We cannot debug this issue without knowing the domain name in question. If you don’t want to post it publicly, please send us an email.

Stay secure,
Peter

Can you reproduce this problem with your own domain? I think it’s a bug in your hook script. Maybe GitHub issue #7 was never fixed.