Duplicate TXT DNS records required

#1

Hello,

I am trying to enable a letsencrypt cert that has a wildcard host and the apex host in one cert. Since you can’t use their normal validation with a host fronted with cloudflare, the dns method is suggested. In order to do this you have to add a dns TXT record for _acme-challenge for every name on the cert in separate TXT records.

That all works fine when I use the wildcard domain, but when you add the apex domain letsencrypt requires 2 TXT records, one for each host name, which is allowed by the dns specification.

When I add the second one, cloudflare just silently discards it.

Anybody know a workaround?

#2

What do you mean by this? Can you post a screenshot?

#3

I can’t post a screenshot of a negative. :slight_smile: But you can duplicate it like this.

  1. create a DNS TXT record for _acme-challenge and put in any string, say “ABC” (you must enter the quotes or cloudflare silently ignore it.
  2. Create a second DNS TXT record for _acme-challenge (this is allowed by the DNS specification) and enter another string for value, say “DEF”.

The second one is silently ignored by cloudflare, and you still have only “ABC”.

#4

I meant a screenshot of the record you are trying to add :joy:

I have just tried adding it, even without the quotes, both the TXT records show on a lookup.

image
image.png1054×267 9.9 KB

image

#5

Wow that is really interesting. I tried a half a dozen times, but the actual strings required by letsencrypt are long and contains hyphens and underscores. In my case, only the first one is saved. Subsequent ones are silently discarded. I did see a bug in the interface - if you omit the quotes, your edit is silently discarded with no warning. Maybe the special characters have something to do with it, based on your results I will start experimenting with different strings and see if I can narrow down the issue. Thanks!

#6

Just attempted the same as @domjh and used actual values and it appeared to work as well. Maybe a typo in the name of the other value? :man_shrugging:t2:

#7

Thanks to the folks that replied. I think now what was happening was, I saw a service alert that there was an outage yesterday and that during that time dns updates were not propagated. :slight_smile:

I just tried it again, and sure enough, its all good. So thanks again if I hadn’t heard from anyone I would have just assumed it was a bug and given up and tried something else.