I love that lead to some fun... So I moved eagerly to Let's Encrypt when the tooling supported Windows reasonably well, and set myself up with a certificate with multiple SANs authenticated via their "HTTP proofs" mechanism, and it all worked fine, despite it being a bit of a pain that I had to expose port 80 for sites I only wanted accessible via port 443.
But I realised recently that they now offer wildcard certs that would make my life simpler, and that there is now decent support for DNS-based proof-of-ownership. So recently I tried moving my server over to this model – and there was a bit of friction. Entirely PEBCAK though – so I'm writing this down for the next time I forget how DNS works 😉
As a user of Windows servers, the Certify client is the easiest way to set up this sort of thing. So I started by downloading the latest instance of that – which worked easily enough.
From there you can request a new certificate for "*.yourdomain.com". You also have to tell it that you're using a DNS challenge. Depending on your DNS provider, you may be lucky enough to have support for automatically updating DNS with the challenge data. That worked for me with one domain, which was hosted via CloudFlare. But it wasn't available for me with another domain – which is where I had a little confusion.
If automation isn't supported for your DNS provider you have to select the "manual" update mechanism... Then, when you request the certificate, Certify tells you about the TXT record(s) you need to create. You get something like this from the UI and logs:
2019-06-22 14:24:06.261 +01:00 [INF] DNS: (Update DNS Manually) :: Please login to your DNS control panel for the domain '*.mydomain.co.uk' and create a new TXT record named: _acme-challenge.mydomain.co.uk with the value: a-ELrRGO72uAYDPxb8YpyzDrHkC8n71Yc67sW7HX1bX
So you log in to your DNS provider, and copy/paste these values into a TXT record...
Don't make the silly mistake I did intially – remember how DNS works...
You do not log in to your DNS portal and paste "_acme-challenge.mydomain.co.uk" into a new TXT record's Name field – you create a TXT record named "_acme-challenge" under your domain "mydomain.co.uk":
Seems very obvious in retrospect, but it this caught me out because it seems some DNS providers will recognise the mistake here, and strip the DNS suffix off the name of your new TXT record. Cloudflare, for example, are wise to this mistake. But some will not – including my other provider.
And if you do make this copy/paste mistake the Let's Encrypt validation will not work, because it will not be able to find the "right" TXT record. And then you'll spend half an hour carefully comparing the challenge value, wondering if you got that random string of nonsense wrong...
Must remember not to make this mistake next time.