Wildcard SSL with LetsEncrypt gives error
Solution 1:
Please note you have to wait for a while until changes in your DNS zone will be updated on servers worldwide. Your problem is that you're trying to check if changes are applied to the DNS too fast. There is a good way out from this case and it requires using DNS provider's API. If you use for instance OVH, you can use their API for DNS changes and certbot will be able to check changes immediately. There is a list of all API plugins here: https://certbot.eff.org/docs/using.html?highlight=dns#dns-plugins
If your DNS provider doesn't support this, try moving your DNS zone to Cloudflare. It's super easy and you'll get that service for free. Also, by using DNS API you'll be able to renew wildcard certificates for free by leaving a single command in cron like this:
0 1 20 * * root certbot certonly --non-interactive -d example.com -d '*.example.com' --dns-cloudflare --dns-cloudflare-credentials /my/secret/api/key/location
Solution 2:
Note that in a zone file, names not ending with a dot .
are relative, usually to the current domain.
So an entry for _acme-challenge.db.example.com
inside the zone for db.example.com
actually means an entry for _acme-challenge.db.example.com.db.example.com.
To make sure you have the right entry, you can either:
Add a dot a the end:
_acme-challenge.db.example.com.
Or not include the domain:
_acme-challenge
This is based on the zone being for db.example.com
, things would be slightly different is the zone were for example.com
instead.
Also don't forget to update the serial of the zone (in the SOA record) when you update it, and reload the zone.
This is of course based on the registered name servers for your domain being your own server (and a secondary).
When querying using nslookup
or dig
you can tell them which server to ask the answer from. Always start by checking your primary, then your secondary, then other servers. And don't forget some types of updates may take a while (especially changes which are subject to TTL of the previous record, and additions subject to the negative cache TTL of the domain).