
Error during automated certificate renewal wildcard letsencrypt #2120

Closed
3 tasks done
Potusek opened this issue Feb 25, 2024 · 3 comments

Comments


Potusek commented Feb 25, 2024

Welcome

  • Yes, I'm using a binary release within 2 latest releases.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).

What did you expect to see?

LetsEncrypt request successful

What did you see instead?

Failed to issue new certificate

How do you use lego?

Binary

Reproduction steps

There has been a configuration of several domains in directadmin for several years and the problems probably appeared in version lego_v4.14.2-SNAPSHOT-cd63b325_linux_amd64.tar.gz - a newer version is not yet available for DA

DNS Zone in ovh

$TTL 3600
@	IN SOA dns14.ovh.net. tech.ovh.net. (2024020200 86400 3600 3600000 60)
        IN NS     dns14.ovh.net.
        IN NS     ns14.ovh.net.
        IN MX     10 wawer-plaza.com.pl.
     60 IN A     146.59.66.209
     60 IN CAA     0 issuewild "letsencrypt.org"
*     60 IN CNAME     wawer-plaza.com.pl.

Version of lego

lego version 4.14.2-SNAPSHOT-cd63b325 linux/amd64

Logs

Found wildcard domain name and http challenge type, switching to dns-01 validation.
2024/02/24 00:11:52 [INFO] [*.wawer-plaza.com.pl, wawer-plaza.com.pl] acme: Obtaining SAN certificate
2024/02/24 00:11:53 [INFO] [*.wawer-plaza.com.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169577
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169587
2024/02/24 00:11:53 [INFO] [*.wawer-plaza.com.pl] acme: use dns-01 solver
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: Could not find solver for: tls-alpn-01
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: Could not find solver for: http-01
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: use dns-01 solver
2024/02/24 00:11:53 [INFO] [*.wawer-plaza.com.pl] acme: Preparing to solve DNS-01
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.wawer-plaza.com.pl.": "wawer-plaza.com.pl."
2024/02/24 00:11:53 refusing to create DNS challenge record 'wawer-plaza.com.pl', missing _acme-challenge prefix

2024/02/24 00:11:53 [INFO] [*.wawer-plaza.com.pl] acme: Cleaning DNS-01 challenge
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.wawer-plaza.com.pl.": "wawer-plaza.com.pl."
2024/02/24 00:11:53 refusing to remove DNS challenge record 'wawer-plaza.com.pl', missing _acme-challenge prefix

2024/02/24 00:11:53 [WARN] [*.wawer-plaza.com.pl] acme: cleaning up failed: exec: exit status 1 
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: Preparing to solve DNS-01
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.wawer-plaza.com.pl.": "wawer-plaza.com.pl."
2024/02/24 00:11:53 refusing to create DNS challenge record 'wawer-plaza.com.pl', missing _acme-challenge prefix

2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: Cleaning DNS-01 challenge
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.wawer-plaza.com.pl.": "wawer-plaza.com.pl."
2024/02/24 00:11:53 refusing to remove DNS challenge record 'wawer-plaza.com.pl', missing _acme-challenge prefix

2024/02/24 00:11:53 [WARN] [wawer-plaza.com.pl] acme: cleaning up failed: exec: exit status 1 
2024/02/24 00:11:53 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169577
2024/02/24 00:11:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169587
2024/02/24 00:11:54 Could not obtain certificates:
	error: one or more domains had a problem:
[*.wawer-plaza.com.pl] [*.wawer-plaza.com.pl] acme: error presenting token: exec: exit status 1
[wawer-plaza.com.pl] [wawer-plaza.com.pl] acme: error presenting token: exec: exit status 1
Failed to issue new certificate

Potusek added the bug label Feb 25, 2024
Member

ldez commented Feb 25, 2024

Hello,

lego_v4.14.2-SNAPSHOT-cd63b325_linux_amd64.tar.gz - a newer version is not yet available for DA

lego v4.15.0 has been available for one month; can you try it?

Member

ldez commented Feb 25, 2024

Can you provide more explanation about your context?
What was the version of the latest working lego?
You are using a CNAME, do you have the right entry for ACME?
Since v4.9, the CNAMEs are followed by default.
You can disable the CNAME support by setting the env var LEGO_DISABLE_CNAME_SUPPORT to true.

cd63b32 is a dangling commit, related to nothing in the lego tree, so you are using a custom version based on PR #1501.
What is the link between DirectAdmin and this PR?

Author

Potusek commented Feb 26, 2024

I store the DNS zone in OVH and have minimal entries (which have worked so far), i.e.:

domain.com. A 123.123.123.123	
*.domain.com.  CNAME domain.com.

I have the detailed subdomains described in the dns zone managed by directadmin and mostly within one IP address.

After adding LEGO_DISABLE_CNAME_SUPPORT=true it returned to the original functioning i.e. I get the wildcard certificate.
Now it remains to "convince" directadmin to be able to set such a variable permanently.

So, it is indeed not a bug.
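To make the CNAME-following point concrete, here is an added simulation (not lego's code and not the reporter's DirectAdmin hook) of why the wildcard CNAME in the zone above breaks the dns-01 challenge and why LEGO_DISABLE_CNAME_SUPPORT=true restores it. The zone data is constructed from the issue, the hook's prefix check is reconstructed from its log message only, and the delegation target in the usage note is hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is one zone entry: owner name (FQDN with trailing dot), type, rdata.
type Record struct{ Name, Type, Data string }

// Zone constructed from the issue: apex A record plus the wildcard CNAME.
var issueZone = []Record{
	{"wawer-plaza.com.pl.", "A", "146.59.66.209"},
	{"*.wawer-plaza.com.pl.", "CNAME", "wawer-plaza.com.pl."},
}

// lookupCNAME answers like a resolver: an exact owner name wins; a wildcard
// ("*.zone." matches any name ending in ".zone.") applies only when no record
// of any type exists at the queried name.
func lookupCNAME(zone []Record, fqdn string) (string, bool) {
	for _, r := range zone {
		if r.Name == fqdn {
			return r.Data, r.Type == "CNAME"
		}
	}
	for _, r := range zone {
		if r.Type == "CNAME" && strings.HasPrefix(r.Name, "*.") && strings.HasSuffix(fqdn, r.Name[1:]) {
			return r.Data, true
		}
	}
	return "", false
}

// challengeFQDN mirrors lego's record-name choice: _acme-challenge.<domain>.,
// replaced by the CNAME target when CNAME following (default since v4.9) is on.
func challengeFQDN(zone []Record, domain string, followCNAME bool) string {
	fqdn := "_acme-challenge." + strings.TrimPrefix(domain, "*.") + "."
	if target, ok := lookupCNAME(zone, fqdn); followCNAME && ok {
		fqdn = target
	}
	return fqdn
}

// presentRecord is the guard the hook script in the log enforces (reconstructed).
func presentRecord(fqdn string) error {
	if !strings.HasPrefix(fqdn, "_acme-challenge.") {
		return fmt.Errorf("refusing to create DNS challenge record '%s', missing _acme-challenge prefix", strings.TrimSuffix(fqdn, "."))
	}
	return nil
}

func main() {
	fmt.Println(presentRecord(challengeFQDN(issueZone, "*.wawer-plaza.com.pl", true)))  // as in the issue log
	fmt.Println(presentRecord(challengeFQDN(issueZone, "*.wawer-plaza.com.pl", false))) // LEGO_DISABLE_CNAME_SUPPORT=true
}
```

The other fix ldez hints at ("the right entry for ACME") is an explicit record at _acme-challenge.wawer-plaza.com.pl., which shadows the wildcard; a CNAME there to a dedicated validation name that keeps the _acme-challenge label (hypothetical target) lets CNAME following stay enabled.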
