[BUG] Certbot fails to generate Porkbun DNS certificate for subdomain and wildcard of said subdomain #561

@hoang-himself

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The certbot command fails if left to run automatically, but running the command manually works:

certbot certonly --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --renew-by-default

Downgrading to 3.3.0-ls374, or using mods to install certbot-dns-porkbun v0.9.1, also works.

Expected Behavior

>>> podman container exec -ti swag certbot certonly --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --renew-by-default 
Saving debug log to /config/log/letsencrypt/letsencrypt.log
Requesting a certificate for test.example.com and *.test.example.com
Unsafe permissions on credentials configuration file: /config/dns-conf/porkbun.ini
Unsafe permissions on credentials configuration file: /config/dns-conf/porkbun.ini
The propagation time is less than Porkbun DNS TTL minimum of 600 seconds. Subsequent challenges for same domain may fail. Try increasing the propagation time if you encounter issues.
Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /config/etc/letsencrypt/live/test.example.com/fullchain.pem
Key is saved at:         /config/etc/letsencrypt/live/test.example.com/privkey.pem
This certificate expires on 2025-07-22.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The container works as expected after restarting.

Steps To Reproduce

See below

Environment

- OS: CentOS Stream 9
- How docker service was installed: Podman via dnf

>>> podman container exec -ti swag cat /config/etc/letsencrypt/cli.ini
agree-tos=true
server=https://acme-v02.api.letsencrypt.org/directory
domains=test.example.com,*.test.example.com
register-unsafely-without-email=true
preferred-challenges=dns
authenticator=dns-porkbun
dns-porkbun-credentials=/config/dns-conf/porkbun.ini
dns-porkbun-propagation-seconds=60

CPU architecture

x86-64

Docker creation

podman container run -dti --name swag --rm --replace \
  -v ./porkbun.ini:/config/dns-conf/porkbun.ini \
  -e URL=example.com \
  -e SUBDOMAINS=test, \
  -e EXTRA_DOMAINS='*.test.example.com' \
  -e ONLY_SUBDOMAINS=true \
  -e VALIDATION=dns \
  -e DNSPLUGIN=porkbun \
  -e PROPAGATION=60 \
  lscr.io/linuxserver/swag:latest

Container logs

[migrations] started
[migrations] 01-nginx-site-confs-default: executing...
[migrations] 01-nginx-site-confs-default: succeeded
[migrations] 02-swag-old-certbot-paths: executing...
[migrations] 02-swag-old-certbot-paths: succeeded
[migrations] done
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    911
User GID:    911
───────────────────────────────────────
Linuxserver.io version: 4.0.0-ls378
Build-date: 2025-04-19T03:33:37+00:00
───────────────────────────────────────
    
Setting resolver to  169.254.1.1 8.8.8.8 8.8.4.4
Setting worker_processes to 2
generating self-signed keys in /config/keys, you can replace these with your own keys if required
REDACTED
-----
Variables set:
PUID=
PGID=
TZ=
URL=example.com
SUBDOMAINS=test,
EXTRA_DOMAINS=*.test.example.com
ONLY_SUBDOMAINS=true
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=porkbun
EMAIL=
STAGING=

Created .donoteditthisfile.conf
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Sub-domains processed are: test.example.com
EXTRA_DOMAINS entered, processing
Extra domains processed are: *.test.example.com
No e-mail address entered or address invalid
dns validation via porkbun plugin is selected
Generating new certificate
Saving debug log to /config/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for test.example.com and *.test.example.com
Unsafe permissions on credentials configuration file: /config/dns-conf/porkbun.ini
Unsafe permissions on credentials configuration file: /config/dns-conf/porkbun.ini
The propagation time is less than Porkbun DNS TTL minimum of 600 seconds. Subsequent challenges for same domain may fail. Try increasing the propagation time if you encounter issues.
The propagation time is less than Porkbun DNS TTL minimum of 600 seconds. Subsequent challenges for same domain may fail. Try increasing the propagation time if you encounter issues.
Waiting 60 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-porkbun). The Certificate Authority reported these problems:
  Domain: test.example.com
  Type:   unauthorized
  Detail: Incorrect TXT record "q5-8E9a0pm0k4_xzc5D9rWTqKje2ITnGe9hGXO78QWc" found at _acme-challenge.test.example.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-porkbun. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-porkbun-propagation-seconds (currently 60 seconds).

No challenge TXT record found for domain test.example.com with value RNDRV9bPy_ClV0yGrlrob6K5fBV3JiiQS-a8s5TNOR0
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /config/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/porkbun.ini file.
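The failure above shows two different challenge values at one owner name: the CA found "q5-8E9a0…" at _acme-challenge.test.example.com while certbot was waiting for "RNDRV9…". A base name and its wildcard are both validated through TXT records at that same owner name, so the zone has to carry one TXT record per challenge value when the CA looks; the run also repeats certbot's warning that the credentials file holding the Porkbun API key is readable by group or others. The script below is an added example, not code from this issue, from SWAG or from certbot: it parses the quoted failure lines, works out which challenge names need more than one record, reports which values are still missing through a pluggable resolver callable, and checks the credentials file mode. The sample log and the stand-in resolver are constructed from the lines quoted in the issue; the function names are this example's own.

```python
"""Added example, not code from the issue, from SWAG or from certbot.

Two checks that belong in front of a dns-01 run that fails the way the
issue's log does:

1. test.example.com and *.test.example.com are both validated through TXT
   records at the SAME owner name, _acme-challenge.test.example.com, so the
   zone must hold one TXT record per challenge value when the CA queries it.
   One way to get exactly the symptom in the log (one value found, the other
   not found) is a record that was replaced rather than added; a resolver
   that still serves a stale answer gives the same picture.
2. certbot's "Unsafe permissions" warning fires when the credentials file is
   readable by group or others; that file holds the DNS provider's API key.

Sample inputs below are constructed from the log lines quoted in the issue.
"""
import os
import re
from typing import Callable, Dict, Iterable, List, Set

RE_INCORRECT = re.compile(r'Incorrect TXT record "(?P<found>[^"]+)" found at (?P<name>\S+)')
RE_MISSING = re.compile(r"No challenge TXT record found for domain (?P<domain>\S+) with value (?P<value>\S+)")


def challenge_name(domain: str) -> str:
    """Owner name of the dns-01 TXT record for a domain. A leading '*.' is
    dropped because a wildcard shares the challenge name of its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def challenge_plan(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Group requested domains by the challenge name they share; a name that
    collects more than one domain needs that many TXT records at once."""
    plan: Dict[str, List[str]] = {}
    for d in domains:
        plan.setdefault(challenge_name(d), []).append(d)
    return plan


def parse_failure(log_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """From certbot's failure output, collect per challenge name the TXT
    values the CA reported as found and the values certbot could not find."""
    found: Dict[str, Set[str]] = {}
    expected: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = RE_INCORRECT.search(line)
        if m:
            found.setdefault(m.group("name"), set()).add(m.group("found"))
            continue
        m = RE_MISSING.search(line)
        if m:
            expected.setdefault(challenge_name(m.group("domain")), set()).add(m.group("value"))
    return {"found": found, "expected": expected}


def missing_values(parsed: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Values the CA still needs to see at each challenge name."""
    report: Dict[str, Set[str]] = {}
    for name, vals in parsed["expected"].items():
        absent = vals - parsed["found"].get(name, set())
        if absent:
            report[name] = absent
    return report


def verify_zone(expected: Dict[str, Set[str]],
                resolve: Callable[[str], Set[str]]) -> Dict[str, Set[str]]:
    """Pre-flight check: `resolve` returns the TXT strings currently visible
    for an owner name (for instance a wrapper around `dig +short TXT`); the
    result lists the expected values that are not visible yet."""
    report: Dict[str, Set[str]] = {}
    for name, vals in expected.items():
        absent = vals - resolve(name)
        if absent:
            report[name] = absent
    return report


def permissions_are_safe(mode: int) -> bool:
    """True when neither group nor others hold any permission bit, which is
    the condition certbot's 'Unsafe permissions' warning checks for."""
    return (mode & 0o077) == 0


def credentials_file_is_safe(path: str) -> bool:
    """Apply the mode check to a real file such as /config/dns-conf/porkbun.ini."""
    return permissions_are_safe(os.stat(path).st_mode)


# Constructed from the container log quoted in the issue.
SAMPLE_LOG = """\
Certbot failed to authenticate some domains (authenticator: dns-porkbun). The Certificate Authority reported these problems:
  Domain: test.example.com
  Type:   unauthorized
  Detail: Incorrect TXT record "q5-8E9a0pm0k4_xzc5D9rWTqKje2ITnGe9hGXO78QWc" found at _acme-challenge.test.example.com

No challenge TXT record found for domain test.example.com with value RNDRV9bPy_ClV0yGrlrob6K5fBV3JiiQS-a8s5TNOR0
"""

if __name__ == "__main__":
    print("plan:", challenge_plan(["test.example.com", "*.test.example.com"]))
    parsed = parse_failure(SAMPLE_LOG)
    print("missing per failure output:", missing_values(parsed))
    # Constructed stand-in resolver that only sees the record the CA reported.
    seen = {"_acme-challenge.test.example.com": {"q5-8E9a0pm0k4_xzc5D9rWTqKje2ITnGe9hGXO78QWc"}}
    print("pre-flight:", verify_zone(parsed["expected"], lambda n: seen.get(n, set())))
```

In practice `resolve` would query the zone's authoritative servers rather than a caching resolver, since the plugin's own warning notes that the 60-second propagation wait is below Porkbun's 600-second minimum TTL; a cached answer from the previous challenge is exactly what a recursive resolver may still return. The file-mode check mirrors what the repeated warning asks for: the mounted porkbun.ini should be mode 600 and owned by the container user.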

Status: Done