[BUG] Wildcard tries to request for *.co.uk #2222

Open
helpquick opened this issue Apr 29, 2025 · 6 comments
Assignees
Labels
bug Something isn't working next minor

Comments

@helpquick

helpquick commented Apr 29, 2025

What happened?

Let's Encrypt tries to request a certificate for *.co.uk

Scheduler log: Invalid identifiers requested :: Cannot issue for "*.co.uk": Domain name is a wildcard for an ICANN TLD (and 1 more problems. Refer to sub-problems for more information.)

How to reproduce?

Create a new service specifying a .co.uk domain with and without the www in the server name (space separated)

e.g.

helpquick.co.uk www.helpquick.co.uk

Let's Encrypt wildcard enabled.

Configuration file(s) (yaml or .env)

Service config

IS_DRAFT=no
SERVER_NAME=helpquick.co.uk www.helpquick.co.uk
USE_TEMPLATE=low
BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 429 444
BAD_BEHAVIOR_THRESHOLD=30
BAD_BEHAVIOR_BAN_TIME=3600
USE_CORS=yes
CORS_ALLOW_ORIGIN=*
KEEP_UPSTREAM_HEADERS=*
CONTENT_SECURITY_POLICY=frame-ancestors 'none' upgrade-insecure-requests
REFERRER_POLICY=no-referrer-when-downgrade
PERMISSIONS_POLICY=
COOKIE_FLAGS=* SameSite=Lax
AUTO_LETS_ENCRYPT=yes
EMAIL_LETS_ENCRYPT=admin@<removed>
LETS_ENCRYPT_CHALLENGE=dns
LETS_ENCRYPT_DNS_PROVIDER=rfc2136
LETS_ENCRYPT_DNS_PROPAGATION=10
USE_LETS_ENCRYPT_WILDCARD=yes
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM=server <removed>
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_1=name <removed>
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_2=secret <removed>
LIMIT_CONN_MAX_HTTP1=25
LIMIT_CONN_MAX_HTTP2=200
LIMIT_CONN_MAX_HTTP3=200
LIMIT_REQ_RATE=5r/s
MAX_CLIENT_SIZE=100m
USE_REVERSE_PROXY=yes
REVERSE_PROXY_HOST=https://<removed>
REVERSE_PROXY_KEEPALIVE=yes

Relevant log output

[2025-04-29 13:26:21 +0100] [LETS-ENCRYPT.NEW] [1670284] [ℹ️ ] - Service helpquick.co.uk is using wildcard, the propagation time will be the provider's default and the email will be the same as the first domain that created the group...
[2025-04-29 13:26:21 +0100] [LETS-ENCRYPT.NEW] [1670284] [ℹ️ ] - Successfully saved service helpquick.co.uk's credentials file in cache
[2025-04-29 13:26:21 +0100] [LETS-ENCRYPT.NEW] [1670284] [ℹ️ ] - Asking wildcard certificates for domain(s) : *.co.uk,*.helpquick.co.uk,co.uk,helpquick.co.uk (email = [email protected]) with dns challenge...
[2025-04-29 13:26:22 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Saving debug log to /var/log/bunkerweb/letsencrypt/letsencrypt.log
[2025-04-29 13:26:22 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Saving debug log to /var/log/bunkerweb/letsencrypt/letsencrypt.log
[2025-04-29 13:26:22 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - An unexpected error occurred:
[2025-04-29 13:26:22 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - An unexpected error occurred:
[2025-04-29 13:26:22 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Invalid identifiers requested :: Cannot issue for "*.co.uk": Domain name is a wildcard for an ICANN TLD (and 1 more problems. Refer to sub-problems for more information.)
[2025-04-29 13:26:22 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Invalid identifiers requested :: Cannot issue for "*.co.uk": Domain name is a wildcard for an ICANN TLD (and 1 more problems. Refer to sub-problems for more information.)
[2025-04-29 13:26:23 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/bunkerweb/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[2025-04-29 13:26:23 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/bunkerweb/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[2025-04-29 13:26:23 +0100] [LETS-ENCRYPT.NEW] [1670284] [❌] - Certificate generation failed for domain(s) *.co.uk,*.helpquick.co.uk,co.uk,helpquick.co.uk ...
[2025-04-29 13:26:23 +0100] [LETS-ENCRYPT.NEW] [1670284] [❌] - Exception while running certbot-new.py :
[Errno 2] No such file or directory: '/var/cache/bunkerweb/letsencrypt/helpquick.co.uk'

BunkerWeb version

1.6.2-rc1

What integration are you using?

Linux

Linux distribution (if applicable)

Debian bookworm

Removed private data

  • I have removed all private data from the configuration file and the logs

Code of Conduct

  • I agree to follow this project's Code of Conduct
@helpquick helpquick added the bug Something isn't working label Apr 29, 2025
@helpquick
Author

Removing the with-www part, so it's just the bare domain, and saving results in no attempt to create a cert at all.

The letsencrypt log does not show anything new since the failed attempt above.

Updating the service and changing the propagation delay to 15 (to force a save) makes the scheduler pick it up, and again it tries to request a wildcard for *.co.uk

[2025-04-29 14:02:04 +0100] [LETS-ENCRYPT.NEW] [1670284] [ℹ️ ] - Service helpquick.co.uk is using wildcard, the propagation time will be the provider's default and the email will be the same as the first domain that created the group...
[2025-04-29 14:02:04 +0100] [LETS-ENCRYPT.NEW] [1670284] [ℹ️ ] - Service helpquick.co.uk's wildcard credentials file has already been generated
[2025-04-29 14:02:04 +0100] [LETS-ENCRYPT.NEW] [1670284] [ℹ️ ] - Asking wildcard certificates for domain(s) : *.co.uk,co.uk (email = [email protected]) with dns challenge...
[2025-04-29 14:02:04 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Saving debug log to /var/log/bunkerweb/letsencrypt/letsencrypt.log
[2025-04-29 14:02:04 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Saving debug log to /var/log/bunkerweb/letsencrypt/letsencrypt.log
[2025-04-29 14:02:05 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - An unexpected error occurred:
[2025-04-29 14:02:05 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - An unexpected error occurred:
[2025-04-29 14:02:05 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Invalid identifiers requested :: Cannot issue for "*.co.uk": Domain name is a wildcard for an ICANN TLD (and 1 more problems. Refer to sub-problems for more information.)
[2025-04-29 14:02:05 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Invalid identifiers requested :: Cannot issue for "*.co.uk": Domain name is a wildcard for an ICANN TLD (and 1 more problems. Refer to sub-problems for more information.)
[2025-04-29 14:02:05 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/bunkerweb/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[2025-04-29 14:02:05 +0100] [LETS-ENCRYPT.NEW.CERTBOT] [1670284] [ℹ️ ] - Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/bunkerweb/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[2025-04-29 14:02:05 +0100] [LETS-ENCRYPT.NEW] [1670284] [❌] - Certificate generation failed for domain(s) *.co.uk,co.uk ...
[2025-04-29 14:02:05 +0100] [LETS-ENCRYPT.NEW] [1670284] [❌] - Exception while running certbot-new.py :
[Errno 2] No such file or directory: '/var/cache/bunkerweb/letsencrypt/helpquick.co.uk'

Also, why are log lines duplicated?

@TheophileDiot
Member

Hi, the wildcard will always be generated from a common first suffix -> helpquick.co.uk = *.co.uk,co.uk

@helpquick
Author

So this affects all 2nd-level domains? e.g. .co.uk, .org.uk, .uk.com, etc.? So I can't create a service with helpquick.co.uk and select wildcard, as it will try to generate a wildcard for *.co.uk.

@TheophileDiot
Member

Indeed, this is useful when using multiple services with the same suffix

@helpquick
Author

Yes, but .co.uk is the country-wide effective TLD for the UK; other prefixes are available such as .org.uk, .me.uk, .ltd.uk, etc.

Although Nominet released the use of bare .uk domains, there are a lot of domains out there with .co.uk, and it'll never be possible to create a *.co.uk wildcard.

It may be worth catching these cases, so that BunkerWeb won't attempt to create these wildcards, in the same way it won't try to create a *.com wildcard (or will it? I've not tried, to be fair).

@TheophileDiot
Member

This is already in the loop, we get the blacklist from here: https://publicsuffix.org/list/public_suffix_list.dat
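The thread above shows the two halves of the problem: a "common first suffix" grouping turns helpquick.co.uk into *.co.uk,co.uk, and the CA rejects a wildcard on an ICANN public suffix. The example below is added here and is not BunkerWeb's own code. It implements the Public Suffix List matching rules (longest matching rule wins, `*` matches one label, `!` exception rules take precedence, unlisted TLDs are their own suffix) over a small constructed excerpt of public_suffix_list.dat, derives the registrable domain, and builds the wildcard identifier set anchored there instead of at the last two labels. Function names (`public_suffix`, `registrable_domain`, `wildcard_identifiers`, `naive_wildcard_identifiers`) and the PSL excerpt are assumptions for illustration; a real deployment should load the full list from the URL in the comment above.

```python
"""Added example (not BunkerWeb code): pick a wildcard base using Public Suffix
List rules so that names like helpquick.co.uk never yield *.co.uk."""

# Constructed excerpt of public_suffix_list.dat, embedded so this runs offline.
PSL_EXCERPT = """
// constructed excerpt for the example
com
uk
co.uk
org.uk
me.uk
ltd.uk
*.ck
!www.ck
"""


def parse_psl(text):
    """Return the rule strings, dropping blank lines and // comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _labels(domain):
    return domain.lower().rstrip(".").split(".")


def public_suffix(domain, rules):
    """Public suffix of `domain` per the PSL algorithm: rules match label by
    label from the right, '*' matches any single label, the longest match
    wins, an exception rule ('!') overrides and drops its leftmost label,
    and with no match at all the TLD itself is the public suffix."""
    labels = _labels(domain)
    best_len = 0
    exception = None
    for rule in rules:
        is_exc = rule.startswith("!")
        rl = (rule[1:] if is_exc else rule).split(".")
        if len(rl) > len(labels):
            continue
        if all(a == "*" or a == b for a, b in zip(rl[::-1], labels[::-1])):
            if is_exc:
                exception = rl
            elif len(rl) > best_len:
                best_len = len(rl)
    if exception is not None:
        suffix_len = len(exception) - 1
    elif best_len:
        suffix_len = best_len
    else:
        suffix_len = 1
    return ".".join(labels[-suffix_len:])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None when the name is itself a suffix."""
    labels = _labels(domain)
    n = len(public_suffix(domain, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def naive_wildcard_identifiers(server_name):
    """The behaviour reported in the issue: base = last two labels."""
    bases = {".".join(_labels(n)[-2:]) for n in server_name.split()}
    return [i for b in sorted(bases) for i in (f"*.{b}", b)]


def wildcard_identifiers(server_name, rules):
    """Same grouping, but anchored at the registrable domain; refuses names
    that are public suffixes since no CA will issue a wildcard for them."""
    bases = set()
    for name in server_name.split():
        rd = registrable_domain(name, rules)
        if rd is None:
            raise ValueError(f"{name!r} is a public suffix; no wildcard possible")
        bases.add(rd)
    return [i for b in sorted(bases) for i in (f"*.{b}", b)]


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    svc = "helpquick.co.uk www.helpquick.co.uk"
    print("naive:", naive_wildcard_identifiers(svc))
    print("psl-aware:", wildcard_identifiers(svc, rules))
```

For the server name from the issue the naive grouping yields `*.co.uk,co.uk` (exactly the identifiers in the log), while the PSL-aware version yields `*.helpquick.co.uk,helpquick.co.uk`; for a plain `.com` name both agree, which is why the bug only surfaces under multi-label public suffixes. The list at publicsuffix.org changes over time, so whichever component performs this check should refresh its copy rather than ship a frozen one.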
