
dns-01: some CAs may return the same challenge token for several authorizations #2821

@go-goll

Description

Welcome

  • Yes, I've searched for similar issues on GitHub and didn't find any.

How do you use lego?

Library

Effective version of lego

latest

Detailed Description

Problem

When requesting both a base domain and wildcard domain simultaneously (e.g., example.com and *.example.com), some CAs (like LiteSSL) may return the same challenge token for both authorizations.

Since both authorizations have the same Identifier.Value (example.com) and the same Token, they would require setting identical TXT records at _acme-challenge.example.com.

This causes issues because:

  1. Many DNS providers fail when trying to create a duplicate TXT record, or
  2. the second Present() call overwrites the first one.

Expected Behavior

The solver should detect duplicate challenges (same Identifier.Value + Token) and skip redundant PreSolve and CleanUp calls.

Proposed Solution

Add deduplication logic in challenge/resolver/prober.go to track presented challenges and skip duplicates in both parallelSolve and sequentialSolve functions.

I have a working implementation ready to submit as a PR once this issue is approved.
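The deduplication the issue proposes, as an added illustration that is not lego's own code and not the reporter's PR: challenges are keyed on (Identifier.Value, Token), which is exactly what determines the TXT record name and value for DNS-01 (RFC 8555 §8.4), so two authorizations with the same pair would otherwise produce an identical `_acme-challenge` record twice. The `Authz` type, the constructed sample tokens and the `thumb-placeholder` thumbprint are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Authz is a constructed stand-in for the ACME authorization fields that
// matter for DNS-01. A wildcard *.example.com authorization also carries
// the identifier value "example.com", which is why the collision occurs.
type Authz struct {
	Identifier string
	Token      string
}

// TxtRecordValue computes the DNS-01 record value:
// base64url(SHA-256(token "." accountKeyThumbprint)) with no padding.
// Same token and same account key always yield the same TXT value.
func TxtRecordValue(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// DedupeChallenges keeps the first authorization for each
// (identifier, token) pair and drops later repeats, so Present() and
// CleanUp() run once per distinct TXT record. Input order is preserved.
func DedupeChallenges(authzs []Authz) []Authz {
	type key struct{ id, token string }
	seen := make(map[key]bool, len(authzs))
	out := make([]Authz, 0, len(authzs))
	for _, a := range authzs {
		k := key{a.Identifier, a.Token}
		if seen[k] {
			continue // identical record already scheduled; skip it
		}
		seen[k] = true
		out = append(out, a)
	}
	return out
}

func main() {
	// Constructed sample: the CA issued one token for both example.com
	// and *.example.com, plus an unrelated authorization.
	authzs := []Authz{
		{Identifier: "example.com", Token: "tok-shared"},
		{Identifier: "example.com", Token: "tok-shared"},
		{Identifier: "other.example", Token: "tok-other"},
	}
	for _, a := range DedupeChallenges(authzs) {
		fmt.Printf("_acme-challenge.%s TXT %s\n", a.Identifier, TxtRecordValue(a.Token, "thumb-placeholder"))
	}
}
```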
