
[Aliyun] third-level domain name wildcard verification failed InvalidDomainName.NoExist #2537

Closed
LEIRONGHUA opened this issue Mar 4, 2024 · 5 comments

@LEIRONGHUA

Describe the bug
Wildcard certificate verification for a third-level domain name failed with Alibaba Cloud error code InvalidDomainName.NoExist.
The correct domain name is example.com, but the domain name passed as the DNS API parameter is api.cjh.example.com.

To Reproduce

A simple Windows ACMEv2 client (WACS)
Software version 2.2.8.1635 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (5 total)
O: More options...
Q: Quit

Please choose from the menu: N

Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma-separated) to filter by those
sites, or alternatively leave the input empty to scan *all* websites.

4: Example.AuthServer (3 bindings)
3: Example.HttpApi (2 bindings)
2: Example.Web (3 bindings)

Site identifier(s) or <Enter> to choose all: 3

1: api.cjh.example.com (Site 3)
2: *.api.cjh.example.com (Site 3)

Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.

P: Pick bindings based on a search pattern
A: Pick *all* bindings

Binding identifiers(s) or menu option: A

1: api.cjh.example.com
2: *.api.cjh.example.com

Please pick the main host, which will be presented as the subject of the certificate: 2

1: api.cjh.example.com (Site 3)
2: *.api.cjh.example.com (Site 3)

Continue with this selection? (y*/n) - yes

Source generated using plugin IIS: *.api.cjh.example.com and 1 alternatives
Validation plugin SelfHosting not available: HTTP validation cannot be used for wildcard identifiers (e.g. *.example.com)
Validation plugin FileSystem not available: HTTP validation cannot be used for wildcard identifiers (e.g. *.example.com)

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard identifiers the latter is the only option.
Various additional plugins are available from
https://github.com/win-acme/win-acme/.

1: [http] Save verification files on (network) path
2: [http] Serve verification files from memory
3: [http] Upload verification files via FTP(S)
4: [http] Upload verification files via SSH-FTP
5: [http] Upload verification files via WebDav
6: [dns] Create verification records in ALiYun DNS
7: [dns] Create verification records manually (auto-renew not possible)
8: [dns] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
9: [dns] Create verification records with your own script
10: [tls-alpn] Answer TLS verification request from win-acme
<Enter>: Abort

How would you like prove ownership for the domain(s)?: 6

Description:         DNS Server Domain Name
                    Refer: https://api.aliyun.com/product/Alidns
Argument:            dns.aliyuncs.com (press <Enter> to use this)

ALiYun Domain Server: <Enter>

Description:         API ID for ALiYun.

1: Type/paste in console
2: Search in vault

Choose from the menu: 2

1: vault://json/api
2: vault://json/key
<Enter>: Cancel

Which vault secret do you want to use?: 1

Description:         API Secret for ALiYun.

1: Type/paste in console
2: Search in vault

Choose from the menu: 2

1: vault://json/api
2: vault://json/key
<Enter>: Cancel

Which vault secret do you want to use?: 2

Plugin IIS generated source *.api.cjh.example.com with 2 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
No challenge of type dns-01 available
[api.cjh.example.com] Cached authorization result: valid
[*.api.cjh.example.com] Authorizing...
[*.api.cjh.example.com] Authorizing using dns-01 validation (ALiYun)
code: 400, The specified domain name does not exist. Refresh the page and try again. request id: 14E5C602-B130-5127-9E0E-BBC27F84AEE5
Unable to add ALiYunDNS record: code: 400, The specified domain name does not exist. Refresh the page and try again. request id: 14E5C602-B130-5127-9E0E-BBC27F84AEE5
[*.api.cjh.example.com] Error preparing for challenge answer
[*.api.cjh.example.com] Deactivating pending authorization

Create certificate failed, retry? (y/n*)

Log

2024-03-04 18:32:20.504 +08:00 [DBG] [*.api.cjh.example.com] Attempting to create DNS record under _acme-challenge.api.cjh.example.com...
2024-03-04 18:32:20.899 +08:00 [ERR] Unable to add ALiYunDNS record: code: 400, The specified domain name does not exist. Refresh the page and try again. request id: 14E5C602-B130-5127-9E0E-BBC27F84AEE5
2024-03-04 18:32:20.899 +08:00 [DBG] [*.api.cjh.example.com] Failed to create record under _acme-challenge.api.cjh.example.com
2024-03-04 18:32:20.919 +08:00 [ERR] [*.api.cjh.example.com] Error preparing for challenge answer
System.Exception: [*.api.cjh.example.com] Unable to prepare for challenge answer
   at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation`1.PrepareChallenge(ValidationContext context, Dns01ChallengeValidationDetails challenge)
   at PKISharp.WACS.Plugins.ValidationPlugins.Validation`1.PrepareChallenge(ValidationContext context)
   at PKISharp.WACS.RenewalValidator.Prepare(ValidationContext context, RunLevel runLevel)
2024-03-04 18:32:20.920 +08:00 [VRB] Starting post-validation cleanup
2024-03-04 18:32:20.921 +08:00 [DBG] DNS record cleanup finalized
2024-03-04 18:32:20.921 +08:00 [VRB] Post-validation cleanup was succesful
2024-03-04 18:32:20.923 +08:00 [INF] [*.api.cjh.example.com] Deactivating pending authorization

Platform:

  • OS: Windows Server 2022 Datacenter 21H2
  • Version: 2.2.8.1635.x64.pluggable

Additional context
Aliyun AccessKey audit log:
Event Name: DescribeDomainRecords
Event Last Time: 2024-03-04 18:32:20
Event Details:

{
  "acsRegion": "cn-hangzhou",
  "additionalEventData": {
    "CallerBid": "26842"
  },
  "apiVersion": "2015-01-09",
  "errorCode": "InvalidDomainName.NoExist",
  "errorMessage": "The specified domain name does not exist. Refresh the page and try again.",
  "eventCategory": "Management",
  "eventId": "14E5C602-B130-5127-9E0E-BBC27F84AEE5",
  "eventName": "DescribeDomainRecords", // event name
  "eventRW": "Read",
  "eventSource": "dns.aliyuncs.com",
  "eventTime": "2024-03-04T10:32:20Z",
  "eventType": "ApiCall",
  "eventVersion": "1",
  "recipientAccountId": "xxxx",
  "requestId": "14E5C602-B130-5127-9E0E-BBC27F84AEE5",
  "requestParameters": {
    "ClientPort": 64826,
    "X-Acs-Public-Access": true,
    "AcsProduct": "Alidns",
    "DomainName": "api.cjh.example.com"
  },
  "serviceName": "Alidns", // service name
  "sourceIpAddress": "8.8.8.8", // source IP address
  "userAgent": "Alibaba Cloud (Microsoft Windows NT 10.0.20348.0) RuntimeNotFound Core/0.1.14.0 TeaDSL/1",
  "userIdentity": {
    "accessKeyId": "xxxx",
    "accountId": "xxxx", // account ID
    "principalId": "xxxx",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2024-03-04T10:32:20Z"
      }
    },
    "type": "root-account", // Alibaba Cloud root account
    "userName": "root"
  }
}
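As an added illustration (not win-acme's own code, and not the fix shipped in #2538), the Python below shows the zone lookup a DNS validation plugin needs: walk the labels of the challenge record name until one matches a zone the account actually hosts, instead of treating the host name minus its first label as the zone, which is what produced DomainName api.cjh.example.com in the audit log above. The hosted-zone list is assumed to come from the provider's domain-listing API; here it is a constructed sample.

```python
# Added illustration, not win-acme's code: map an ACME challenge record name
# onto an Alidns zone ("DomainName") and record name ("RR").
from typing import Iterable, Tuple


def split_zone(record_fqdn: str, hosted_zones: Iterable[str]) -> Tuple[str, str]:
    """Return (DomainName, RR) for record_fqdn given the zones the account hosts.

    hosted_zones is assumed to be the zone names the DNS account manages
    (e.g. from the provider's domain-listing API). The longest matching
    suffix wins, so a delegated sub-zone is preferred over its parent.
    """
    zones = {z.strip().rstrip(".").lower() for z in hosted_zones}
    name = record_fqdn.strip().rstrip(".").lower()
    labels = name.split(".")
    # Longest candidate first: "a.b.c.example.com", then "b.c.example.com", ...
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            rr = ".".join(labels[:i]) or "@"  # "@" denotes the zone apex
            return candidate, rr
    raise LookupError(f"no hosted zone found for {record_fqdn!r}")


def naive_split(record_fqdn: str) -> Tuple[str, str]:
    """The failing behaviour reported in the issue: drop only the leftmost label.

    For _acme-challenge.api.cjh.example.com this yields DomainName
    api.cjh.example.com, which Alidns rejects with InvalidDomainName.NoExist
    because that name is a host inside the zone, not a zone itself.
    """
    rr, _, domain = record_fqdn.rstrip(".").partition(".")
    return domain, rr


if __name__ == "__main__":
    # Constructed sample: the account hosts only the registrable zone.
    zones = ["example.com"]
    challenge = "_acme-challenge.api.cjh.example.com"
    print(naive_split(challenge))        # ('api.cjh.example.com', '_acme-challenge')
    print(split_zone(challenge, zones))  # ('example.com', '_acme-challenge.api.cjh')
```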
@zgcwkj
Contributor

zgcwkj commented Mar 4, 2024

The issue has been received and will be resolved later by submitting a PR.

@WouterTinus WouterTinus added this to the 2.2.8 milestone Mar 6, 2024
@WouterTinus WouterTinus changed the title plugin.validation.dns.aliyun Third-level domain name wildcard certificate verification failed InvalidDomainName.NoExist [Aliyun] third-level domain name wildcard verification failed InvalidDomainName.NoExist Mar 6, 2024
@flyspirit99

I have the same issue.

@zgcwkj
Contributor

zgcwkj commented Apr 5, 2024

I have the same issue.

It's fixed, you can try the output file below!
#2538 : https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49387500/artifacts

@flyspirit99

I have the same issue.

It's fixed, you can try the output file below! #2538 : https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49387500/artifacts

Tried and it works. Thank you!

@WouterTinus WouterTinus modified the milestones: 2.2.8, 2.2.9 May 3, 2024
@WouterTinus
Member

This has been released in 2.2.9
