Update dns api to support v2 wildcard cert #1261
Comments
@wpk- Please update the rm function of dns_ad hook. |
@baiyangliu please support the rm function for dns_ali hook. |
@martgras please make sure dns_azure hook works in this way. |
@boyanpeychev please update dns_cloudns hook |
@boyanpeychev accepted, please go ahead. |
@pho3nixf1re please update dns_dnsimple hook |
@dkerr64 please update dns_freedns.sh |
@fcrozat please update dns_gandi_livedns.sh |
@justmwa please update dns_me.sh |
@justmwa please also update dns_nsone.sh |
@magna-z please update dns_pdns.sh |
@Aarup please update dns_unoeuro.sh |
aws work. Thanks a lot |
I don't think any changes are needed but will double check next week when I'm back
|
@martgras thank you. |
no changes needed for dns_cloudns.sh |
@boyanpeychev There is an updating logic in the dns_cloudns_add() function. Please make sure this case is passing: acme.sh --issue --test -d example.com -d *.example.com |
Works as is because there's only one TXT sent from what I can see in the logs. And since LE accepts it, did they change their mind about the double TXT record? |
Message to those who think it works "as is", try with a subdomain ;) (unless it's not officially supported?) |
@justmwa no, never. acme.sh --issue -d sub.domain.com -d *.sub.domain.com |
Fixed the Azure hook only 1 DNS record was added: #1287 |
@Neilpang, yes, it is tested with a completely new domain and sub-domain for Let's Encrypt and it works both for the root domain name and with a sub-domain. The records are added successfully. However, I do see one problem not related to the cloudns.net api - sometimes the given token is not accepted by Let's Encrypt, even though it is resolved absolutely properly. Here is an example log: The TXT record requested to be added has the token: GUFN5HSXlmothHwsZWbCZW-SfgCaQYCTTB874fZ6Ijw |
I don't understand the cloudns api well enough, but I suspect you ran into the same problem I had with Azure in #1287, therefore the validation failed. Basically I have to use a JSON body like this for the Azure DNS REST API call:

    {
      "properties": {
        "TTL": 10,
        "TXTRecords": [
          { "value": ["DyLeOblvCb1I9DqZ2BlB0fdQYsA3or4WVdZN139KaHg"] },
          { "value": ["GUFN5HSXlmothHwsZWbCZW-SfgCaQYCTTB874fZ6Ijw"] }
        ]
      }
    }

You should see something like this when checking with dig:
|
Thanks for the hint. Fixed. Pull request submitted. |
@boyanpeychev It's not enough yet.
But the |
@Neilpang the same is true for Azure but why does it matter? first call to dns_azure_rm : second call: so yes the first call removes the record already but I don't see the problem with this approach |
@martgras Yes, it doesn't matter if it's only you that use the domain to verify the cert. So, it's strongly recommended that you only remove the txt record added by you. |
Using Gandi for a domain.tld & *.domain.tld cert. It works, but I have to launch acme.sh two times in a "quick" burst: it fails the first time and passes the second time. Same with the renewal cron job. |
same for us @saymonz using GandLiveDNS, it randomly fails, running it a second time "fixes" it. |
I ran into a similar problem with FreeDNS and had to code around it. Not sure if you are running into exactly the same reasons for the "required twice" but see comment in the code for dns_freedns.sh around line 59... https://github.com/Neilpang/acme.sh/blob/c31db83b26afa1468aa00aafd63c64f2c410811d/dnsapi/dns_freedns.sh#L59-L63 David |
Gandi supports setting multiple entries by setting multiple array items for the rrset_values field in their API. Modify the dns_gandi_livedns.sh script so that it checks for existing entries, appends new ones if needed, and removes existing ones individually. This enabled wildcard certificate support on Gandi. Fixes the dns_gandi_livedns part of acmesh-official#1261. Tested for creating a multidomain, multiple wild-card certificate on Gandi and using a test script executing only the dns_gandi_livedns_add and dns_gandi_livedns_rm functions.
after the merge in 83a0407. |
Hi there! I am using https://dyn.com/ They support In a nutshell: In the I wonder if acme gurus could properly implement the feature allowing adding several |
I'm trying to get a wildcard certificate using dns_pdns
But as the dns server only shows one value I assume that dns_pdns is not ready for v2 wildcard certs. First post in this report shows dns_pdns not as fixed yet. output of acme.sh sez that the token is "not valid yet" and acme.sh waits for 10s to repeat the check and fails again (in a loop)
But according to the pdns server at least one record for _acme-challenge.REDACTED.ch does exist |
Did some more digging in the dns_pdns code. It seems to me that the script cannot get the list of already existing challenges as the pdns api uri only gives back a "500 Internal server error"
Any pdns user here who can verify if that URI still works or not? I'm using pdns server 4.1.8 |
dns_pdns is finally working fine. It was never an acme problem but one with the pdns server. We use the mysql backend for pdns and our frontend application inserts TXT records like this @Neilpang |
@jahlives Thanks. |
after merging #2852. |
The IONOS DNS API is in beta state, please read [1] on how to get started. PLEASE NOTE: The v2 wildcard certification creation [2] is not yet supported as the IONOS API doesn't allow the creation of multiple TXT records with the same domain name. [1] https://beta.developer.hosting.ionos.de/docs/getstarted [2] acmesh-official#1261
|
The same issue with dns_nsone (acme.sh --issue --test -d example.com -d *.example.com got an error trying to create an existing value instead of adding a key to it) |
To support v2 wildcard certs, we need to add 2 txt records for the same domain.
for example:
In many dns api hooks, in the dns_xx_add() function, they try to UPDATE the existing txt record instead of ADDING a new record. This was a good practice for ACME v1, but it's not good in ACME v2.
In ACME v2, we just need to add a new txt record all the time in the dns_xx_add() function, and in the dns_xx_rm() function we must delete the txt record according to the specified txt value.
Test example:
acme.sh --issue --test -d example.com -d *.example.com
Please make sure this works, and the 2 txt records are removed after the cert is issued.
See my changes:
ea25492#diff-51fe23dd1a90a481487dbca5b9c3ae24
72f54ca#diff-d48ca70b90232acffb2b5b9d1ec2938a
584fb29#diff-f272833bc0ccf326ea343539e829f1d3
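The rule the issue asks every hook to follow (dns_xx_add() always appends, dns_xx_rm() deletes only the value it was given) is the same "append to the existing set" behaviour martgras describes for the Azure TXTRecords body and the Gandi commit describes for rrset_values. The script below is an added example, not acme.sh code and not any provider's API: the "DNS provider" is a constructed tab-separated file, the dns_fake_* and dns_v1_update function names are assumptions, and the token strings are placeholders. It runs the v2 flow next to the v1-style "update" habit so the difference in surviving records is visible.

```sh
#!/bin/sh
# Added example (not acme.sh code): a hook pair that follows the ACME v2 rule
# from this issue. The provider is simulated by a file with one
# "name<TAB>value" line per TXT record (assumption: a temp file stands in
# for the provider's API).
ZONE_DB="${ZONE_DB:-$(mktemp)}"

# List the TXT values currently published for a name
# (roughly what `dig TXT <name>` would return).
dns_fake_list() {
  awk -F '\t' -v n="$1" '$1 == n { print $2 }' "$ZONE_DB"
}

# Number of TXT values for a name; used by the flows below.
dns_fake_count() {
  dns_fake_list "$1" | wc -l | tr -d ' '
}

# ACME v2 add: append, never replace. Values already present for the same
# name (the other domain's challenge) are left alone.
dns_fake_add() {
  fulldomain="$1"
  txtvalue="$2"
  # Retry guard: do not publish an identical value twice.
  if dns_fake_list "$fulldomain" | grep -qxF -- "$txtvalue"; then
    return 0
  fi
  printf '%s\t%s\n' "$fulldomain" "$txtvalue" >> "$ZONE_DB"
}

# ACME v2 rm: delete only the record whose value matches the one acme.sh
# passes in; sibling values for the same name survive.
dns_fake_rm() {
  fulldomain="$1"
  txtvalue="$2"
  tmp="$ZONE_DB.tmp"
  awk -F '\t' -v n="$fulldomain" -v v="$txtvalue" '!($1 == n && $2 == v)' \
    "$ZONE_DB" > "$tmp"
  mv "$tmp" "$ZONE_DB"
}

# The ACME v1 habit the issue warns about: overwrite the single existing
# record for the name instead of adding a second one.
dns_v1_update() {
  fulldomain="$1"
  txtvalue="$2"
  tmp="$ZONE_DB.tmp"
  awk -F '\t' -v n="$fulldomain" '$1 != n' "$ZONE_DB" > "$tmp"
  mv "$tmp" "$ZONE_DB"
  printf '%s\t%s\n' "$fulldomain" "$txtvalue" >> "$ZONE_DB"
}

# Simulates: acme.sh --issue -d example.com -d *.example.com
# Both names are validated at _acme-challenge.example.com, so two values
# must coexist until both challenges are done. Prints the record count
# after the two adds, after the first rm and after the second rm.
wildcard_flow() {
  : > "$ZONE_DB"
  name="_acme-challenge.example.com"
  tok1="TOKEN-FOR-example.com"       # constructed placeholder, not a real token
  tok2="TOKEN-FOR-star.example.com"  # constructed placeholder, not a real token
  dns_fake_add "$name" "$tok1"
  dns_fake_add "$name" "$tok2"
  after_add=$(dns_fake_count "$name")        # 2: both challenges published
  dns_fake_rm "$name" "$tok1"
  after_first_rm=$(dns_fake_count "$name")   # 1: tok2 still present
  dns_fake_rm "$name" "$tok2"
  after_second_rm=$(dns_fake_count "$name")  # 0: clean zone after issue
  echo "$after_add $after_first_rm $after_second_rm"
}

# Same issue run through the v1-style hook: the second "update" wipes the
# first challenge, so only one value is ever visible and one validation fails.
v1_flow() {
  : > "$ZONE_DB"
  name="_acme-challenge.example.com"
  dns_v1_update "$name" "TOKEN-FOR-example.com"
  dns_v1_update "$name" "TOKEN-FOR-star.example.com"
  dns_fake_count "$name"
}
```

Against a real provider the same check is the dig query mentioned in the thread: while acme.sh is waiting on validation, `dig TXT _acme-challenge.example.com` should list both values, and once the certificate is issued it should list none. Removing by value is also what keeps one acme.sh run from deleting a challenge that another run, or another client, published for the same name.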