DNS CNAME Delegation Bug #44

Closed
JordanPlayz158 opened this issue May 20, 2022 · 2 comments
Labels
bug Something isn't working

Comments

JordanPlayz158 commented May 20, 2022

Describe the bug
When you try to renew a domain name, it fails due to commit 6003a6f which added DNS challenge delegation. This happens because the function expects there to be one and if there isn't, it throws a plugin error and causes the challenge to fail as it either never makes the TXT challenge record or it causes the propagation time to be reduced to 0 (as the DNS challenge after the error immediately checks for the record and fails).

To Reproduce

  1. Install certbot 1.12.0(-2) (Version 1.12.0 is the version I have installed, I use debian so the exact version for debian is 1.12.0-2)
  2. Install certbot_dns_porkbun via pip by following https://pypi.org/project/certbot-dns-porkbun/
  3. Run this command with the relevant information substituted
    certbot --authenticator=dns-porkbun --dns-porkbun-credentials /path/to/porkbun/dns/api/credentials.ini -d domain.test -d "*.domain.test"

Expected behavior
If the plugin cannot find any acme-challenge delegate DNS records, don't raise an exception and just let it continue and make a record for the domain you supplied.
The command should work, renew the certificate, create the TXT record, wait for propagation seconds then check for the record, then you get the cert.

Certbot command
certbot --authenticator=dns-porkbun --dns-porkbun-credentials /path/to/porkbun/dns/api/credentials.ini -d domain.test -d "*.domain.test"

Versions (please complete the following version information):

  • certbot: 1.12.0
  • certbot_dns_porkbun: 0.3

Error message
dns.resolver.NXDOMAIN: The DNS query name does not exist: _acme-challenge.domain.test.

Fix
I was able to fix this by replacing line 123 with
return resolver.resolve(f"{domain}", 'A').canonical_name.to_text().rstrip('.')
and line 132 with
return resolver.resolve(f"{domain}", "AAAA").canonical_name.to_text().rstrip('.')
(i.e. removing the {ACME_TXT_PREFIX}. part of both)

JordanPlayz158 added the bug label May 20, 2022

infinityofspace (Owner) commented

Thanks for your error report.

[...] (i.e removing the {ACME_TXT_PREFIX}. part of both)

This solution would prevent a possible delegation of the ACME validation DNS TXT record and would correspond to the original behavior of versions v0.2x and older. Nevertheless, thanks for your effort on a fix idea.

I have been able to locate the error and am currently testing a fix.

JordanPlayz158 (Author) commented

Yeah, at the end, I said what I did at the moment as I wanted to get autorenew working, but up above I explained what I thought was a proper solution: not throwing a plugin error if not found, so if there is no delegate, it will use the domain specified. Glad you found a fix though, and I will update when you send it out. Thank you for maintaining and improving this software! <3
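
The behaviour discussed in this thread (follow a delegated `_acme-challenge` CNAME when one exists, fall back to the supplied domain when the lookup returns NXDOMAIN) is shown below as an added example; it is not the plugin's code or the maintainer's fix. The function names, the hop limit, the value of `ACME_TXT_PREFIX` (inferred from the error message) and the sample records are assumptions made for illustration.

```python
ACME_TXT_PREFIX = "_acme-challenge"  # assumed value, from the error message above

class DelegationLoop(Exception):
    """The CNAME chain repeats or exceeds the hop limit."""

def dnspython_cname_lookup(name):
    """Live lookup via dnspython: CNAME target, or None if not delegated."""
    import dns.resolver  # lazy import; only needed for real queries
    try:
        answer = dns.resolver.resolve(name, "CNAME")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None  # no delegation is a normal case, not a plugin error
    return answer[0].target.to_text().rstrip(".")

def challenge_record_name(domain, lookup=dnspython_cname_lookup, max_hops=8):
    """Return the name at which the TXT challenge record must be created."""
    # DNS-01 validates a wildcard at the base domain's challenge name.
    base = domain[2:] if domain.startswith("*.") else domain
    name = f"{ACME_TXT_PREFIX}.{base}".rstrip(".").lower()
    seen = {name}
    for _ in range(max_hops):
        target = lookup(name)
        if target is None:
            return name  # end of chain (or no delegation at all)
        name = target.rstrip(".").lower()
        if name in seen:
            raise DelegationLoop(f"CNAME loop at {name}")
        seen.add(name)
    raise DelegationLoop(f"more than {max_hops} CNAME hops for {domain}")

# Constructed zone data for an offline run; not real records.
SAMPLE_CNAMES = {
    "_acme-challenge.delegated.test": "_acme-challenge.validation.example.",
    "_acme-challenge.loop.test": "hop.loop.test.",
    "hop.loop.test": "_acme-challenge.loop.test.",
}

def sample_lookup(name):
    return SAMPLE_CNAMES.get(name)

if __name__ == "__main__":
    for d in ("domain.test", "*.domain.test", "delegated.test"):
        print(d, "->", challenge_record_name(d, sample_lookup))
```

Resolver failures other than NXDOMAIN and NoAnswer (timeouts, no reachable nameservers) are left to propagate, so a transient DNS outage is not mistaken for "no delegation".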
