acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Azure DNS record created in subdomain rather than root domain #1847

Open amino-backup opened 6 years ago

amino-backup commented 6 years ago

I have installed acme.sh on an Ubuntu 18.04 VM in Azure. I have configured the Tenant ID, Subscription ID, App ID and Secret. Our DNS is hosted by Azure. We have a bunch of domains, plus some subdomains, totalling 72 zones.

My aim is to create a certificate for server.example.com. What's happening is the TXT record is being created as server.subdomain.example.com, so the verification is failing.

My guess is that the code is just getting the first zone it finds that matches example.com and creating the record there rather than checking to see if it's actually the right zone.

Steps to reproduce

/opt/acme.sh/acme.sh --issue --dns dns_azure --dnssleep 10 --force -d server.example.com --staging

Debug log

In the log I see:

[Tue Sep 18 08:25:18 UTC 2018] Checking domain: _acme-challenge.server.example.com
[Tue Sep 18 08:25:18 UTC 2018] Checking domain: server.example.com
[Tue Sep 18 08:25:18 UTC 2018] Checking domain: example.com
[Tue Sep 18 08:25:18 UTC 2018] _domain_id='/subscriptions/<subscription ID>/resourceGroups/<Group Name>/providers/Microsoft.Network/dnszones/subdomain.example.com'
[Tue Sep 18 08:25:18 UTC 2018] _sub_domain='_acme-challenge.server'
[Tue Sep 18 08:25:18 UTC 2018] _domain='example.com'
[Tue Sep 18 08:25:18 UTC 2018] https://management.azure.com/subscriptions/<subscription ID>/resourceGroups/<Group Name>/providers/Microsoft.Network/dnszones/subdomain.example.com/TXT/_acme-challenge.server?api-version=2017-09-01
[Tue Sep 18 08:25:18 UTC 2018] https://management.azure.com/subscriptions/<subscription ID>/resourceGroups/<Group Name>/providers/Microsoft.Network/dnszones/subdomain.example.com/TXT/_acme-challenge.server?api-version=2017-09-01
[Tue Sep 18 08:25:18 UTC 2018] GET
[Tue Sep 18 08:25:18 UTC 2018] url='https://management.azure.com/subscriptions/<subscription ID>/resourceGroups/<Group Name>/providers/Microsoft.Network/dnszones/subdomain.example.com/TXT/_acme-challenge.server?api-version=2017-09-01'
[Tue Sep 18 08:25:18 UTC 2018] timeout=
[Tue Sep 18 08:25:18 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Sep 18 08:25:18 UTC 2018] ret='0'
[Tue Sep 18 08:25:18 UTC 2018] response {"code":"NotFound","message":"The resource record '_acme-challenge.server' does not exist in resource group '<Group Name>' of subscription '<subscription ID>'."}='[hidden](please add '--output-insecure' to see this value)'
[Tue Sep 18 08:25:18 UTC 2018] http response code 404
[Tue Sep 18 08:25:19 UTC 2018] response {"id":"\/subscriptions\/<subscription ID>\/resourceGroups\/<Group Name>\/providers\/Microsoft.Network\/dnszones\/subdomain.example.com\/TXT\/_acme-challenge.server","name":"_acme-challenge.server","type":"Microsoft.Network\/dnszones\/TXT","etag":"<subscription ID>","properties":{"metadata":{"acmetscheck":"1537259118"},"fqdn":"_acme-challenge.server.subdomain.example.com.","TTL":10,"TXTRecords":[{"value":["<DNS Value>"]}]}}='[hidden](please add '--output-insecure' to see this value)'
[Tue Sep 18 08:25:19 UTC 2018] http response code 201
[Tue Sep 18 08:25:19 UTC 2018] validation value added
[Tue Sep 18 08:25:19 UTC 2018] Sleep 10 seconds for the txt records to take effect
[Tue Sep 18 08:25:30 UTC 2018] ok, let's start to verify
[Tue Sep 18 08:25:30 UTC 2018] Verifying:server.example.com
[Tue Sep 18 08:25:30 UTC 2018] d='server.example.com'

[Tue Sep 18 08:25:33 UTC 2018] response='{"type":"dns-01","status":"invalid","error":{"type":"urn:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server.example.com","status": 400},
"uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/<snip>/<snip>","token":"<Token>",
"keyAuthorization":"<snip>"}'
[Tue Sep 18 08:25:33 UTC 2018] error='"error":{"type":"urn:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server.example.com","status": 400'
[Tue Sep 18 08:25:33 UTC 2018] errordetail='DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server.example.com'
[Tue Sep 18 08:25:33 UTC 2018] server.example.com:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server.example.com

The logs have been snipped a bit for brevity, but you can see that it's a bit all over the place when it comes to figuring out where the TXT record should be created.

peterschen commented 6 years ago

+1

Once more than one sub-zone was created, always the first is taken. My root is peterschen.de and I have a zone called a.peterschen.de. Validation records that do not have their own zone (e.g. www.peterschen.de, which is simply a CNAME) are created in the first available zone (a.peterschen.de) and not the root (peterschen.de).

peterschen commented 6 years ago

Until the root cause is fixed there is a workaround available. You can use DNS alias mode in acme.sh to write the validation record to a different domain/zone.
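The two behaviours discussed in this thread, the wrong-zone selection from the original report and the DNS alias workaround from the last comment, as an added illustration in POSIX shell. This is not code from acme.sh or its dns_azure hook; the zone list, domain names and function names are constructed for the example. The debug log above shows acme.sh walking the candidate domains from most specific to least specific (`_acme-challenge.server.example.com`, `server.example.com`, `example.com`); the example contrasts accepting the first zone whose name merely contains the candidate with requiring an exact match, and shows which record name alias mode makes the client write instead.

```shell
#!/bin/sh
# Added illustration, not acme.sh code. Shows (a) the failure mode from the
# issue: a loose match of a candidate parent domain against the hosted zones
# picks a sub-zone such as subdomain.example.com, (b) an exact,
# most-specific-first match that picks the right zone, and (c) the record name
# written in DNS alias mode (acme.sh --challenge-alias).

# Constructed zone list, standing in for what the DNS provider's API reports.
ZONES="subdomain.example.com
example.com
a.peterschen.de
peterschen.de
validation.example.net"

# Strip the leftmost label: a.b.c -> b.c; a single label -> empty string.
parent_of() {
  case $1 in
    *.*) printf '%s\n' "${1#*.}" ;;
    *)   printf '\n' ;;
  esac
}

# Loose match (the bug as reported): walk the candidates and accept the first
# zone whose name merely *contains* the candidate.
find_zone_loose() {
  d=$1
  while [ -n "$d" ]; do
    if m=$(printf '%s\n' "$ZONES" | grep -F -- "$d" | head -n 1) && [ -n "$m" ]; then
      printf '%s\n' "$m"
      return 0
    fi
    d=$(parent_of "$d")
  done
  return 1
}

# Exact match: same walk, but the candidate must equal a zone name exactly
# (-x whole line, -F fixed string). The first hit is the most specific zone.
find_zone_exact() {
  d=$1
  while [ -n "$d" ]; do
    if m=$(printf '%s\n' "$ZONES" | grep -Fx -- "$d"); then
      printf '%s\n' "$m"
      return 0
    fi
    d=$(parent_of "$d")
  done
  return 1
}

# Split a record FQDN into "zone|relative-name", the shape a provider API needs.
split_record() {
  zone=$(find_zone_exact "$1") || return 1
  printf '%s|%s\n' "$zone" "${1%.$zone}"
}

# DNS alias mode: with `--challenge-alias ALIAS` the TXT record is written at
# _acme-challenge.ALIAS, and _acme-challenge.<domain> must be a CNAME pointing
# there, so only the alias zone needs API write access.
challenge_record() {
  domain=$1; alias=$2
  if [ -n "$alias" ]; then
    printf '%s\n' "_acme-challenge.$alias"
  else
    printf '%s\n' "_acme-challenge.$domain"
  fi
}

# Demo run over the two names from the thread.
for f in _acme-challenge.server.example.com _acme-challenge.www.peterschen.de; do
  printf 'loose: %s -> %s\n' "$f" "$(find_zone_loose "$f")"
  printf 'exact: %s -> %s\n' "$f" "$(split_record "$f")"
done
printf 'alias: %s\n' "$(split_record "$(challenge_record www.peterschen.de validation.example.net)")"
```

The loose walk returns subdomain.example.com for `_acme-challenge.server.example.com` and a.peterschen.de for `_acme-challenge.www.peterschen.de`, exactly the misplacement both reporters describe; the exact walk returns example.com and peterschen.de. Two things follow for a practitioner: validation fails closed here only because the authoritative server answers NXDOMAIN for the real name, and credentials scoped to a whole subscription or resource group let the client write into every zone there, so a mis-selected zone is a silent correctness bug rather than a permission error. Alias mode narrows both: the client only ever writes `_acme-challenge.<alias>`, so its credentials can be restricted to that one zone.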