Open scheying opened 5 years ago
One Alias per domain WORKS
Yes, if you have different alias for different domains, this is the only correct way.
I think at least an option to automatically follow CNAMEs to get the validation
Yes, I agree that this would be cool, but it will need a dependency on the dig or nslookup command, etc. acme.sh is a POSIX-compatible shell script, crossing platforms like: BSD, Linux, Solaris, Mac and even Windows. It will be a lot of work to support all the platforms.
Thank you for your reply, Neil (and for making acme.sh!). I modified our scripts (that use acme.sh) to use the "one alias per domain" scheme but I still got verification errors. When debugging I came to the conclusion that domains that are skipped because they are already verified (line 3776) do not increase _alias_index. I added that and now it works. Should I open a PR for that or is that either too easy or not as easy as I think?
@scheying Yes, please send me your PR.
Thanks.
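The index drift described in the comment above, as an added example that is not acme.sh code and not part of the original thread: a simplified model that pairs each domain with an alias by position, with and without advancing the index for already-verified domains. The function names, the `buggy`/`fixed` modes and the `.example` domains are constructed for illustration.

```shell
#!/bin/sh
# Simplified model (hypothetical names, not acme.sh internals).

# nth_field LIST N: print the N-th (1-based) comma-separated field of LIST.
nth_field() {
  printf '%s\n' "$1" | cut -d , -f "$2"
}

# is_verified DOMAIN LIST: succeed if DOMAIN appears in the comma-separated LIST.
is_verified() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# pair_aliases DOMAINS ALIASES VERIFIED MODE
# Prints "domain=alias" for every domain that still needs validation.
#   MODE=buggy: the alias index is not advanced when a domain is skipped.
#   MODE=fixed: the alias index is advanced for every domain, skipped or not.
pair_aliases() {
  domains=$1; aliases=$2; verified=$3; mode=$4
  alias_index=1
  old_ifs=$IFS
  IFS=,
  for d in $domains; do
    IFS=$old_ifs
    if is_verified "$d" "$verified"; then
      if [ "$mode" = fixed ]; then
        alias_index=$((alias_index + 1))
      fi
      continue
    fi
    printf '%s=%s\n' "$d" "$(nth_field "$aliases" "$alias_index")"
    alias_index=$((alias_index + 1))
  done
  IFS=$old_ifs
}

# Constructed input: three domains, one alias each, the first already verified.
DOMAINS="a.example,b.example,c.example"
ALIASES="alias-a.example,alias-b.example,alias-c.example"
echo "buggy:"; pair_aliases "$DOMAINS" "$ALIASES" "a.example" buggy
echo "fixed:"; pair_aliases "$DOMAINS" "$ALIASES" "a.example" fixed
```

In the `buggy` mode every domain after a skipped one is matched with the alias of its predecessor, so the challenge record for that domain ends up under the wrong alias.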
Summary
It seems there is a problem correctly assigning domain aliases to the corresponding domains.
Steps to reproduce
For example if I do this:
I get an "Incorrect TXT record" verify error for the second domain:
Debug log
Observations
I tried several combinations and it seems to me that the following work or don't work:
Exactly one Domain for the first alias and one alias for the remaining domains WORKS ✅
One Alias per domain WORKS ✅
One alias for more than one domain in the beginning DOES NOT WORK ❌
One Alias per domain but reusing domain-alias alias-a-and-c.com DOES NOT WORK ❌
Why not use CNAMEs directly?
One could question if the whole domain alias thing is necessary at all. In almost all cases where the _acme-challenge.something.com record is a CNAME, the thing you want to update is the value of that CNAME. I think at least an option to automatically follow CNAMEs to get the validation "aliases" would be really cool :-) (Getssl seems to have done that: https://github.com/srvrco/getssl/issues/381)