acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

AWS DNS: delegated zone in the same account not found (with pull request) #4120

Open rmalchow opened 2 years ago

rmalchow commented 2 years ago

Hi,

We have a situation with the AWS DNS plugin that triggers a bug (I think) - you could probably call this a case of over-optimization.

We have two zones in the same account:

     foo.com (zone_id "A")

and

     bar.foo.com  (zone id "X")

with delegation and everything. That account has a lot of zones. If I request a certificate for

    *.bar.foo.com

the challenge record should be created in zone X ... however, because of how the iteration is done, and because "X" is not on the first pagination, it falls back to "A" ... which is on the first page, and creates the challenge record in there. But the lookup from outside follows the delegation, so acme-challenge.bar.foo.com is not answered from "A", but from "X".

I am pretty sure this is a bug, and that fixing it would not harm others, and I am trying to turn this into a PR ...

.rm
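The lookup failure described above, as an added illustration (Python, not acme.sh's own shell code; the zone pages, ids and record name are constructed): a lookup that only consults the first page of zones falls back to the parent zone, while walking every page and keeping the longest matching zone name selects the delegated zone.

```python
# Added example, not code from acme.sh. Simulates a paginated hosted-zone
# listing (like Route53 ListHostedZones) with constructed sample data:
# the parent zone foo.com is on page 1, the delegated zone bar.foo.com on page 2.
SAMPLE_PAGES = [
    [{"Id": "/hostedzone/A", "Name": "foo.com."},
     {"Id": "/hostedzone/B", "Name": "example.org."}],
    [{"Id": "/hostedzone/X", "Name": "bar.foo.com."}],
]


def candidate_zone_names(record_fqdn):
    """All ancestor names of the record, most specific first, with a trailing dot.
    '_acme-challenge.bar.foo.com' -> ['_acme-challenge.bar.foo.com.', 'bar.foo.com.',
    'foo.com.', 'com.']"""
    labels = record_fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def find_zone_first_page_only(record_fqdn, pages):
    """Fragile lookup: tries each candidate suffix against the FIRST page only.
    bar.foo.com. is not on page 1, so the loop falls through to foo.com. (zone A)
    and the challenge record would land in the parent zone."""
    first_page = pages[0] if pages else []
    for name in candidate_zone_names(record_fqdn):
        for zone in first_page:
            if zone["Name"] == name:
                return zone["Id"]
    return None


def find_zone_all_pages(record_fqdn, pages):
    """Correct lookup: scan every page and keep the most specific (longest)
    zone name that is a suffix of the record, so the delegated child zone wins
    over its parent regardless of which page it appears on."""
    candidates = set(candidate_zone_names(record_fqdn))
    best = None
    for page in pages:  # stand-in for following NextMarker across pages
        for zone in page:
            if zone["Name"] in candidates and (
                best is None or len(zone["Name"]) > len(best["Name"])
            ):
                best = zone
    return best["Id"] if best else None


if __name__ == "__main__":
    rec = "_acme-challenge.bar.foo.com"
    print("first page only:", find_zone_first_page_only(rec, SAMPLE_PAGES))
    print("all pages      :", find_zone_all_pages(rec, SAMPLE_PAGES))
```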

rmalchow commented 2 years ago

Please check this:

https://github.com/acmesh-official/acme.sh/pull/4122

rmalchow commented 2 years ago

Hi,

I have created a new merge request:

https://github.com/acmesh-official/acme.sh/pull/4124

I only tested it locally, not with GitHub Actions, but it is honestly relatively easy to see what I am doing there; I did not really introduce a lot of new code. I think this is an important bug to fix, but you're free to ignore it, of course. We had a bunch of weird behaviour with acme.sh, and we will probably phase it out for internal use.