acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

DNS Alias Mode does not work if txt record exists on main domain #5078

Open musicderp opened 5 months ago

musicderp commented 5 months ago

I am using the latest version of acme.sh and have found a bug with the dns-alias-mode logic where it will not use the dns alias if there is an existing txt record. Steps to replicate:

1. Create a CNAME record that looks like _acme-challenge.domain.com TO _acme-challenge.certissue.com
2. Create a TXT record that looks like _acme-challenge.domain.com with content xxxxxxxxxxxxxxxxxxxxxxxxxxxxx (doesn't really matter, the point is, this was another txt record that was used to generate certs manually at a different time)
3. Use acme.sh to issue a cert with this command: ./acme.sh --issue -d *.domain.com --challenge-alias certissue.com --debug 2 --server letsencrypt --dns dns_aws --dnssleep 30

You will receive an error saying that the txt record for _acme-challenge.domain.com does not match the txt record created for _acme-challenge.certissue.com because of course it doesn't. LetsEncrypt return:

{
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" found at _acme-challenge.domain.com",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/redacted",
  "token": "redacted",
  "validated": "2024-04-02T22:05:59Z"
}

Expected behavior: Because challenge-alias is specified, I expect acme.sh to ignore any txt record that may be present and use the cname record rather than picking up the txt record and attempting to use that.

I am able to provide full debug logs but would rather not as it appears that some sensitive info is exposed and it's a lot to go through and redact. The ideal scenario is that someone will attempt to replicate this and succeed, then add the logic needed to use the cname record no matter what when in dns-alias mode.
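A pre-flight check for the alias setup described in this report, added here as an example and not part of acme.sh: it follows the CNAME chain from _acme-challenge.<domain> and flags a leftover TXT record at the source name, which is the condition the report describes. It runs on a constructed record snapshot using the domain.com and certissue.com names from the report, in the "name type value" layout of `dig +noall +answer` with TTL and class stripped; feeding it live dig output is assumed to be the caller's job.

```shell
#!/bin/sh
# Constructed snapshot of the records in the report (not real DNS data).
RECORDS='_acme-challenge.domain.com CNAME _acme-challenge.certissue.com
_acme-challenge.domain.com TXT xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_acme-challenge.certissue.com TXT token-written-by-acme-sh'

# Print the values of records of type $3 owned by name $2 in snapshot $1.
lookup() {
  printf '%s\n' "$1" | awk -v n="$2" -v t="$3" '$1 == n && $2 == t { print $3 }'
}

# Follow CNAMEs from name $2 (at most 8 hops, to stop on loops) and print
# the name a validating CA would finally query for TXT.
follow_cname() {
  name=$2
  hops=0
  while [ "$hops" -lt 8 ]; do
    next=$(lookup "$1" "$name" CNAME)
    [ -n "$next" ] || break
    name=$next
    hops=$((hops + 1))
  done
  printf '%s\n' "$name"
}

# Verify alias mode for domain $2 with challenge alias $3 against snapshot $1.
# Prints OK, NO_CNAME (chain does not end at the alias name) or
# CONFLICTING_TXT (a TXT record still sits at the source name).
check_alias() {
  snap=$1
  src="_acme-challenge.$2"
  want="_acme-challenge.$3"
  target=$(follow_cname "$snap" "$src")
  if [ "$target" != "$want" ]; then
    echo NO_CNAME
  elif [ -n "$(lookup "$snap" "$src" TXT)" ]; then
    echo CONFLICTING_TXT
  else
    echo OK
  fi
}

# On the report's records the stale TXT at the source name is what gets flagged.
check_alias "$RECORDS" domain.com certissue.com   # prints CONFLICTING_TXT
```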

github-actions[bot] commented 5 months ago

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.