ctrlaltcoop / certbot-dns-hetzner

Certbot plugin enabling dns-01 challenge on the Hetzner DNS API

Can not create SAN with *.xyz.de and xyz.de #14

Closed gamma closed 1 year ago

gamma commented 3 years ago

When trying to create the challenge for a configuration with the wildcard domain and the root domain ( -d "*.xyz.de,xyz.de"), two entries are created in the DNS.

As I've learned from https://stackoverflow.com/questions/54654135/letsencrypt-certbot-rejects-dns-txt-record-for-wildcard-certificate it should be so that the same TXT entry is being used with the line separated additional token.

The generated output is as follows:

root@www /var/www # docker run --rm -v /etc/letsencrypt:/etc/letsencrypt -v /var/lib/letsencrypt:/var/lib/letsencrypt  inetsoftware/certbot-dns-hetzner certonly --email contact@xyz.de --agree-tos --authenticator dns-hetzner --dns-hetzner-credentials /etc/letsencrypt/credentials.ini --dns-hetzner-propagation-seconds=10 -d "*.xyz.de,xyz.de"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-hetzner, Installer None
Renewing an existing certificate for *.xyz.de and xyz.de
Performing the following challenges:
dns-01 challenge for xyz.de

Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain xyz.de
dns-01 challenge for xyz.de
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xyz.de
   Type:   unauthorized
   Detail: Incorrect TXT record
   "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" found at
   _acme-challenge.xyz.de

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

gamma commented 3 years ago

I did some more testing - and even implemented updating the record in a fork.

Somehow this is working already - maybe due to a longer DNS propagation time I used. Hetzner is able to create multiple entries by the same name.

Maybe we should consider incorporating the validation token when deleting an entry - otherwise we may accidentally remove the wrong one.
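
An added example (not the plugin's own code) of the cleanup behaviour this comment asks for: with "*.xyz.de,xyz.de" both challenges live at the same TXT name, so cleanup has to match on name and validation token, not name alone. The zone listing, record shape, function names and token values are constructed stand-ins for a Hetzner DNS API response, not the real API.

```python
# Added example: dns-01 cleanup for a wildcard + apex SAN. Both names
# validate at _acme-challenge.xyz.de, so two TXT records coexist there.
# Record dicts are a constructed stand-in for a DNS API listing.

from typing import Dict, List, Optional

Record = Dict[str, str]

# Constructed sample: the zone after certbot created both challenges.
# Token values are placeholders, not real ACME validations.
ZONE_RECORDS: List[Record] = [
    {"id": "r1", "type": "A", "name": "@", "value": "203.0.113.10"},
    {"id": "r2", "type": "TXT", "name": "_acme-challenge",
     "value": "TOKEN_FOR_WILDCARD_placeholder"},
    {"id": "r3", "type": "TXT", "name": "_acme-challenge",
     "value": "TOKEN_FOR_APEX_placeholder"},
]


def txt_records_at(records: List[Record], name: str) -> List[Record]:
    """All TXT records with the given zone-relative name."""
    return [r for r in records if r["type"] == "TXT" and r["name"] == name]


def challenge_satisfied(records: List[Record], name: str, expected: str) -> bool:
    """What the CA checks: the expected token is among the TXT values at name.
    Extra TXT records at the same name do not hurt; a missing one fails."""
    return any(r["value"] == expected for r in txt_records_at(records, name))


def select_by_name(records: List[Record], name: str) -> Optional[str]:
    """Naive cleanup: first TXT record at the name. Ambiguous with two."""
    matches = txt_records_at(records, name)
    return matches[0]["id"] if matches else None


def select_by_name_and_token(records: List[Record], name: str,
                             validation: str) -> Optional[str]:
    """Safe cleanup: require both the name and the validation token."""
    for r in txt_records_at(records, name):
        if r["value"] == validation:
            return r["id"]
    return None


def cleanup(records: List[Record], name: str, validation: str) -> List[Record]:
    """Return the listing with only the matching TXT record removed."""
    rid = select_by_name_and_token(records, name, validation)
    return [r for r in records if r["id"] != rid]
```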

l0rn commented 3 years ago

I set the help wanted label here, happy to accept PRs, as I am busy currently - but I might have a look at some point in the future.

l0rn commented 1 year ago

Will have a look at this one too

l0rn commented 1 year ago

I'd expect this to work with the lexicon implementation of the hetzner client. If you still run into issues, please re-open.