cybercinch / certbot-dns-directadmin

certbot plugin to allow acme dns-01 authentication of a name managed in DirectAdmin

Handling of sub-domains created on the account #3

Closed syserr0r closed 4 years ago

syserr0r commented 4 years ago

Our DA account has domains example.com and bar.example.com

When trying to get a certificate for foo.bar.example.com the DNS record is incorrectly added to example.com and not bar.example.com causing the validation to fail

syserr0r commented 4 years ago

As I run the DA server I was able to move bar.example.com into its own account, however this did not work -- it still tried to add a record to the top-level domain.

It appears the plugin does not currently support subdomains.

guisea commented 4 years ago

Thanks, it supports subdomains quite fine. What it appears you have is multilevel subdomains.

This is not handled at this time within the _get_zone_and_name method. There we try and figure out the correct DirectAdmin zone to add the records to, and this is failing to determine the correct subdomain/domain parts.

I will try and figure a way around this issue. But may take a little time to get to it.

syserr0r commented 4 years ago

I need to test, but it seems it would also fail when trying to verify bar.example.com as it would try to add a record for 'bar' to 'example.com' (it should instead add '.' or 'bar.example.com' to 'bar.example.com', as the subdomain has been delegated)

guisea commented 4 years ago

I use this currently with a configuration/many example somesub.somedomain.com and it works adding the records to somedomain.com.

Works every time, so 100% works with subdomains. I am not sure I exactly understand your use case.


guisea commented 4 years ago

New version is being pushed to PyPi - Using version 0.0.14 should resolve this issue for you @syserr0r

syserr0r commented 4 years ago

Thank-you, I'll give it a try.

I might not have explained very well -- I have the subdomain set up as its own domain in DA.

So the domains list looks like:

In this way any entries for bar.example.com that are added in example.com are ignored (because bar.example.com is delegated to a separate zone), so the entries for bar.example.com have to be made under bar.example.com to work.

I was under time constraints and we only use DA for DNS on this domain so I merged bar.example.com back into example.com.

I will try your changes out on another domain and report back.

kristianronningen commented 4 years ago

Looks like the fix for this has broken the package on at least Debian 9, both for python 2 and 3:

# python2 --version
Python 2.7.13
# PYTHONVER=2 pychecker /usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py
Processing module dns_directadmin (/usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py)...
  SyntaxError: invalid syntax (/usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py, line 133)
                directadmin_zone = "."join(ml.pop(), domain, suffix)
                                         ^

Warnings...

/usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py:1: NOT PROCESSED UNABLE TO IMPORT

and

# python3 --version
Python 3.5.3
# PYTHONVER=3 pychecker /usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py
  File "<string>", line 1
    from imp import find_module; print find_module('pychecker/checker')[1]
                                                 ^
SyntaxError: invalid syntax
Unable to find checker.py on Python's module path.

(This last one is probably not a regression though)

guisea commented 4 years ago

Ohh, yes. Sorry, I will get that syntax error tidied up and push a new version ASAP.

Regards,


From: Kristian Rønningen notifications@github.com Sent: Friday, June 12, 2020 8:51:23 PM To: cybercinch/certbot-dns-directadmin certbot-dns-directadmin@noreply.github.com Cc: Aaron Guise aaron@guise.net.nz; State change state_change@noreply.github.com Subject: Re: [cybercinch/certbot-dns-directadmin] Handling of sub-domains created on the account (#3)

Looks like the fix for this has broken the package on python 3.5:

pychecker /usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py

Processing module dns_directadmin (/usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py)... SyntaxError: invalid syntax (/usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py, line 133) directadmin_zone = "."join(ml.pop(), domain, suffix) ^

Warnings...

/usr/local/lib/python3.5/dist-packages/certbot_dns_directadmin/dns_directadmin.py:1: NOT PROCESSED UNABLE TO IMPORT

This is on Debian 9, and python 3.5.3

— You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHubhttps://github.com/cybercinch/certbot-dns-directadmin/issues/3#issuecomment-643156379, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AA7Q3YEM2W4IJX3O6ZFYHT3RWHUAXANCNFSM4N2GOGPQ.

kristianronningen commented 4 years ago

Missing "." before join on line 133, and missing ":" after else on line 135. ;)

kristianronningen commented 4 years ago

I suspect also that this fix will not work for hostnames with multiple "." in them, for example foo.bar.baz.example.com. I realize that it might be difficult to know which zone in DA to add an entry to, but maybe it would be better to loop until there are no more "." remaining to support any level of subdomains?

I have a case right now where I want to add the challenge for webmail01.osl1.example.com to my example.com zone, for example.

kristianronningen commented 4 years ago

I've been looking into this further (with the syntax fixes above), and it won't work if the DNS zone is 'example.com', and the hostname for the certificate is 'foo.example.com', because record_domain would contain _acme-challenge.foo.example.com, triggering the new if statement, and then assuming the zone to edit is foo.example.com when it in fact is example.com.

kristianronningen commented 4 years ago

In order to both support the 0.0.13 way of assuming all DNS zones are 'example.com' for any level of subdomains (if I'm not mistaken), and also support situations where 'sub.example.com' exists as its own account in DirectAdmin, and thus also has its own DNS zone, I think the plugin would have to query DA to discover the DNS zone that would be appropriate to add the TXT entry to. This would probably cause issues with the username/password you connect as, if you have multiple hostnames in your certificate (e.g. bar.example.com that goes in the example.com zone, and sub.example.com that should go into the sub.example.com zone).

guisea commented 4 years ago

Thanks,

I saw those syntax errors, teach me to do a quick edit in the browser. I have another method querying the domains setup in DirectAdmin to find a match.

Will take longer to implement. But I think iterating over domains in the DirectAdmin account is the best way to go.


guisea commented 4 years ago

I hope to squeeze some spanner time in on this today.

If testing goes well new version will be pushed.

In the meantime, if you don’t need the "subdomain added as its own domain in DirectAdmin" functionality, version 0.0.13 will work.

pip install --upgrade 'certbot-dns-directadmin==0.0.13'

guisea commented 4 years ago

@syserr0r new version has been pushed to pypi now. Successfully finds subdomains added as separate domains in DirectAdmin now. @kristianronningen This latest version no longer uses the code which had syntax errors and should be a less error-prone process.

To update should simply be: pip install --no-cache-dir -U certbot-dns-directadmin

Latest version is now 0.0.16

Please report back what you find :)

syserr0r commented 3 years ago

I have now had a chance to revisit this, sorry for the delay.

In DA I have the following domains (on a single account):

Trying to request a certificate for the following domains (in a single certificate request) fails:

The error provided is NXDOMAIN looking up TXT for test.bar.example.com and www.test.bar.example.com

This suggests (and looking into the logs confirms) that all the TXT records are being added under the example.com domain, where instead 2 should be added under example.com and 2 should be added under bar.example.com

Console output:

$ certbot --authenticator directadmin --directadmin-credentials ~/directadmin.ini -d test.foo.example.com -d www.test.foo.example.com -d test.bar.example.com -d www.test.bar.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator directadmin, Installer nginx
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for test.bar.example.com
dns-01 challenge for www.test.bar.example.com
Successfully added TXT record for _acme-challenge.test.bar.example.com
Successfully added TXT record for _acme-challenge.www.test.bar.example.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain test.bar.example.com
Challenge failed for domain www.test.bar.example.com
dns-01 challenge for test.bar.example.com
dns-01 challenge for www.test.bar.example.com
Cleaning up challenges
Successfully removed TXT record for _acme-challenge.test.bar.example.com
Successfully removed TXT record for _acme-challenge.www.test.bar.example.com
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test.bar.example.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.test.bar.example.com - check that a DNS
   record exists for this domain

   Domain: www.test.bar.example.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.www.test.bar.example.com - check that a
   DNS record exists for this domain

A portion of /var/log/letsencrypt/letsencrypt.log:

2020-10-19 20:27:44,638:DEBUG:certbot_dns_directadmin.dns_directadmin:Record Domain: _acme-challenge.test.foo.example.com
2020-10-19 20:27:44,638:DEBUG:certbot_dns_directadmin.dns_directadmin:Subdomain: _acme-challenge.test.foo
2020-10-19 20:27:44,639:DEBUG:certbot_dns_directadmin.dns_directadmin:Domain: example.com
2020-10-19 20:27:44,639:DEBUG:certbot_dns_directadmin.dns_directadmin:Suffix: com
2020-10-19 20:27:45,209:DEBUG:certbot_dns_directadmin.dns_directadmin:{'error': '0', 'message': 'Record Added'}
2020-10-19 20:27:45,210:INFO:certbot_dns_directadmin.dns_directadmin:Successfully added TXT record for _acme-challenge.test.foo.example.com
2020-10-19 20:27:45,352:DEBUG:certbot_dns_directadmin.dns_directadmin:Record Domain: _acme-challenge.test.bar.example.com
2020-10-19 20:27:45,353:DEBUG:certbot_dns_directadmin.dns_directadmin:Subdomain: _acme-challenge.test.bar
2020-10-19 20:27:45,353:DEBUG:certbot_dns_directadmin.dns_directadmin:Domain: example.com
2020-10-19 20:27:45,353:DEBUG:certbot_dns_directadmin.dns_directadmin:Suffix: com
2020-10-19 20:27:45,562:DEBUG:certbot_dns_directadmin.dns_directadmin:{'error': '0', 'message': 'Record Added'}
2020-10-19 20:27:45,562:INFO:certbot_dns_directadmin.dns_directadmin:Successfully added TXT record for _acme-challenge.test.bar.example.com
2020-10-19 20:27:45,702:DEBUG:certbot_dns_directadmin.dns_directadmin:Record Domain: _acme-challenge.www.test.foo.example.com
2020-10-19 20:27:45,702:DEBUG:certbot_dns_directadmin.dns_directadmin:Subdomain: _acme-challenge.www.test.foo
2020-10-19 20:27:45,702:DEBUG:certbot_dns_directadmin.dns_directadmin:Domain: example.com
2020-10-19 20:27:45,702:DEBUG:certbot_dns_directadmin.dns_directadmin:Suffix: com
2020-10-19 20:27:45,915:DEBUG:certbot_dns_directadmin.dns_directadmin:{'error': '0', 'message': 'Record Added'}
2020-10-19 20:27:45,915:INFO:certbot_dns_directadmin.dns_directadmin:Successfully added TXT record for _acme-challenge.www.test.foo.example.com
2020-10-19 20:27:46,068:DEBUG:certbot_dns_directadmin.dns_directadmin:Record Domain: _acme-challenge.www.test.bar.example.com
2020-10-19 20:27:46,068:DEBUG:certbot_dns_directadmin.dns_directadmin:Subdomain: _acme-challenge.www.test.bar
2020-10-19 20:27:46,068:DEBUG:certbot_dns_directadmin.dns_directadmin:Domain: example.com
2020-10-19 20:27:46,069:DEBUG:certbot_dns_directadmin.dns_directadmin:Suffix: com
2020-10-19 20:27:46,284:DEBUG:certbot_dns_directadmin.dns_directadmin:{'error': '0', 'message': 'Record Added'}
2020-10-19 20:27:46,285:INFO:certbot_dns_directadmin.dns_directadmin:Successfully added TXT record for _acme-challenge.www.test.bar.example.com
2020-10-19 20:27:46,286:INFO:certbot.plugins.dns_common:Waiting 60 seconds for DNS changes to propagate

(Note that further in the log file ACME responses from LE state that [www].test.foo.example.com verified with status 'valid' but [www].test.bar.example.com returned status 'invalid')

TL;DR:

Records should have been inserted under the following domains, like this:

Instead they were inserted like this:

syserr0r commented 3 years ago

If it helps, the acme.sh DA plugin manages this OK, source is here https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_da.sh