Closed volayvaz closed 10 months ago
I've done some research on the issue.
OTC doesn't support creating multiple recordsets with the same name. But if we need to issue a certificate for multiple domains, we must create multiple _acme_challenage.example.com recordsets with different tokens for each domain. Lego calls out the Present method for every domain it challenges. And in the end, it also calls Cleanup for each domain. Both functions are failing with an error, since, on the second run, Present is trying to create a recordset with the same name as during the previous run, and Cleanup is trying to delete a non-existing recordset.
I managed to fix the issue locally, and I'm testing my own build now, so far I haven't found any issues. Will be happy to share my fix with the community.
Hello,
OTC doesn't support creating multiple recordsets with the same name.
it's surprising because this provider has been around for a long time.
We have 2 modes for DNS provider: sequential and "parallel". The mode cannot be changed it's inside the implementation.
The default is "parallel".
To change this behavior, you just have to add this: https://github.com/go-acme/lego/blob/113648a36817a5d9667b8dd1f1c6c67eeb914916/providers/dns/duckdns/duckdns.go#L107-L111
Good morning!
it's surprising because this provider has been around for a long time.
Yeah, I guess it's not popped up earlier since the OTC provider is not as widely used as others. Thank you for pointing me out on the sequential mode. I didn't know that, and the fix I made was solely focused on making the provider compatible with the default operating mode. I'll try the sequential mode and post here if it works or not!
Thank you!
@ldez Yes, the sequential mode works. The only drawback of it is that obtaining certificates takes more time than parallel. In my case, the minimum SEQUENCE_INTERVAL that worked is 60 secs, so around three minutes overall for a certificate with two domains. Should I create a PR?
Have you try a shorter interval?
Yes you can open a PR.
Have you try a shorter interval?
Yes, I tested several times with 30 and 45-second intervals, and all tests failed.
2023/09/21 14:10:13 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/09/21 14:10:13 [INFO] [*.test.example.com] acme: Waiting for DNS record propagation.
2023/09/21 14:10:23 [INFO] [*.test.example.com] The server validated our request
2023/09/21 14:10:23 [INFO] [*.test.example.com] acme: Cleaning DNS-01 challenge
2023/09/21 14:10:24 [INFO] sequence: wait for 45s
2023/09/21 14:11:09 [INFO] [test.example.com] acme: Preparing to solve DNS-01
2023/09/21 14:11:10 [INFO] [test.example.com] acme: Trying to solve DNS-01
2023/09/21 14:11:10 [INFO] [test.example.com] acme: Checking DNS record propagation using [ns1.open-telekom-cloud.com:53]
2023/09/21 14:11:12 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/09/21 14:11:12 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/09/21 14:11:22 [INFO] [test.example.com] acme: Cleaning DNS-01 challenge
2023/09/21 14:11:24 [INFO] Skipping deactivating of valid auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8419197944
2023/09/21 14:11:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8419197954
2023/09/21 14:11:24 Could not obtain certificates:
error: one or more domains had a problem:
[test.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record "VYtdH8nOdfHHbXgTqlDAtOwMPFfY-z72iCLJqyh4lDg" found at _acme-challenge.test.example.com
During the test, I also monitored DNS propagation with the dig tool
dig @ns1.open-telekom-cloud.com _acme-challenge.test.example.com txt
and upon the second DNS name validation, I could see that a new record with a new token was propagated. Still, lego fails with an Incorrect TXT record and reveals the previous token from the first challenge. It seems to me like a caching issue, but I haven't embarked on that.
So far, the lowest interval that gives consistent success results is 60 sec.
Yes you can open a PR.
On it
Welcome
What did you expect to see?
I expect corresponding DNS records to be created, certificates issued, and DNS records to be deleted.
What did you see instead?
Process finishes with error
How do you use lego?
Binary
Reproduction steps
Version of lego
Logs
Go environment (if applicable)