icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0

dns-01 challenge data is not provided for teardown #312

Closed domrim closed 1 year ago

domrim commented 1 year ago

The ACME standard allows multiple challenges for the same FQDN at the same time (as multiple TXT records can exist for one FQDN).

The described functionality of the MDChallengeDns01 executable has the following statement:

/usr/bin/acme-setup-dns teardown mydomain.com
# this needs to remove all existing DNS TXT records for 
# _acme-challenge.mydomain.com

This does not allow deleting only the challenge that was deployed for this Apache instance. This prevents deployments with redundant web servers (like anycasted ones, ...) using Apache and mod_md.

I would suggest to also provide the challenge for the teardown command.

icing commented 1 year ago

Sounds like a reasonable suggestion to me.

icing commented 1 year ago

Just provided this to master, part of the next release. For backward compatibility, one needs to configure MDChallengeDns01Version 2 globally, then the script gets the challenge on teardown.

Thanks for the suggestion.
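To make the difference between the two teardown behaviours concrete, here is an added example (not mod_md's own code and not a script from the issue) of an MDChallengeDns01 handler that keeps TXT records in a local file store standing in for a real DNS API. It assumes that with MDChallengeDns01Version 2 the executable is invoked as `teardown <domain> <challenge>`; without the challenge argument it falls back to the version 1 behaviour of removing every record.

```shell
#!/bin/sh
# Added example, not mod_md's own code: a stand-in MDChallengeDns01 handler.
# Instead of a real DNS API it keeps the TXT values of _acme-challenge.<domain>
# in one file per name under ACME_DNS_STORE (a constructed local store).
ACME_DNS_STORE="${ACME_DNS_STORE:-$(mktemp -d)}"

record_file() {
    printf '%s/_acme-challenge.%s.txt' "$ACME_DNS_STORE" "$1"
}

dns01_setup() {
    # setup <domain> <challenge>: add one TXT record and keep any others,
    # since several servers may hold their own challenge for one FQDN at once.
    printf '%s\n' "$2" >> "$(record_file "$1")"
}

dns01_teardown() {
    # teardown <domain> [challenge]
    # Version 2 (assumed argument order: domain, then challenge) removes only
    # the record this server deployed. Version 1 passes no challenge, so the
    # script has to wipe every record, which is what breaks redundant setups.
    f=$(record_file "$1")
    [ -f "$f" ] || return 0
    if [ -n "$2" ]; then
        grep -Fxv -- "$2" "$f" > "$f.tmp" || true   # grep exits 1 if none left
        mv "$f.tmp" "$f"
    else
        : > "$f"
    fi
}

dns01_list() {
    # Current TXT values for _acme-challenge.<domain>, one per line.
    f=$(record_file "$1")
    [ -f "$f" ] && cat "$f"
    return 0
}

dns01_main() {
    # Dispatch the way mod_md invokes the executable: <action> <domain> [challenge]
    case "$1" in
        setup)    dns01_setup "$2" "$3" ;;
        teardown) dns01_teardown "$2" "$3" ;;
        *) echo "usage: $0 setup|teardown <domain> [challenge]" >&2; return 2 ;;
    esac
}
if [ "$#" -gt 0 ]; then
    dns01_main "$@"
fi
```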