joohoi / acme-dns

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
MIT License

acme-dns treating common-name as domain name #276

Closed laingsc closed 2 years ago

laingsc commented 3 years ago

Heya,

I'm using the acme_certificate terraform resource to provision certificates and using acme-dns because it's a private dns and we don't have a provider for azure private dns. I've created all of the cname records for 6 domains, and wildcard certs work just fine, however when not using a wildcard cert it's expecting a cname record for _acme-challenge at the fqdn level.

I've got the proper cname record at _acme-challenge.dev.ds.ahunga.co.nz which I thought would work, however it wants proof of _acme-challenge.testacme.dev.ds.ahunga.co.nz which isn't a dns zone since it's a hostname which I'm getting a cert for.

I've pre-registered all domains and cname records for use in terraform (storage doesn't persist across runs). Again this works with *.dev.ds.ahunga.co.nz. Any thoughts?

resource "acme_certificate" "testing_dev_ds_ahunga_co_nz" {
  provider                  = acme.private
  account_key_pem           = acme_registration.acme_reg_private.account_key_pem
  certificate_p12_password  = data.azurerm_key_vault_secret.agw_cert_pw.value
  common_name               = "testacme.dev.ds.ahunga.co.nz"
  key_type                  = 4096

  dns_challenge {
    provider = "acme-dns"
    config   = {
      ACME_DNS_API_BASE     = "https://acme.ds.ahunga.co.nz:443"
      ACME_DNS_STORAGE_PATH = "${path.module}/acme.domains.json"
    }
  }
}

Error: error creating certificate: error: one or more domains had a problem:
[testacme.dev.ds.ahunga.co.nz] [testacme.dev.ds.ahunga.co.nz] acme: error presenting token: 2 errors occurred:
    * acme-dns: new account created for "testacme.dev.ds.ahunga.co.nz". To complete setup for "testacme.dev.ds.ahunga.co.nz" you must provision the following CNAME in your DNS zone and re-run this provider when it is in place:
_acme-challenge.testacme.dev.ds.ahunga.co.nz. CNAME 5e0fc462-21eb-44ae-b66a-19769c06123c.acme.ds.ahunga.co.nz.
    * error encountered while presenting token for DNS challenge: acme-dns: new account created for "testacme.dev.ds.ahunga.co.nz". To complete setup for "testacme.dev.ds.ahunga.co.nz" you must provision the following CNAME in your DNS zone and re-run this provider when it is in place:
_acme-challenge.testacme.dev.ds.ahunga.co.nz. CNAME 5e0fc462-21eb-44ae-b66a-19769c06123c.acme.ds.ahunga.co.nz.

Exagone313 commented 3 years ago

_acme-challenge.foo works for names foo and *.foo only. It's not related to acme-dns but the ACME DNS01 challenge itself.
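
To make that rule concrete, here is an added Go example (not acme-dns code and not part of this thread) that derives the DNS-01 validation name for each identifier the way RFC 8555 §8.4 specifies (wildcard prefix dropped, `_acme-challenge.` prepended) and then reports which requested names have no matching CNAME among a constructed list of pre-provisioned records, reproducing why `*.dev.ds.ahunga.co.nz` passes and `testacme.dev.ds.ahunga.co.nz` does not:

```go
package main

import (
	"fmt"
	"strings"
)

// ChallengeName returns the owner name a CA queries for the DNS-01 challenge
// of an ACME identifier (RFC 8555 §8.4). A wildcard "*.foo" is validated at
// the same name as "foo", so the "*." prefix is stripped; nothing else is.
func ChallengeName(identifier string) string {
	name := strings.TrimSuffix(strings.ToLower(identifier), ".")
	name = strings.TrimPrefix(name, "*.")
	return "_acme-challenge." + name + "."
}

// MissingCNAMEs lists identifiers whose challenge name is not among the
// CNAME owner names already provisioned in the zone. This is the check a
// pre-registration step would run before ordering certificates.
func MissingCNAMEs(identifiers, provisioned []string) []string {
	have := make(map[string]bool, len(provisioned))
	for _, p := range provisioned {
		have[strings.ToLower(strings.TrimSuffix(p, "."))+"."] = true
	}
	var missing []string
	for _, id := range identifiers {
		if !have[ChallengeName(id)] {
			missing = append(missing, id)
		}
	}
	return missing
}

func main() {
	// Constructed input: the one CNAME the reporter provisioned and the
	// three identifiers discussed in the thread.
	provisioned := []string{"_acme-challenge.dev.ds.ahunga.co.nz"}
	identifiers := []string{
		"*.dev.ds.ahunga.co.nz",
		"dev.ds.ahunga.co.nz",
		"testacme.dev.ds.ahunga.co.nz",
	}
	for _, id := range identifiers {
		fmt.Printf("%-30s -> %s\n", id, ChallengeName(id))
	}
	fmt.Println("no CNAME provisioned for:", MissingCNAMEs(identifiers, provisioned))
}
```

Only the hostname certificate is reported as missing its CNAME, which matches the error in the original report.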

leggewie commented 2 years ago

This isn't a bug.

@laingsc Please close this ticket if your question has been answered.

laingsc commented 2 years ago

Ah yes, I should've closed this ages ago when I realized how it worked!