search

joohoi / acme-dns

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
MIT License
2.13k stars 232 forks source link

Acme DNS can issue only 1 subdomain #318

Open b-a-t opened 1 year ago

b-a-t commented 1 year ago

I would like to bring attention to the issue described in the acme.sh repo - https://github.com/acmesh-official/acme.sh/issues/4221

In short, acme-dns for whatever reason limits the number of TXT records in the air to two, which creates trouble issuing and renewing certificates with 3 or more SAN records.

The mentioned issue provides a workaround for this limitation, but I believe it is better to be fixed in the acme-dns itself.

This https://github.com/acmesh-official/acme.sh/issues/4221#issuecomment-1207433691 has a more detailed description of the problem:

The problem with that solution is that you'll need to update your _acme-challenge CNAME record every time you renew (!) and that it'll create a new user account every single time you renew for every subdomain. In your case, after 4 renewals, you'll end up with 12 accounts on the acme-dns server, 9 of them unused.

The cause of this problem is as follows:

* acme-dns https://github.com/joohoi/acme-dns/issues/233#issuecomment-650365900 to only ever return two verification TXT-records per account.
* acme.sh uses a single account to talk to acme-dns's API per certificate (this used to be 1 account globally).
* acme.sh uses acme-dns's API to add all TXT records at the same time.
* if you only verify -d example.com -d www.example.com, two is enough.
* if you only verify -d example.com -d *.example.com, two is enough.
* -d example.com -d foo.example.com -d bar.example.com is one too many. One is silently discarded.
* acme.sh asks the issuer (ZeroSSL / Let's Encrypt / etc) to verify. It only sees two TXT records, so one domain fails.

As credentials are saved per certificate, using multiple config-home directories won't help.

This problem has come up before, but so far I don't think anyone has tackled this issue. It's not specific to subdomains: -d example.com -d example.org -d example.net would cause this, too.

Solutions to this might be:

1. Add one TXT record, verify, and then add the next one. I don't think this is feasible with acme.sh.
2. Add all TXT records, but mod acme-dns to allow more records. There are some forks, but it goes against acme-dns's design. acme.sh's dns_acmedns.sh file also assumes a limit of 2 records: dns_acmedns_rm() is blank as there's no real reason to clean up after itself.
3. Save account credentials per domain, per certificate.

The last option will require some development work and some time testing. I've attached a quick extension to dns_acmedns.sh but it doesn't include automatic registration or saving credentials. You'll need to do both manually.

kkloesener commented 8 months ago

Depending on your Use Case there is another solution. This solution makes the world even more secure:

If your server supports SNI don’t use SAN certificates at all and just issue additional certificates to use them.

All current reverse-proxy and load-balancer like Traefik, nginx, Citrix Netscaler, kemp and f5 support this for HTTPS