oGGy990 / certbot-dns-inwx

INWX DNS authenticator plugin for certbot
Apache License 2.0

Race conditions for challenges on the same domain? #2

Closed jkroepke closed 6 years ago

jkroepke commented 6 years ago

Hi,

when I issue a certificate like

certbot certonly -a certbot-dns-inwx:dns-inwx --cert-name _.example.com -d *.example.com -d example.com

I get these results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator certbot-dns-inwx:dns-inwx, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
No record _acme-challenge.example.com existing (Unknown record)

Requesting _acme-challenge.example.com while the challenge is running returns one entry instead of two. I also see just one entry in the web interface.

Requesting certificates like certbot certonly -a certbot-dns-inwx:dns-inwx --cert-name _.example.com -d *.example.com works fine.

oGGy990 commented 6 years ago

Hi,

I see, you are using the new ACMEv2 API, which behaves a little differently. I updated the plugin according to the issues which were also mentioned at https://github.com/certbot/certbot/issues/5472 .

Note that your nameserver may now get polluted by obsolete _acme-challenge records if any error happens before the cleanup request by certbot is performed. Previously the existing record was replaced. But this matches the behavior of at least some of the bundled dns plugins.

A test on my end using certbot 0.23 ran fine:

sudo certbot --dry-run certonly --cert-name example.com -d "*.example.com" -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Obtain certificates using a DNS TXT record (if you are using INWX for your
domains). (certbot-dns-inwx:dns-inwx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator certbot-dns-inwx:dns-inwx, Installer None
/usr/lib/python3.6/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

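
The behaviour discussed in the two comments above, as an added example that is not part of the issue thread or of the certbot-dns-inwx plugin's code: for `-d *.example.com -d example.com` certbot issues two dns-01 challenges whose TXT records share the name `_acme-challenge.example.com`, and the CA accepts a challenge if any TXT record at that name carries the expected value (RFC 8555, section 8.4). The in-memory `FakeZone` stands in for the INWX API, the token strings are constructed, and the two `add_txt_*` functions model the "replace existing record" behaviour the maintainer describes as the old one and the "add a record per challenge" behaviour that fixed it. The last two functions show the caveat that follows from appending: records left behind by an aborted run have to be identified and removed explicitly.

```python
"""Constructed model of TXT record handling for two concurrent dns-01
challenges on the same name. Added example; not the plugin's own code."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed sample validation values. Real values are the base64url
# SHA-256 digest of the key authorization and are unique per challenge.
TOKEN_WILDCARD = "wildcard-token-AAAA"
TOKEN_APEX = "apex-token-BBBB"
STALE_TOKEN = "leftover-token-from-failed-run-CCCC"

CHALLENGE_NAME = "_acme-challenge.example.com"


@dataclass
class FakeZone:
    """Minimal stand-in for a DNS provider API: name -> set of TXT values."""
    txt: Dict[str, Set[str]] = field(default_factory=dict)

    def lookup_txt(self, name: str) -> Set[str]:
        return set(self.txt.get(name, set()))


def add_txt_replacing(zone: FakeZone, name: str, value: str) -> None:
    """Old behaviour described in the thread: an existing record is replaced,
    so the second challenge for the same name overwrites the first one."""
    zone.txt[name] = {value}


def add_txt_appending(zone: FakeZone, name: str, value: str) -> None:
    """ACMEv2-compatible behaviour: one TXT record per challenge, the
    existing ones are kept so both validations can succeed."""
    zone.txt.setdefault(name, set()).add(value)


def remove_txt_value(zone: FakeZone, name: str, value: str) -> bool:
    """Cleanup deletes only the record carrying this challenge's value, so the
    record of the other concurrent challenge survives. Returns False when the
    record is not there (the 'Unknown record' case from the log above)."""
    values = zone.txt.get(name)
    if not values or value not in values:
        return False
    values.discard(value)
    if not values:
        del zone.txt[name]
    return True


def ca_validates(zone: FakeZone, name: str, expected: str) -> bool:
    """The CA accepts the challenge if any TXT record at the validation
    name matches the expected value."""
    return expected in zone.lookup_txt(name)


def run_two_challenges(add_fn: Callable[[FakeZone, str, str], None]) -> List[bool]:
    """Perform the two challenges certbot creates for '-d *.example.com
    -d example.com', validate both, then clean up one record per challenge."""
    zone = FakeZone()
    add_fn(zone, CHALLENGE_NAME, TOKEN_WILDCARD)
    add_fn(zone, CHALLENGE_NAME, TOKEN_APEX)
    results = [ca_validates(zone, CHALLENGE_NAME, TOKEN_WILDCARD),
               ca_validates(zone, CHALLENGE_NAME, TOKEN_APEX)]
    remove_txt_value(zone, CHALLENGE_NAME, TOKEN_WILDCARD)
    remove_txt_value(zone, CHALLENGE_NAME, TOKEN_APEX)
    return results


def stale_challenge_values(zone: FakeZone, name: str, active: Set[str]) -> Set[str]:
    """Caveat from the thread: with append semantics a run that fails before
    cleanup leaves records behind. Anything present that no active challenge
    accounts for is stale."""
    return zone.lookup_txt(name) - active


def purge_stale(zone: FakeZone, name: str, active: Set[str]) -> int:
    """Remove stale records, leaving the active challenges' records in place.
    Returns the number of records removed."""
    stale = stale_challenge_values(zone, name, active)
    for value in stale:
        remove_txt_value(zone, name, value)
    return len(stale)


if __name__ == "__main__":
    print("replace semantics:", run_two_challenges(add_txt_replacing))
    print("append semantics: ", run_two_challenges(add_txt_appending))
```

With replace semantics the wildcard challenge fails because its record was overwritten by the apex challenge's record, which is the single-entry symptom reported in the issue; with append semantics both validate. Running `purge_stale` against the values of the challenges currently in flight is the manual check a practitioner would do after an interrupted certbot run to avoid accumulating `_acme-challenge` records.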
jkroepke commented 6 years ago

Works fine for me, too.

Thanks for your support.