Closed alexzorin closed 5 years ago
Thanks for the PR ! I will look at it asap 👍
I originally reported the issue. Diff 313f948 does fix the main problem I had (the certificate is successfully renewed), but it still throws an error:
Unable to find or delete the DNS TXT record: Can't find the DNS record _acme-challenge/TXT in the zone
It seems that the plugin tries to delete the same record twice and it obviously fails the second time:
Cleaning up challenges Starting new HTTPS connection (1): dns.api.gandi.net:443 https://dns.api.gandi.net:443 "GET /api/v5/domains/forcing-project.com HTTP/1.1" 200 547 Starting new HTTPS connection (1): dns.api.gandi.net:443 https://dns.api.gandi.net:443 "DELETE /api/v5/zones/ede74274-195c-11e8-b081-00163e6dc886/records/_acme-challenge/TXT HTTP/1.1" 204 0 Starting new HTTPS connection (1): dns.api.gandi.net:443 https://dns.api.gandi.net:443 "GET /api/v5/domains/forcing-project.com HTTP/1.1" 200 547 Starting new HTTPS connection (1): dns.api.gandi.net:443 https://dns.api.gandi.net:443 "DELETE /api/v5/zones/ede74274-195c-11e8-b081-00163e6dc886/records/_acme-challenge/TXT HTTP/1.1" 404 131
Here's the full log.
The best fix would be for _cleanup
to update the RRSet to remove the specific TXT value that Certbot is requesting, rather than deleting the entire RRSet.
I didn't want to change the behavior of the plugin too much for the sake of this fix.
On reflection that was pretty lazy from me - I've fixed it up from the cleanup side as well now.
Wow, you did a great job! Thank you for catching that :+1: Everything seems fine, let's merge it and update the package :slightly_smiling_face:
Your changes were added in the 1.1.0 release, thank you :+1:
Previously, the plugin would blow away existing TXT records for the same DNS name when adding a TXT record. This means that issuing a certificate for both a base domain and its wildcard could not succeed.
I noticed that your README mentions wildcard support already, but as far as I can tell, it doesn't seem to actually work. For example, in a typical wildcard scenario:
_acme-challenge.example.org 360 IN TXT "xxxx"
is added via_add_txt_record
(which calls_del_txt_record
, wiping out all previous values)._acme-challenge.example.org 360 IN TXT "yyyy"
is added via_add_txt_record
(which calls_del_txt_record
, wiping out all previous values).yyyy
becausexxxx
was deleted in (2). Challenge fails.After this PR, existing TXT values are not removed in
_add_txt_record
.Reported at https://community.letsencrypt.org/t/wildcard-certificate-not-renewed/87698