opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

security/acme-client: does not deal correctly with Subject Alternate Names and nsupdate #3992

Closed noseshimself closed 3 weeks ago

noseshimself commented 1 month ago

Describe the bug
If you specify multiple names to be included in a certificate and you use the RFC update mechanism for DNS updates and you use CNAMEs for the _acme-challenges

I don't see any valid way to specify the option to add the individual --challenge-alias parameter for every single -d parameter as you would need one per alternative name.

To Reproduce
Steps to reproduce the behavior:

Try creating a certificate using DNS-01 verification with several "Alt Names", where every single one of the alternative names has its own CNAME pointed at for providing the DNS-01 challenge, which needs to be passed in a --challenge-alias parameter in the acme.sh call. You will be missing input fields for them.

Expected behavior
Having one input field per name if you use challenge-alias.

fraenki commented 3 weeks ago

If I understand this correctly, you want to use DNS alias mode: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode

This is already supported:

noseshimself commented 3 weeks ago

Can you refer to the part of the (ACME plugin) documentation where the necessary handling of input for acme.sh case 4 (see https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode#4-specify-different-aliased-domains-for-each-domain) is shown?

In my specific case the CNAMEs for my challenges have the form

_acme-challenge.FQDN. IN CNAME FQDN.acme-z.one.

and the only way to do so is to call acme.sh as --issue -d x1.example.com --challenge-alias x1.example.com.acme-z.one -d x1.example.net --challenge-alias x1.example.net.acme-z.one; no matter what I'm entering in OPNsense, this is not coming out.
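The per-name alias wiring described in this thread (acme.sh DNS alias mode, wiki case 4), as an added example that is not part of the plugin or of acme.sh: it builds the acme.sh argument list with one -d / alias pair per alternative name and, before issuing, checks a set of CNAME records against what the chosen alias mode expects. Per the linked wiki, --challenge-alias expects the CNAME target to carry the _acme-challenge. prefix while --domain-alias expects the bare alias name; the zone acme-z.one and the sample records are constructed here to match the record form shown above.

```python
import shlex

ALIAS_ZONE = "acme-z.one"  # assumption: the zone that hosts the challenge records

def alias_for(fqdn, alias_zone=ALIAS_ZONE):
    """Alias name for one domain, following the FQDN.acme-z.one pattern from the report."""
    return f"{fqdn}.{alias_zone}"

def expected_cname_target(fqdn, mode, alias_zone=ALIAS_ZONE):
    """Where _acme-challenge.<fqdn> must point for acme.sh alias mode `mode`.
    'challenge' (--challenge-alias): target carries the _acme-challenge. prefix.
    'domain' (--domain-alias): target is the bare alias name."""
    alias = alias_for(fqdn, alias_zone)
    return f"_acme-challenge.{alias}." if mode == "challenge" else f"{alias}."

def check_cnames(domains, cname_records, mode, alias_zone=ALIAS_ZONE):
    """Return (domain, problem) pairs; an empty list means every name is wired correctly."""
    problems = []
    for d in domains:
        target = cname_records.get(f"_acme-challenge.{d}.")
        want = expected_cname_target(d, mode, alias_zone)
        if target is None:
            problems.append((d, "no _acme-challenge CNAME"))
        elif target != want:
            problems.append((d, f"CNAME -> {target}, expected {want}"))
    return problems

def acme_issue_args(domains, mode, alias_zone=ALIAS_ZONE, dns_hook="dns_nsupdate"):
    """acme.sh argv with one -d / alias-flag pair per name (one alias per alt name)."""
    flag = "--challenge-alias" if mode == "challenge" else "--domain-alias"
    args = ["acme.sh", "--issue", "--dns", dns_hook]
    for d in domains:
        args += ["-d", d, flag, alias_for(d, alias_zone)]
    return args

# Constructed sample: two alt names whose CNAMEs have the form shown in the report
SAMPLE_DOMAINS = ["x1.example.com", "x1.example.net"]
SAMPLE_CNAMES = {
    "_acme-challenge.x1.example.com.": "x1.example.com.acme-z.one.",
    "_acme-challenge.x1.example.net.": "x1.example.net.acme-z.one.",
}

if __name__ == "__main__":
    for mode in ("challenge", "domain"):
        print(mode, check_cnames(SAMPLE_DOMAINS, SAMPLE_CNAMES, mode))
    print(shlex.join(acme_issue_args(SAMPLE_DOMAINS, "domain")))
```

Run the check with the mode you intend to pass to acme.sh; a non-empty result means the alias record for that name will not be found during validation.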