Following acme_certificate I'm creating a wildcard cert for a zone goik.sdi.hdm-stuttgart.cloud: The generated cert works well for arbitrary server names including the »obvious« https://www.goik.sdi.hdm-stuttgart.cloud. However I'd like to add zone apex support for https://goik.sdi.hdm-stuttgart.cloud as well. This fails:
$ terraform apply
...
acme_certificate.certificate: Creating...
acme_certificate.certificate: Still creating... [10s elapsed]
...
acme_certificate.certificate: Still creating... [1m30s elapsed]
╷
│ Error: error creating certificate: error: one or more domains had a problem:
│ [*.goik.sdi.hdm-stuttgart.cloud] propagation: time limit exceeded: last error: NS ns1.goik.sdi.hdm-stuttgart.cloud. did not return the expected TXT record [fqdn: _acme-challenge.goik.sdi.hdm-stuttgart.cloud., value: jHdDGst_5S_ne4MzJz0uusRmcvFFKif5zOb7QPeoN_k]: OlOLUcYzCo-BIfb6a0odfAiIlpCPnpIcvnii7b_KogM
The last line's ending shows two expected TXT challenge values, jHdDGst_5S_ne4MzJz0uusRmcvFFKif5zOb7QPeoN_k and OlOLUcYzCo-BIfb6a0odfAiIlpCPnpIcvnii7b_KogM. However, the BIND 9 DNS server's log during this very terraform execution reveals:
Jun 14 11:57:16 sdiservice named[27800]: client @0x7f4b64c99f68 217.245.243.187#51557/key goik.key: updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': deleting rrset at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT
Jun 14 11:57:16 sdiservice named[27800]: client @0x7f4b64c99f68 217.245.243.187#51557/key goik.key: updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': adding an RR at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT "jHdDGst_5S_ne4MzJz0uusRmcvFFKif5zOb7QPeoN_k"
Jun 14 11:57:16 sdiservice named[27800]: client @0x7f4b64c99f68 217.245.243.187#59117/key goik.key: updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': deleting rrset at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT
Jun 14 11:57:16 sdiservice named[27800]: client @0x7f4b64c99f68 217.245.243.187#59117/key goik.key: updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': adding an RR at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT "OlOLUcYzCo-BIfb6a0odfAiIlpCPnpIcvnii7b_KogM"
Thus the first token jHdDGst_5S_ne4MzJz0uusRmcvFFKif5zOb7QPeoN_k is being destroyed instantly after creation. Only the second token survives:
By contrast, without subject_alternative_names the DNS server's log shows just one challenge TXT value. This is then deleted after successful cert creation, as expected.
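The failure mode visible in the log above, worked through as an added example that is not part of the original post: both the wildcard name and the zone apex validate at the same owner name, _acme-challenge.goik.sdi.hdm-stuttgart.cloud, so the two TXT challenge values must coexist in one RRset. The script replays the four BIND 9 dynamic-update lines quoted in the post (copied here as a constructed sample) with RFC 2136 semantics, shows that the second session's "deleting rrset" wipes the first session's value, flags that clobbering from the log, and then replays an additive-only update sequence to show that both tokens survive when no client deletes the shared RRset while another challenge is pending. The RFC 2136 model, the "fixed-client" label and the additive sequence are assumptions for illustration, not the behaviour of any particular ACME client or provider.

```python
import re
from collections import defaultdict

# Constructed sample: the four BIND 9 dynamic-update lines quoted in the post.
BIND_LOG = """\
Jun 14 11:57:16 sdiservice named[27800]: client @0x7f4b64c99f68 217.245.243.187#51557/key goik.key: updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': deleting rrset at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT
Jun 14 11:57:16 sdiservice named[27800]: client @0x7f4b64c99f68 217.245.243.187#51557/key goik.key: updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': adding an RR at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT "jHdDGst_5S_ne4MzJz0uusRmcvFFKif5zOb7QPeoN_k"
Jun 14 11:57:16 sdiservice named[27800]: client @0x7f4b64c99f68 217.245.243.187#59117/key goik.key: updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': deleting rrset at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT
Jun 14 11:57:16 sdiservice named[27800]: client @0x7f4b64c99f68 217.245.243.187#59117/key goik.key: updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': adding an RR at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT "OlOLUcYzCo-BIfb6a0odfAiIlpCPnpIcvnii7b_KogM"
"""

CHALLENGE_NAME = "_acme-challenge.goik.sdi.hdm-stuttgart.cloud"
# The two values the ACME client listed as expected in the terraform error.
EXPECTED_TOKENS = {
    "jHdDGst_5S_ne4MzJz0uusRmcvFFKif5zOb7QPeoN_k",
    "OlOLUcYzCo-BIfb6a0odfAiIlpCPnpIcvnii7b_KogM",
}

# Matches the two update operations that appear in the quoted log.
UPDATE_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<addr>[\d.]+)#(?P<port>\d+)/key (?P<key>\S+): "
    r"updating zone '(?P<zone>[^']+)': "
    r"(?P<op>deleting rrset|adding an RR) at '(?P<name>[^']+)' (?P<type>\S+)"
    r'(?: "(?P<value>[^"]*)")?'
)


def parse_updates(log):
    """Return one dict per dynamic-update line. 'client' is addr#port, which
    is what distinguishes the two update sessions in the post's log."""
    ops = []
    for line in log.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            d = m.groupdict()
            d["client"] = f"{d['addr']}#{d['port']}"
            ops.append(d)
    return ops


def replay(ops):
    """Apply RFC 2136 semantics to an in-memory zone and return the non-empty
    RRsets: 'deleting rrset' drops every record of that type at the owner
    name, 'adding an RR' appends a single rdata value."""
    zone = defaultdict(set)  # (owner name, rrtype) -> set of rdata values
    for op in ops:
        rrset = zone[(op["name"], op["type"])]
        if op["op"] == "deleting rrset":
            rrset.clear()
        elif op["op"] == "adding an RR":
            rrset.add(op["value"])
    return {k: v for k, v in zone.items() if v}


def missing_tokens(zone, name, expected):
    """Challenge values the ACME server would fail to find at name."""
    return set(expected) - zone.get((name, "TXT"), set())


def find_clobbering(ops):
    """Flag a value added by one client and wiped by another client's RRset
    delete. Returns (value, adding client, deleting client) triples."""
    live = {}  # (name, type, value) -> client that added it
    clobbered = []
    for op in ops:
        key = (op["name"], op["type"])
        if op["op"] == "adding an RR":
            live[key + (op["value"],)] = op["client"]
        elif op["op"] == "deleting rrset":
            for (n, t, v), adder in list(live.items()):
                if (n, t) == key:
                    if adder != op["client"]:
                        clobbered.append((v, adder, op["client"]))
                    del live[(n, t, v)]
    return clobbered


def additive_sequence(name, tokens, client="fixed-client"):
    """Hypothetical update sequence that keeps every pending challenge:
    only add RRs, never delete the shared RRset (assumption, not any
    provider's actual behaviour)."""
    return [
        {"client": client, "op": "adding an RR", "name": name,
         "type": "TXT", "value": t}
        for t in sorted(tokens)
    ]


if __name__ == "__main__":
    ops = parse_updates(BIND_LOG)
    zone = replay(ops)
    print("surviving TXT values:", zone.get((CHALLENGE_NAME, "TXT")))
    print("missing:", missing_tokens(zone, CHALLENGE_NAME, EXPECTED_TOKENS))
    for value, adder, deleter in find_clobbering(ops):
        print(f"{value[:12]}... added by {adder} was wiped by {deleter}")
    fixed = replay(additive_sequence(CHALLENGE_NAME, EXPECTED_TOKENS))
    print("missing after additive updates:",
          missing_tokens(fixed, CHALLENGE_NAME, EXPECTED_TOKENS))
```

Run against the quoted log, the replay leaves only the OlOL… value at the challenge name and reports that the jHdD… value added from port 51557 was removed by the RRset delete issued from port 59117, which is exactly the "did not return the expected TXT record" the ACME server then sees. The same check can be pointed at a live zone by replacing the replay with a TXT lookup of the challenge name and diffing the answer against the tokens the client expects.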