robbiet480 closed 6 years ago
Looks good.
@robbiet480 my concern is that the `--replace` fixes previous orphaned challenge entries. Without it an interrupted challenge would probably break the next attempt? Due to the orphaned entry. Or would that get cleaned up after the first failure it causes and then succeed the subsequent time?
Good questions. My understanding is that yes, the record won't be removed, but the proper values (which from my experience rarely change between certificate renews) will instead be appended to the previously interrupted challenge record. Once that succeeds then the record would be removed as normal.
As an alternative, I can add an extra call to cli53 to ensure the record is deleted before adding it.
BTW, there's no way to combine `--append` and `--replace`, I tried that first!
The other bad case would be some sort of error loop that kept `--append`-ing entries forever.
It sounds like it will be ok though, so long as the clean-up hook gets called by dehydrated, so I am happy to go with it. If you get a chance, test some error cases.
We need to append TXT records instead of replacing so that wildcard domains/SANs are supported.
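
The append-versus-replace behaviour discussed in this thread, as an added example that is not part of the PR, the hook, or cli53: a file-backed mock zone stands in for the hosted zone. The token values, the helper names, and the deploy-both, validate, then delete-the-whole-record order are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: a file-backed stand-in for a hosted zone (constructed data,
# no cli53 or Route 53 calls). Each line of $ZONE is "<name> <TXT value>".
ZONE="$(mktemp)"
trap 'rm -f "$ZONE"' EXIT
NAME="_acme-challenge.example.com"   # shared by example.com and *.example.com

txt_delete() {                        # drop every value stored for a name
  awk -v n="$1" '$1 != n' "$ZONE" > "$ZONE.tmp"; mv "$ZONE.tmp" "$ZONE"
}
txt_replace() { txt_delete "$1"; printf '%s %s\n' "$1" "$2" >> "$ZONE"; }
txt_has() {
  awk -v n="$1" -v v="$2" '$1 == n && $2 == v { f = 1 } END { exit !f }' "$ZONE"
}
txt_append() { txt_has "$1" "$2" || printf '%s %s\n' "$1" "$2" >> "$ZONE"; }
txt_count() { awk -v n="$1" '$1 == n { c++ } END { print c + 0 }' "$ZONE"; }

# One issuance for example.com plus *.example.com. Assumed flow: both challenges
# are deployed, then both validated, then clean-up removes the whole record.
issue() {                             # $1 = txt_replace | txt_append
  rc=0
  "$1" "$NAME" "token-apex"           # constructed token values
  "$1" "$NAME" "token-wildcard"
  txt_has "$NAME" "token-apex" && txt_has "$NAME" "token-wildcard" || rc=1
  txt_delete "$NAME"
  return "$rc"
}

# An earlier run died before clean-up; the retry appends next to the orphan.
retry_after_interrupt() {
  : > "$ZONE"
  txt_append "$NAME" "stale-token"
  issue txt_append
}

# Deploys that never reach clean-up: the record keeps growing.
leaked_values() {                     # $1 = number of failed runs
  : > "$ZONE"; i=1
  while [ "$i" -le "$1" ]; do txt_append "$NAME" "token-$i"; i=$((i + 1)); done
  txt_count "$NAME"
}

: > "$ZONE"; if issue txt_replace; then echo "replace: ok"; else echo "replace: apex token lost"; fi
: > "$ZONE"; if issue txt_append; then echo "append: ok"; else echo "append: failed"; fi
```
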