
Fix check failure when there is a wild card CNAME record #668

Open
wants to merge 1 commit into
base: master

Conversation

alhashash

If there is a wildcard CNAME record `*.domain.com`, resolving `_acme-challenge.domain.com` would yield another domain. Getssl incorrectly updates the check domain with the resolved domain, which causes the check to fail!

Let's Encrypt validation does not follow the CNAME of the challenge domain, and Getssl should not either.

@timkimber
Member

Hi @alhashash

This breaks the automated tests for CNAME domains. Can you give an example of the bug you're trying to fix?

Thanks

@alhashash
Author

My use case is:

  1. Create a CNAME record `*.mydomain.com` that points to `server1.mydomain.com`.
  2. Try to create a certificate for `*.mydomain.com`.

This fails because getssl resolves `_acme-challenge.mydomain.com`, which points to `server1.mydomain.com`. Then it tries to check the challenge in the TXT record of `server1.mydomain.com`!

The Let's Encrypt challenge TXT record is always `_acme-challenge.domain.com`, and it does not follow the CNAME record of that domain.

@timkimber
Member

@alhashash, thanks for your reply.

How are you creating a CNAME for `*.mydomain.com`?

I'd like to create a similar CNAME so I can reproduce the problem and fix it without breaking the existing tests.

The problem is that none of the DNS servers I have access to allow me to create a CNAME containing a star. I think this is because RFC 1035 states that the only valid characters in a domain name are letters (A-Za-z), digits (0-9), and hyphens (see page 8 of https://datatracker.ietf.org/doc/html/rfc1035).

@alhashash
Author

@timkimber I'm using the GoDaddy DNS service, but I think most DNS servers support wildcard domains, including online services like Amazon Route 53.

In BIND, you have to use the full domain `*.domain.com.`, not just `*`.

The RFC 1035 valid domain name specifications do not apply to `*`, as it is not a domain name and cannot be queried; it is just a convention for configuring wildcard domain resolution in DNS records.

@timkimber
Member

Hi @alhashash

You're right and I'm wrong. Thanks for correcting me; RFC 4592 updated RFC 1035 to confirm that wildcard DNS entries are valid.

I couldn't find anything when searching the web, but I have now, and my hosting provider (Namecheap) has a special interface I need to use to create wildcard CNAMEs; it can't be done using the normal interface.

I'm doing some test cleanup at the moment. Once that's done, I'll look at why the tests are changing after your change.
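The lookup sequence from the use case earlier in the thread, and the RFC 4592 wildcard rules discussed in the last few comments, can be walked through with a small toy resolver. This is an added example written for this thread; it is not getssl's code and not part of this pull request. The zone, names, addresses and the challenge token are all constructed. It implements the RFC 4592 rules that matter here: a wildcard only synthesizes answers for names that do not exist in the zone, the wildcard must be the direct child of the queried name's closest encloser, and an explicit record at the queried name (such as a published `_acme-challenge` TXT) shadows the wildcard.

```python
"""Toy authoritative lookup implementing RFC 4592 wildcard synthesis.

Everything here is constructed for illustration; nothing is queried
over the network.
"""
from typing import Dict, List, Tuple

# owner name -> rrtype -> rdata strings (names stored without trailing dot)
Zone = Dict[str, Dict[str, List[str]]]
Answer = Tuple[str, str, str]  # (owner as queried, rrtype, rdata)

# Constructed zone mirroring the scenario in the thread: a wildcard CNAME
# for *.mydomain.com pointing at server1, plus one deeper name under bar.
ZONE: Zone = {
    "mydomain.com": {"NS": ["ns1.mydomain.com"]},
    "*.mydomain.com": {"CNAME": ["server1.mydomain.com"]},
    "server1.mydomain.com": {"A": ["192.0.2.10"]},
    "x.bar.mydomain.com": {"A": ["192.0.2.11"]},
}


def name_exists(zone: Zone, name: str) -> bool:
    """RFC 4592 section 2.2.2: a name exists if it owns RRs or is an ancestor
    of an owner (an 'empty non-terminal'). Wildcards never match existing names."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def closest_encloser(zone: Zone, name: str) -> str:
    """Longest existing ancestor of `name`, or '' if none is in the zone."""
    parts = name.split(".")
    for i in range(1, len(parts)):
        candidate = ".".join(parts[i:])
        if name_exists(zone, candidate):
            return candidate
    return ""


def resolve(zone: Zone, qname: str, qtype: str,
            follow_cname: bool = True) -> Tuple[str, List[Answer]]:
    """Return (status, answers) for a single query against `zone`."""
    qname = qname.rstrip(".").lower()
    answers: List[Answer] = []
    seen = set()
    while True:
        if qname in seen:
            raise ValueError("CNAME loop at " + qname)
        seen.add(qname)
        if qname in zone:
            rrsets = zone[qname]                  # exact match wins
        elif name_exists(zone, qname):
            return "NOERROR", answers             # empty non-terminal: NODATA
        else:
            encloser = closest_encloser(zone, qname)
            wildcard = "*." + encloser if encloser else ""
            if wildcard not in zone:
                return "NXDOMAIN", answers        # no wildcard at that level
            rrsets = zone[wildcard]               # synthesize from wildcard
        if qtype in rrsets:
            answers += [(qname, qtype, rdata) for rdata in rrsets[qtype]]
            return "NOERROR", answers
        if "CNAME" in rrsets:
            target = rrsets["CNAME"][0]
            answers.append((qname, "CNAME", target))
            if not follow_cname:
                return "NOERROR", answers
            qname = target                        # restart at the CNAME target
            continue
        return "NOERROR", answers                 # NODATA at this name


def with_challenge(zone: Zone, domain: str, token: str) -> Zone:
    """Copy of `zone` with the ACME TXT record published for `domain`."""
    new_zone = {owner: dict(rrsets) for owner, rrsets in zone.items()}
    new_zone["_acme-challenge." + domain] = {"TXT": [token]}
    return new_zone


def challenge_txt(zone: Zone, domain: str) -> List[str]:
    """TXT rdata found by querying _acme-challenge.<domain> directly."""
    _, answers = resolve(zone, "_acme-challenge." + domain, "TXT")
    return [rdata for _, rrtype, rdata in answers if rrtype == "TXT"]


if __name__ == "__main__":
    print(resolve(ZONE, "_acme-challenge.mydomain.com", "TXT"))
    print(resolve(with_challenge(ZONE, "mydomain.com", "tok"),
                  "_acme-challenge.mydomain.com", "TXT"))
    print(resolve(ZONE, "foo.bar.mydomain.com", "A"))
```

Before the TXT record is published, `_acme-challenge.mydomain.com` does not exist, so the wildcard CNAME answers for it and the chase ends at `server1.mydomain.com` with no TXT. Once the TXT record is published at the exact name, that name exists and the wildcard no longer applies, so a direct TXT query returns the token. A checker that captures the CNAME target first and then polls that target for the TXT record therefore looks in the wrong place. The `foo.bar.mydomain.com` query also shows the closest-encloser rule: because `bar.mydomain.com` exists as an empty non-terminal and has no `*.bar.mydomain.com`, the top-level wildcard does not cover it.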
