DNS Alias Mode does not work if txt record exists on main domain #5078

Open
musicderp opened this issue Apr 2, 2024 · 1 comment

@musicderp

I am using the latest version of acme.sh and have found a bug with the dns-alias-mode logic where it will not use the dns alias if there is an existing txt record.
Steps to replicate:

1. Create a CNAME record that looks like _acme-challenge.domain.com TO _acme-challenge.certissue.com
2. Create a TXT record that looks like _acme-challenge.domain.com with content xxxxxxxxxxxxxxxxxxxxxxxxxxxxx (doesn't really matter, the point is, this was another txt record that was used to generate certs manually at a different time)
3. Use acme.sh to issue a cert with this command: ./acme.sh --issue -d *.domain.com --challenge-alias certissue.com --debug 2 --server letsencrypt --dns dns_aws --dnssleep 30

You will receive an error saying that the txt record for _acme-challenge.domain.com does not match the txt record created for _acme-challenge.certissue.com, because of course it doesn't. Let's Encrypt returns:
{ "type": "dns-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Incorrect TXT record \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" found at _acme-challenge.domain.com", "status": 403 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/redacted", "token": "redacted", "validated": "2024-04-02T22:05:59Z" }

Expected behavior:
Because challenge-alias is specified, I expect acme.sh to ignore any txt record that may be present and use the cname record rather than picking up the txt record and attempting to use that.

I am able to provide full debug logs but would rather not, as it appears that some sensitive info is exposed and it's a lot to go through and redact. The ideal scenario is that someone will attempt to replicate this and succeed, then add the logic needed to use the cname record no matter what when in dns-alias mode.
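The failure described in this report is visible before the CA is ever contacted: the validator queries TXT for _acme-challenge.domain.com, and the error text shows it was answered by the stale record at that name rather than by the record behind the CNAME. The following pre-flight check is an added example (not acme.sh code and not part of the original report) that models that lookup over a constructed zone snapshot. It assumes, as the quoted error suggests, that direct TXT data at the queried name answers the query and the CNAME at the same name is not followed; the zone data, token and thumbprint are placeholders, and the DNS-01 value is computed as RFC 8555 section 8.4 specifies.

```python
"""Pre-flight check for DNS-01 challenge-alias (CNAME) setups.

Added example. Models what an ACME validator sees when it queries TXT for
_acme-challenge.<domain> and classifies why validation would pass or fail.
All zone data, tokens and thumbprints below are constructed placeholders.
"""
import base64
import hashlib


def dns01_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' JWK thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Return (answering_name, txt_values, chain) as a validator would see them.

    Assumption (drawn from the error quoted in the issue): TXT data present
    at the queried name answers the query directly and a CNAME at that same
    name is never followed. Otherwise the CNAME chain is followed, up to
    max_hops, and TXT is read at its end.
    """
    chain = [name]
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if rrsets.get("TXT"):
            return name, list(rrsets["TXT"]), chain
        if rrsets.get("CNAME"):
            name = rrsets["CNAME"][0]
            chain.append(name)
            continue
        return name, [], chain
    raise ValueError(f"CNAME chain longer than {max_hops} hops: {chain}")


def diagnose_alias(zone: dict, domain: str, expected_value: str) -> dict:
    """Classify the DNS-01 outcome for `domain` (a leading '*.' is ignored,
    since a wildcard is validated at the base name).

    status is one of:
      ok          - the validator finds the expected value
      stale_txt   - a TXT at _acme-challenge.<domain> shadows the alias CNAME
      wrong_value - the alias is followed but the value there is wrong or missing
      no_alias    - no CNAME and no matching TXT at the main name
    """
    if domain.startswith("*."):
        domain = domain[2:]
    main = f"_acme-challenge.{domain}"
    main_rrsets = zone.get(main, {})
    answered_at, values, chain = resolve_txt(zone, main)
    if expected_value in values:
        status = "ok"
    elif main_rrsets.get("CNAME") and answered_at == main:
        status = "stale_txt"
    elif main_rrsets.get("CNAME"):
        status = "wrong_value"
    else:
        status = "no_alias"
    return {"status": status, "answered_at": answered_at, "values": values, "chain": chain}


# Constructed scenario mirroring the report: alias CNAME plus a leftover TXT.
TOKEN = "constructed-token-0123456789"            # placeholder, not a real ACME token
THUMBPRINT = "constructed-jwk-thumbprint"         # placeholder account key thumbprint
EXPECTED = dns01_value(TOKEN, THUMBPRINT)
ALIAS_TARGET = "_acme-challenge.certissue.com"


def zone_with_stale_txt() -> dict:
    return {
        "_acme-challenge.domain.com": {
            "CNAME": [ALIAS_TARGET],
            "TXT": ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"],  # leftover from an earlier manual issuance
        },
        ALIAS_TARGET: {"TXT": [EXPECTED]},  # what the client just published via the alias
    }


def zone_fixed() -> dict:
    zone = zone_with_stale_txt()
    del zone["_acme-challenge.domain.com"]["TXT"]  # only the CNAME remains at the main name
    return zone


if __name__ == "__main__":
    for label, zone in (("stale TXT present", zone_with_stale_txt()), ("TXT removed", zone_fixed())):
        result = diagnose_alias(zone, "*.domain.com", EXPECTED)
        print(f"{label}: {result['status']} (answered at {result['answered_at']}, chain {result['chain']})")
```

Running this reports stale_txt for the first zone and ok for the second, with the answering name moving from _acme-challenge.domain.com to the alias target. The practical takeaway for an operator is to check that the main _acme-challenge name holds only the CNAME before issuing with --challenge-alias, because no client-side logic can change which record the CA's resolver returns.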

github-actions bot commented Apr 2, 2024

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
