pdns: API endpoint not at URL root resulting in incorrect URL queried and thus failing with error code 404 #2128
Comments
Hello, I'm not sure I understand your problem. As you can see we have dedicated tests on
Your implementation will break everything. And the tests seem to say the opposite of the behavior you described 🤔.
lego/providers/dns/pdns/internal/client_test.go Lines 74 to 80 in 82e9a5e
Hi,
Thanks for the quick reply! Please find a bit more concrete explanation below.
There are four places where
1. With a relative path (well represented by the tests and functional in my use case): lego/providers/dns/pdns/internal/client.go Lines 55 to 58 in 82e9a5e
2. With a relative path (well represented by the tests and functional in my use case): lego/providers/dns/pdns/internal/client.go Lines 84 to 87 in 82e9a5e
3. With an absolute path (not represented by the tests and not functional in my use case): lego/providers/dns/pdns/internal/client.go Lines 119 to 122 in 82e9a5e
4. With an absolute path (not represented by the tests and not functional in my use case): lego/providers/dns/pdns/internal/client.go Lines 135 to 140 in 82e9a5e
Only the first two are used with a ("manually" built) path that is relative to the API's root path (
The problem is with the latter two usages. Here, the path that is passed to
{
  "id": "example.com.",
  "url": "\/dns\/api\/v1\/servers\/udmedia\/zones\/example.com.",
  "name": "example.com.",
  "type": "Zone",
  <snip>
When this path is then passed to
My crude solution suggested above for the 3rd and 4th usage above (NOT replacing
However, there are also possibly less invasive solutions. If any of them sounds reasonable, please let me know and I can potentially flesh them out some more:
What did you expect to see?
When requesting a first or renewing an existing certificate via DNS challenge and PowerDNS API with the API endpoint not being located at the URL root (e.g., https://login.udmedia.de/dns/api instead of https://login.udmedia.de/api), the command should run through without an error.
What did you see instead?
When requesting a first or renewing an existing certificate via DNS challenge and PDNS API with the API endpoint not being located at the URL root (e.g., https://login.udmedia.de/dns/api instead of https://login.udmedia.de/api), the command fails with an error code 404, indicating that an unknown URL was queried.
After debugging, this was pinpointed to the URL generated as endpoint for updating within UpdateRecords in providers/dns/pdns/internal/client.go not being the expected https://login.udmedia.de/dns/api/v1/servers/udmedia/zones/example.com. but instead https://login.udmedia.de/dns/api/v1/dns/api/v1/servers/udmedia/zones/example.com. (i.e., with duplicated dns/api/v1/).
The reason for that is that the URL of the host to which the path is appended by joinPath is already containing the /dns but the URL of the zone that is returned by the provider's PDNS compatible API (determined via GetHostedZone) and AFAIU also by PowerDNS itself (tentative as I don't have a PowerDNS installation to try this out with but see, e.g., discussion here) is an absolute URL path also containing the starting /dns. Therefore, /dns of the Host URL is extended by a second /dns from the Zone URL. Furthermore, in joinPath for API version != 0, any path to add that is not starting with /api (which is the case here as the path starts with /dns/api/...) is also prepended by /api/v1. This then results in the superfluous /api/v1/dns being added between the host URL and the Zone URL path.
This could be fixed by adding a second join function (e.g., joinAbsolutePath) that removes any remaining path from the Host URL before joining and (as this seems unnecessary in that case to me, but please correct me there if this is actually needed for, e.g., earlier versions of PowerDNS or the API) not trying to guess whether /api/v1 needs to be prepended to the URL path. The function could look somewhat like this:
and could replace joinPath here and here.
I can confirm that this fixes the issue at least for my provider. If helpful, I can provide a corresponding PR also including some tests of the new function. However, the caveat here is that I have limited experience with Go and PowerDNS in general and don't want to inadvertently break something for someone else.
How do you use lego?
Binary
Reproduction steps
Try requesting a first or renewing an existing certificate via DNS challenge and PDNS API (API version v1) with the API endpoint not being located at the URL root (PDNS_API_URL containing a non-empty path, e.g., https://login.udmedia.de/dns instead of https://login.udmedia.de for an API endpoint at https://login.udmedia.de/dns/api instead of https://login.udmedia.de/api).
For the command used (and environment variables set, except for the API key), see Logs section.
(See also discussion #2122)
For my understanding of the origin of the error after debugging this, see section on "What did you see instead?".
Version of lego
lego version 4.15.0 linux/386
Logs
Command executed to generate the log:
Go environment (if applicable)
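
The URL construction discussed in this issue, as an added Go example (not lego's code and not the function the issue author posted). joinPath is modelled only on the issue's description, the body of joinAbsolutePath is an assumption, and the relative path "/servers/udmedia/zones" is a constructed sample.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strconv"
	"strings"
)

// joinPath models the behaviour the issue describes (it is not lego's source):
// for apiVersion > 0 a path that does not start with /api gets /api/v<N>
// prepended, and the result is appended to the host URL's existing path.
func joinPath(host *url.URL, apiVersion int, elem ...string) *url.URL {
	p := path.Join(elem...)
	if apiVersion > 0 && !strings.HasPrefix(p, "/api") {
		p = path.Join("/api", "v"+strconv.Itoa(apiVersion), p)
	}
	u := *host // copy, so the configured endpoint is not modified
	u.Path = path.Join(host.Path, p)
	return &u
}

// joinAbsolutePath is a hypothetical body for the function the issue proposes:
// drop the host URL's own path and use the server-supplied absolute path as is.
// Only Path is replaced, so scheme and host stay those of the configured
// endpoint, and path.Join normalises any "." or ".." segments.
func joinAbsolutePath(host *url.URL, absPath string) *url.URL {
	u := *host
	u.Path = path.Join("/", absPath)
	return &u
}

func main() {
	// Values taken from the issue: PDNS_API_URL and the zone "url" field.
	host, err := url.Parse("https://login.udmedia.de/dns")
	if err != nil {
		panic(err)
	}
	zoneURL := "/dns/api/v1/servers/udmedia/zones/example.com."

	fmt.Println("relative:", joinPath(host, 1, "/servers/udmedia/zones"))
	fmt.Println("absolute:", joinPath(host, 1, zoneURL)) // duplicated prefix, 404
	fmt.Println("proposed:", joinAbsolutePath(host, zoneURL))
}
```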