A bug about CNAME when i work with a domain hosted in name.com #15

Closed
landall opened this issue Jan 4, 2025 · 8 comments

Comments

landall commented Jan 4, 2025

I want to add a cert for *.abcd.com

certbot certonly -a dns-multi --dns-multi-credentials=/etc/letsencrypt/dns-multi.ini -d '*.abcd.com' --agree-tos --email xxxx -v

There is a record in DNS:
CNAME *.abcd.com --> some.efgh.com

The script works wrong.

It said:
[INFO] Found CNAME entry for "_acme-challenge.abcd.com.": "some.efgh.com."
namedotcom: some.efgh.com. is not a subdomain of abcd.com.

Then it fails.

alexzorin (Owner) commented

I need two things if you want help with your problem:

  • Try the same thing using lego directly and report back whether it works or not. If it doesn't work, then you need to take it up with the lego project directly.
  • Use your real domain names when reporting this issue. I don't have the time to try and guess what the problem is from redacted logs.

landall commented Jan 4, 2025 via email

landall closed this as completed Jan 4, 2025

landall commented Jan 4, 2025

Someone else started an issue 2 days ago in go-acme/lego#2386

It seems a bit different but refers to the same thing, following the CNAME.

ldez commented Jan 4, 2025

> It seems a bit different but refers to the same thing, following the CNAME.

This is not "a bit different", this is another topic.

If you want to disable CNAME support: https://go-acme.github.io/lego/usage/cli/options/index.html#lego_disable_cname_support

landall commented Jan 5, 2025

> > It seems a bit different but refers to the same thing, following the CNAME.
>
> This is not "a bit different", this is another topic.
>
> If you want to disable CNAME support: https://go-acme.github.io/lego/usage/cli/options/index.html#lego_disable_cname_support

I found a way to avoid disabling CNAME support, which cannot be used in some situations:

  1. Add the DNS records below:
     • CNAME *.abcd.com -> some.domain.com
     • CNAME _acme-challenge.abcd.com -> some.abcd.com
     • A some.abcd.com -> any IP
  2. Wait for some time so that the ACME server can sync the changes (in my test, it is about one hour).
  3. Run the acme command as usual.

ldez commented Jan 5, 2025

  1. This is still not related to the issue inside lego you commented on.
  2. You should express your context clearly, and you are able to do it because you did it in your latest comment.
  3. You can open a dedicated issue on lego, with a clear explanation of your situation (please avoid the word "wrong")

ldez commented Jan 5, 2025

This is because the current implementation of the namedotcom provider doesn't follow CNAME.

https://github.com/go-acme/lego/blob/b83c1d5f648a4e01adf247908ab2b5818b938dfb/providers/dns/namedotcom/namedotcom.go#L145

So this is not related to a "wrong way" to follow CNAME.

I will open a PR but I will need you to test it.


FYI, I tested the CNAME behavior and it works as expected (when the provider implementation uses it).

I created 2 CNAMEs:

  • CNAME *.a.com -> example.com
  • CNAME _acme-challenge.a.com -> bar.example.com

If I call _acme-challenge.a.com the answer is bar.example.com.

2025/01/05 18:39:00 [INFO] Found CNAME entry for "_acme-challenge.a.com.": "bar.example.com."

I added some debug logs and forced the usage of foo.a.com instead of _acme-challenge.a.com.

As you can see foo.a.com redirects to example.com:

;; opcode: QUERY, status: NOERROR, id: 39082
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1280

;; QUESTION SECTION:
;foo.a.com.	IN	 CNAME

;; ANSWER SECTION:
foo.a.com.	300	IN	CNAME	example.com.

and _acme-challenge.a.com redirects to bar.example.com:

;; opcode: QUERY, status: NOERROR, id: 37280
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1280

;; QUESTION SECTION:
;_acme-challenge.a.com.	IN	 CNAME

;; ANSWER SECTION:
_acme-challenge.a.com.	300	IN	CNAME	bar.example.com.
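The following Go program is an added illustration for this thread, not lego's code and not posted by either commenter. It models the decision behind the error in the first report ("some.efgh.com. is not a subdomain of abcd.com.") and shows why the three-record workaround from the Jan 5 comment passes it: after following CNAMEs from _acme-challenge.abcd.com, the final owner name must still lie inside the zone the provider's credentials can write to. The zone data is constructed inline (the `zoneData` type, the record sets and all function names are assumptions of this example), and wildcard matching is simplified to a single label without the RFC 4592 closest-encloser rule.

```go
package main

import (
	"fmt"
	"strings"
)

// zoneData is a constructed stand-in for live DNS (hypothetical type, not lego's).
// cname maps an owner name to its CNAME target; other lists owners that exist
// with non-CNAME data only (for example an A record), so that an existing name
// shadows a wildcard the way it does in real DNS. All names carry a trailing dot.
type zoneData struct {
	cname map[string]string
	other map[string]bool
}

// originalRecords reproduces the first report: only a wildcard CNAME pointing
// out of the zone, which also catches _acme-challenge.abcd.com.
var originalRecords = zoneData{
	cname: map[string]string{"*.abcd.com.": "some.efgh.com."},
}

// workaroundRecords reproduces the three records from the workaround comment.
var workaroundRecords = zoneData{
	cname: map[string]string{
		"*.abcd.com.":               "some.efgh.com.",
		"_acme-challenge.abcd.com.": "some.abcd.com.",
	},
	other: map[string]bool{"some.abcd.com.": true}, // the "A some.abcd.com -> any IP" record
}

// lookupCNAME returns the CNAME target for name. An exact owner wins; a name
// that exists with other data has no CNAME; otherwise a single-label wildcard
// ("*.parent") is tried. Simplification: the RFC 4592 closest-encloser rule
// for multi-label wildcard matches is not modelled.
func lookupCNAME(z zoneData, name string) (string, bool) {
	if target, ok := z.cname[name]; ok {
		return target, true
	}
	if z.other[name] {
		return "", false
	}
	if i := strings.Index(name, "."); i >= 0 {
		if target, ok := z.cname["*."+name[i+1:]]; ok {
			return target, true
		}
	}
	return "", false
}

// followCNAME resolves name through CNAMEs until a name without one is reached,
// bounding the hop count so a CNAME loop cannot spin forever.
func followCNAME(z zoneData, name string, maxHops int) (string, error) {
	current := name
	for hop := 0; hop < maxHops; hop++ {
		target, ok := lookupCNAME(z, current)
		if !ok {
			return current, nil
		}
		current = target
	}
	return "", fmt.Errorf("CNAME chain from %s exceeds %d hops", name, maxHops)
}

// isSubdomain reports whether name equals zone or lies beneath it.
func isSubdomain(name, zone string) bool {
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// challengeOwner is the decision a zone-bound provider has to make: follow the
// CNAMEs from _acme-challenge.<domain> and accept the final owner only if it
// still lies inside the zone the credentials can write to. It returns the final
// owner together with an error mirroring the message from the report.
func challengeOwner(z zoneData, domain string) (string, error) {
	zone := strings.TrimSuffix(domain, ".") + "."
	final, err := followCNAME(z, "_acme-challenge."+zone, 8)
	if err != nil {
		return "", err
	}
	if !isSubdomain(final, zone) {
		return final, fmt.Errorf("%s is not a subdomain of %s", final, zone)
	}
	return final, nil
}

func main() {
	cases := []struct {
		label string
		zone  zoneData
	}{{"original", originalRecords}, {"workaround", workaroundRecords}}
	for _, c := range cases {
		owner, err := challengeOwner(c.zone, "abcd.com")
		if err != nil {
			fmt.Printf("%-10s TXT would go to %s: refused (%v)\n", c.label, owner, err)
			continue
		}
		fmt.Printf("%-10s TXT would go to %s: accepted\n", c.label, owner)
	}
}
```

Running it prints a refusal for the original record set and an acceptance for the workaround set. The `other` entry is what makes the workaround hold together: without the A record, `some.abcd.com` would itself fall under the `*.abcd.com` wildcard and the chain would leave the zone again, which is why the comment lists all three records rather than just the explicit `_acme-challenge` CNAME.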
