Issues with the dns_acmedns.sh in recent acme.sh
b-a-t opened this issue · comments
I'm not sure if that would reach the original author of the dns_acmedns.sh
provider, but ATM it has notable operational issues, please take a look at: acmesh-official#4221.
Let me repeat my comment there:
I think that @Spekpannenkoek's analysis is correct, but on top of that the current dns_acmedns.sh
script destroys the account information on the first run and, especially if you run a self-hosted acme-dns
server, all subsequent runs create and use newly created accounts on every run.
One of the indications of such a problem is the line:
[Thu 04 Aug 2022 10:35:29 AM +03] Press enter to continue...
in the debug output.
It comes down to the code in the script:
```sh
dns_acmedns_add() {
  fulldomain=$1
  txtvalue=$2
  _info "Using acme-dns"
  _debug "fulldomain $fulldomain"
  _debug "txtvalue $txtvalue"

  #for compatibility from account conf
  ACMEDNS_USERNAME="${ACMEDNS_USERNAME:-$(_readaccountconf_mutable ACMEDNS_USERNAME)}"
  _clearaccountconf_mutable ACMEDNS_USERNAME
  ACMEDNS_PASSWORD="${ACMEDNS_PASSWORD:-$(_readaccountconf_mutable ACMEDNS_PASSWORD)}"
  _clearaccountconf_mutable ACMEDNS_PASSWORD
  ACMEDNS_SUBDOMAIN="${ACMEDNS_SUBDOMAIN:-$(_readaccountconf_mutable ACMEDNS_SUBDOMAIN)}"
  _clearaccountconf_mutable ACMEDNS_SUBDOMAIN

  ACMEDNS_BASE_URL="${ACMEDNS_BASE_URL:-$(_readdomainconf ACMEDNS_BASE_URL)}"
  ACMEDNS_USERNAME="${ACMEDNS_USERNAME:-$(_readdomainconf ACMEDNS_USERNAME)}"
  ACMEDNS_PASSWORD="${ACMEDNS_PASSWORD:-$(_readdomainconf ACMEDNS_PASSWORD)}"
  ACMEDNS_SUBDOMAIN="${ACMEDNS_SUBDOMAIN:-$(_readdomainconf ACMEDNS_SUBDOMAIN)}"

  if [ "$ACMEDNS_BASE_URL" = "" ]; then
    ACMEDNS_BASE_URL="https://auth.acme-dns.io"
  fi
```
So what happens here is the removal of the acme-dns account info from the $ACME_HOME/account.conf file and transition of it to the domain config file $CERT_HOME/domain/domain.conf for the first domain you happen to add/renew after the upgrade. All subsequent runs won't have that info and will start to create new accounts on the default https://auth.acme-dns.io server.
The cure is also given in the top comments of the script:
```sh
# Usage:
# export ACMEDNS_BASE_URL="https://auth.acme-dns.io"
#
# You can optionally define an already existing account:
#
# export ACMEDNS_USERNAME="<username>"
# export ACMEDNS_PASSWORD="<password>"
# export ACMEDNS_SUBDOMAIN="<subdomain>"
```
Also, for existing domains you can add those lines to the $domain.conf file:

```sh
...
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_Keylength='2048'
Le_DNSSleep='15'
Le_CertCreateTime='1659950296'
Le_CertCreateTimeStr='Mon Aug 8 09:18:17 UTC 2022'
Le_NextRenewTimeStr='Fri Oct 7 09:18:16 UTC 2022'
Le_NextRenewTime='1665047896'
ACMEDNS_BASE_URL="https://auth.acme-dns.io"
ACMEDNS_USERNAME="<username>"
ACMEDNS_PASSWORD="<password>"
ACMEDNS_SUBDOMAIN="<subdomain>"
```
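A check worth running before the next renewal, added here as example code that is not from the issue or from acme.sh: a POSIX shell script that scans a CERT_HOME-style tree and reports which domain confs lack the ACMEDNS_* keys quoted above, i.e. which domains would silently register a fresh acme-dns account on their next run. The `$CERT_HOME/<domain>/<domain>.conf` layout and the constructed sample confs are assumptions.

```shell
# Added example, not part of the issue or of acme.sh: report which domain
# configs under a CERT_HOME-style tree carry the acme-dns account keys that
# dns_acmedns.sh reads via _readdomainconf. A domain without them registers a
# fresh account on its next run. Layout and sample confs are assumptions.

# Print "ok" (exit 0) or "missing: KEY ..." (exit 1) for one conf file;
# values may be single- or double-quoted, only the key's presence is checked.
acmedns_conf_status() {
  conf=$1
  missing=""
  for key in ACMEDNS_BASE_URL ACMEDNS_USERNAME ACMEDNS_PASSWORD ACMEDNS_SUBDOMAIN; do
    grep -q "^${key}=" "$conf" 2>/dev/null || missing="$missing $key"
  done
  if [ -z "$missing" ]; then echo "ok"; return 0; fi
  echo "missing:$missing"
  return 1
}

# One line per domain directory; exit status is the number of domains lacking keys.
acmedns_scan() {
  cert_home=$1
  bad=0
  for conf in "$cert_home"/*/*.conf; do
    [ -f "$conf" ] || continue
    domain=$(basename "$(dirname "$conf")")
    status=$(acmedns_conf_status "$conf") || bad=$((bad + 1))
    printf '%s: %s\n' "$domain" "$status"
  done
  return "$bad"
}

# Constructed sample tree: one domain that received the migrated account (the
# first renewal after the upgrade, per the issue) and one that did not.
make_sample_tree() {
  root=$1
  mkdir -p "$root/first.example" "$root/second.example"
  printf '%s\n' "Le_API='https://acme-v02.api.letsencrypt.org/directory'" \
    'ACMEDNS_BASE_URL="https://auth.acme-dns.io"' \
    'ACMEDNS_USERNAME="<username>"' 'ACMEDNS_PASSWORD="<password>"' \
    'ACMEDNS_SUBDOMAIN="<subdomain>"' >"$root/first.example/first.example.conf"
  printf '%s\n' "Le_API='https://acme-v02.api.letsencrypt.org/directory'" \
    "Le_Keylength='2048'" >"$root/second.example/second.example.conf"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
acmedns_scan "$tmp" || echo "$? domain(s) would register a new acme-dns account"
rm -rf "$tmp"
```

Point `acmedns_scan` at the real `$CERT_HOME` (and the `_ecc` directories it contains) to see which domains still need the ACMEDNS_* lines added to their conf.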