dampfklon / acme.sh

A pure Unix shell script implementing the ACME client protocol

Home Page: https://acme.sh

Issues with the dns_acmedns.sh in recent acme.sh

b-a-t opened this issue · comments

I'm not sure whether this will reach the original author of the dns_acmedns.sh provider, but ATM it has notable operational issues; please take a look at acmesh-official#4221.

Let me repeat my comment there:

I think that @Spekpannenkoek's analysis is correct, but on top of that the current dns_acmedns.sh script destroys the account information on the first run and, especially if you run a self-hosted acme-dns server, all subsequent runs create and use newly created accounts every time.

One of the indications of such a problem is the line:

```text
[Thu 04 Aug 2022 10:35:29 AM +03] Press enter to continue...
```

in the debug output.

It comes down to the code in the script:

```sh
dns_acmedns_add() {
  fulldomain=$1
  txtvalue=$2
  _info "Using acme-dns"
  _debug "fulldomain $fulldomain"
  _debug "txtvalue $txtvalue"

  # for compatibility from account conf
  ACMEDNS_USERNAME="${ACMEDNS_USERNAME:-$(_readaccountconf_mutable ACMEDNS_USERNAME)}"
  _clearaccountconf_mutable ACMEDNS_USERNAME
  ACMEDNS_PASSWORD="${ACMEDNS_PASSWORD:-$(_readaccountconf_mutable ACMEDNS_PASSWORD)}"
  _clearaccountconf_mutable ACMEDNS_PASSWORD
  ACMEDNS_SUBDOMAIN="${ACMEDNS_SUBDOMAIN:-$(_readaccountconf_mutable ACMEDNS_SUBDOMAIN)}"
  _clearaccountconf_mutable ACMEDNS_SUBDOMAIN

  ACMEDNS_BASE_URL="${ACMEDNS_BASE_URL:-$(_readdomainconf ACMEDNS_BASE_URL)}"
  ACMEDNS_USERNAME="${ACMEDNS_USERNAME:-$(_readdomainconf ACMEDNS_USERNAME)}"
  ACMEDNS_PASSWORD="${ACMEDNS_PASSWORD:-$(_readdomainconf ACMEDNS_PASSWORD)}"
  ACMEDNS_SUBDOMAIN="${ACMEDNS_SUBDOMAIN:-$(_readdomainconf ACMEDNS_SUBDOMAIN)}"

  if [ "$ACMEDNS_BASE_URL" = "" ]; then
    ACMEDNS_BASE_URL="https://auth.acme-dns.io"
  fi
  # ... rest of the function not quoted here
}
```

So what happens here is the removal of the acme-dns account info from the $ACME_HOME/account.conf file and its transfer to the domain config file $CERT_HOME/domain/domain.conf of the first domain you happen to add/renew after the upgrade. All subsequent runs won't have that info and will start to create new accounts on the default https://auth.acme-dns.io server.

The cure is also given in the top comments of the script:

```sh
# Usage:
# export ACMEDNS_BASE_URL="https://auth.acme-dns.io"
#
# You can optionally define an already existing account:
#
# export ACMEDNS_USERNAME="<username>"
# export ACMEDNS_PASSWORD="<password>"
# export ACMEDNS_SUBDOMAIN="<subdomain>"
```

Also, for existing domains you can add these lines to the $domain.conf file:

```sh
...
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_Keylength='2048'
Le_DNSSleep='15'
Le_CertCreateTime='1659950296'
Le_CertCreateTimeStr='Mon Aug  8 09:18:17 UTC 2022'
Le_NextRenewTimeStr='Fri Oct  7 09:18:16 UTC 2022'
Le_NextRenewTime='1665047896'
ACMEDNS_BASE_URL="https://auth.acme-dns.io"
ACMEDNS_USERNAME="<username>"
ACMEDNS_PASSWORD="<password>"
ACMEDNS_SUBDOMAIN="<subdomain>"
```
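The following is an added example, not code from acme.sh or from this issue: it replays the order of operations quoted from dns_acmedns_add against throwaway conf files, so you can see the second domain after the upgrade lose its credentials and verify that pre-seeding its domain conf (the cure above) restores them. conf_read, conf_clear and conf_save are simplified stand-ins for acme.sh's _readaccountconf_mutable, _clearaccountconf_mutable and _savedomainconf (assumption: plain KEY='value' or KEY="value" lines, no base64 encoding), and all file names and credential values are constructed.

```shell
#!/bin/sh
# Added example (not acme.sh's code): replay the quoted dns_acmedns_add logic on
# throwaway conf files. conf_read/conf_clear/conf_save stand in for acme.sh's
# _readaccountconf_mutable/_clearaccountconf_mutable/_savedomainconf
# (assumption: plain KEY='value' or KEY="value" lines, no base64 encoding).
WORK="${TMPDIR:-/tmp}/acmedns-demo.$$"
ACCOUNT_CONF="$WORK/account.conf"
DEFAULT_BASE_URL="https://auth.acme-dns.io"
conf_read() { # conf_read FILE KEY -> value, empty if the key is absent
  [ -f "$1" ] || return 0
  sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}\$/\1/p" "$1" | tail -n 1
}
conf_clear() { # conf_clear FILE KEY: delete the key, as _clearaccountconf_mutable does
  [ -f "$1" ] || return 0
  { grep -v "^$2=" "$1" || true; } > "$1.tmp" && mv "$1.tmp" "$1"
}
conf_save() { printf "%s='%s'\n" "$2" "$3" >> "$1"; } # conf_save FILE KEY VALUE
# Same order as the excerpt: read the account-level value and clear it, fall back to the
# domain conf, default the base URL. Prints "BASE_URL USER" (0) or "REGISTER_NEW BASE_URL" (1).
acmedns_resolve() { # acmedns_resolve DOMAIN_CONF
  dconf=$1; user=""
  for k in ACMEDNS_USERNAME ACMEDNS_PASSWORD ACMEDNS_SUBDOMAIN; do
    v="$(conf_read "$ACCOUNT_CONF" "$k")"
    conf_clear "$ACCOUNT_CONF" "$k"                   # gone for every later domain
    if [ -n "$v" ]; then conf_save "$dconf" "$k" "$v" # what _savedomainconf does later on
    else v="$(conf_read "$dconf" "$k")"; fi           # the fallback the cure relies on
    case $k in ACMEDNS_USERNAME) user=$v ;; esac
  done
  base="$(conf_read "$dconf" ACMEDNS_BASE_URL)"
  [ -n "$base" ] || base="$DEFAULT_BASE_URL"
  if [ -z "$user" ]; then printf 'REGISTER_NEW %s\n' "$base"; return 1; fi
  printf '%s %s\n' "$base" "$user"
}
# The cure from the issue: add the four lines to an existing domain conf (present keys are kept).
acmedns_seed() { # acmedns_seed DOMAIN_CONF BASE_URL USERNAME PASSWORD SUBDOMAIN
  for kv in "ACMEDNS_BASE_URL=$2" "ACMEDNS_USERNAME=$3" "ACMEDNS_PASSWORD=$4" "ACMEDNS_SUBDOMAIN=$5"; do
    k=${kv%%=*}; [ -n "$(conf_read "$1" "$k")" ] || conf_save "$1" "$k" "${kv#*=}"
  done
}
demo_setup() { # constructed sample state: one account in account.conf, two empty domain confs
  mkdir -p "$WORK"; : > "$WORK/first.conf"; : > "$WORK/second.conf"
  printf "ACMEDNS_USERNAME='user-1'\nACMEDNS_PASSWORD='pw-1'\nACMEDNS_SUBDOMAIN='sub-1'\n" > "$ACCOUNT_CONF"; }
if [ "${1:-}" = "--demo" ]; then
  demo_setup
  acmedns_resolve "$WORK/first.conf"                  # https://auth.acme-dns.io user-1
  acmedns_resolve "$WORK/second.conf" || echo "second domain would register a new account"
  acmedns_seed "$WORK/second.conf" https://acme-dns.example.test user-1 pw-1 sub-1
  acmedns_resolve "$WORK/second.conf"                 # https://acme-dns.example.test user-1
  rm -rf "$WORK"
fi
```

Run it with `--demo` to see the first domain succeed, the second fall through to REGISTER_NEW, and the seeded second domain resolve against the self-hosted base URL.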