Bug #10642

closed

ACME certificate renewal with DNS-Gandi method fails when using multiple Gandi keys

Added by Oriane Tury over 4 years ago. Updated over 3 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
ACME
Target version:
-
Start date:
06/08/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
All

Description

With the ACME service, when trying to issue/renew a certificate on 2 domain names (or more) using the DNS-Gandi Live DNS validation method, with each domain name using a distinct Gandi LiveDNS API Key, pfSense will only use the API key registered for the last domain in the Domain SAN list of the certificate. Thus the validation for the first domain fails unexpectedly.

(The whole setup is intended for a HTTPS reverse proxy in front of multiple webservers whose domain names pertain to different people.)

Here is the report printed after trying to issue/renew a certificate with oriane.ink and minuscheri.com (in this order) in the Domain SAN list. Validation method for both is DNS-Gandi LiveDNS, but API keys are distinct.

certificat_bug_reproductible
Renewing certificate 
account: TEST 
server: letsencrypt-staging-2 

/usr/local/pkg/acme/acme.sh  --issue  -d 'oriane.ink' --dns 'dns_gandi_livedns'  -d 'minuscheri.com' --dns 'dns_gandi_livedns'  --home '/tmp/acme/certificat_bug_reproductible/' --accountconf '/tmp/acme/certificat_bug_reproductible/accountconf.conf' --force --reloadCmd '/tmp/acme/certificat_bug_reproductible/reloadcmd.sh' --log-level 3 --log '/tmp/acme/certificat_bug_reproductible/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [GANDI_LIVEDNS_KEY] => <KEY_MINUSCHERI_COM>
)
[Mon Jun  8 21:46:41 CEST 2020] Multi domain='DNS:oriane.ink,DNS:minuscheri.com'
[Mon Jun  8 21:46:41 CEST 2020] Getting domain auth token for each domain
[Mon Jun  8 21:46:45 CEST 2020] Getting webroot for domain='oriane.ink'
[Mon Jun  8 21:46:45 CEST 2020] Getting webroot for domain='minuscheri.com'
[Mon Jun  8 21:46:45 CEST 2020] Adding txt value: 6fwWiw6znabab0nuzw4MUHPOo1l8_qftNOZvWXXXXXX for domain:  _acme-challenge.oriane.ink
[Mon Jun  8 21:46:46 CEST 2020] Error add txt for domain:_acme-challenge.oriane.ink
[Mon Jun  8 21:46:46 CEST 2020] Please check log file for more details: /tmp/acme/certificat_bug_reproductible/acme_issuecert.log
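The environment dump above shows the mechanism behind the failure: a single GANDI_LIVEDNS_KEY variable is passed to acme.sh, so when two SAN entries each carry their own Gandi key, the one assembled last wins and the first domain's TXT record update is attempted with the wrong credential. The following script is an added illustration, not pfSense or acme.sh code; the SAN_LIST structure, the placeholder key values and the function names are assumptions made for this example. It models the flat environment assembly, then runs a pre-flight check that flags SAN entries whose DNS-API credential would be overwritten before acme.sh is ever invoked.

```python
"""Pre-flight check for per-domain DNS-API credential collisions in a
multi-SAN ACME order (illustrative example; not pfSense/acme.sh code)."""
from collections import defaultdict

# Constructed sample modelled on the bug report: two SAN entries, both using
# the Gandi LiveDNS method, each with its own API key. Key values are
# placeholders, not real credentials.
SAN_LIST = [
    {"domain": "oriane.ink", "method": "dns_gandi_livedns",
     "env": {"GANDI_LIVEDNS_KEY": "<KEY_ORIANE_INK>"}},
    {"domain": "minuscheri.com", "method": "dns_gandi_livedns",
     "env": {"GANDI_LIVEDNS_KEY": "<KEY_MINUSCHERI_COM>"}},
]


def build_env(san_list):
    """Assemble one flat environment for the acme.sh call.

    This reproduces the behaviour seen in the report: every entry writes the
    same variable name, so the last entry in the SAN list silently wins.
    """
    env = {}
    for entry in san_list:
        env.update(entry["env"])
    return env


def find_credential_collisions(san_list):
    """Return {variable: {value: [domains]}} for every environment variable
    that different SAN entries set to different values."""
    seen = defaultdict(dict)
    for entry in san_list:
        for var, value in entry["env"].items():
            seen[var].setdefault(value, []).append(entry["domain"])
    return {var: values for var, values in seen.items() if len(values) > 1}


def domains_losing_credentials(san_list):
    """Domains whose own credential is not the one present in the flat env.

    These are the domains whose DNS challenge will be attempted with another
    domain's key, i.e. the ones that will fail validation.
    """
    flat = build_env(san_list)
    return [
        entry["domain"]
        for entry in san_list
        if any(flat.get(var) != value for var, value in entry["env"].items())
    ]


def preflight_report(san_list):
    """Human-readable summary suitable for logging before calling acme.sh."""
    collisions = find_credential_collisions(san_list)
    if not collisions:
        return "OK: no per-domain credential collisions"
    lines = ["REFUSING to issue: conflicting DNS-API credentials in SAN list"]
    for var, values in collisions.items():
        for value, domains in values.items():
            lines.append(f"  {var} = {value}  used by {', '.join(domains)}")
    losers = domains_losing_credentials(san_list)
    lines.append(f"  domains that would validate with the wrong key: {', '.join(losers)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(preflight_report(SAN_LIST))
```

Run as-is, the check reports that GANDI_LIVEDNS_KEY carries two different values and that oriane.ink is the domain that would be validated with minuscheri.com's key, which is exactly the "Error add txt for domain:_acme-challenge.oriane.ink" line in the log. Refusing the order at this point gives an operator a clear message instead of a partially failed renewal.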

Related issues

Is duplicate of Bug #8560: ACME: can't update DNS records in DNSMadeEasy registrar for several domains with different API keys/ids (New, 06/08/2018)
