Bug #11614 (Closed): ACME certificate renewal/creation fails with multiple DNS providers
Description
When trying to issue/renew ACME certificates to multiple different DNS providers with the DNS verification method, the verification fails. In my use case, I am using Dreamhost and Route 53 DNS verification.
When executing the issue/renewal, the ACME script uses the last credentials method's credentials for both verification methods.
If I set up Dreamhost first, then Route 53, then the script sends the AWS API credentials to Dreamhost.
If I set up Route 53 first, then Dreamhost, then the script sends the Dreamhost API credentials to Route 53.
Related issues
Updated by Jim Pingle over 3 years ago
- Status changed from New to Duplicate
Updated by Jim Pingle over 3 years ago
- Related to Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids added
Updated by Jim Pingle over 3 years ago
- Related to deleted (Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids)
Updated by Jim Pingle over 3 years ago
- Is duplicate of Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids added
Updated by Ben Tyger over 3 years ago
Workaround in #8560 does not reliably work for this scenario of the bug. So effectively, there is no workaround.
Updated by Jim Pingle over 3 years ago
Right, and there is also no solution yet, but it's all the same problem with multiple (different) credentials.
Depending on the use case you could make one certificate per domain name instead of combining them into one single certificate. Some software (e.g. haproxy) is more than capable of deciding to use different certificates based on SNI/hostname.
Updated by Sherif Fanous 8 months ago
3 years later and I ran into the same issue and the fix is actually extremely simple.
The logic in the function issue_certificate in acme.inc has a bug.
The issue is due to the scope of the $envvariables array. It's being defined inside the foreach loop that iterates over the domains, so it gets reset with each iteration. This means that only the environment variables for the last domain are preserved when the loop finishes.
Here's the problematic part:
<?php
foreach($certificate['a_domainlist']['item'] as $domain) {
// ...
$envvariables = array(); // This line is the problem
// ...
}
?>
To fix this, the $envvariables array should be initialized before the foreach loop starts. This way, the environment variables for each domain will be preserved across iterations. Here's the simple fix:
<?php
$envvariables = array(); // Initialize the array here, once, before the loop
foreach($certificate['a_domainlist']['item'] as $domain) {
// ... each iteration now adds its variables to the shared array
}
?>
While this fixes the exact issue described here, and my issue where I want to issue a single certificate with domains spanning across Route53 and Cloudflare, it doesn't solve the issue of dealing with a single certificate spanning across multiple accounts of the same provider (e.g. 2 domains belonging to 2 different Cloudflare accounts).
This, however, is a limitation in acme.sh itself, so no code change in the acme package can fix it. However, there is a workaround, which is to use DNS alias mode as explained in https://docs.netgate.com/pfsense/en/latest/packages/acme/settings-dnsalias.html
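The following is an added example and is not code from the pfSense acme package or from any commenter in this thread. It models the two loop shapes discussed above (array created inside the loop versus once before it) over a constructed two-domain certificate, and then shows why even the fixed loop cannot carry two credentials for the same provider. The array layout (name, method, credentials keys), the hypothetical env_buggy, env_fixed and env_prefix functions, and the variable names DH_API_KEY, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and CF_Token are assumptions chosen to mirror acme.sh dnsapi conventions, not the package's real data structure.

```php
<?php
// Added example, not acme.inc code. Constructed input: one certificate
// covering two domains, each validated through a different DNS provider.
$certificate = [
    'a_domainlist' => ['item' => [
        ['name' => 'example.com', 'method' => 'dns_dreamhost',
         'credentials' => ['DH_API_KEY' => 'dreamhost-key-REDACTED']],
        ['name' => 'example.net', 'method' => 'dns_aws',
         'credentials' => ['AWS_ACCESS_KEY_ID'     => 'AKIA-REDACTED',
                           'AWS_SECRET_ACCESS_KEY' => 'aws-secret-REDACTED']],
    ]],
];

// Buggy shape: the array is (re)created on every iteration, so when the loop
// ends only the last domain's variables remain to be handed to acme.sh.
function env_buggy(array $certificate): array {
    foreach ($certificate['a_domainlist']['item'] as $domain) {
        $envvariables = array();                 // reset each iteration
        foreach ($domain['credentials'] as $k => $v) {
            $envvariables[$k] = $v;
        }
    }
    return $envvariables ?? [];                  // undefined if no domains
}

// Fixed shape: initialise once before the loop so every domain contributes.
function env_fixed(array $certificate): array {
    $envvariables = array();
    foreach ($certificate['a_domainlist']['item'] as $domain) {
        foreach ($domain['credentials'] as $k => $v) {
            if (isset($envvariables[$k]) && $envvariables[$k] !== $v) {
                // Two domains set the same variable name: a single acme.sh
                // process can only see one value, so the later one wins.
                fwrite(STDERR, "warning: $k set twice with different values\n");
            }
            $envvariables[$k] = $v;
        }
    }
    return $envvariables;
}

// Render the environment prefix that would precede an acme.sh invocation.
// Values are shell-escaped because they come from user-supplied config.
function env_prefix(array $env): string {
    $parts = [];
    foreach ($env as $k => $v) {
        $parts[] = $k . '=' . escapeshellarg($v);
    }
    return implode(' ', $parts);
}

echo "buggy: ", env_prefix(env_buggy($certificate)), "\n";   // AWS vars only
echo "fixed: ", env_prefix(env_fixed($certificate)), "\n";   // DH + AWS vars

// Same provider, two accounts: even the fixed loop cannot keep both tokens,
// which is the remaining limitation that DNS alias mode is used to sidestep.
$twoAccounts = ['a_domainlist' => ['item' => [
    ['name' => 'a.example', 'method' => 'dns_cf',
     'credentials' => ['CF_Token' => 'token-account-A']],
    ['name' => 'b.example', 'method' => 'dns_cf',
     'credentials' => ['CF_Token' => 'token-account-B']],
]]];
echo "two accounts: ", env_prefix(env_fixed($twoAccounts)), "\n"; // account B only
```

Run it with the PHP CLI. The first line shows the Dreamhost key missing entirely, which is the symptom in the original report (the wrong provider's credentials are sent to Dreamhost); the second shows both providers' variables present; the third shows that a shared variable name collapses to one value regardless of how the array is scoped.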