Bug #11614

closed

ACME certificate renewal/creation fails with multiple DNS providers

Added by Ben Tyger about 3 years ago. Updated 6 days ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
ACME
Target version:
-
Start date:
03/03/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.4.5-p1
Affected Plus Version:
Affected Architecture:

Description

When trying to issue/renew ACME certificates to multiple different DNS providers with the DNS verification method, the verification fails. In my use case, I am using Dreamhost and Route 53 DNS verification.

When executing the issue/renewal, the ACME script uses the last credentials method's credentials for both verification methods.

If I set up Dreamhost first, then Route 53, then the script sends the AWS API credentials to Dreamhost.

If I set up Route 53 first, then Dreamhost, then the script sends the Dreamhost API credentials to Route 53.


Related issues

Is duplicate of Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids (Status: New, 06/08/2018)

Actions #1

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Duplicate

Same root problem as #10642 and #8560

Actions #2

Updated by Jim Pingle about 3 years ago

  • Related to Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids added
Actions #3

Updated by Jim Pingle about 3 years ago

  • Related to deleted (Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids)
Actions #4

Updated by Jim Pingle about 3 years ago

  • Is duplicate of Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids added
Actions #5

Updated by Ben Tyger about 3 years ago

Workaround in #8560 does not reliably work for this scenario of the bug. So effectively, there is no workaround.

Actions #6

Updated by Jim Pingle about 3 years ago

Right, and there is also no solution yet, but it's all the same problem with multiple (different) credentials.

Depending on the use case you could make one certificate per domain name instead of combining them into one single certificate. Some software (e.g. haproxy) is more than capable of deciding to use different certificates based on SNI/hostname.

Actions #7

Updated by Sherif Fanous 6 days ago

Three years later and I ran into the same issue, and the fix is actually extremely simple.

The logic in the function issue_certificate in acme.inc has a bug.

The issue is due to the scope of the $envvariables array. It's being defined inside the foreach loop that iterates over the domains, so it gets reset with each iteration. This means that only the environment variables for the last domain are preserved when the loop finishes.

Here's the problematic part:

<?php
foreach($certificate['a_domainlist']['item'] as $domain) {
    // ...
    $envvariables = array(); // This line is the problem
    // ...
}
?>

To fix this, the $envvariables array should be initialized before the foreach loop starts. This way, the environment variables for each domain will be preserved across iterations. Here's the simple fix:

<?php
$envvariables = array(); // Initialize the array here
foreach($certificate['a_domainlist']['item'] as $domain) {
    // ...
}
?>

While this fixes the exact issue described here, and my issue where I want to issue a single certificate with domains spanning across Route53 and Cloudflare, it doesn't solve the issue of dealing with a single certificate spanning across multiple accounts of the same provider (e.g. 2 domains belonging to 2 different Cloudflare accounts).

This, however, is a limitation in acme.sh itself, so no code change in the acme package can fix it. However, there is a workaround, which is to use DNS alias mode as explained in https://docs.netgate.com/pfsense/en/latest/packages/acme/settings-dnsalias.html
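The following is an added example, not code from the pfSense ACME package or from the commenter above. It models in Python the environment-variable accumulation described in comment #7: the buggy loop that re-creates the array on every domain, the fixed loop that accumulates across domains, and the remaining limitation that two domains setting the same variable name (two accounts at one provider) cannot share a single acme.sh invocation. The domain names, provider credential values, and the variable names (DH_API_KEY, AWS_*, CF_Token) are constructed placeholders chosen to resemble what acme.sh DNS hooks read; treat them as assumptions.

```python
"""Model of the $envvariables scoping bug in issue_certificate (added example).

Each certificate domain carries the environment variables its DNS hook needs.
All domains of one certificate are validated in a single acme.sh run, so the
variables must be merged into one environment before that run.
"""

# Constructed sample: one certificate whose domain list spans two DNS providers.
CERT_DOMAINS = [
    {"name": "www.example.com",
     "env": {"DH_API_KEY": "dreamhost-key-placeholder"}},
    {"name": "api.example.net",
     "env": {"AWS_ACCESS_KEY_ID": "AKIA-placeholder",
             "AWS_SECRET_ACCESS_KEY": "aws-secret-placeholder"}},
]

# Constructed sample: two domains at the same provider but different accounts,
# so both want to set the same variable to different values.
TWO_ACCOUNTS = [
    {"name": "a.example.org", "env": {"CF_Token": "cloudflare-token-account-1"}},
    {"name": "b.example.org", "env": {"CF_Token": "cloudflare-token-account-2"}},
]


def build_env_buggy(domains):
    """Mirror of the original loop: the container is re-created on every
    iteration, so only the last domain's variables survive the loop."""
    envvariables = {}
    for domain in domains:
        envvariables = {}                      # reset each iteration (the bug)
        envvariables.update(domain["env"])
    return envvariables


def build_env_fixed(domains):
    """The fix from comment #7: initialise once, accumulate across domains."""
    envvariables = {}
    for domain in domains:
        envvariables.update(domain["env"])
    return envvariables


def build_env_checked(domains):
    """Fixed accumulation plus a guard for the limitation comment #7 notes.

    If two domains set the same variable name to different values, one
    account's credentials would silently overwrite the other's in the merged
    environment. Refuse instead of letting the later domain win; the
    operator can then split the certificate or use DNS alias mode.
    """
    envvariables = {}
    for domain in domains:
        for key, value in domain["env"].items():
            if key in envvariables and envvariables[key] != value:
                raise ValueError(
                    f"{domain['name']}: {key} is already set for another domain "
                    "with a different value; split the certificate or use DNS "
                    "alias mode")
            envvariables[key] = value
    return envvariables


def missing_variables(domains, env):
    """Return {domain name: [variable names]} for every domain whose DNS hook
    would not find its own credentials in the merged environment."""
    missing = {}
    for domain in domains:
        absent = [k for k in domain["env"] if k not in env]
        if absent:
            missing[domain["name"]] = absent
    return missing


if __name__ == "__main__":
    buggy = build_env_buggy(CERT_DOMAINS)
    print("buggy env:", sorted(buggy))
    print("domains left without credentials:", missing_variables(CERT_DOMAINS, buggy))
    fixed = build_env_fixed(CERT_DOMAINS)
    print("fixed env:", sorted(fixed))
    print("domains left without credentials:", missing_variables(CERT_DOMAINS, fixed))
    try:
        build_env_checked(TWO_ACCOUNTS)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block shows the buggy merge leaving www.example.com without DH_API_KEY, the fixed merge carrying all three variables, and the two-account case being rejected rather than silently using the second account's token for both domains.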
