Bug #11614

closed

ACME certificate renewal/creation fails with multiple DNS providers

Added by Ben Tyger 9 months ago. Updated 9 months ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: ACME
Target version: -
Start date: 03/03/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.4.5-p1
Affected Plus Version:
Affected Architecture:

Description

When trying to issue/renew ACME certificates to multiple different DNS providers with the DNS verification method, the verification fails. In my use case, I am using Dreamhost and Route 53 DNS verification.

When executing the issue/renewal, the ACME script uses the last credentials method's credentials for both verification methods.

If I set up Dreamhost first, then Route 53, then the script sends the AWS API credentials to Dreamhost.

If I set up Route 53 first, then Dreamhost, then the script sends the Dreamhost API credentials to Route 53.


Related issues

Is duplicate of Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids (New, 06/08/2018)

Actions #1

Updated by Jim Pingle 9 months ago

  • Status changed from New to Duplicate

Same root problem as #10642 and #8560

Actions #2

Updated by Jim Pingle 9 months ago

  • Related to Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids added
Actions #3

Updated by Jim Pingle 9 months ago

  • Related to deleted (Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids)
Actions #4

Updated by Jim Pingle 9 months ago

  • Is duplicate of Bug #8560: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids added
Actions #5

Updated by Ben Tyger 9 months ago

Workaround in #8560 does not reliably work for this scenario of the bug. So effectively, there is no workaround.

Actions #6

Updated by Jim Pingle 9 months ago

Right, and there is also no solution yet, but it's all the same problem with multiple (different) credentials.

Depending on the use case you could make one certificate per domain name instead of combining them into one single certificate. Some software (e.g. haproxy) is more than capable of deciding to use different certificates based on SNI/hostname.
