pfSense bugtracker
pfSense Packages - Bug #11614: ACME certificate renewal/creation fails with multiple DNS providers
https://redmine.pfsense.org/issues/11614?journal_id=51894 2021-03-03T13:25:05Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Duplicate</i></li></ul><p>Same root problem as <a class="issue tracker-1 status-11 priority-4 priority-default closed" title="Bug: ACME certificate renewal with DNS-Gandi method fails when using multiple Gandi keys (Duplicate)" href="https://redmine.pfsense.org/issues/10642">#10642</a> and <a class="issue tracker-1 status-1 priority-4 priority-default" title="Bug: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API key... (New)" href="https://redmine.pfsense.org/issues/8560">#8560</a>.</p>

https://redmine.pfsense.org/issues/11614?journal_id=51900 2021-03-03T13:25:42Z Jim Pingle
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-1 priority-4 priority-default" href="/issues/8560">Bug #8560</a>: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids</i> added</li></ul>

https://redmine.pfsense.org/issues/11614?journal_id=51902 2021-03-03T13:25:51Z Jim Pingle
<ul><li><strong>Related to</strong> deleted (<i><a class="issue tracker-1 status-1 priority-4 priority-default" href="/issues/8560">Bug #8560</a>: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids</i>)</li></ul>

https://redmine.pfsense.org/issues/11614?journal_id=51903 2021-03-03T13:25:59Z Jim Pingle
<ul><li><strong>Is duplicate of</strong> <i><a class="issue tracker-1 status-1 priority-4 priority-default" href="/issues/8560">Bug #8560</a>: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API keys/ids</i> added</li></ul>

https://redmine.pfsense.org/issues/11614?journal_id=51975 2021-03-05T14:04:23Z Ben Tyger
<ul></ul><p>Workaround in <a class="issue tracker-1 status-1 priority-4 priority-default" title="Bug: ACME: can't update DNS records in DNSMadeEasy registar for several domains with different API key... (New)" href="https://redmine.pfsense.org/issues/8560">#8560</a> does not reliably work for this scenario of the bug. So effectively, there is no workaround.</p>

https://redmine.pfsense.org/issues/11614?journal_id=51976 2021-03-05T14:18:43Z Jim Pingle
<ul></ul><p>Right, and there is also no solution yet, but it's all the same problem with multiple (different) credentials.</p>
<p>Depending on the use case you could make one certificate per domain name instead of combining them into one single certificate. Some software (e.g. haproxy) is more than capable of deciding to use different certificates based on SNI/hostname.</p>

https://redmine.pfsense.org/issues/11614?journal_id=72721 2024-03-23T15:42:37Z Sherif Fanous
<ul></ul><p>3 years later I ran into the same issue, and the fix is actually extremely simple.</p>
<p>The logic in the function <code>issue_certificate</code> in <code>acme.inc</code> has a bug.</p>
<p>The issue is due to the scope of the <code>$envvariables</code> array. It's being defined inside the foreach loop that iterates over the domains, so it gets reset with each iteration. This means that only the environment variables for the last domain are preserved when the loop finishes.</p>
<p>Here's the problematic part:</p>
<pre><code class="php syntaxhl"><?php
foreach ($certificate['a_domainlist']['item'] as $domain) {
    // ...
    $envvariables = array(); // This line is the problem
    // ...
}
?>
</code></pre>
<p>To fix this, the <code>$envvariables</code> array should be initialized before the foreach loop starts. This way, the environment variables for each domain will be preserved across iterations. Here's the simple fix:</p>
<pre><code class="php syntaxhl"><?php
$envvariables = array(); // Initialize the array here
foreach ($certificate['a_domainlist']['item'] as $domain) {
    // ...
}
?>
</code></pre>
<p>While this fixes the exact issue described here, and my issue where I want to issue a single certificate with domains spanning Route53 and Cloudflare, it doesn't solve the issue of dealing with a single certificate spanning multiple accounts of the same provider (e.g. 2 domains belonging to 2 different Cloudflare accounts).</p>
<p>This, however, is a limitation in <code>acme.sh</code> itself, so no code change in the <code>acme</code> package can fix it. However, there is a workaround, which is to use <code>DNS alias mode</code> as explained in <a class="external" href="https://docs.netgate.com/pfsense/en/latest/packages/acme/settings-dnsalias.html">https://docs.netgate.com/pfsense/en/latest/packages/acme/settings-dnsalias.html</a></p>
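<p>As an added illustration (not code from the pfSense acme package or from this thread), the scoping bug and its fix described in the last comment reduced to two small PHP functions, plus a pre-flight check for the same-provider, two-accounts case that the fix cannot cover. The <code>env</code> layout, domain names and credential values are constructed; the variable names follow acme.sh's Route53 and Cloudflare hooks.</p>

```php
<?php
// Added illustration, not code from the pfSense acme package: the $envvariables
// scoping bug beside its fix, plus a collision check. Sample data is constructed.
function collect_env_buggy(array $domains): array {
    foreach ($domains as $domain) {
        $envvariables = array();   // re-created every iteration: the bug
        foreach ($domain['env'] as $k => $v) {
            $envvariables[$k] = $v;
        }
    }
    return $envvariables ?? array();   // only the last domain's variables
}
function collect_env_fixed(array $domains): array {
    $envvariables = array();           // initialized once, before the loop
    foreach ($domains as $domain) {
        foreach ($domain['env'] as $k => $v) {
            $envvariables[$k] = $v;
        }
    }
    return $envvariables;
}
// Check worth running before acme.sh is invoked: two domains that set the same
// variable to different values cannot share one environment (the same-provider,
// two-accounts limitation above); the merge alone would silently keep the last.
function env_conflicts(array $domains): array {
    $seen = array();
    $conflicts = array();
    foreach ($domains as $domain) {
        foreach ($domain['env'] as $k => $v) {
            if (isset($seen[$k]) && $seen[$k] !== $v) {
                $conflicts[$k] = true;
            }
            $seen[$k] = $v;
        }
    }
    return array_keys($conflicts);
}
// One Route53 domain and two domains on different Cloudflare accounts.
$domains = array(
    array('name' => 'a.example', 'env' => array('AWS_ACCESS_KEY_ID' => 'AKIA-SAMPLE')),
    array('name' => 'b.example', 'env' => array('CF_Token' => 'cf-token-b')),
    array('name' => 'c.example', 'env' => array('CF_Token' => 'cf-token-c')),
);
print_r(collect_env_buggy($domains));   // the Route53 variable is gone
print_r(collect_env_fixed($domains));   // both providers, but a single CF_Token
print_r(env_conflicts($domains));       // reports the CF_Token collision
```

<p>Refusing to run when <code>env_conflicts()</code> is non-empty turns the silent credential overwrite into an explicit error before the DNS challenge is attempted.</p>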