Bug #9665
acme.sh deleting A record for domain along with TXT record for _acme-challenge
Status: Closed
Description
I was trying to set up a LetsEncrypt certificate for my domain using Linode's v4 DNS API. I was able to generate the certificate using the staging server, but I also noticed that acme.sh is removing the A record for my domain along with the TXT record for the _acme-challenge domain.
Here are the logs (https://privatebin.net/?9fb794675d24cb23#2sHK56cUjtb2AfqqnNAqqvquoDHC1EVP8BbExu1ZBFgh) for the DNS record deletions from acme_issuecert.log. I have sanitized the logs for privacy purposes. 11111111 is the record ID for pfsense.my.domain.com and 22222222 is the record ID for _acme-challenge.pfsense.my.domain.com.
After LetsEncrypt verifies the TXT record, acme.sh calls _clearupwebbroot, which in turn calls _findHook to verify that the DNS script exists and then deletes the DNS record for the domain. As far as I can tell, this deletion should only happen if we use VTYPE_HTTP as the verification type. The part where the TXT record is cleared happens after _clearupwebbroot is called (in the _clearupdns function).
I looked up the acme.sh script in the official repository and it did not have the "h_api" stuff inside the _clearupwebbroot function where the A record deletion is happening. The "h_api" code was added in this commit: https://github.com/pfsense/FreeBSD-ports/commit/89d58d6676807a2a6090c993b4899407e7b42d7a. If we can check "$vtype" before going into the "h_api" section, like how we are doing before calling the addcommand function, then the A record won't be deleted when using VTYPE_DNS. I have verified that adding the if gate before entering the h_api section in the _clearupwebbroot function does fix the issue. I've attached my patch to acme.sh.
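As an added example (not code from the pfSense ACME package, from the reporter's attached patch, or from acme.sh itself), the following POSIX sh script models the cleanup path described in the report: the pfSense-specific "h_api" record deletion in _clearupwebbroot, once without and once with the $vtype gate the reporter proposes, followed by the TXT cleanup that _clearupdns performs. VTYPE_HTTP and VTYPE_DNS carry the values acme.sh defines; the zone table, the helper names h_api_delete_record and find_record_id, and the run_cleanup driver are constructed for this demonstration, with the record IDs taken from the sanitized logs above.

```shell
#!/bin/sh
# Added example, not code from the pfSense ACME package or from acme.sh.
# Models the cleanup path from the report: the "h_api" host-record deletion
# in _clearupwebbroot, ungated and gated on $vtype, then the TXT cleanup.
# VTYPE_HTTP / VTYPE_DNS use acme.sh's values; the zone table, record ids
# (from the sanitized logs) and helper names are constructed for this demo.

VTYPE_HTTP="http-01"
VTYPE_DNS="dns-01"

# Constructed zone, one "<record id> <type> <name>" per line: the host's
# A record and the validation TXT record.
INITIAL_ZONE="11111111 A pfsense.my.domain.com
22222222 TXT _acme-challenge.pfsense.my.domain.com"
ZONE=$INITIAL_ZONE

# Stand-in for the provider API "delete record by id" call (assumed helper).
h_api_delete_record() {
  ZONE=$(printf '%s\n' "$ZONE" | grep -v "^$1 " || true)
}

# Stand-in for "find the record id of <type> <name>"; prints nothing if absent.
find_record_id() {
  printf '%s\n' "$ZONE" | awk -v t="$1" -v n="$2" '$2 == t && $3 == n { print $1 }'
}

# Unpatched shape: the h_api block runs regardless of validation type, so a
# dns-01 issuance also removes the host's own A record.
_clearupwebbroot_unpatched() {
  id=$(find_record_id A "$1")
  if [ -n "$id" ]; then h_api_delete_record "$id"; fi
}

# Patched shape: only the http-01 (webroot) path should touch the host
# record, so the deletion is gated on $vtype, as the report suggests.
_clearupwebbroot_patched() {
  if [ "$vtype" = "$VTYPE_HTTP" ]; then
    id=$(find_record_id A "$1")
    if [ -n "$id" ]; then h_api_delete_record "$id"; fi
  fi
}

# The later TXT cleanup (_clearupdns in acme.sh), modelled the same way for
# both variants: it removes only the _acme-challenge record.
_clearupdns() {
  id=$(find_record_id TXT "_acme-challenge.$1")
  if [ -n "$id" ]; then h_api_delete_record "$id"; fi
}

# Run one issuance cleanup (variant: unpatched|patched, vtype: dns-01|http-01)
# against a fresh copy of the zone and print the records that survive.
run_cleanup() {
  ZONE=$INITIAL_ZONE
  vtype=$2
  "_clearupwebbroot_$1" pfsense.my.domain.com
  _clearupdns pfsense.my.domain.com
  printf '%s\n' "$ZONE"
}

printf 'unpatched, dns-01, records left: [%s]\n' "$(run_cleanup unpatched dns-01)"
printf 'patched,   dns-01, records left: [%s]\n' "$(run_cleanup patched dns-01)"
printf 'patched,   http-01, records left: [%s]\n' "$(run_cleanup patched http-01)"
```

With the gate in place a dns-01 run leaves the A record for pfsense.my.domain.com untouched and removes only the _acme-challenge TXT record, while an http-01 run still removes the host record as before; without the gate both records disappear on a dns-01 run, which is the behaviour the logs in the report show.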
Updated by Jim Pingle over 4 years ago
- Category set to ACME
- Assignee set to Jim Pingle
Updated by Jim Pingle over 4 years ago
- Status changed from New to Feedback
This should be fixed in ACME pkg version 0.6 which will be up as soon as it builds.
Updated by Ronnie Thomas over 4 years ago
Sorry for the late response. But I can confirm that ACME 0.6 does fix the issue for me. This ticket can be closed now.