
Bug #9665

acme.sh deleting A record for domain along with TXT record for _acme-challenge

Added by Ronnie Thomas 4 months ago. Updated 22 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: ACME
Target version: -
Start date: 08/04/2019
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture: All

Description

I was trying to set up a LetsEncrypt certificate for my domain using Linode's v4 DNS API. I was able to generate the certificate using the staging server, but I also noticed that acme.sh is removing the A record for my domain along with the TXT record for the _acme-challenge domain.

Here are the logs (https://privatebin.net/?9fb794675d24cb23#2sHK56cUjtb2AfqqnNAqqvquoDHC1EVP8BbExu1ZBFgh) for the DNS record deletions from acme_issuecert.log. I have sanitized the logs for privacy purposes. 11111111 is the record ID for pfsense.my.domain.com and 22222222 is the record ID for _acme-challenge.pfsense.my.domain.com.

After LetsEncrypt verifies the TXT record, acme.sh calls _clearupwebbroot, which in turn calls _findHook to verify that the DNS script exists and then deletes the DNS record for the domain. As far as I can tell, this deletion should only happen if we use VTYPE_HTTP as the verification type. The part where the TXT record is cleared happens after _clearupwebbroot is called (in the _clearupdns function).

I looked up the acme.sh script in the official repository and it did not have the "h_api" stuff inside the _clearupwebbroot function where the A record deletion is happening. The "h_api" code was added in this commit: https://github.com/pfsense/FreeBSD-ports/commit/89d58d6676807a2a6090c993b4899407e7b42d7a. If we can check "$vtype" before going into the "h_api" section, like how we are doing before calling the addcommand function, then the A record won't be deleted when using VTYPE_DNS. I have verified that adding the if gate before entering the h_api section in the _clearupwebbroot function does fix the issue. I've attached my patch to acme.sh.

h_api-fix.patch (1.61 KB) - Ronnie Thomas, 08/04/2019 03:58 PM
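The gate the report proposes, as an added example that is not from the report, from acme.sh, or from the pfSense patch. It uses stand-in functions and a fake record store (every function and variable name below is assumed for this illustration; the record IDs are the placeholders from the report's sanitized log) to show why running the h_api section of _clearupwebbroot unconditionally removes the domain's record on a dns-01 issue, and how a "$vtype" check restricts that path to http-01. The http-01 run only shows that the hook is still reached, not what a real hook would remove there.

```shell
#!/bin/sh
# Constructed illustration of the missing "$vtype" gate described in the report.
# This is NOT acme.sh's real _clearupwebbroot nor the pfSense h_api code; every
# function and variable name here is an assumption made for this example. The
# record IDs are the placeholders from the report's sanitized log.

VTYPE_HTTP="http-01"
VTYPE_DNS="dns-01"

A_RECORD_ID="11111111"     # pfsense.my.domain.com (the domain's A record)
TXT_RECORD_ID="22222222"   # _acme-challenge.pfsense.my.domain.com (TXT)

# Space-separated list of record IDs the fake DNS provider was told to delete.
DELETED=""

# Stand-in for the h_api "rm" hook call that the pfSense change placed inside
# _clearupwebbroot. In the reported dns-01 run this is what removed the A record.
fake_h_api_rm() {
  DELETED="$DELETED $A_RECORD_ID"
}

# Stand-in for _clearupdns: removes only the _acme-challenge TXT record.
fake_clearupdns() {
  DELETED="$DELETED $TXT_RECORD_ID"
}

# Buggy shape: the h_api section runs no matter which validation type was used.
# $1: validation type, $2: h_api hook name (empty when no hook is configured).
clearupwebbroot_buggy() {
  vtype="$1"
  h_api="$2"
  if [ -n "$h_api" ]; then
    fake_h_api_rm
  fi
}

# Fixed shape: the h_api section is entered only for http-01, mirroring the
# "$vtype" check the report says already guards the addcommand call.
clearupwebbroot_fixed() {
  vtype="$1"
  h_api="$2"
  if [ "$vtype" = "$VTYPE_HTTP" ] && [ -n "$h_api" ]; then
    fake_h_api_rm
  fi
}

# Run the post-validation cleanup once and print the record IDs that were
# deleted, in order. $1: cleanup variant to use, $2: validation type.
cleanup_after_validation() {
  DELETED=""
  "$1" "$2" "dns_linode_v4"   # hook name is illustrative only
  if [ "$2" = "$VTYPE_DNS" ]; then
    fake_clearupdns
  fi
  echo "${DELETED# }"
}

echo "buggy,  dns-01:  deleted $(cleanup_after_validation clearupwebbroot_buggy "$VTYPE_DNS")"
echo "fixed,  dns-01:  deleted $(cleanup_after_validation clearupwebbroot_fixed "$VTYPE_DNS")"
echo "fixed,  http-01: deleted $(cleanup_after_validation clearupwebbroot_fixed "$VTYPE_HTTP")"
```

The buggy variant reproduces the report's observation for a dns-01 issue: both the domain record and the challenge TXT record end up deleted, because the hook removal is reached before _clearupdns runs. With the gate in place, a dns-01 issue deletes only the TXT record, while an http-01 issue still reaches the hook's removal path.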

History

#1 Updated by Jim Pingle 4 months ago

  • Category set to ACME
  • Assignee set to Jim Pingle

#2 Updated by Jim Pingle 4 months ago

  • Status changed from New to Feedback

This should be fixed in ACME pkg version 0.6 which will be up as soon as it builds.

#3 Updated by Ronnie Thomas 22 days ago

Sorry for the late response, but I can confirm that ACME 0.6 does fix the issue for me. This ticket can be closed now.

#4 Updated by Jim Pingle 22 days ago

  • Status changed from Feedback to Resolved
