
Bug #9665

closed

acme.sh deleting A record for domain along with TXT record for _acme-challenge

Added by Ronnie Thomas over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: ACME
Target version: -
Start date: 08/04/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture: All

Description

I was trying to set up a LetsEncrypt certificate for my domain using Linode's v4 DNS API. I was able to generate the certificate using the staging server, but I also noticed that acme.sh is removing the A record for my domain along with the TXT record for the _acme-challenge domain.

Here are the logs (https://privatebin.net/?9fb794675d24cb23#2sHK56cUjtb2AfqqnNAqqvquoDHC1EVP8BbExu1ZBFgh) for the DNS record deletions from acme_issuecert.log. I have sanitized the logs for privacy purposes. 11111111 is the record ID for pfsense.my.domain.com and 22222222 is the record ID for _acme-challenge.pfsense.my.domain.com.

After LetsEncrypt verifies the TXT record, acme.sh calls _clearupwebbroot, which in turn calls _findHook to verify that the DNS script exists and then deletes the DNS record for the domain. As far as I can tell, this deletion should only happen if we use VTYPE_HTTP as the verification type. The part where the TXT record is cleared happens after _clearupwebbroot is called (in the _clearupdns function).

I looked up the acme.sh script in the official repository and it did not have the "h_api" stuff inside the _clearupwebbroot function where the A record deletion is happening. The "h_api" code was added in this commit: https://github.com/pfsense/FreeBSD-ports/commit/89d58d6676807a2a6090c993b4899407e7b42d7a. If we can check "$vtype" before going into the "h_api" section, like how we are doing before calling the addcommand function, then the A record won't be deleted when using VTYPE_DNS. I have verified that adding the if gate before entering the h_api section in the _clearupwebbroot function does fix the issue. I've attached my patch to acme.sh.

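The report above describes two cleanup paths: _clearupwebbroot runs the h_api record deletion unconditionally, although that deletion is only meant for HTTP validation, while _clearupdns separately removes the _acme-challenge TXT record. The POSIX sh below is an added illustration, not the pfSense package code or upstream acme.sh: it models both paths with a stub DNS "rm" hook and shows the unfixed behaviour beside the vtype-gated fix the reporter proposes. The VTYPE_HTTP and VTYPE_DNS values match the constants upstream acme.sh defines; the function names, the stub hook, and the record IDs (reused from the sanitized log in the ticket) are constructed for this example.

```sh
#!/bin/sh
# Constructed stand-in for the cleanup logic discussed in the ticket.
# Not acme.sh or the pfSense package: names are simplified for readability.

VTYPE_HTTP="http-01"   # validation types as named in upstream acme.sh
VTYPE_DNS="dns-01"

# Stub for the DNS API "rm" hook (assumption: a real hook would call the
# provider API). Deleted record IDs are appended to DELETED so a caller
# can inspect what would have been removed.
DELETED=""
h_api_rm_record() {
  DELETED="${DELETED}${1};"
}

# Unfixed behaviour from the report: the h_api section runs for every
# validation type, so the domain's A record is removed even for dns-01.
clearupwebbroot_unfixed() {
  vtype="$1"; a_record="$2"
  h_api_rm_record "$a_record"
}

# Fixed behaviour: the record is only removed when the validation type
# was HTTP, the same gate the reporter describes before addcommand.
clearupwebbroot_fixed() {
  vtype="$1"; a_record="$2"
  if [ "$vtype" = "$VTYPE_HTTP" ]; then
    h_api_rm_record "$a_record"
  fi
}

# Stand-in for _clearupdns: after dns-01 validation the challenge TXT
# record is removed. This part is correct in both versions.
clearupdns() {
  vtype="$1"; txt_record="$2"
  if [ "$vtype" = "$VTYPE_DNS" ]; then
    h_api_rm_record "$txt_record"
  fi
}

# Run one issue cleanup with the chosen webroot cleanup implementation.
# Arguments: cleanup_fn vtype a_record_id txt_record_id
# Prints the semicolon-separated list of record IDs that were deleted.
run_cleanup() {
  DELETED=""
  "$1" "$2" "$3"
  clearupdns "$2" "$4"
  printf '%s' "$DELETED"
}

# Stand-alone demonstration using the ticket's sanitized record IDs.
echo "dns-01, unfixed: $(run_cleanup clearupwebbroot_unfixed dns-01 11111111 22222222)"
echo "dns-01, fixed:   $(run_cleanup clearupwebbroot_fixed dns-01 11111111 22222222)"
echo "http-01, fixed:  $(run_cleanup clearupwebbroot_fixed http-01 11111111 22222222)"
```

Run with `sh` to see the three cases: the unfixed path deletes both 11111111 (the A record) and 22222222 (the TXT record) for dns-01, the fixed path deletes only the TXT record, and for http-01 only the webroot record is touched.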

Files

h_api-fix.patch (1.61 KB), Ronnie Thomas, 08/04/2019 03:58 PM
Actions #1

Updated by Jim Pingle over 4 years ago

  • Category set to ACME
  • Assignee set to Jim Pingle
Actions #2

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Feedback

This should be fixed in ACME pkg version 0.6 which will be up as soon as it builds.

Actions #3

Updated by Ronnie Thomas over 4 years ago

Sorry for the late response, but I can confirm that ACME 0.6 does fix the issue for me. This ticket can be closed now.

Actions #4

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved