
Acme DNS can issue only 1 subdomain #318

Open
b-a-t opened this issue Oct 10, 2022 · 1 comment
Comments

@b-a-t

b-a-t commented Oct 10, 2022

I would like to bring attention to the issue described in the acme.sh repo - acmesh-official/acme.sh#4221

In short, acme-dns for whatever reason limits the number of TXT records in the air to two, which creates trouble issuing and renewing certificates with 3 or more SAN records.

The mentioned issue provides a workaround for this limitation, but I believe it is better to be fixed in the acme-dns itself.

This acmesh-official/acme.sh#4221 (comment) has a more detailed description of the problem:

The problem with that solution is that you'll need to update your _acme-challenge CNAME record every time you renew (!) and that it'll create a new user account every single time you renew for every subdomain. In your case, after 4 renewals, you'll end up with 12 accounts on the acme-dns server, 9 of them unused.

The cause of this problem is as follows:

* acme-dns only ever returns two verification TXT records per account (see https://github.com/joohoi/acme-dns/issues/233#issuecomment-650365900).
* acme.sh uses a single account to talk to acme-dns's API per certificate (this used to be 1 account globally).
* acme.sh uses acme-dns's API to add all TXT records at the same time.
* if you only verify -d example.com -d www.example.com, two is enough.
* if you only verify -d example.com -d *.example.com, two is enough.
* -d example.com -d foo.example.com -d bar.example.com is one too many. One is silently discarded.
* acme.sh asks the issuer (ZeroSSL / Let's Encrypt / etc) to verify. It only sees two TXT records, so one domain fails.

As credentials are saved per certificate, using multiple config-home directories won't help.

This problem has come up before, but so far I don't think anyone has tackled this issue. It's not specific to subdomains: -d example.com -d example.org -d example.net would cause this, too.

Solutions to this might be:

1. Add one TXT record, verify, and then add the next one. I don't think this is feasible with acme.sh.
2. Add all TXT records, but mod acme-dns to allow more records. There are some forks, but it goes against acme-dns's design. acme.sh's dns_acmedns.sh file also assumes a limit of 2 records: dns_acmedns_rm() is blank as there's no real reason to clean up after itself.
3. Save account credentials per domain, per certificate.

The last option will require some development work and some time testing. I've attached a quick extension to dns_acmedns.sh but it doesn't include automatic registration or saving credentials. You'll need to do both manually.
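The failure mode and the per-domain-account fix described above, as an added in-memory model. This is not acme-dns or acme.sh code: `FakeAcmeDns` is an assumed stand-in that reproduces only one property of the real server, namely that each account keeps the two most recently submitted TXT values and a third submission silently evicts the oldest. The domain names, the CNAME table and the CA's DNS lookup are all constructed here so the script runs offline.

```python
"""Added illustration of the two-TXT-records-per-account limit discussed above.

This is NOT acme-dns or acme.sh code. FakeAcmeDns is an assumed in-memory
stand-in for an acme-dns server; issue_certificate() plays the acme.sh +
CA roles. Every domain name below is constructed sample input.
"""
import base64
import hashlib
import secrets
from collections import deque


def challenge_value() -> str:
    """43-char base64url SHA-256 digest, the shape of a dns-01 TXT value."""
    digest = hashlib.sha256(secrets.token_bytes(32)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class FakeAcmeDns:
    """Stand-in for an acme-dns server (assumption: two TXT values per account)."""

    def __init__(self, domain: str = "auth.example.org") -> None:
        self.domain = domain
        self.accounts: dict[str, dict] = {}   # username -> credentials
        self.records: dict[str, deque] = {}   # subdomain -> last two TXT values

    def register(self) -> dict:
        """POST /register equivalent: mint credentials and an empty record slot."""
        acct = {
            "username": secrets.token_hex(8),
            "password": secrets.token_urlsafe(20),
            "subdomain": secrets.token_hex(8),
        }
        acct["fulldomain"] = f"{acct['subdomain']}.{self.domain}"
        self.accounts[acct["username"]] = acct
        self.records[acct["subdomain"]] = deque(maxlen=2)
        return acct

    def update(self, username: str, password: str, subdomain: str, txt: str) -> None:
        """POST /update equivalent: authenticate, then store the TXT value."""
        acct = self.accounts.get(username)
        if acct is None or acct["password"] != password or acct["subdomain"] != subdomain:
            raise PermissionError("invalid acme-dns credentials")
        if len(txt) != 43:
            raise ValueError("TXT value must be 43 characters")
        # deque(maxlen=2): a third value pushes the oldest one out with no error,
        # which is the "one is silently discarded" behaviour from the comment.
        self.records[subdomain].append(txt)

    def txt_records(self, fulldomain: str) -> list[str]:
        """What a resolver would see for <subdomain>.<domain> TXT."""
        subdomain = fulldomain.removesuffix("." + self.domain)
        return list(self.records.get(subdomain, ()))


def issue_certificate(domains: list[str], one_account_per_domain: bool) -> dict[str, bool]:
    """Simulate one issuance for a SAN list; return per-domain validation results.

    one_account_per_domain=False models one acme-dns account per certificate
    (all _acme-challenge CNAMEs point at the same fulldomain); True models
    option 3 from the comment above, one account and one CNAME per domain.
    """
    server = FakeAcmeDns()
    cnames: dict[str, str] = {}   # _acme-challenge.<domain> -> acme-dns fulldomain
    creds: dict[str, dict] = {}
    shared = None if one_account_per_domain else server.register()
    for d in domains:
        acct = server.register() if one_account_per_domain else shared
        creds[d] = acct
        cnames[f"_acme-challenge.{d}"] = acct["fulldomain"]

    # The client adds every TXT record up front ...
    expected: dict[str, str] = {}
    for d in domains:
        expected[d] = challenge_value()
        a = creds[d]
        server.update(a["username"], a["password"], a["subdomain"], expected[d])

    # ... then the CA follows each CNAME and looks for that domain's token.
    results: dict[str, bool] = {}
    for d, token in expected.items():
        results[d] = token in server.txt_records(cnames[f"_acme-challenge.{d}"])
    return results


if __name__ == "__main__":
    sans = ["example.com", "foo.example.com", "bar.example.com"]
    print("one account per certificate:", issue_certificate(sans, False))
    print("one account per domain:     ", issue_certificate(sans, True))
```

With a shared account and three names, the first TXT value written (for `example.com`) is the one evicted, so that name fails validation while the other two pass; with two names, or with one account per name, every name validates. Running it needs Python 3.9 or newer for `str.removesuffix`.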

@kkloesener

Depending on your use case there is another solution. This solution makes the world even more secure:

If your server supports SNI don’t use SAN certificates at all and just issue additional certificates to use them.

All current reverse proxies and load balancers like Traefik, nginx, Citrix NetScaler, Kemp and F5 support this for HTTPS.
