rewrote challenge validation to iterate over authorizations instead of altnames (fixes some acmev2 validation edgecases), also removed broken test-script (for now)

2026-03-23 17:41:02 +01:00 · 2018-01-28 05:02:18 +01:00
parent 6f3fed496d
commit 0f69481e2b
4 changed files with 138 additions and 392 deletions
--- a/docs/hook_chain.md
+++ b/docs/hook_chain.md
@@ -61,3 +61,14 @@ HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehyd
 + Done!
 ```

+# Problem with wildcard certificates
+
+For wildcard certificates the upper level domain is used for verification, e.g.
+`*.foo.example.com` will be verified at `foo.example.com`.
+
+In cases where both `foo.example.com` and `*.foo.example.com` would have to be
+validated there would be a conflict since both will have different tokens but
+both are expected to be resolved under `_acme-challenge.foo.example.com`.
+
+If dehydrated detects this kind of configuration it will automatically fall back
+to non-chaining behaviour (until the next certificate).