DNS-01 challenges for multi-domain cert #102

Closed
opened 2025-12-29 00:24:51 +01:00 by adam · 15 comments

Originally created by @captainwasabi on GitHub (May 20, 2016).

It would be nice if instead of processing domains one at a time it would hand the TXT challenge for ALL the domains to me at once, then I could create all the TXT records at once, and it would plow through them all. As it is, it is taking about an hour for each to propagate, so my 9-domain cert is going to take all day. That would save me a LOT of time.

adam closed this issue 2025-12-29 00:24:52 +01:00

@extremeshok commented on GitHub (May 20, 2016):

Imagine when you have 2500 domains, 5 DNS servers and most of the domains hosted via private CDNs or geo-located servers.

https://eXtremeSHOK.com



@captainwasabi commented on GitHub (May 20, 2016):

I wouldn't do that with dns-01 then unless I could write an automatic hook script to add it to the bind server. I'm currently only having to go through this because I'm currently using a wildcard cert that it won't use. It would be faster if network solutions (I hates em but it ain't my call) propagated faster. "A" and CNAME records don't seem to take this long to get out there.


@MJDSys commented on GitHub (May 20, 2016):

@captainwasabi @extremeshok Take a look at: https://github.com/lukas2511/letsencrypt.sh/blob/master/docs/hook_chain.md . That should allow you to deploy all the challenges at once, instead of one at a time.


@captainwasabi commented on GitHub (May 20, 2016):

AHH! trying it. Nope, but I think that's because the first ones still existed from the run I was making. So I'll wait for those to clear out then try again.


@captainwasabi commented on GitHub (May 20, 2016):

Hmm, when my hook prints the deploy challenge it's just showing the first domain listed in domains.txt.

domains.txt is like:

domain.com cloud.domain.com mail.domain.com smtp.domain.com imap.domain.com ....

Am I doing something wrong?

This is my config.sh:

    CA="https://acme-v01.api.letsencrypt.org/directory"
    CHALLENGETYPE="dns-01"
    HOOK="./hooks/hook"
    HOOK_CHAIN="yes"
    CONTACT_EMAIL=myemail@mydomain.com

My hook script:

    #!/bin/bash
    # Debug hook: print the arguments letsencrypt.sh passes to deploy_challenge
    if [ "$1" == "deploy_challenge" ] ; then
        echo "$1"   # hook name
        echo "$2"   # domain
        echo "$4"   # challenge token value (the TXT record content)
        echo '-----'
    fi

The results print the challenge for domain.com, then:

    + Responding to challenge for domain.com...
    ERROR: Challenge is invalid! (returned: invalid) (result: {
      "type": "dns-01",
      "status": "invalid",
    ...

@germeier commented on GitHub (May 20, 2016):

Please read https://github.com/lukas2511/letsencrypt.sh/blob/master/docs/hook_chain.md again. X*Y parameters are provided to your hook script if you use HOOK_CHAIN.

Add `echo "$@"` to your script and you will see all parameters.

HTH!


@captainwasabi commented on GitHub (May 20, 2016):

ah, duh. Thanks!


@captainwasabi commented on GitHub (May 20, 2016):

Sigh. I don't get it. Well, I got all we're talking about here. But while I wait for the TTL to time out again I wrote a script to watch the DNS entries. Most of them are rock solid but one of them returns "Not Found" almost half the time. Tried to go forward anyway and of course it failed on that one (which was the last one). So I'm trying one more time. It's very weird: as the TTL times out, the challenge TXT strings start bouncing between the two values rather than just flipping to the new one like I'd expect.

Does anyone know what DNS server the letsencrypt server is using to check? I'd prefer to check against that server if possible and only go forward once they are stable there.

I need this to work because not all the services I want to use this cert with use https :(


@germeier commented on GitHub (May 20, 2016):

See: https://community.letsencrypt.org/t/dns-challenge-is-in-staging/8322/18

If the responses are "bouncing" between values, there are most likely multiple servers involved which are not (yet) in sync. If you can access all servers directly you have to check all servers with your script. If the servers are behind some kind of load balancer you are out of luck. You can only guess how long it takes until all servers have the new information.


@captainwasabi commented on GitHub (May 21, 2016):

Yup, using Google's DNS. Gonna change my script to use the dig command.

Thanks again!


@ktwalrus commented on GitHub (May 21, 2016):

I'm also having intermittent failure with DNS-01 and Cloudflare DNS. I am using the hook:

https://github.com/RoliSoft/LetsEncrypt-CloudFlare-Hook

which doesn't support HOOK_CHAIN="yes", so it deploys the challenges one by one and waits for each challenge to propagate before returning to letsencrypt.sh. Problem is that the TXT record occasionally has not propagated to the LE server when letsencrypt.sh calls to do the challenge. The domain I am trying to generate the certs for has 69 alt names, so I have been unable to get completely through all 69 challenges before the script encounters a problem.

The best solution would be for the hook.sh script to support HOOK_CHAIN="yes", deploy all challenges and then wait for the challenges to propagate to my server and then maybe wait a little longer to increase the odds that the LE server sees the challenges and doesn't error out.

But, maybe you could make a change in the letsencrypt.sh script to repeatedly call the deploy_challenge hook even if HOOK_CHAIN="no", wait an optional number of seconds, and then re-loop through the challenges sending them to the LE server (possibly retrying the challenge if the challenge wasn't propagated to the LE resolver).

Also, I ran the letsencrypt.sh script multiple times to generate this 70-name cert and it errored out so many times that I must have hit some pending challenges limit, so I can no longer run this script (I guess I will have to wait a week or so to see if the LE server clears out those pending challenges so I can generate new ones and finally make it through to the end and get a cert for my domain).

It would be nice if the script cleared out those pending challenges before it exits with an error.


@captainwasabi commented on GitHub (May 21, 2016):

I used the hook from this Gist: https://gist.github.com/nneul/76a38010313f55db0f7a

It doesn't directly support the hook_chain but it does print out all the return values, the last one in each set is the deploy challenge, then it waits until you hit return to move forward.

Good luck.

I used this command to check propagation for each domain:

    dig -t txt _acme-challenge.domain.com +trace | grep _acme | grep -v DiG


@captainwasabi commented on GitHub (May 22, 2016):

This is what I'm using now.

https://gist.github.com/captainwasabi/8622e485a70ae4345c0f727e93eab006


@lukas2511 commented on GitHub (May 26, 2016):

From what I see your problem is solved, so I'm closing this issue.

Reference: starred/dehydrated#102