Problem with dns validation #329

Closed
opened 2025-12-29 01:22:48 +01:00 by adam · 12 comments

Originally created by @it-can on GitHub (Apr 14, 2018).

Hi,

I am testing with the DNS validation method (I have domains with http-01 and dns-01 validation). All other domains are HTTP-01 validation, but my test domain has dns validation. I have added a config file with this:

CHALLENGETYPE="dns-01"
HOOK="${BASEDIR}/hook_dns.sh"

This is my hook_dns.sh script (I only show the methods that are relevant).

# Called once per pending authorization; for dns-01, $2 (token filename) is unused
# and $3 is the value to publish in the _acme-challenge TXT record.
deploy_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    /etc/dehydrated/hook.php "deploy_challenge" "${DOMAIN}" "${TOKEN_VALUE}"
}

# Called after validation for each authorization, with the same arguments.
clean_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    /etc/dehydrated/hook.php "clean_challenge" "${DOMAIN}" "${TOKEN_VALUE}"
}

When running the dehydrated client I see the dns gets updated, and the script will check every minute if the dns is updated on 8.8.8.8 and 8.8.4.4 and will retry until the dns is updated. This works correctly, but after the dns is correct it will re-run the hook script with a different token_value... I cannot reproduce this.

My domains.txt file:

example.com *.example.com > star_example_com

This shows in my log file:

=========================================================
--    14-04-2018 16:30:54    --
=========================================================
# INFO: Using main config file /etc/dehydrated/config
Processing example.com with alternative names: *.example.com
 + Using certificate specific config file!
   + CHALLENGETYPE = dns-01
   + HOOK = /etc/dehydrated/hook_dns.sh
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for example.com
 + Handling authorization for example.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...

14-04-2018 16:30:56 Executing hook with params: /etc/dehydrated/hook.php deploy_challenge example.com weFUjCk5Q3V_cu5_YoVS2VxzQKKOGNpXBjiAh_N9N-M
DEPLOY_CHALLENGE with tokenvalue: 'weFUjCk5Q3V_cu5_YoVS2VxzQKKOGNpXBjiAh_N9N-M' on zone: 'example.com' and record: '_acme-challenge'

DNS updated

Checking DNS: dig +short TXT _acme-challenge.example.com @1.1.1.1
Checking DNS: dig +short TXT _acme-challenge.example.com @1.0.0.1
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.8.8
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.4.4
Result not ready, retrying in 60 seconds
Checking DNS: dig +short TXT _acme-challenge.example.com @1.1.1.1
Checking DNS: dig +short TXT _acme-challenge.example.com @1.0.0.1
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.8.8
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.4.4
Result not ready, retrying in 60 seconds
Checking DNS: dig +short TXT _acme-challenge.example.com @1.1.1.1
Checking DNS: dig +short TXT _acme-challenge.example.com @1.0.0.1
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.8.8
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.4.4
Result not ready, retrying in 60 seconds
Checking DNS: dig +short TXT _acme-challenge.example.com @1.1.1.1
Checking DNS: dig +short TXT _acme-challenge.example.com @1.0.0.1
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.8.8
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.4.4
Result not ready, retrying in 60 seconds
Checking DNS: dig +short TXT _acme-challenge.example.com @1.1.1.1
Checking DNS: dig +short TXT _acme-challenge.example.com @1.0.0.1
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.8.8
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.4.4
Result not ready, retrying in 60 seconds
Checking DNS: dig +short TXT _acme-challenge.example.com @1.1.1.1
Checking DNS: dig +short TXT _acme-challenge.example.com @1.0.0.1
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.8.8
Checking DNS: dig +short TXT _acme-challenge.example.com @8.8.4.4
Done!

14-04-2018 16:35:58 Executing hook with params: /etc/dehydrated/hook.php deploy_challenge example.com Pbx4zLy3AbkQFVbyVmgbPH8YylQ5d5JOjCbq72ODlTs
DEPLOY_CHALLENGE with tokenvalue: 'Pbx4zLy3AbkQFVbyVmgbPH8YylQ5d5JOjCbq72ODlTs' on zone: 'example.com' and record: '_acme-challenge'

DNS updated

Can somebody help me? I have another server with only DNS validation and I never had this issue, could it be a problem with combining HTTP-01 and DNS-01 validations?

adam closed this issue 2025-12-29 01:22:48 +01:00

@jobe1986 commented on GitHub (Apr 14, 2018):

When using wildcard certs, validation for "example.com" and for "*.example.com" are separate from each other, even though they both validate using "_acme-challenge.example.com". I'm not entirely sure why that is but either way that is the case. So as a result you will see two tokens set for the same name when using wildcard certs like that.


@it-can commented on GitHub (Apr 14, 2018):

Okay but how do I prevent this? I have another server with only dns validation and then it works perfectly...


@jobe1986 commented on GitHub (Apr 14, 2018):

It's normal behaviour, you don't prevent it, you simply allow it. You may need to update your script to account for multiple values with the same name.


@it-can commented on GitHub (Apr 14, 2018):

Yeah but after the second token value update on the dns, the first value is overwritten and won't validate with LE...


@jobe1986 commented on GitHub (Apr 14, 2018):

Then that would be an issue with your choice of DNS update method replacing a value instead of adding an additional value.


@it-can commented on GitHub (Apr 14, 2018):

But I cannot have 2 TXT records like this right? _acme-challenge.example.com, that's what it's giving me...


@txr13 commented on GitHub (Apr 14, 2018):

@it-can You absolutely can have multiple TXT records for the same name. Totally allowable, and commonly used (e.g. one TXT for a mail server's SPF record, and another TXT for the DKIM record).


@it-can commented on GitHub (Apr 14, 2018):

@txr13 I know, but with the same subdomain name?

_acme-challenge.example.com > weFUjCk5Q3V_cu5_YoVS2VxzQKKOGNpXBjiAh_N9N-M

_acme-challenge.example.com > Pbx4zLy3AbkQFVbyVmgbPH8YylQ5d5JOjCbq72ODlTs

@it-can commented on GitHub (Apr 14, 2018):

@lukas2511 Is there a bug in Dehydrated with dns validation and combining http-01 and dns-01 validation?


@txr13 commented on GitHub (Apr 14, 2018):

@it-can Yes, absolutely. Look at the TXT records for google.com, for example.


@it-can commented on GitHub (Apr 14, 2018):

I see this issue has the same problem: https://github.com/lukas2511/dehydrated/issues/504 will try that...


@it-can commented on GitHub (Apr 14, 2018):

Found the problem, my clean_challenge function was deleting all _acme-challenge TXT records, not checking for the tokenvalue...

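The behaviour this thread converges on, as an added example that is not code from the issue, from hook.php or from dehydrated itself: a dns-01 hook whose DNS backend is a flat file standing in for the provider API (ZONE_FILE, txt_values and the token values are assumptions constructed for the example). deploy_challenge appends a TXT value so both authorizations of a wildcard order coexist under one name, and clean_challenge removes only the record whose value matches, which is the fix the reporter found.

```shell
#!/usr/bin/env bash
# Added example: a dns-01 hook with a file-backed "zone" (assumed stand-in for the
# real DNS API). Each line is "<name> <txt-value>", so one name can carry several
# TXT values, exactly as _acme-challenge.example.com must during a wildcard order.
set -eu

ZONE_FILE="${ZONE_FILE:-$(mktemp)}"   # assumed stand-in for the DNS provider

# deploy_challenge: ADD a TXT value; never replace what is already published for
# the name. The log above shows dehydrated calls this twice with DOMAIN=example.com
# (once per authorization), each time with a different token value.
deploy_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
    printf '%s %s\n' "_acme-challenge.${DOMAIN}" "${TOKEN_VALUE}" >> "${ZONE_FILE}"
}

# clean_challenge: remove ONLY the record matching this token value. Deleting
# every _acme-challenge record here is the bug found in this thread: the other
# authorization's token disappears before the CA has verified it.
clean_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
    local TMP
    TMP="$(mktemp)"
    # -x whole line, -F literal, -v keep everything that is NOT this name+value pair
    grep -vxF -- "_acme-challenge.${DOMAIN} ${TOKEN_VALUE}" "${ZONE_FILE}" > "${TMP}" || true
    mv "${TMP}" "${ZONE_FILE}"
}

# txt_values: what "dig +short TXT <name>" would answer, one value per line.
txt_values() {
    awk -v n="$1" '$1 == n { print $2 }' "${ZONE_FILE}"
}

# Simulated order for "example.com *.example.com": two authorizations, two
# constructed sample tokens, one TXT name. Both values must be visible together.
demo() {
    : > "${ZONE_FILE}"
    deploy_challenge example.com unused tokenA-constructed
    deploy_challenge example.com unused tokenB-constructed
    echo "after deploy: $(txt_values _acme-challenge.example.com | tr '\n' ' ')"
    clean_challenge example.com unused tokenA-constructed
    echo "after clean A: $(txt_values _acme-challenge.example.com | tr '\n' ' ')"
}

demo
```

The check that matters is in clean_challenge: match on name and value, not on name alone.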

Reference: starred/dehydrated#329