Discussion: Bad DNS provider APIs #341

Closed
opened 2025-12-29 01:23:23 +01:00 by adam · 4 comments

Originally created by @lukas2511 on GitHub (May 1, 2018).

Some DNS providers only allow a single TXT record per domain. This can currently result in problems when trying to use domain sets like `example.org *.example.org` where two challenges are verified on the same domain.

!!!!!!!!!!!!!!!!!!!!!
Read the troubleshooting guide (https://github.com/lukas2511/dehydrated/blob/master/docs/troubleshooting.md#dns-invalid-challenge-since-dehydrated-060--why-are-dns-challenges-deployed-first-and-verified-later) before commenting on this thread!!!!!!!
!!!!!!!!!!!!!!!!!!!!!

If (and only if!) you are using one of those providers and there is no way to fix your hook-script, your DNS-provider doesn't want to change their API and you can't easily change to a different DNS provider please leave a comment on this thread containing your DNS provider and a link to the API documentation so I can verify the issue.

Please also check if somebody else already commented with that provider and in that case just give that post a thumbs-up or something.

(This ticket is closed intentionally as this is not really a dehydrated bug, I just want to get some feedback)

adam closed this issue 2025-12-29 01:23:23 +01:00

@wpyoga commented on GitHub (May 26, 2021):

Hi, I have a workaround for this problem, with GoDaddy API. This provider does not let us add new TXT records with the same name, it always overwrites all existing records with the data from the latest PUT API call.

It's not perfect, because it creates a throwaway certificate in the process. So, without having to handle existing _acme-challenge records, we should have two lines in domains.txt:

```txt
*.example.com > example_com
*.example.com example.com > example_com
```

This works for simple personal servers, but will likely fail if the server has too many domains on it. What will happen is:

  1. dehydrated will read the first line and request a certificate with `CN=*.example.com`, and it will complete 1 single challenge
  2. dehydrated will read the first line and check the existing certificate, which has a different set of domains, so it will force a renewal
  3. dehydrated will request the new certificate, and it will receive 1 single challenge for `example.com` because the domain `*.example.com` has been authorized recently
  4. certificate renewal will succeed

What do you guys think?

Notes: For GoDaddy, the proper solution requires a more advanced hook script. For some DNS providers like Duck DNS mentioned in #553 , this might be helpful... or not?


@marcomsousa commented on GitHub (Aug 19, 2021):

duckdns.org only allows a single TXT record per domain.

Since my scenario is:

  • example1.com CNAME b.duckdns.org
  • example2.com CNAME b.duckdns.org
  • example3.com CNAME b.duckdns.org
  • example4.com CNAME b.duckdns.org
  • _acme-challenge.example1.com CNAME _acme-challenge.b.duckdns.org
  • _acme-challenge.example2.com CNAME _acme-challenge.b.duckdns.org
  • _acme-challenge.example3.com CNAME _acme-challenge.b.duckdns.org
  • _acme-challenge.example4.com CNAME _acme-challenge.b.duckdns.org

Since 0.6.0, if I execute dehydrated with all the domains included:

```sh
dehydrated --cron --hook ./hooks.sh --challenge dns-01 --domain example1.com --domain example2.com --domain example3.com --domain example4.com --domain b.duckdns.org
```

dehydrated tries to deploy all the challenges at the same time. Only afterwards does it respond to the challenges for all the domains (in parallel). FAIL

I can only validate if I can force dehydrated to do sequential validations:
deploy 1 challenge, validate 1 challenge, clean the challenge, repeat for all the domains.

Since 0.6.0 it may work if I execute dehydrated three times:

```sh
dehydrated --cron --hook ./hooks.sh --challenge dns-01 --domain example1.com
dehydrated --cron --hook ./hooks.sh --challenge dns-01 --domain example1.com --domain example2.com
dehydrated --cron --hook ./hooks.sh --challenge dns-01 --domain example1.com --domain example2.com --domain example3.com
dehydrated --cron --hook ./hooks.sh --challenge dns-01 --domain example1.com --domain example2.com --domain example3.com --domain example4.com
dehydrated --cron --hook ./hooks.sh --challenge dns-01 --domain example1.com --domain example2.com --domain example3.com --domain example4.com --domain b.duckdns.org
```

But that doesn't make sense? @lukas2511

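The two failure cases in this thread have the same root: several dns-01 challenges end up at one TXT record name. `example.org` and `*.example.org` both validate at `_acme-challenge.example.org`, and in the DuckDNS setup above every `_acme-challenge.exampleN.com` is a CNAME to the single `_acme-challenge.b.duckdns.org`. The shell check below is an added example, not dehydrated's code and not posted by anyone in this thread. It assumes the argument layout of dehydrated's `deploy_challenge` hook (`DOMAIN TOKEN_FILENAME TOKEN_VALUE` triples, all names in one call when `HOOK_CHAIN=yes`) and takes a constructed CNAME alias table instead of querying DNS, so it runs offline. Run it from a hook before touching the provider API to find out whether a single-record provider can serve the request at all.

```shell
#!/usr/bin/env bash
# Added example (not dehydrated's own code): find dns-01 challenges that
# would have to share one TXT record name before a hook deploys them.
set -eu

# Map a certificate name to the TXT record a dns-01 challenge is published
# at. A wildcard and its apex share the same record name.
acme_record_name() {
  local domain="${1#\*.}"               # "*.example.org" -> "example.org"
  printf '_acme-challenge.%s\n' "$domain"
}

# Follow a CNAME alias table (constructed input, one "<name> <target>" per
# line; the real resolver would do this). Capped at 8 hops to avoid loops.
resolve_alias() {
  local name="$1" aliases="$2" target hops=0
  while [ "$hops" -lt 8 ]; do
    target=$(printf '%s\n' "$aliases" | awk -v n="$name" '$1 == n { print $2; exit }')
    [ -n "$target" ] || break
    name="$target"
    hops=$((hops + 1))
  done
  printf '%s\n' "$name"
}

# First argument: alias table (may be empty). Remaining arguments mirror the
# assumed deploy_challenge call: DOMAIN TOKEN_FILENAME TOKEN_VALUE, repeated
# once per name. Prints each final record name that would receive more than
# one TXT value, i.e. the names a single-TXT-record provider cannot serve.
colliding_records() {
  local aliases="$1"; shift
  {
    while [ "$#" -ge 3 ]; do
      resolve_alias "$(acme_record_name "$1")" "$aliases"
      shift 3
    done
  } | sort | uniq -d
}

# Demo on the thread's two scenarios (constructed input; tokens are placeholders).
DUCK_ALIASES='_acme-challenge.example1.com _acme-challenge.b.duckdns.org
_acme-challenge.example2.com _acme-challenge.b.duckdns.org'
printf 'apex + wildcard collide at: %s\n' \
  "$(colliding_records "" example.org tok1 val1 '*.example.org' tok2 val2)"
printf 'DuckDNS aliases collide at:  %s\n' \
  "$(colliding_records "$DUCK_ALIASES" example1.com tok1 val1 example2.com tok2 val2 b.duckdns.org tok3 val3)"
```

If the function prints anything, the certificate request cannot be satisfied by deploying all challenges first, whatever the hook does; splitting the names across separate dehydrated runs (as above) or moving the `_acme-challenge` records to a provider that accepts multiple TXT values are the remaining options.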

@marcomsousa commented on GitHub (Aug 19, 2021):

Our need is supported by https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode


@jcastle-gh commented on GitHub (Jan 18, 2024):

Big fan of dehydrated, been using it for years. Thanks for a great tool!

But... this problem keeps biting me. Adding to the providers mentioned above,
Hurricane Electric is affected (see description on their DNS home page https://dns.he.net).

In the dehydrated repo, hook_chain.md still documents HOOK_CHAIN as handling exactly this problem, but it seems HOOK_CHAIN now actually does something different. So hook_chain.md should be updated or removed.

Also in your repo I see a "fix_dns_challenge_validation" branch where between dehydrated 0.65 and 0.70 you fixed it - first restored HOOK_CHAIN to the original documented behavior and then reverted that and instead added a new HOOK_SEQ feature to address this problem. But that branch was never merged and was left behind.

Comments here show people are switching from dehydrated to acme.sh or certbot because of this. Please reconsider fixing it.

Reference: starred/dehydrated#341