deploy and validate one-by-one #543

Closed
opened 2025-12-29 01:27:02 +01:00 by adam · 4 comments

Originally created by @Yannik on GitHub (Jul 16, 2021).

Hi,

currently, all challenges are deployed, and then all validations are done.

When using the same [acme-dns](https://github.com/joohoi/acme-dns) CNAME for multiple subdomains, this breaks validation, because the first challenge token is overwritten by later ones.

Therefore, I'd like to propose a change so that, for each domain, the challenge is deployed and then validated.

adam closed this issue 2025-12-29 01:27:03 +01:00

@lukas2511 commented on GitHub (Jul 16, 2021):

If acme-dns overrides arguments instead of appending new ones, that is broken behavior in acme-dns and not really a dehydrated issue.

See https://github.com/dehydrated-io/dehydrated/blob/master/docs/troubleshooting.md#dns-invalid-challenge-since-dehydrated-060--why-are-dns-challenges-deployed-first-and-verified-later


@Yannik commented on GitHub (Jul 16, 2021):

Thanks, that link was helpful. I will have a look at what exactly acme-dns is doing that leads to this.


@Yannik commented on GitHub (Jul 16, 2021):

For reference, the number of TXT records is limited to 2 by acme-dns ([source](https://github.com/joohoi/acme-dns/blob/v0.8/db.go#L256)).

As a letsencrypt certificate can contain 100 domain names at most, upping this limit to 100 would support all use cases.
It would unfortunately also return old records.
Do you think this would be a reasonable change or is there a better alternative?


@lukas2511 commented on GitHub (Jul 16, 2021):

With basically all other DNS implementations the flow would be to deploy tokens (either one or many, doesn't really matter), let them validate, and remove them afterwards. If acme-dns simply replaces/rotates old entries then it just sounds broken to me.

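To make the failure mode in this thread concrete, here is an added model (not dehydrated's or acme-dns's code) of an acme-dns-style record store that keeps at most 2 TXT values per CNAME target and evicts the oldest, as the issue describes. It compares the current deploy-all-then-validate flow against the per-domain flow proposed above; hostnames, tokens and the cap of 2 are constructed from the thread for illustration.

```python
"""Model of the dns-01 ordering problem discussed in this issue.

dehydrated deploys every challenge token first and validates afterwards.
acme-dns keeps only a fixed number of TXT records per subdomain, so when
several hostnames' _acme-challenge CNAMEs point at one acme-dns name, the
earlier tokens are gone by the time the CA queries them.
All names, tokens and the record cap are constructed for this example.
"""
from collections import deque

ACME_DNS_TXT_CAP = 2  # limit quoted in the thread (constructed model, not acme-dns code)


class AcmeDnsLikeStore:
    """One acme-dns subdomain shared by several hostnames via CNAME.
    Keeps at most `cap` TXT values; the oldest is evicted first."""

    def __init__(self, cap=ACME_DNS_TXT_CAP):
        self.txt = deque(maxlen=cap)

    def update(self, token):
        """What the deploy hook does: push a new TXT value."""
        self.txt.append(token)

    def lookup(self):
        """What the CA sees when it resolves the TXT record set."""
        return list(self.txt)


def validate(store, token):
    """CA-side dns-01 check: the expected token must be served."""
    return token in store.lookup()


def deploy_all_then_validate(store, tokens):
    """Current dehydrated flow: deploy every token, then validate each."""
    for token in tokens.values():
        store.update(token)
    return {host: validate(store, token) for host, token in tokens.items()}


def deploy_and_validate_each(store, tokens):
    """Per-domain flow proposed in the issue: deploy, validate, next."""
    results = {}
    for host, token in tokens.items():
        store.update(token)
        results[host] = validate(store, token)
    return results


# Constructed sample: three hostnames share one acme-dns CNAME target.
TOKENS = {"a.example.org": "tok-a", "b.example.org": "tok-b", "c.example.org": "tok-c"}

if __name__ == "__main__":
    print(deploy_all_then_validate(AcmeDnsLikeStore(), TOKENS))  # a.example.org -> False
    print(deploy_and_validate_each(AcmeDnsLikeStore(), TOKENS))  # all True
```

With more than two hostnames behind one target, the first token is already evicted before validation in the deploy-all flow, which is exactly the "DNS invalid challenge" symptom linked earlier in the thread.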

Reference: starred/dehydrated#543