Registration to CA requires a DNS hook if config has CHALLENGETYPE="dns-01" set #639

Closed
opened 2025-12-29 01:28:05 +01:00 by adam · 5 comments
Originally created by @GTAXL on GitHub (May 11, 2025).

Hello, I was attempting to register an account with Google Trust Services as a secondary CA (already have an account with Let's Encrypt) and noticed that when using the --register command it required me to pass a DNS hook. I have the default CHALLENGETYPE set to dns-01 in my config file. I don't believe we even use the DNS hook, or any challenge type when just registering an account. dehydrated should ignore that when just registering alone. A minor bug I believe, but I thought I would let you know about it so it can be fixed.

```
certdeploy@jetstream:~$ ./dehydrated --register --accept-terms --ca google
# INFO: Using main config file /home/certdeploy/config
ERROR: Challenge type dns-01 needs a hook script for deployment... cannot continue.
certdeploy@jetstream:~$ ./dehydrated --register --accept-terms --ca google -k 'hooks/cloudflare/hook.sh'
# INFO: Using main config file /home/certdeploy/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
+ Done!
certdeploy@jetstream:~$
```

Off topic, but another thing I noticed was dehydrated doesn't have an --email flag so you can't pass a unique e-mail per CA. I had to temporarily change the CONTACT_EMAIL in my config to my gmail address.

Cheers!

adam closed this issue 2025-12-29 01:28:05 +01:00

@GTAXL commented on GitHub (May 17, 2025):

I needed to specify the DNS hook script just to display the ACME TOS too.

```
certdeploy@jetstream:~$ ./dehydrated --display-terms
# INFO: Using main config file /home/certdeploy/config
ERROR: Challenge type dns-01 needs a hook script for deployment... cannot continue.
certdeploy@jetstream:~$ ./dehydrated --display-terms -k 'hooks/cloudflare/hook.sh'
# INFO: Using main config file /home/certdeploy/config
The current terms of service: https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
+ Done!
certdeploy@jetstream:~$
```

@lukas2511 commented on GitHub (May 18, 2025):

Dehydrated validates its config, and having set a default validation type of dns-01 without having a hook script defined is seen as an invalid configuration, so it's kind of intentional that it fails at this point, even though the requested operation might not need every part of the config to make sense. I don't think it makes sense to change this behaviour (and run into potential issues with that in the future) for an edge case like yours.

Setting a contact email via CLI parameter could make sense in some situations, I guess, but wouldn't you also need a way to set the EAB parameters? I'll keep this in mind but am going to close this issue anyway since it's mostly about the config-validation behaviour.


@GTAXL commented on GitHub (May 18, 2025):

I understand the validation part, when the hook is required. I'm in the process of writing a program that uses your ACME client. We provide a customized dehydrated config that sets DNS01 as the default method as that's what our program will use with a variety of DNS providers we wrote custom hooks for. For the registration process, I find it odd to put in my README to instruct the user to provide a path to a DNS hook, whichever that may be. I would have to say to register use dehydrated --register --accept-terms --ca zerossl -k '/usr/lib/certdeploy/dns-hooks/cloudflare/hook.sh'. I could get around this by not having the user interact directly with dehydrated at all, and just have my program put a fake dns hook to make dehydrated happy. That's probably what I'll end up doing.

In regards to adding an email CLI parameter, it would be nice because our program will allow easy use of simultaneous CA support. I wouldn't want the user to have to edit in an email in the dehydrated config, and you may want to use a different one for Google than, say, Let's Encrypt. I haven't verified this, but Google being Google is probably happier if you use the Gmail address tied to your Google Cloud account than some other email address, which is why I used it specifically for my GTS ACME registration.

Being able to pass the EAB KID and HMAC as CLI arguments would be nice too for the handful of CAs that require it. It would appear most paid commercial CAs require it anyway to tie the ACME account to their corporate user account. I don't like having to hard-code an EAB KID and HMAC in the dehydrated config when it's a one-off for a particular registration.

I'm not sure if you've noticed yet, but I recently sponsored your project. We incorporate dehydrated into our business and stand behind its support and backing. We appreciate what you do, and I'd be perfectly fine even throwing a lot more money your way. I was quite disappointed in this response and the rush to close this issue without further dialog first. Thanks!


@lukas2511 commented on GitHub (May 18, 2025):

Sorry, it's already a bit late here (currently 02:00 in the middle of the night) and I was more concentrated on getting a new release out right now. I've re-checked the config validation and spotted that I was already doing a very specific exemption during registration with http-01 validation, so I've rewritten that part of the validation in a way where it should only run when necessary.

Could you please open a separate issue about the email (and eab) parameters?

And thanks for becoming a sponsor :) If you are looking for discussion, the issue tracker of this project just isn't really a great point to start at. There are a lot of todos here and quite a bit of noise from non-issues, so I might treat some tickets as those while not knowing what's actually going on. Feel free to contact me via IRC or mail (hi@lukas.im).

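As an added illustration of the behaviour described in the comment above (config validation that only runs when the requested operation actually needs the challenge machinery), the following is example code written for this thread, not dehydrated's own validation; the function names, the argument layout and the set of hook-free commands are assumptions:

```shell
#!/bin/sh
# Example (not dehydrated's code): validate the challenge configuration only
# for commands that will perform a challenge. Account registration and
# displaying the terms of service never call a hook, so a missing dns-01
# hook must not block them; a cron/sign run with dns-01 and no hook must fail.

# Returns 0 when the command will run challenges, 1 for hook-free commands.
# The command list is an assumption for this example.
needs_challenge_config() {
  case "$1" in
    --register|--display-terms) return 1 ;;
    *) return 0 ;;
  esac
}

# $1 = dehydrated command, $2 = CHALLENGETYPE, $3 = HOOK path (may be empty).
# Returns 0 when the config is acceptable for that command, 1 otherwise.
validate_challenge_config() {
  cmd="$1"; challengetype="$2"; hook="$3"

  # The challenge type itself must always be a known value.
  case "$challengetype" in
    http-01|dns-01|tls-alpn-01) ;;
    *) echo "ERROR: Unknown challenge type ${challengetype}" >&2; return 1 ;;
  esac

  # Registration alone does not deploy anything, so stop here.
  if ! needs_challenge_config "$cmd"; then
    return 0
  fi

  # dns-01 cannot be completed without a hook to publish the TXT record.
  if [ "$challengetype" = "dns-01" ] && [ -z "$hook" ]; then
    echo "ERROR: Challenge type dns-01 needs a hook script for deployment... cannot continue." >&2
    return 1
  fi
  return 0
}
```

Call it as `validate_challenge_config --register dns-01 ""` (accepted) versus `validate_challenge_config --cron dns-01 ""` (rejected) to see the two paths.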

@GTAXL commented on GitHub (May 18, 2025):

Thanks for the prompt reply. I understand you're across the ocean and it's late there. No worries. It looks like with your latest commit you've addressed my concern anyway, so I'm pleased with that. Thank you!

I will open a ticket regarding those CLI parameters shortly.

Thanks for providing your email address; I'll keep that in mind when I come across other things where I might want to discuss potential improvements or changes as I more tightly integrate dehydrated. I'm also on IRC under my handle GTAXL.

Thanks again, have a good night and get some rest! :)

Reference: starred/dehydrated#639