EasyEngine/easyengine

SSL with DNS challenge fails due to propagation but ee thinks it renewed

GreenLondon opened this issue · 2 comments

Due to Cloudflare we are using the DNS challenge method in order to renew the Let's Encrypt certificate of the site.

Even though the renewal has failed due to DNS records not being propagated, easyengine thinks that the SSL certificate has been renewed, causing issues later on.

Issues such as not renewing the certificate when needed, so the certificate expires, and not allowing a forced renew, so we have to delete the site and re-upload it.

All the issues cost money because of the time spent.

```text
ee site ssl-renew www.example.com
Starting SSL cert renewal
Loading current certificate for www.example.com
Loading current certificate for www.example.com
Created DNS record: _acme-challenge.example.com. with value 4l5Sq1y5bUzcDcmcIPTOj6aP1zzUOQYoSjR7CT_0pmA.
Created DNS record: _acme-challenge.www.example.com. with value zGav80pE1TgvEKR94QSemDq7wFA2qz1LnutSzdBNDaE.

Waiting for DNS entry propagation.
Starting SSL verification.
Warning: The dns entries have not yet propogated. Manually check:
host -t TXT _acme-challenge.www.example.com
Before retrying ee site ssl www.example.com
Warning: Check logs and retry ee site ssl-verify www.example.com once the issue is resolved.
Starting site's services.
Success: SSL renewal completed.
```

A recent incident, where one of my clients changed the DNS of their sites. As ee renews all sites in a single command, this broke SSL for all the other sites. Here is how:

  1. ee starts renewing one after another.
  2. If DNS is changed at any moment, LE just times out and throws an error. This exits the renew process, leaving all the other sites below un-renewed.
  3. This keeps happening and eventually SSL for all sites below is expired and the sites are broken.

This needs to be fixed. Possible solution: Check DNS before renew.
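A pre-renewal DNS check of the kind the comment above proposes, as an added example (my code, not EasyEngine's): it parses the output of the `host -t TXT` check the ee warning refers to, only treats a site as ready once the record ee created is actually visible with the expected value, and checks every site independently so one site's failure cannot abort the rest of the batch. `host_txt`, `renew_all` and `demo` are assumed helper names, and the sample `host` output is constructed (the www token is the one in the log above).

```python
import subprocess
import time
from typing import Callable, Dict, List

def host_txt(name: str) -> str:
    """The manual check the ee warning suggests: `host -t TXT <name>`."""
    return subprocess.run(["host", "-t", "TXT", name], capture_output=True, text=True).stdout

def txt_values(output: str) -> List[str]:
    """Quoted strings from `host -t TXT` output; an NXDOMAIN answer yields []."""
    return [rest.strip().strip('"') for line in output.splitlines()
            for _, sep, rest in [line.partition("descriptive text")] if sep]

def challenge_propagated(domain: str, expected: str, lookup: Callable[[str], str] = host_txt,
                         attempts: int = 3, delay: float = 0.0) -> bool:
    """True only once the record created for the challenge is visible with the expected value."""
    for _ in range(attempts):
        if expected in txt_values(lookup(f"_acme-challenge.{domain}")):
            return True
        time.sleep(delay)
    return False

def renew_all(sites: Dict[str, str], renew: Callable[[str], None],
              lookup: Callable[[str], str] = host_txt) -> Dict[str, str]:
    """Gate each renewal on its own DNS check and keep going after a failure (per-site status)."""
    results = {}
    for domain, token in sites.items():
        if not challenge_propagated(domain, token, lookup=lookup):
            results[domain] = "not renewed: challenge TXT not propagated"
            continue
        try:
            renew(domain)
            results[domain] = "renewed"
        except Exception as exc:  # e.g. the Let's Encrypt timeout described in the comment
            results[domain] = f"failed: {exc}"
    return results

# Constructed `host` output: the www value comes from the issue's log, blog and shop are invented.
SAMPLE_HOST_OUTPUT = {
    "_acme-challenge.www.example.com": '_acme-challenge.www.example.com descriptive text "zGav80pE1TgvEKR94QSemDq7wFA2qz1LnutSzdBNDaE"\n',
    "_acme-challenge.blog.example.com": "Host _acme-challenge.blog.example.com not found: 3(NXDOMAIN)\n",
    "_acme-challenge.shop.example.com": '_acme-challenge.shop.example.com descriptive text "shop-token"\n',
}

def demo() -> Dict[str, str]:
    sites = {"www.example.com": "zGav80pE1TgvEKR94QSemDq7wFA2qz1LnutSzdBNDaE",
             "blog.example.com": "blog-token", "shop.example.com": "shop-token"}
    def fake_renew(domain: str) -> None:  # stands in for the real ACME renewal step
        if domain == "shop.example.com": raise TimeoutError("ACME validation timed out")
    return renew_all(sites, fake_renew, lookup=lambda n: SAMPLE_HOST_OUTPUT.get(n, ""))
```

Running `demo()` yields one status per site: www renewed, blog skipped because its TXT record never appeared, shop marked failed on the ACME timeout, with the loop continuing past both failures.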