caddyserver/certmagic

When using ZeroSSL and RFC2136, the CNAME content for the validation is wrong

Closed this issue · 8 comments

Hello,

I'm trying to move from https://github.com/caddy-dns/lego-deprecated to https://github.com/caddy-dns/rfc2136 using ZeroSSL and a Bind9 nameserver.

When the CNAME record is added, there seems to be an error in the "nsupdate" command on this line:

zr, err := iss.CNAMEValidation.createRecord(ctx, verifyInfo.CnameValidationP1, "CNAME", verifyInfo.CnameValidationP2)

The string "verifyInfo.CnameValidationP2" doesn't contain the ending ".", so Bind9 adds the domain name part.

I'm ending with validation issues like this:

{
	"cname_found":1,
	"record_correct":0,
	"target_host":"_69E344F05C4C88DC869F7F8ABDCE6702",
	"target_record":"7D4F656AA48FDFB78D15970C4C16E900.5ADEC3FAE3C500FAFD12033CA2DC1715.82A618D2F94D3C5.COMODOCA.COM",
	"actual_record":"7D4F656AA48FDFB78D15970C4C16E900.5ADEC3FAE3C500FAFD12033CA2DC1715.82A618D2F94D3C5.COMODOCA.COM.X.YZ"
}

where x.yz is my domain name.

For now I am unable to use ZeroSSL with RFC2136...

Best regards!
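The trailing-dot problem described in this report, shown as an added Go example that is not part of certmagic or the caddy-dns/rfc2136 plugin: a CNAME target sent in an RFC 2136 update without a terminating "." is interpreted by a zone-aware server such as BIND as relative to the zone origin, which is exactly what produces the "...COMODOCA.COM.X.YZ" value in the validation response above. The zone, record name and CNAME target are constructed from the values quoted in the issue, and the helper names (`ensureFQDN`, `expandRelative`, `cnameMatches`) are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample values modelled on the validation response quoted in
// the issue; they are not live CA data.
const (
	zone        = "x.yz."
	recordName  = "_69E344F05C4C88DC869F7F8ABDCE6702.abc" // hypothetical host label
	cnameTarget = "7D4F656AA48FDFB78D15970C4C16E900.5ADEC3FAE3C500FAFD12033CA2DC1715.82A618D2F94D3C5.COMODOCA.COM"
)

// ensureFQDN returns name with exactly one trailing dot, which is how an
// RFC 2136 dynamic update must write an absolute (zone-independent) name.
func ensureFQDN(name string) string {
	return strings.TrimRight(name, ".") + "."
}

// expandRelative models what a zone-aware server such as BIND does with a
// CNAME target that lacks a trailing dot: the name is treated as relative to
// the zone origin and the origin is appended. Absolute names are unchanged.
func expandRelative(target, zoneOrigin string) string {
	if strings.HasSuffix(target, ".") {
		return target
	}
	return target + "." + ensureFQDN(zoneOrigin)
}

// cnameMatches compares the record a resolver actually sees with the value
// the CA expects, ignoring case and the trailing dot, as DNS comparison does.
func cnameMatches(actual, expected string) bool {
	return strings.EqualFold(ensureFQDN(actual), ensureFQDN(expected))
}

// buggyUpdateLine builds the nsupdate-style statement as it was sent before
// the fix: the target has no trailing dot and will be expanded by the server.
func buggyUpdateLine() string {
	return fmt.Sprintf("update add %s.%s 300 CNAME %s", recordName, zone, cnameTarget)
}

// fixedUpdateLine builds the same statement with the target made absolute.
func fixedUpdateLine() string {
	return fmt.Sprintf("update add %s.%s 300 CNAME %s", recordName, zone, ensureFQDN(cnameTarget))
}

// checkUpdate reports what the server would store for a given update line's
// CNAME target and whether the CA's validation would accept it.
func checkUpdate(updateLine string) (stored string, ok bool) {
	fields := strings.Fields(updateLine)
	target := fields[len(fields)-1]
	stored = expandRelative(target, zone)
	return stored, cnameMatches(stored, cnameTarget)
}

func main() {
	for _, line := range []string{buggyUpdateLine(), fixedUpdateLine()} {
		stored, ok := checkUpdate(line)
		fmt.Printf("%s\n  stored as: %s\n  record_correct: %v\n", line, stored, ok)
	}
}
```

Running the block prints the two update statements side by side: the first is stored as the target with ".x.yz." appended and fails the comparison, the second is stored unchanged and passes. The same `ensureFQDN` normalisation is what a DNS provider integration should apply to any CNAME, MX or NS target before handing it to an RFC 2136 update.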

I see, so we need to append +"." after CnameValidationP2?

I think so!
If you have a way to test before commit, let me know!

Go ahead and try the latest commit, and let me know please. 😃

I'm not quite sure of how to test the fix...
After building Caddy I still have the issue; here is the debug log:

{
	"level":"debug",
	"ts":1722646163.5176134,
	"logger":"tls.issuance.zerossl.cname.dns_manager",
	"msg":"creating DNS record",
	"dns_name":"_8143FF7D368F8FCAD34198DA5D620D11.abc.x.yz",
	"zone":"x.yz.",
	"record_name":"_8143FF7D368F8FCAD34198DA5D620D11.abc",
	"record_type":"CNAME",
	"record_value":"FECD59BEE036472244887D79AEBED8C8.1714F52F9C46E66FB0007AC30E5434D1.a6db877099d5408.comodoca.com",
	"record_ttl":0
}

There is still no "." at the end of the CNAME value...

Here is my build command (docker):

FROM caddy:builder AS builder

RUN xcaddy build \
    --with github.com/caddyserver/caddy/v2=github.com/QuentinC/caddy/v2@706dbd9c \
    --with github.com/caddy-dns/rfc2136

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

I think you want to use --with github.com/caddyserver/certmagic=github.com/caddyserver/certmagic@master instead of --with github.com/caddyserver/caddy/v2=github.com/QuentinC/caddy/v2@706dbd9c

That worked! Thanks!

Can you update https://github.com/caddyserver/caddy/blob/master/go.mod to have the new version?

Yeah, been preparing a few enhancements before I update.