
--allow-subset-of-names removes wildcard domains #7470

Open
Daniel15 opened this issue Oct 28, 2019 · 1 comment

Comments


@Daniel15 Daniel15 commented Oct 28, 2019

My operating system is (include version):

Debian bullseye (testing)

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

certbot 0.39.0, installed via OS package manager

I ran this command and it produced this output:

I wanted to remove one deleted domain from a certificate (the one I use on https://d.sb/), so I ran this command:

sudo certbot renew --allow-subset-of-names

It removed the deleted domain, but it also removed all the wildcard subdomains. I had to re-run certbot certonly with the full list of domains to fix it.

Certbot's behavior differed from what I expected because:

I expected it to keep the wildcard subdomains.

Here is a Certbot log showing the issue (if available):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dan.cx.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for removed-domain.example.id.au
Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Waiting for verification...
Challenge failed for domain removed-domain.example.id.au
dns-01 challenge for removed-domain.example.id.au
Cleaning up challenges
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx
Output from deploy-hook command 01-reload-nginx:
Testing nginx configuration:.
Reloading nginx configuration (via systemctl): nginx.service.
...
The following certs were successfully renewed:
  /etc/letsencrypt/live/dan.cx/fullchain.pem (success)
...
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: removed-domain.example.id.au
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.removed-domain.example.id.au

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

N/A


@adferrand adferrand commented Oct 29, 2019

Hello!

Thanks for your report. I confirm the bug. Steps to reproduce it:

# Assumes you are in the root of the certbot Git repository
python tools/venv.py
source venv/bin/activate
rm -rf .certbot_test_workspace
echo '#!/bin/bash' > test.sh
chmod +x test.sh
PEBBLE_VA_ALWAYS_VALID=1 run_acme_server &
certbot_test register
certbot_test certonly --manual --manual-auth-hook="$(pwd)/test.sh" --manual-cleanup-hook="$(pwd)/test.sh" --preferred-challenge=dns-01 -d *.example.com -d example.com -d *.example.net -d example.net

# Notice "DNS:*.example.com, DNS:example.com, DNS:*.example.net, DNS:example.net" in the next command for the initial certificate
openssl x509 -in .certbot_test_workspace/conf/archive/example.com/cert1.pem -text -noout | grep "X509v3 Subject Alternative Name:" -A1

certbot_test renew --allow-subset-of-names

# Notice "DNS:example.com, DNS:example.net" in the next command for the renewed certificate while this should be:
# "DNS:*.example.com, DNS:example.com, DNS:*.example.net, DNS:example.net"
openssl x509 -in .certbot_test_workspace/conf/archive/example.com/cert2.pem -text -noout | grep "X509v3 Subject Alternative Name:" -A1
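A post-renewal check for this bug, added here as an example (it is not code from the issue or from certbot): it parses the SAN line printed by `openssl x509 -text` (the line the reproduction steps grep for) and reports every name that disappeared from the renewed certificate without its own challenge having failed. The two SAN outputs are constructed to match the cert1/cert2 results above.

```python
"""Check that `certbot renew --allow-subset-of-names` only dropped the names
whose challenges failed, and in particular did not silently drop wildcards."""
import re

# Constructed sample output, in the format `openssl x509 -text -noout` prints
# for the SAN extension (what `grep "Subject Alternative Name" -A1` returns).
OLD_SAN_TEXT = """            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com, DNS:*.example.net, DNS:example.net
"""
NEW_SAN_TEXT = """            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:example.net
"""


def parse_dns_sans(openssl_text):
    """Return the set of DNS names listed in the SAN extension of openssl -text output."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            # Names are printed as "DNS:name, DNS:name, ..." on the following line.
            return set(re.findall(r"DNS:([^,\s]+)", lines[i + 1]))
    return set()


def expected_subset(old_names, failed_names):
    """What --allow-subset-of-names should keep: every old name whose challenge
    did not fail. A wildcard is only dropped if its own challenge failed."""
    return {name for name in old_names if name not in failed_names}


def check_renewal(old_text, new_text, failed_names=()):
    """Return (ok, unexpected_drops, lost_wildcards).

    A drop is unexpected when the name was not in failed_names; the wildcards
    listed separately are exactly the symptom reported in this issue."""
    old = parse_dns_sans(old_text)
    new = parse_dns_sans(new_text)
    unexpected = sorted(expected_subset(old, set(failed_names)) - new)
    lost_wildcards = [name for name in unexpected if name.startswith("*.")]
    return (not unexpected, unexpected, lost_wildcards)


if __name__ == "__main__":
    ok, drops, wildcards = check_renewal(OLD_SAN_TEXT, NEW_SAN_TEXT)
    print("renewal ok" if ok else f"unexpected drops: {drops} (wildcards: {wildcards})")
```

Run it against the real `openssl x509 -text -noout` output of the previous and the renewed certificate in `archive/` to confirm whether a renewal was affected.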