New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bunny: Support delegated sub-domains #2123
Conversation
The splitDomain algorithm assumes the apex domain is of "length" 2 and disregards where the SOA is found. This might have been the only way this provider could work in the past, but at this time it seems bunny responds with a correct SOA-RR. Virtual ( pseudo) sub-domain with A-RR continue to function.
The split was introduced in #2012 because of #2011 So theoretically, this PR will create a regression. ping @TECHNOFAB11 |
To merge this PR I need something that confirms that Bunny has changed their SOA policy/bug. I take a look at JessThrysoee/synology-letsencrypt#13 and the discussion seems unfinished. |
It would be nice if someone would corroborate my tests, but it doesn't seem like the workaround is necessary. Perhaps I'm missing something? Here is some staging output: The $ dig subtest.example.com +all
; <<>> DiG 9.18.24 <<>> subtest.example.com +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13936
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good)
;; QUESTION SECTION:
;subtest.example.com. IN A
;; AUTHORITY SECTION:
subtest.example.com. 900 IN SOA kiki.bunny.net. hostmaster.bunny.net. 2020643963 7200 900 1209600 86400
;; Query time: 215 msec
;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP)
;; WHEN: Thu Feb 29 21:08:42 CET 2024
;; MSG SIZE rcvd: 137 $ BUNNY_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
/tmp/legorepo/main \
--server=https://acme-staging-v02.api.letsencrypt.org/directory \
--email postmaster@example.com --dns bunny --domains subtest.example.com run
2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: Obtaining bundled SAN certificate
2024/02/29 20:57:20 [INFO] [subtest.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11399874203
2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: authorization already valid; skipping challenge
2024/02/29 20:57:20 [INFO] [subtest.example.com] acme: Validations succeeded; requesting certificates
2024/02/29 20:57:24 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2024/02/29 20:57:25 [INFO] [subtest.example.com] Server responded with a certificate. For a pseudo sub-domain $ dig b.sub.subtest.example.com +all
; <<>> DiG 9.18.24 <<>> b.sub.subtest.example.com +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9697
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (good)
;; QUESTION SECTION:
;b.sub.subtest.example.com. IN A
;; ANSWER SECTION:
b.sub.subtest.example.com. 300 IN A 10.10.10.10
;; Query time: 240 msec
;; SERVER: 10.0.10.53#53(10.0.10.53) (UDP)
;; WHEN: Thu Feb 29 21:09:50 CET 2024
;; MSG SIZE rcvd: 98 $ BUNNY_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
/tmp/legorepo/main \
--server=https://acme-staging-v02.api.letsencrypt.org/directory \
--email postmaster@example.com --dns bunny --domains b.sub.subtest.example.com run
2024/02/29 21:01:47 [INFO] [b.sub.subtest.example.com] acme: Obtaining bundled SAN certificate
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11435783593
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Could not find solver for: tls-alpn-01
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Could not find solver for: http-01
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: use dns-01 solver
2024/02/29 21:01:48 [INFO] [b.sub.subtest.example.com] acme: Preparing to solve DNS-01
2024/02/29 21:01:51 [INFO] [b.sub.subtest.example.com] acme: Trying to solve DNS-01
2024/02/29 21:01:51 [INFO] [b.sub.subtest.example.com] acme: Checking DNS record propagation. [nameservers=10.0.10.53:53,1.1.1.1:53,1.0.0.1:53]
2024/02/29 21:01:53 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2024/02/29 21:02:16 [INFO] [b.sub.subtest.example.com] The server validated our request
2024/02/29 21:02:16 [INFO] [b.sub.subtest.example.com] acme: Cleaning DNS-01 challenge
2024/02/29 21:02:17 [INFO] [b.sub.subtest.example.com] acme: Validations succeeded; requesting certificates
2024/02/29 21:02:17 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2024/02/29 21:02:18 [INFO] [b.sub.subtest.example.com] Server responded with a certificate. |
As you can see the previous behavior was unexpected: The important information is the response to an SOA call, the authority section is not used. |
@ldez I'm not sure I follow. I have delegated
|
Sorry, I put the wrong link in my previous message (I edited it). |
After re-reading, I think the split is useless, I think that the root of the problem was just a bad configuration of the domain. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
The splitDomain algorithm assumes the apex domain is of "length" 2 and disregards where the SOA is found. This might have been the only way this provider could work in the past, but at this time it seems bunny responds with a correct SOA-RR.
Virtual ( pseudo) sub-domain with A-RR continue to function.