I just stumbled on this when trying to issue a certificate for 'g.berlight.de'. Took me a minute to debug.
Steps to reproduce
Try to issue a certificate with --dns dns_inwx active and use a subdomain 'g', like -d g.berlight.de or -d g.domain.com, ...
Debug log
Traceable in the normal log, the following entries are of interest:
[Thu May 2 12:30:23 UTC 2024] h='g.berlight.de'
[Thu May 2 12:30:23 UTC 2024] _sub_domain='_acme-challenge'
[Thu May 2 12:30:23 UTC 2024] _domain='g.berlight.de'
[Thu May 2 12:30:23 UTC 2024] Adding record: domain=g.berlight.de sub=_acme-challenge
Notice how a -d g.berlight.de gets to be Adding record: domain=g.berlight.de sub=_acme-challenge - it should be Adding record: domain=berlight.de sub=_acme-challenge.g.
I traced it to the _contains function in acme.sh, which looks like this:
Now the INWX api returns XML by default and has type hints in it. In this particular case, you can find, among a lot of other stuff, the string <string>berlight.de</string> in it, on which _contains "...XML..." "g.berlight.de" returns a hit as it uses regular expressions: g>berlight.de matches (confirmed on Fedora and Alpine).
I was able to issue my certificate by altering _contains to use grep -F, though I am not sure if that would be a generally acceptable solution, or if that might break some feature I am not using.
Another idea might be to alter dns_inwx.sh to replace dots in its _get_root function with a \. so it will match actual dots, and not "any character".
It is an edge case and thus probably not very important, just wanted to point it out.
Thanks for all the work!
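The mismatch reported above, reproduced as an added example that is not code from acme.sh or dns_inwx.sh. The function names, the label-stripping walk and the XML fragment are assumptions constructed for illustration; only the regex-versus-`grep -F` difference and the expected domain/sub values come from the report.

```shell
#!/bin/sh
# Constructed sample: a fragment shaped like the XML the report describes.
SAMPLE_XML='<member><name>domain</name><value><string>berlight.de</string></value></member>'

# Regex match, the behaviour the report describes: "." matches any character,
# so the pattern g.berlight.de also matches the text "g>berlight.de".
contains_regex() {
  printf '%s\n' "$1" | grep -- "$2" >/dev/null 2>&1
}

# Fixed-string match, the grep -F workaround from the report.
contains_fixed() {
  printf '%s\n' "$1" | grep -F -- "$2" >/dev/null 2>&1
}

# Hypothetical root-zone walk: test the full name, then strip one label at a
# time from the left, and print the first candidate the matcher accepts.
# $1 = matcher function name, $2 = API response, $3 = full record name
find_root() {
  _matcher="$1"; _resp="$2"; _cand="$3"
  while [ -n "$_cand" ]; do
    if "$_matcher" "$_resp" "$_cand"; then
      printf '%s\n' "$_cand"
      return 0
    fi
    case "$_cand" in
      *.*) _cand="${_cand#*.}" ;;   # drop the leftmost label
      *) return 1 ;;                # no labels left, no zone found
    esac
  done
  return 1
}

# Split the full record name into zone and sub-domain, in the log's format.
record_for() {
  _root=$(find_root "$1" "$2" "$3") || return 1
  _sub="${3%."$_root"}"
  printf 'domain=%s sub=%s\n' "$_root" "$_sub"
}

# Regex matcher picks the wrong zone; fixed-string matcher picks the right one.
record_for contains_regex "$SAMPLE_XML" "_acme-challenge.g.berlight.de"
record_for contains_fixed "$SAMPLE_XML" "_acme-challenge.g.berlight.de"
```

Fixed-string matching is still a substring test, so a stricter check would compare the candidate against a whole element such as `<string>berlight.de</string>`.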
mandrakey changed the title from "Edge case: _contains using grep with regex matches incorrectly for" to "Edge case: _contains using grep with regex matches incorrectly for 'g.domain.com', at least for INWX api" on May 2, 2024
Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.