From a995cca418e8357440f9e62d3627c9a9fab81780 Mon Sep 17 00:00:00 2001 From: Oleksandr Kovalchuk Date: Fri, 20 Dec 2019 19:17:53 +0200 Subject: [PATCH] Perform domain normalization for wildcard domains Perform domain normalization for wildcard domains, so we do query TXT records for _acme-challenge.example.domain instead of _acme-challenge.*.example.domain when performing DNS-01 challenge. In this way the behavior is consistent with letsencrypt and records queried are in sync with the ones that are shown in certbot manual mode. --- acme/challenge.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/acme/challenge.go b/acme/challenge.go index 4fa39668..687f3f3c 100644 --- a/acme/challenge.go +++ b/acme/challenge.go @@ -385,11 +385,21 @@ func (dc *dns01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo validat return dc, nil } - txtRecords, err := vo.lookupTxt("_acme-challenge." + dc.Value) + // Normalize domain for wildcard DNS names + // This is done to avoid making TXT lookups for domains like + // _acme-challenge.*.example.com + // Instead perform txt lookup for _acme-challenge.example.com + domain := dc.Value + if strings.HasPrefix(domain, "*") { + domain = strings.TrimPrefix(domain, "*.") + } + + txtRecords, err := vo.lookupTxt("_acme-challenge." + domain) + fmt.Printf("Lookup TXT for _acme-challenge." + domain) if err != nil { if err = dc.storeError(db, DNSErr(errors.Wrapf(err, "error looking up TXT "+ - "records for domain %s", dc.Value))); err != nil { + "records for domain %s", domain))); err != nil { return nil, err } return dc, nil