[GH-ISSUE #276] acme-dns treating common-name as domain name #139

Closed
opened 2026-03-13 15:55:31 +03:00 by kerem · 3 comments

Originally created by @laingsc on GitHub (Sep 8, 2021).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/276

Heya,

I'm using the acme_certificate terraform resource to provision certificates and using acme-dns because it's a private dns and we don't have a provider for azure private dns. I've created all of the cname records for 6 domains, and wildcard certs work just fine, however when not using a wildcard cert it's expecting a cname record for _acme-challenge at the fqdn level.

I've got the proper cname record at _acme-challenge.dev.ds.ahunga.co.nz which I thought would work, however it wants proof of _acme-challenge.testacme.dev.ds.ahunga.co.nz which isn't a dns zone since it's a hostname which I'm getting a cert for.

I've pre-registered all domains and cname records for use in terraform (storage doesn't persist across runs). Again this works with *.dev.ds.ahunga.co.nz. Any thoughts?

```
resource "acme_certificate" "testing_dev_ds_ahunga_co_nz" {
  provider                  = acme.private
  account_key_pem           = acme_registration.acme_reg_private.account_key_pem
  certificate_p12_password  = data.azurerm_key_vault_secret.agw_cert_pw.value
  common_name               = "testacme.dev.ds.ahunga.co.nz"
  key_type                  = 4096

  dns_challenge {
    provider = "acme-dns"
    config   = {
      ACME_DNS_API_BASE     = "https://acme.ds.ahunga.co.nz:443"
      ACME_DNS_STORAGE_PATH = "${path.module}/acme.domains.json"
    }
  }
}
```

```
Error: error creating certificate: error: one or more domains had a problem:
[testacme.dev.ds.ahunga.co.nz] [testacme.dev.ds.ahunga.co.nz] acme: error presenting token: 2 errors occurred:
	* acme-dns: new account created for "testacme.dev.ds.ahunga.co.nz". To complete setup for "testacme.dev.ds.ahunga.co.nz" you must provision the following CNAME in your DNS zone and re-run this provider when it is in place:
_acme-challenge.testacme.dev.ds.ahunga.co.nz. CNAME 5e0fc462-21eb-44ae-b66a-19769c06123c.acme.ds.ahunga.co.nz.
	* error encountered while presenting token for DNS challenge: acme-dns: new account created for "testacme.dev.ds.ahunga.co.nz". To complete setup for "testacme.dev.ds.ahunga.co.nz" you must provision the following CNAME in your DNS zone and re-run this provider when it is in place:
_acme-challenge.testacme.dev.ds.ahunga.co.nz. CNAME 5e0fc462-21eb-44ae-b66a-19769c06123c.acme.ds.ahunga.co.nz.
```
kerem closed this issue 2026-03-13 15:55:36 +03:00

@Exagone313 commented on GitHub (Sep 14, 2021):

`_acme-challenge.foo` works for names `foo` and `*.foo` only. It's not related to acme-dns but the ACME DNS01 challenge itself.

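To make the answer above concrete, here is an added example (not code from acme-dns, lego or the Terraform provider) that derives the DNS-01 validation name the way RFC 8555 describes it and checks which requested identifiers are already covered by pre-provisioned `_acme-challenge` CNAMEs. The CNAME target used as sample data is a constructed placeholder, not the account from the error message; `ChallengeName` and `CheckCoverage` are names chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Coverage records, for one ACME identifier, the DNS-01 validation name the
// CA will query and whether a CNAME with exactly that owner name already
// exists in the provisioned set.
type Coverage struct {
	Identifier string
	Validation string
	Covered    bool
	Target     string // CNAME target when Covered, otherwise empty
}

// ChallengeName derives the DNS-01 validation name for an identifier as
// RFC 8555 describes it: a leading "*." is stripped (section 7.1.3, a
// wildcard is validated at its base name) and the label "_acme-challenge"
// is prepended (section 8.4). Case and a trailing dot are normalised so
// that zone-file style spellings compare equal.
func ChallengeName(identifier string) string {
	name := strings.ToLower(strings.TrimSuffix(identifier, "."))
	name = strings.TrimPrefix(name, "*.")
	return "_acme-challenge." + name
}

// CheckCoverage compares the validation names of the requested identifiers
// against the owner names of the CNAMEs already provisioned. Owner names
// are normalised the same way as identifiers before lookup.
func CheckCoverage(identifiers []string, provisioned map[string]string) []Coverage {
	norm := make(map[string]string, len(provisioned))
	for owner, target := range provisioned {
		norm[strings.ToLower(strings.TrimSuffix(owner, "."))] = target
	}
	out := make([]Coverage, 0, len(identifiers))
	for _, id := range identifiers {
		v := ChallengeName(id)
		target, ok := norm[v]
		out = append(out, Coverage{Identifier: id, Validation: v, Covered: ok, Target: target})
	}
	return out
}

func main() {
	// Constructed sample data: one CNAME pre-registered at the zone apex used
	// in the issue. The acme-dns subdomain is a placeholder, not a real account.
	provisioned := map[string]string{
		"_acme-challenge.dev.ds.ahunga.co.nz.": "11111111-2222-3333-4444-555555555555.acme.ds.ahunga.co.nz.",
	}
	requested := []string{
		"dev.ds.ahunga.co.nz",
		"*.dev.ds.ahunga.co.nz",
		"testacme.dev.ds.ahunga.co.nz", // the failing common_name from the issue
	}
	for _, c := range CheckCoverage(requested, provisioned) {
		if c.Covered {
			fmt.Printf("%-30s -> %s CNAME %s (covered)\n", c.Identifier, c.Validation, c.Target)
		} else {
			fmt.Printf("%-30s -> %s has no CNAME; register this name in acme-dns and add the record first\n", c.Identifier, c.Validation)
		}
	}
}
```

Run it and the apex name and the wildcard both resolve to `_acme-challenge.dev.ds.ahunga.co.nz`, which is why the wildcard certificate worked, while `testacme.dev.ds.ahunga.co.nz` needs its own `_acme-challenge.testacme.dev.ds.ahunga.co.nz` record, exactly the CNAME the error output asks for. Running a check like this before `terraform apply` avoids creating a throwaway acme-dns account on every run for names whose CNAME was never provisioned.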

@leggewie commented on GitHub (Jan 17, 2022):

This isn't a bug.

@laingsc Please close this ticket if your question has been answered.


@laingsc commented on GitHub (Jan 17, 2022):

Ah yes, I should've closed this ages ago when I realized how it worked!
