[PR #225] Base the server's own name on "nsname", not "domain" #349

Open
opened 2026-03-13 16:19:02 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/acme-dns/acme-dns/pull/225
Author: @blkeller
Created: 4/28/2020
Status: 🔄 Open

Base: master ← Head: nsname-is-own-name


📝 Commits (2)

  • a438311 Base the server's own name on nsname, not domain
  • 51788ce Merge branch 'master' into nsname-is-own-name

📊 Changes

3 files changed (+16 additions, -11 deletions)


📝 dns.go (+7 -2)
📝 main.go (+8 -8)
📝 main_test.go (+1 -1)

📄 Description

Summary:

When nsname and domain in the config are not identical, and the API is set to use Let's Encrypt for its own HTTPS needs, the API is unusable because it gets a cert for the name given in domain, but the API is accessed at nsname. All connections to the API then fail because the API cannot locate its own cert in the filesystem, though the cert would be invalid even if it could be located. Setting the api_domain config variable has no effect because this setting has been deprecated.

This bug is masked whenever nsname == domain, so the problem would not be noticeable in this very common case.

This PR fixes the problem by using nsname instead of domain for the API's Let's Encrypt cert's CN and SAN.

Examples:

Where the config file includes these entries:

```ini
[general]
# domain name to serve the requests off of
domain = "certs.mydomain.com"
# zone name server
nsname = "ns1.certs.mydomain.com"

[api]
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
tls = "letsencrypt"
```

Without this patch:

```console
$ sudo ls /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org/sites
certs.mydomain.com

$ sudo openssl x509 -in /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org/sites/certs.mydomain.com/certs.mydomain.com.crt -nocert -subject -ext subjectAltName
subject=CN = certs.mydomain.com
X509v3 Subject Alternative Name:
    DNS:certs.mydomain.com
```

With this patch:

```console
$ sudo ls /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org/sites
ns1.certs.mydomain.com

$ sudo openssl x509 -in /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org/sites/ns1.certs.mydomain.com/ns1.certs.mydomain.com.crt -nocert -subject -ext subjectAltName
subject=CN = ns1.certs.mydomain.com
X509v3 Subject Alternative Name:
    DNS:ns1.certs.mydomain.com
```

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
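To make the mismatch the PR describes concrete, here is an added Go example (not acme-dns's own code) that models which name the API requests its certificate for before and after the patch, and checks, against a constructed self-signed stand-in for the Let's Encrypt cert, whether a cert issued for one name is accepted by a client reaching the API at the other. `Config`, `OwnName`, `selfSignedFor` and `ServesHost` are assumed helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Config holds the two [general] settings the PR description turns on.
type Config struct{ Domain, NSName string }

// OwnName is the hostname the API requests its own Let's Encrypt cert for:
// `domain` before the patch, `nsname` (where the API is actually reached) after it.
func OwnName(c Config, patched bool) string {
	if patched {
		return c.NSName
	}
	return c.Domain
}

// selfSignedFor builds a throwaway cert with CN and SAN set to name; it stands in
// for the Let's Encrypt cert (constructed test data, not a real issuance).
func selfSignedFor(name string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ServesHost reports whether a cert issued for issuedFor is accepted by a client
// connecting to accessedAt, using the same SAN check a TLS client applies.
func ServesHost(issuedFor, accessedAt string) bool {
	cert, err := selfSignedFor(issuedFor)
	return err == nil && cert.VerifyHostname(accessedAt) == nil
}
```

With the config from the examples above, `ServesHost(OwnName(cfg, false), cfg.NSName)` is false (the unpatched cert for `certs.mydomain.com` is rejected at `ns1.certs.mydomain.com`) and `ServesHost(OwnName(cfg, true), cfg.NSName)` is true; when `nsname == domain` both return true, which is why the bug is masked in that case.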
