Issue with renewal #22

New Issue

Closed

opened 2018-10-20 13:05:44 +00:00 by Ghost · 7 comments

Ghost commented 2018-10-20 13:05:44 +00:00

Copy Link

Hi,
I'm trying to renew a certificate for a wildcard domain using

var domainName = "example.com";
Greenlock.register({
    domains: [
        domainName,
        '*.'+domainName
    ],
    challengeType: 'dns-01',
    waitForRenewal: true
});

This creates the certificate on the folder live/example.com and is all good.

When we try to renew, this line
[https://git.coolaj86.com/coolaj86/greenlock.js/src/branch/master/lib/core.js#L355-L366] overwrites the domains array and so the renewal ends on this folder live/*.example.com because alt names are sorted alphabetically.

Maybe the IF should be something like

if(args.domains.length < certs.altnames.length) {

so you renew the full certificate if it doesn't contain the full list.

Hi, I'm trying to renew a certificate for a wildcard domain using var domainName = "example.com"; Greenlock.register({ domains: [ domainName, '*.'+domainName ], challengeType: 'dns-01', waitForRenewal: true }); This creates the certificate on the folder `live/example.com` and is all good. When we try to renew, this line [https://git.coolaj86.com/coolaj86/greenlock.js/src/branch/master/lib/core.js#L355-L366] overwrites the `domains` array and so the renewal ends on this folder `live/*.example.com` because alt names are sorted alphabetically. Maybe the IF should be something like if(args.domains.length < certs.altnames.length) { so you renew the full certificate if it doesn't contain the full list.

Ghost started working 2018-10-20 13:13:11 +00:00

Ghost canceled time tracking 2018-10-20 13:13:15 +00:00

coolaj86 commented 2018-11-05 07:31:13 +00:00

Owner

Copy Link

I think the reason I originally set that up was so that if people are using approveDomains as an array and they aren't doing anything else to actually make the renewal work as they probably want it to, that it would "do the right thing".

However, I see where that's a problem.

I'm thinking the best thing I can do is probably to remove it and update the docs and examples.

I think the worst that will happen is that some people will experience more renewals than they did previously, but I don't suspect anything would break.

What are your thoughts?

I think the reason I originally set that up was so that if people are using `approveDomains` as an array and they aren't doing anything else to actually make the renewal work as they probably want it to, that it would "do the right thing". However, I see where that's a problem. I'm thinking the best thing I can do is probably to remove it and update the docs and examples. I think the worst that will happen is that some people will experience more renewals than they did previously, but I don't suspect anything would break. What are your thoughts?

Ghost commented 2018-11-05 08:08:11 +00:00

Author

Copy Link

In my situation when I call the library I'm sure that for every cert there is exactly 1 domain so it's not a problem as a short term solution.

However, looking further at it, if you are trying to fix the input data to renew a full cert when the domains don't corresponds to the ones on the cert, maybe the best thing to do is to get the original settings from the renewal.conf

In this way you don't mix up folders and you are sure of what the original domains are

In my situation when I call the library I'm sure that for every cert there is exactly 1 domain so it's not a problem as a short term solution. However, looking further at it, if you are trying to fix the input data to renew a full cert when the domains don't corresponds to the ones on the cert, maybe the best thing to do is to get the original settings from the renewal.conf In this way you don't mix up folders and you are sure of what the original domains are

coolaj86 commented 2018-11-05 08:27:01 +00:00

Owner

Copy Link

Well, part of the problem is that the plugin that handled renewal.conf just needs to die. It was based on the original python certbot client and I just haven't had enough motivation to do a rewrite.

I need to write something that doesn't rely on cert.subject, but rather should be able to use any of the cert.altnames to correctly relate the domains to the user account, as well as wildcards.

When I do I'll create a JSON store (for small devices) and a SQL store (for ephemeral cloud systems).

Well, part of the problem is that the plugin that handled `renewal.conf` just needs to die. It was based on the original python certbot client and I just haven't had enough motivation to do a rewrite. I need to write something that doesn't rely on `cert.subject`, but rather should be able to use any of the `cert.altnames` to correctly relate the domains to the user account, as well as wildcards. When I do I'll create a JSON store (for small devices) and a SQL store (for ephemeral cloud systems).

Ghost commented 2018-11-05 08:56:26 +00:00

Author

Copy Link

So in the meantime I think this code should be removed because it makes false assumptions and "corrupts" the folder structure

So in the meantime I think this code should be removed because it makes false assumptions and "corrupts" the folder structure

Ghost commented 2019-02-02 20:59:41 +00:00

Author

Copy Link

I'm having the same issue. Is there a way to look up what altnames are on a previously isusued cert, compare it manually, and if it's not an exact match, clear out the old cache folder to force a reissue?

I'm having the same issue. Is there a way to look up what altnames are on a previously isusued cert, compare it manually, and if it's not an exact match, clear out the old cache folder to force a reissue?

coolaj86 commented 2019-02-05 05:16:58 +00:00

Owner

Copy Link

@noyearzero Yes, it's on the object in the approveDomains callback function.

@noyearzero Yes, it's on the object in the `approveDomains` callback function.

coolaj86 closed this issue 2019-02-05 05:16:58 +00:00

Ghost commented 2019-02-05 17:44:36 +00:00

Author

Copy Link

I can't get that callback to trigger. I'm using greenlock.js v2.6.7

I can't get that callback to trigger. I'm using greenlock.js v2.6.7

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

github

next

v4

npm

v3

wip

dns-challenge-regression-fix

v2.4

v2.5

v2.3

v2

v2.2

acmev2

v2.1

greenlock

v1

node-letsencrypt-python

v4.0.5

v4.0.4

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.5

v3.1.4

v3.1.3

v3.0.25

v3.0.24

v3.0.23

v3.0.21

v3.0.20

v3.0.19

v3.0.18

v3.0.17

v3.0.16

v3.0.15

v3.0.12

v3.0.11

v3.0.10

v3.0.9

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.23

v2.7.22

v2.7.21

v2.7.20

v2.7.19

v2.7.18

v2.7.17

v2.7.16

v2.7.15

v2.7.14

v2.7.13

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.10

v2.6.9

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.10

v2.4.9

v2.4.8

v2.4.7

v2.4.2

v2.4.1

v2.4.0

v2.3.13

v2.3.12

v2.3.11

v2.3.10

v2.3.9

v2.3.8

v2.3.7

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.20

v2.2.19

v2.2.18

v2.2.17

v2.2.16

v2.2.15

v2.2.14

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.0

v2.1.19

v2.1.18

v2.1.17

v2.1.16

v2.1.15

v2.1.14

v2.1.13

v2.1.12

v2.1.11

v2.1.10

v2.1.9

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v1.5.8

v2.0.5

v2.0.4

v1.5.7

v1.5.6

v1.5.5

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.0

v1.0.2

v1.0.0

v1.0.1

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: coolaj86/greenlock.js-ARCHIVED#22

No description provided.