Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DNS API env variables are not per domain so you cant use different accounts for different domains #799

Open
gitwer opened this issue Apr 18, 2017 · 10 comments
Open

DNS API env variables are not per domain so you cant use different accounts for different domains #799

gitwer opened this issue Apr 18, 2017 · 10 comments

Comments

@gitwer
Copy link

gitwer commented Apr 18, 2017

DNS API env variables are not able to be set per domain, meaning you can only use a single account for all domains. IE: you can't have 2 Cloudflare accounts one for example.com and a different account for other.com

Steps to reproduce

  1. set variables for Cloudflare:
    export CF_Key="sdfdxxxxxxxosdfgje"
    export CF_Email="email@example.com"

  2. issue a cert for example.com
    acme.sh --issue -d example.com --dns dns_cf

  3. install cert
    acme.sh --install-cert -d example.com (etc etc etc)

  4. set variables for DIFFERENT Cloudflare account:
    export CF_Key="wgdsyyyyyyyyyykghtysd"
    export CF_Email="email@other.com"

  5. issue a cert for other.com
    acme.sh --issue -d other.com --dns dns_cf

  6. install cert
    acme.sh --install-cert -d other.com (etc etc etc)

  7. the .acme.sh/account.conf file structure does not work with/allow different DNS API variables for the same DNS provider for different domains.

Can the required DNA API variables (currently saved using "_saveaccountconf") be saved to the .acme.sh/example.com/example.com.conf file instead? This would allow different domains to use different accounts.

Debug log

n/a
@Neilpang
Copy link
Member

Neilpang commented Apr 18, 2017
edited
Loading

yes, that is known limitation.

for most of the users, there is only one cloudflare account, they just need to save the api key one time. All the the domains will get benefit.

As a workaround, you can run acme.sh with different --config-home.

acme.sh  --config-home "/root/myacme.sh2/"   --issue -d example.com  --dns dns_cf

you will need to add another cronjob to auto-renew the certs:

7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --config-home "/root/myacme.sh2/" > /dev/null

@FernandoMiguel
Copy link

I've made a Cloudflare PM promise me that they would have keys per domain, not full accounts.
I wish we could go as far as per subdomain / app.

so in the future, this is something @Neilpang might have to address

@Neilpang
Copy link
Member

@FernandoMiguel
Yes, I will think about it.

@gitwer
Copy link
Author

gitwer commented Apr 18, 2017

Thanks @Neilpang and good to know @FernandoMiguel
The different --config-home's will work for me (save me creating a different account to run it from or hacking the script). DIdn't think of that (then again, it is bed time!)

This was referenced Jul 7, 2017
Closed
Closed
@xBytez
Copy link

xBytez commented Jan 16, 2019

Just bumping this up. Is there any update on this? I'd prefer to avoid the different config-home workaround.

@chisaato
Copy link

maybe store the dns api env into per domain conf?

@senseisimple
Copy link

It makes sense to use the per-domain conf rather than account for exactly this issue. Perhaps this wasn't possible when the issue was raised but it certainly is now.

The documentation DNS-API-Dev-Guide is such:

dns_myapi_add() {
...

  MYAPI_Username="${MYAPI_Username:-$(_readaccountconf_mutable MYAPI_Username)}"
  MYAPI_Password="${MYAPI_Password:-$(_readaccountconf_mutable MYAPI_Password)}"
  if [ -z "$MYAPI_Username" ] || [ -z "$MYAPI_Password" ]; then
    MYAPI_Username=""
    MYAPI_Password=""
    _err "You don't specify cloudflare api key and email yet."
    _err "Please create you key and try again."
    return 1
  fi

  #save the credentials to the account conf file.
  _saveaccountconf_mutable MYAPI_Username "$MYAPI_Username"
  _saveaccountconf_mutable MYAPI_Password "$MYAPI_Password"
...

}

Couldn't we just use the following functions instead?

#_savedomainconf   key  value  base64encode
#save to domain.conf
_savedomainconf() {
  _save_conf "$DOMAIN_CONF" "$@"
}

#_cleardomainconf   key
_cleardomainconf() {
  _clear_conf "$DOMAIN_CONF" "$1"
}

#_readdomainconf   key
_readdomainconf() {
  _read_conf "$DOMAIN_CONF" "$1"
}

it would make sense to store the requisite details in the same place as the auth method and hooks are stored (i.e. Le_Webroot "dns_...." or Le_DeployHook since those are stored per-domain.

dns_myapi_add() {
...

  MYAPI_Username="${MYAPI_Username:-$(_readdomainconf MYAPI_Username)}"
  MYAPI_Password="${MYAPI_Password:-$(_readdomainconf MYAPI_Password)}"
  if [ -z "$MYAPI_Username" ] || [ -z "$MYAPI_Password" ]; then
    MYAPI_Username=""
    MYAPI_Password=""
    _err "You don't specify cloudflare api key and email yet."
    _err "Please create you key and try again."
    return 1
  fi

  #save the credentials to the account conf file.
 _savedomainconf MYAPI_Username "$MYAPI_Username"
 _savedomainconf MYAPI_Password "$MYAPI_Password"
...

}

Is this feasible?

senseisimple pushed a commit to sensimple-contrib/acme.sh that referenced this issue Aug 4, 2020
Store Rackspace DNSAPI in domain conf
3df276c 
This is meant to address acmesh-official#799 and acmesh-official#2091
@senseisimple senseisimple mentioned this issue Aug 4, 2020
Open
senseisimple pushed a commit to sensimple-contrib/acme.sh that referenced this issue Aug 4, 2020
DNSAPI per-domain conf wrapper funcs
716b9b8 
Update to acmesh-official#799 for per-domain auth conf storage.

_readdnsapiconf() <Item Key>
- Prefers the values stored in the domainconf over the accountconf[_mutable] if it exists in both places.
- After first new/update save with _savednsapiconf() it will be stored in the domainconf (and the original acctconf* location if applicable) that's where this function will find the value and the entry in the accountconf* will be obsolete/unused.

_savednsapiconf() <Item Key> <Item Value>
- "Migrate"/save the auth provided by env var or from accountconf[_mutable] to domainconf for future use. Update it in the original account location for backward compatibility if necessary.

1. These wrappers don't update the environment variable like the _getdeployconf(), they read from arg, emit text.
2. The keys saved through the save wrapper are named in mutable form with "SAVED_" prefix.
3. The DNS API Dev Guide (https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide) will need to be updated for the new functions

dns_cf.sh dnsapi script for cloudflare updated as an example.
@HLFH
Copy link

HLFH commented Dec 3, 2021

Any updates?

@thedaveCA thedaveCA mentioned this issue Mar 17, 2022
Open
@thompol
Copy link

thompol commented Dec 27, 2022

This is discussed in the following duplicate issues: #1278, #3779, #3988

Any reason that this is still a global setting, instead of per domain by default?

@thompol
Copy link

thompol commented Dec 28, 2022

To add some info, I want to implement DNS-01 verification for ISPConfig, but with the current storing of credentials this would not work.

@plantroon plantroon mentioned this issue Jun 6, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@FernandoMiguel @senseisimple @xBytez @HLFH @Neilpang @chisaato @gitwer @thompol