
ovh: follow cname #1467

Merged
merged 6 commits into from
Aug 25, 2021

Conversation

dauriata
Contributor

@dauriata dauriata commented Aug 17, 2021

The LEGO_EXPERIMENTAL_CNAME_SUPPORT flag replaces the FQDN with its CNAME target if one exists.

Actually, the OVH DNS provider creates the TXT record in the original domain's zone and does not follow the CNAME as intended.

Note:
Let's Encrypt states that it follows CNAMEs, so it would check whether _acme-challenge.domain1 contains a CNAME and look for the TXT record at that target.
So it is not only domain1 that should point to domain2: _acme-challenge.domain1 should point to anysubdomain.domain2.
When using wildcards it would be better to add a CNAME record pointing _acme-challenge.domain1 to _acme-challenge.domain2.

Should be tested and reviewed

Fixes #1272

@ldez ldez self-requested a review August 17, 2021 23:08
@ldez ldez changed the title fix ovh dns provider to follow cname ovh: follow cname Aug 17, 2021
@ldez
Member

ldez commented Aug 17, 2021

Hello,

I think that your PR just breaks the current working implementation without CNAME.

You have to find another approach.

@dauriata
Contributor Author

dauriata commented Aug 17, 2021

Hi, what would make you think so?
If there is no CNAME, fqdn = _acme-challenge.*domain*.
Hence authZone, which is the only entry altered by this commit, is the same for fqdn or domain.

@ldez
Member

ldez commented Aug 17, 2021

You should prove that your PR works with and without CNAME.

You should be able to do: (and put the output of this command to a comment in your PR)

```shell
rm -rf .lego

./lego -m your@email.com --dns ovh -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
```

Note the wildcard domain is important.

In the 2 situations.

@dauriata
Contributor Author

I have made the following tests:

| Record setup | LEGO_EXPERIMENTAL_CNAME_SUPPORT | Result | TXT record |
|---|---|---|---|
| origin.com: A record | true | PASS | |
| origin.com: A record | false | PASS | |
| *.origin.com: A record | false | PASS | |
| *.origin.com: A record | true | PASS | |
| origin.com: CNAME record to dest.com | true | PASS | created as _acme-challenge.origin.com |
| origin.com: CNAME record to dest.com | false | PASS | created as _acme-challenge.origin.com |
| _acme-challenge.origin.com: CNAME record to dest.com | true | PASS | created as dest.com |
| _acme-challenge.origin.com: CNAME record to dest.com | false | FAIL | created as _acme-challenge.origin.com but looked for in dest.com |
| _acme-challenge.origin.com: CNAME record to sub.dest.com | true | PASS | created as sub.dest.com |
| _acme-challenge.origin.com: CNAME record to sub.dest.com | false | FAIL | created as _acme-challenge.origin.com but looked for in sub.dest.com |
| *.origin.com: CNAME record to dest.com | true | PASS | created as dest.com |
| *.origin.com: CNAME record to dest.com | false | FAIL | created as _acme-challenge.origin.com but looked for at dest.com |
| *.origin.com: CNAME record to dest.com and _acme-challenge.origin.com: CNAME record to _acme-challenge.dest.com | true | PASS | created as _acme-challenge.dest.com |

The current code always follows the CNAME during pre-checking, but follows the CNAME when setting the TXT record only if LEGO_EXPERIMENTAL_CNAME_SUPPORT is set: this is inconsistent.
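The inconsistency described above, and the wildcard/CNAME note in the PR description, worked as an added example. This is not lego's code and not the OVH provider's: the CNAME table and zone list are constructed stand-ins for live DNS and for the provider's SOA lookup, and `plan`, `followCNAME`, `authZone` and `Placement` are names chosen for this illustration. The propagation check always follows the CNAME of the challenge name, while record creation follows it only when `followForCreate` is true, which reproduces the FAIL rows of the table; the wildcard case strips `*.` before building `_acme-challenge.<domain>`, and the `_acme-challenge.<domain> → _acme-challenge.<target>` pattern is covered by the `wild.example.org` entry. Chain following is bounded so a looping CNAME cannot hang the client.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed CNAME table standing in for live DNS (assumption, not lego's resolver); names carry a trailing dot.
var cnameTable = map[string]string{
	"_acme-challenge.origin.com.":       "dest.com.",
	"_acme-challenge.wild.example.org.": "_acme-challenge.dest.com.",
}

// Constructed zone apexes, standing in for the SOA walk a provider performs.
var knownZones = []string{"origin.com.", "dest.com.", "example.org."}
// maxCNAMEDepth bounds chain following so a CNAME loop cannot spin forever.
const maxCNAMEDepth = 8

func toFQDN(name string) string {
	if strings.HasSuffix(name, ".") {
		return name
	}
	return name + "."
}

// challengeName builds the DNS-01 record name; "*." is dropped because a wildcard
// and its base domain are validated at the same _acme-challenge name.
func challengeName(domain string) string {
	return "_acme-challenge." + toFQDN(strings.TrimPrefix(domain, "*."))
}

// followCNAME walks CNAMEs from name until a name without one is reached.
func followCNAME(name string) (string, error) {
	cur := toFQDN(name)
	for i := 0; i < maxCNAMEDepth; i++ {
		target, ok := cnameTable[cur]
		if !ok {
			return cur, nil
		}
		cur = toFQDN(target)
	}
	return "", fmt.Errorf("CNAME chain too long or looping for %s", name)
}

// authZone returns the longest known zone that contains name.
func authZone(name string) (string, error) {
	name, best := toFQDN(name), ""
	for _, z := range knownZones {
		if (name == z || strings.HasSuffix(name, "."+z)) && len(z) > len(best) {
			best = z
		}
	}
	if best == "" {
		return "", fmt.Errorf("no authoritative zone found for %s", name)
	}
	return best, nil
}

// Placement records where the TXT record is written and where the pre-check reads it;
// Relative is the zone-relative label a provider API expects ("" at the apex).
type Placement struct{ CreatedAt, CheckedAt, Zone, Relative string }

// Consistent is true when the record is created exactly where validation will look.
func (p Placement) Consistent() bool { return p.CreatedAt == p.CheckedAt }

// plan models the behaviour reported in the PR: the propagation check always follows
// the CNAME, while record creation follows it only when followForCreate is true.
func plan(domain string, followForCreate bool) (Placement, error) {
	name := challengeName(domain)
	checkedAt, err := followCNAME(name)
	if err != nil {
		return Placement{}, err
	}
	createdAt := name
	if followForCreate {
		createdAt = checkedAt
	}
	zone, err := authZone(createdAt)
	if err != nil {
		return Placement{}, err
	}
	rel := strings.TrimSuffix(strings.TrimSuffix(createdAt, zone), ".")
	return Placement{createdAt, checkedAt, zone, rel}, nil
}

func main() {
	for _, domain := range []string{"origin.com", "*.origin.com", "wild.example.org", "plain.dest.com"} {
		for _, follow := range []bool{false, true} {
			p, err := plan(domain, follow)
			if err != nil {
				fmt.Println(domain, err)
				continue
			}
			fmt.Printf("%-17s follow=%-5v created=%-27s checked=%-27s rel=%q consistent=%v\n",
				domain, follow, p.CreatedAt, p.CheckedAt, p.Relative, p.Consistent())
		}
	}
}
```

Running it prints one line per domain and flag value; the `consistent=false` lines are exactly the cases where a record would be created in the origin zone while the check (and the CA) looks at the CNAME target, and `rel` shows the zone-relative name a provider API such as OVH's would be handed once the target zone is chosen.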

@dauriata
Contributor Author

I am not putting all the logs, but here are the logs with no CNAME. Email, domain and key changed.

```
user@ASPIRE:~/lego/dist$ rm -rf .lego/
user@ASPIRE:~/lego/dist$ OVH_ENDPOINT=ovh-eu OVH_APPLICATION_KEY=xx OVH_APPLICATION_SECRET=xx OVH_CONSUMER_KEY=xx LEGO_EXPERIMENTAL_CNAME_SUPPORT=true ./lego -m myemail@free.fr --dns ovh -d *.example.fr -d example.fr -s https://acme-staging-v02.api.letsencrypt.org/directory run
2021/08/18 03:01:39 No key found for account myemail@free.fr. Generating a P256 key.
2021/08/18 03:01:39 Saved key to /home/user/lego/dist/.lego/accounts/acme-staging-v02.api.letsencrypt.org/myemail@free.fr/keys/myemail@free.fr.key
2021/08/18 03:01:39 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you accept the TOS? Y/n

2021/08/18 03:01:41 [INFO] acme: Registering account for myemail@free.fr
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/user/lego/dist/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2021/08/18 03:01:41 [INFO] [*.example.fr, example.fr] acme: Obtaining bundled SAN certificate
2021/08/18 03:01:42 [INFO] [*.example.fr] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/295036258
2021/08/18 03:01:42 [INFO] [example.fr] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/295036268
2021/08/18 03:01:42 [INFO] [example.fr] acme: Could not find solver for: tls-alpn-01
2021/08/18 03:01:42 [INFO] [example.fr] acme: Could not find solver for: http-01
2021/08/18 03:01:42 [INFO] [example.fr] acme: use dns-01 solver
2021/08/18 03:01:42 [INFO] [*.example.fr] acme: use dns-01 solver
2021/08/18 03:01:42 [INFO] [example.fr] acme: Preparing to solve DNS-01
2021/08/18 03:01:43 [INFO] [*.example.fr] acme: Preparing to solve DNS-01
2021/08/18 03:01:43 [INFO] [example.fr] acme: Trying to solve DNS-01
2021/08/18 03:01:43 [INFO] [example.fr] acme: Checking DNS record propagation using [172.21.192.1:53]
2021/08/18 03:01:45 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2021/08/18 03:01:45 [INFO] [example.fr] acme: Waiting for DNS record propagation.
2021/08/18 03:01:47 [INFO] [example.fr] acme: Waiting for DNS record propagation.
2021/08/18 03:01:49 [INFO] [example.fr] acme: Waiting for DNS record propagation.
2021/08/18 03:01:51 [INFO] [example.fr] acme: Waiting for DNS record propagation.
2021/08/18 03:01:53 [INFO] [example.fr] acme: Waiting for DNS record propagation.
2021/08/18 03:01:55 [INFO] [example.fr] acme: Waiting for DNS record propagation.
2021/08/18 03:02:03 [INFO] [example.fr] The server validated our request
2021/08/18 03:02:03 [INFO] [*.example.fr] acme: Trying to solve DNS-01
2021/08/18 03:02:03 [INFO] [*.example.fr] acme: Checking DNS record propagation using [172.21.192.1:53]
2021/08/18 03:02:05 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2021/08/18 03:02:09 [INFO] [*.example.fr] The server validated our request
2021/08/18 03:02:09 [INFO] [example.fr] acme: Cleaning DNS-01 challenge
2021/08/18 03:02:10 [INFO] [*.example.fr] acme: Cleaning DNS-01 challenge
2021/08/18 03:02:10 [INFO] [*.example.fr, example.fr] acme: Validations succeeded; requesting certificates
2021/08/18 03:02:12 [INFO] [*.example.fr] Server responded with a certificate.
```


@ldez ldez left a comment


Thanks 👍

@ldez ldez enabled auto-merge (squash) August 25, 2021 11:16
@ldez ldez merged commit e0b0f22 into go-acme:master Aug 25, 2021
Successfully merging this pull request may close these issues.

Invalid FQDN for wildcard DNS challenge if target domain have CNAME record