Lua-resty-auto-ssl: Expired domain not being caught & allow_domain not being run on renewal.

Created on 11 Jul 2018  ·  7 Comments  ·  Source: auto-ssl/lua-resty-auto-ssl

Two related issues we've been experiencing for automated cert renewals:

- Auto-ssl thinks that a domain is valid, whereas the whois shows it expired several months ago and is in redemption status.
- allow_domain doesn't appear to run for automated renewal.

Expired domain (does not resolve anywhere)
WHOIS data:
Registry Expiry Date: 2018-05-22T01:19:25Z
Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod

2018/07/06 17:58:11 [error] 3233#3233: *42151 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=74b9b9da3dc257b6f00948fc00b9117beab9fb356fb129a22dd6893c18a9cca3 HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain www.expireddomain.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
Processing www.expireddomain.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Aug 6 00:52:58 2018 GMT (Less than 30 days). Renewing!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting authorization for www.expireddomain.com...
+ 1 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for www.expireddomain.com authorization...
Invalid challenge: DOMAIN=www.expireddomain.com RESPONSE={
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for www.expireddomain.com",
"status": 400
},
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/bP_FGFj0H6027YXEVXwUTr0hgPYU3p4ux70J03YgJcg/5508927882",
"token": "xBzqCypg7iDi6AUTXlmc65C8MtifK14wAQOjh76Z4ok",
"keyAuthorization": "xBzqCypg7iDi6AUTXlmc65C8MtifK14wAQOjh76Z4ok.BmCf6H2DAkLb8K_367ROMmY9nfcTaEk0ovuF_zhtU1M",
"validationRecord": [
{
"url": "http://www.expireddomain.com/.well-known/acme-challenge/xBzqCypg7iDi6AUTXlmc65C8MtifK14wAQOjh76Z4ok",
"hostname": "www.expireddomain.com",
"port": "80"
}
]

Allow_domain doesn't appear to run on automated renewals
- This is a problem when a domain has moved to another provider and no longer resolves to our servers.
- If allow_domain was run on automated cert renewals, it would also solve the expired domain problem, because our allow_domain script checks for DNS resolution, which obviously fails, as reported by letsencrypt.

All 7 comments

I had the same issue as we go through a lot of domains and added the code below to the function renew_check_cert in renewal.lua to check the domain before allowing it. Additionally I also delete expired domains to avoid it happening every time.

    -- Verify domain before we issue a renewal request.
    local allow_domain = auto_ssl_instance:get("allow_domain")
    if not allow_domain(domain) then
      ngx.log(ngx.NOTICE, "auto-ssl: domain not allowed - not renewing - ", domain)
      return
    end
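The DNS-resolution gate that the reporter's allow_domain script performs, and that the renewal check in the comment above would consult, as an added example that is not code from the lua-resty-auto-ssl project or from this thread. It assumes OpenResty's bundled resty.dns.resolver module, a local recursive resolver at 127.0.0.53, and a placeholder set of edge addresses (OUR_EDGE_IPS) that this cluster serves HTTP-01 challenges from.

```lua
-- Added example, not project code. Only domains whose A record still points
-- at one of our edge addresses are approved, so a lapsed or migrated domain is
-- refused at issuance and, once renew_check_cert calls allow_domain, at renewal.
local resolver = require "resty.dns.resolver"

-- Assumed placeholder: the public addresses this cluster answers challenges on.
local OUR_EDGE_IPS = { ["203.0.113.10"] = true, ["203.0.113.11"] = true }

local function resolves_to_us(domain)
  local r, err = resolver:new({
    nameservers = { "127.0.0.53" },  -- assumed local recursive resolver
    retrans = 2,
    timeout = 2000,                  -- milliseconds per attempt
  })
  if not r then
    return false, "resolver init failed: " .. tostring(err)
  end

  local answers, qerr = r:query(domain, { qtype = r.TYPE_A })
  if not answers then
    return false, "query failed: " .. tostring(qerr)
  end
  -- A DNS-level error such as NXDOMAIN (the error Let's Encrypt reported in
  -- the log above) is returned as answers.errcode rather than as a nil result.
  if answers.errcode then
    return false, "dns error " .. answers.errcode .. ": " .. tostring(answers.errstr)
  end

  for _, rec in ipairs(answers) do
    if rec.type == r.TYPE_A and OUR_EDGE_IPS[rec.address] then
      return true
    end
  end
  return false, "no A record points at this cluster"
end

-- Register the gate with auto-ssl; a refused domain is logged with the reason
-- so operators can see why a renewal or first issuance was skipped.
auto_ssl:set("allow_domain", function(domain)
  local ok, why = resolves_to_us(domain)
  if not ok then
    ngx.log(ngx.NOTICE, "auto-ssl: refusing ", domain, ": ", why)
  end
  return ok
end)
```

Because resty.dns.resolver uses cosockets, this callback works both in ssl_certificate_by_lua and inside the ngx.timer context that the renewal job runs in.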

Thanks @brianlund.

Would be sweet if the renew_check_cert was configurable to avoid having to maintain our own fork.

No problem @edeis53
I have been meaning to make a pull request with this and the delete expired certs support, I’ll see if I can’t get around to it.

@brianlund

Is it possible to remove domains on DNS error on renew? Details at #173

@prionkor does this not address your issue? https://github.com/GUI/lua-resty-auto-ssl/pull/128

I think this should hopefully be resolved in v0.13.0 between the combination of #176 and #128. Sorry for the long delay in addressing this! So I'm going to close this, but let me know if there were still any outstanding issues with the behavior in the new release.

Installed and testing now! thanks so much for merging and releasing.
