Netgate Discussion Forum

Netlify Provider Chooses Incorrect domain_id

  • K
    kevinbrown
    last edited by Apr 5, 2022, 11:25 AM

    I'm having some trouble with the Netlify Provider and ACME. I'm trying to use it but I keep getting this type of log:

    (Note: I've replaced references to my actual domain with mydomain.com and the challenge value with [challenge value].)

    [Tue Apr  5 20:46:04 AEST 2022] Checking domain: _acme-challenge.firewall.mydomain.com
    [Tue Apr  5 20:46:04 AEST 2022] Checking domain: firewall.mydomain.com
    [Tue Apr  5 20:46:04 AEST 2022] Checking domain: mydomain.com
    [Tue Apr  5 20:46:04 AEST 2022] _domain_id='609dddf4b9337b4899666f24
    609dd9c1410efd3c571ecfa2'
    [Tue Apr  5 20:46:04 AEST 2022] _sub_domain='_acme-challenge.firewall'
    [Tue Apr  5 20:46:04 AEST 2022] _domain='mydomain.com'
    [Tue Apr  5 20:46:04 AEST 2022] dns_zones/609dddf4b9337b4899666f24
    609dd9c1410efd3c571ecfa2/dns_records
    [Tue Apr  5 20:46:04 AEST 2022] data='{"type":"TXT", "hostname":"_acme-challenge.firewall", "value":"[challenge value]", "ttl":"10"}'
    [Tue Apr  5 20:46:04 AEST 2022] POST
    [Tue Apr  5 20:46:04 AEST 2022] _post_url='https://api.netlify.com/api/v1/dns_zones/609dddf4b9337b4899666f24
    609dd9c1410efd3c571ecfa2/dns_records'
    [Tue Apr  5 20:46:04 AEST 2022] body='{"type":"TXT", "hostname":"_acme-challenge.firewall", "value":"[challenge value]", "ttl":"10"}'
    [Tue Apr  5 20:46:04 AEST 2022] _postContentType
    [Tue Apr  5 20:46:04 AEST 2022] Http already initialized.
    [Tue Apr  5 20:46:04 AEST 2022] _CURL='curl --silent --dump-header /tmp/acme/firewall.mydomain.com//http.header  -L '
    [Tue Apr  5 20:46:04 AEST 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
    [Tue Apr  5 20:46:04 AEST 2022] _ret='3'
    [Tue Apr  5 20:46:04 AEST 2022] error dns_zones/609dddf4b9337b4899666f24
    609dd9c1410efd3c571ecfa2/dns_records
    [Tue Apr  5 20:46:04 AEST 2022] error adding validation value ()
    [Tue Apr  5 20:46:04 AEST 2022] Error add txt for domain:_acme-challenge.firewall.mydomain.com
    [Tue Apr  5 20:46:04 AEST 2022] _on_issue_err
    [Tue Apr  5 20:46:04 AEST 2022] Please check log file for more details: /tmp/acme/firewall.mydomain.com/acme_issuecert.log
    
    ...proceeds to fail because it couldn't set the DNS record
    

    What I found interesting about this is it's seemingly taking two domain IDs and trying to use both joined by a newline in the POST. I had a look at the source for the plugin and I noticed this line. I looked at the response from the original GET, and here are the domains by ID:

    • 609dddf4b9337b4899666f24: mydomain.com.au
    • 609dd9c1410efd3c571ecfa2: mydomain.com

    So it looks like having both the .com.au as well as the .com set up in Netlify currently breaks the regex that's trying to parse the JSON there, resulting in both IDs getting jammed into the POST URL, obviously resulting in an error from Netlify's API because that's not valid at all. We need to constrain the trim to contain just the ID from exactly the domain we need.

    I'd be happy to supply the response from the original GET to a maintainer for the package, or do the PR myself if I can figure out how to set up a dev environment so I can test my changes, but at the moment I haven't played with this before, so I thought I'd ask about next steps first.

    So, where should I go from here?

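The failure described in the post above, reproduced as an added example (not code from the thread or from acme.sh). `grep -oE` stands in for acme.sh's `_egrep_o` helper, both zone lists are constructed and reduced to two fields, and `zone_id_strict` is a hypothetical hardened variant that assumes zone IDs are lowercase hex like the two quoted in the post.

```shell
#!/bin/sh
# Constructed, reduced zone lists (only the fields the pattern depends on).
# The two IDs in RESPONSE are the ones quoted in the post; DOTTED is made up.
RESPONSE='[{"id":"609dddf4b9337b4899666f24","name":"mydomain.com.au"},{"id":"609dd9c1410efd3c571ecfa2","name":"mydomain.com"}]'
DOTTED='[{"id":"111111111111111111111111","name":"my-domain.com"},{"id":"222222222222222222222222","name":"my.domain.com"}]'

# Name not terminated: "mydomain.com" also matches the start of "mydomain.com.au",
# so two IDs come back, one per line, in the order seen in the log.
zone_id_unterminated() { # $1 = API response, $2 = zone name
  printf '%s\n' "$1" | grep -oE "\"[^\"]*\",\"name\":\"$2" | cut -d , -f 1 | tr -d '"'
}

# Closing quote after the name: the match must end where the JSON string ends.
zone_id_terminated() { # $1 = API response, $2 = zone name (used as a regex)
  printf '%s\n' "$1" | grep -oE "\"[^\"]*\",\"name\":\"$2\"" | cut -d , -f 1 | tr -d '"'
}

# Hypothetical stricter variant: escape the dots so they match literally, and
# refuse any result that is empty or is not a single run of hex digits
# (a second matched ID would bring a newline with it).
zone_id_strict() { # $1 = API response, $2 = literal zone name
  _h=$(printf '%s' "$2" | sed 's/\./\\./g')
  _id=$(zone_id_terminated "$1" "$_h")
  case "$_id" in
    "" | *[!0-9a-f]*) return 1 ;; # no match, several matches, or unexpected characters
  esac
  printf '%s\n' "$_id"
}

echo "unterminated:"; zone_id_unterminated "$RESPONSE" mydomain.com
echo "terminated:";   zone_id_terminated "$RESPONSE" mydomain.com
echo "unescaped dot:"; zone_id_terminated "$DOTTED" my.domain.com
echo "strict:";       zone_id_strict "$DOTTED" my.domain.com
```

The multi-line value from the first function is what ends up inside the POST URL in the log, which is why curl rejects it before any request reaches the API.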
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Apr 5, 2022, 12:22 PM

      That particular script is from upstream in the acme.sh project. Issues with that need to be reported to them: https://github.com/acmesh-official/acme.sh

      After they fix it upstream we'll pick up the changes in the ACME package next time it gets synchronized with the upstream code.

      • K
        kevinbrown @jimp
        last edited by Apr 5, 2022, 12:41 PM

        @jimp Thanks so much for the prompt response! I've added it to their Netlify API issue here and will see about getting it fixed upstream.

          • K
            kevinbrown @kevinbrown
            last edited by Apr 6, 2022, 5:38 AM

            I did not comply with the testing requirements, so I've opened a new PR: https://github.com/acmesh-official/acme.sh/pull/4017

            • K
              kevinbrown @kevinbrown
              last edited by Apr 7, 2022, 11:37 AM

              And finally, in case someone else is waiting for this to land, you can patch this issue yourself by doing the following:

              1. Install the System Patches Package.
              2. Create a new custom patch and enter the following as settings:
              • Description: Fix ACME Netlify API
              • Patch Contents:
              diff --git a/usr/local/pkg/acme/dnsapi/dns_netlify.sh b/usr/local/pkg/acme/dnsapi/dns_netlify.sh
              index 2ce13e2..65e803c 100644
              --- a/usr/local/pkg/acme/dnsapi/dns_netlify.sh
              +++ b/usr/local/pkg/acme/dnsapi/dns_netlify.sh
              @@ -114,7 +114,7 @@ _get_root() {
                   fi
               
                   if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
              -      _domain_id=$(echo "$response" | _egrep_o "\"[^\"]*\",\"name\":\"$h" | cut -d , -f 1 | tr -d \")
              +      _domain_id=$(echo "$response" | _egrep_o "\"[^\"]*\",\"name\":\"$h\"" | cut -d , -f 1 | tr -d \")
                     if [ "$_domain_id" ]; then
                       if [ "$i" = 1 ]; then
                         #create the record at the domain apex (@) if only the domain name was provided as --domain-alias
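Review bot: on the `+` line, `$h` still goes into the `_egrep_o` pattern unescaped, so every `.` in the domain matches any character and a zone whose name differs only at those positions would be matched alongside the intended one. Escape the dots in `$h` before building the pattern, or check that `_domain_id` is a single line before it is used, because the `if [ "$_domain_id" ]` test that follows accepts a multi-line value just as it did before the closing `\"` was added.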
              
              • Path Strip Count: 1
              • Base Directory: /
              • Ignore Whitespace: Checked
              • Auto Apply: Checked
              3. Save then click debug to make sure the patch is able to apply successfully.
              4. Click apply and you're good to go.
              • F
                FMRC_Cheeky @kevinbrown
                last edited by May 26, 2022, 5:05 PM

                @kevinbrown Thanks for finding this. It's not clear how this helps me, as your issue was different than mine, BUT it does give me a new path for research that I was unaware of.

                • K
                  kevinbrown @jimp
                  last edited by May 27, 2022, 4:52 AM

                  @jimp Just a heads up that my fix has now been released in acme.sh v3.0.4.
