Description
I encountered an issue when using the 'certbot-dns-azure' plugin with Azure DNS for the 'dns-01' challenge. The problem occurs when the plugin attempts to add multiple challenges to the 'TXT' record. Azure DNS is combining the multiple challenge values into a single 'TXT' record with an array of values, rather than creating distinct 'TXT' records for each challenge. This then results in a failed validation.
Note: this was previously working, as my auto-renewal has been in place for over a year. However, the last renewal failed with a validation error. So, this appears to be a new bug. After some troubleshooting, this is what I have found:
Steps to Reproduce:
- Use 'certbot-dns-azure' plugin for a domain with multiple challenges (e.g., a wildcard domain and its base domain).
- Run the renewal process for the certificate.
- Inspect the resulting 'TXT' record in Azure DNS.
Observed Behavior:
Azure DNS creates a single 'TXT' record with an array of challenge values:
{
    "TXTRecords": [
        {"value": ["first_challenge_value", "second_challenge_value"]}
    ]
}
This leads to a failed validation from Let's Encrypt, as it expects the challenge values to be separate records.
Expected Behavior:
Azure DNS should create distinct 'TXTRecord' entries for each challenge value, like this:
{
    "TXTRecords": [
        {"value": ["first_challenge_value"]},
        {"value": ["second_challenge_value"]}
    ]
}
Proposed Solution:
In the current implementation, the values are being appended into a single 'TxtRecord'. To fix this, I modified the plugin to create a separate 'TxtRecord' value for each challenge value.
Here is the code change that resolved my issue:
# Imports needed to run this snippet (azure-core, azure-mgmt-dns and certbot provide these names)
from azure.core.exceptions import HttpResponseError
from azure.mgmt.dns.models import RecordSet, TxtRecord
from certbot import errors

# 'client', 'resource_group_name', 'azure_domain', 'validation_name', 'etag',
# 'txt_value' and 'self.ttl' come from the surrounding plugin method.

# Collect the TXT records as separate 'TxtRecord' objects
txt_records_list = [TxtRecord(value=[value]) for value in txt_value]  # Each value has its own TxtRecord

# Create or update the DNS record with multiple 'TxtRecord' objects
try:
    client.record_sets.create_or_update(
        resource_group_name=resource_group_name,
        zone_name=azure_domain,
        relative_record_set_name=validation_name,
        record_type='TXT',
        if_match=etag,
        parameters=RecordSet(ttl=self.ttl, txt_records=txt_records_list)  # Each TxtRecord contains one value
    )
except HttpResponseError as exc:  # except clause added here; the snippet above left the try block open
    raise errors.PluginError(f'Failed to update TXT record {validation_name}: {exc}') from exc
Outcome:
After this change, Azure DNS now correctly handles multiple challenges as separate 'TXTRecord' entries and my validation succeeds.
Request:
Could this fix be reviewed and incorporated into the plugin? It would help prevent similar issues for other users who are working with Azure DNS and wildcard certificates.
Thanks for your time and for maintaining this plugin!
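The record shape the issue describes, worked through as an added example (this is not code from the issue author or from the certbot-dns-azure project). It uses small dataclass stand-ins for the Azure SDK's TxtRecord and RecordSet (assumed to share the field names 'value', 'ttl' and 'txt_records') so it runs without the SDK, and shows the two operations a plugin needs to get right: appending a second challenge for the same name as its own TxtRecord rather than into an existing value list, and a check that the record set is in the one-value-per-record shape before it is pushed to the zone.

```python
from dataclasses import dataclass, field
from typing import List

# Stand-ins for azure.mgmt.dns.models.TxtRecord / RecordSet (assumption: same
# field names as the SDK), used only so the example runs offline.
@dataclass
class TxtRecord:
    value: List[str]


@dataclass
class RecordSet:
    ttl: int
    txt_records: List[TxtRecord] = field(default_factory=list)


def build_txt_record_set(challenge_values, ttl=60):
    """One TxtRecord per challenge value (the 'Expected Behavior' shape).

    Empty strings are skipped and duplicates collapsed, so a retried
    challenge does not leave two identical records behind."""
    seen = set()
    records = []
    for value in challenge_values:
        if not value or value in seen:
            continue
        seen.add(value)
        records.append(TxtRecord(value=[value]))
    return RecordSet(ttl=ttl, txt_records=records)


def broken_txt_record_set(challenge_values, ttl=60):
    """The 'Observed Behavior' shape from the report: every value crammed
    into a single TxtRecord. Kept only so the validator can be shown
    rejecting it."""
    return RecordSet(ttl=ttl, txt_records=[TxtRecord(value=list(challenge_values))])


def add_challenge_value(record_set, new_value):
    """Return a new RecordSet with new_value as its own TxtRecord, keeping
    the records already present. This is the step that matters when a
    wildcard and its base domain both need a token under the same name."""
    existing = [v for rec in record_set.txt_records for v in rec.value]
    return build_txt_record_set(existing + [new_value], ttl=record_set.ttl)


def remove_challenge_value(record_set, value):
    """Return a new RecordSet without the given value, leaving other
    challenges' records intact (cleanup of one challenge must not wipe
    the other's token)."""
    remaining = [v for rec in record_set.txt_records for v in rec.value if v != value]
    return build_txt_record_set(remaining, ttl=record_set.ttl)


def record_set_is_valid(record_set):
    """True only if every TxtRecord carries exactly one non-empty value,
    i.e. the layout the issue reports as passing validation."""
    return all(len(rec.value) == 1 and bool(rec.value[0]) for rec in record_set.txt_records)


if __name__ == "__main__":
    # Constructed sample tokens, not real ACME challenge values.
    good = build_txt_record_set(["first_challenge_value", "second_challenge_value"])
    bad = broken_txt_record_set(["first_challenge_value", "second_challenge_value"])
    print("separate records valid:", record_set_is_valid(good))   # True
    print("combined record valid: ", record_set_is_valid(bad))    # False
```

A plugin that reads the existing record set back from the zone before writing (as the etag-guarded create_or_update above implies) can route every write through add_challenge_value and assert record_set_is_valid on the result; that turns the silent merge into an immediate, visible failure instead of a validation error minutes later.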