From dca4ddd3d804bcfce144ac113fe91b554fad7f66 Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Mon, 30 Oct 2023 10:34:30 -0700
Subject: [PATCH] Prep for 2.7.4 (#9823)

* Set the delegated field in Lexicon config to bypass subdomain resolution (#9821)

The Lexicon-based DNS plugins use a mechanism to determine which actual segment of the input domain is actually the DNS zone in which the DNS-01 challenge has to be initiated (e.g. `subdomain.domain.com` or `domain.com` for input `subdomain.domain.com`): they try recursively to configure Lexicon and initiate authentication from the most specific to the most generic domain segment, and select the first segment where Lexicon stops erroring out.

This mechanism broke with #9746 because now the plugins call the Lexicon client instead of the underlying providers, and the client makes a guess on the actual domain requested. Typically for `subdomain.domain.com` it will actually try to authenticate against `domain.com`, and so the mechanism above does not work anymore.

This PR fixes the issue by using the `delegated` field in Lexicon config each time the plugin needs it. This field is designed for this kind of purpose: it will instruct Lexicon what the actual DNS zone domain is instead of guessing it.

I tested the change with one of my OVH accounts. The expected behavior is re-established and the plugin is able to test `subdomain.domain.com` then `domain.com` as before.

Fixes #9791
Fixes #9818

(cherry picked from commit cf4f07d17e22924f7d7d3f41a09136df22981765)

* add changelog entry for 9821 (#9822)

(cherry picked from commit 7bb85f844069cafbf1184d46f6e3c649fbfcc7d4)

---------

Co-authored-by: Adrien Ferrand
---
 certbot/CHANGELOG.md                          | 10 ++++++++++
 certbot/certbot/plugins/dns_common_lexicon.py |  4 ++++
 2 files changed, 14 insertions(+)

diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index 3ed4d2ff2..4e82bd157 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -2,6 +2,16 @@ Certbot adheres to [Semantic Versioning](https://semver.org/). +## 2.7.4 - master + +### Fixed + +* Fixed a bug introduced in version 2.7.0 of our Lexicon based DNS plugins that + caused them to fail to find the DNS zone that needs to be modified in some + cases. + +More details about these changes can be found on our GitHub repo. + ## 2.7.3 - 2023-10-24 ### Fixed diff --git a/certbot/certbot/plugins/dns_common_lexicon.py b/certbot/certbot/plugins/dns_common_lexicon.py index 6e07e6dc4..be94e191b 100644 --- a/certbot/certbot/plugins/dns_common_lexicon.py +++ b/certbot/certbot/plugins/dns_common_lexicon.py @@ -198,6 +198,10 @@ class LexiconDNSAuthenticator(dns_common.DNSAuthenticator): dict_config = { 'domain': domain, + # We bypass Lexicon subdomain resolution by setting the 'delegated' field in the config + # to the value of the 'domain' field itself. Here we consider that the domain passed to + # _build_lexicon_config() is already the exact subdomain of the actual DNS zone to use. + 'delegated': domain, 'provider_name': self._provider_name, 'ttl': self._ttl, self._provider_name: {item[2]: self._credentials.conf(item[0])
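Review bot: in the CHANGELOG hunk, the new `## 2.7.4 - master` heading uses `master` as a placeholder where the `## 2.7.3 - 2023-10-24` heading directly below it carries a release date; make sure it is replaced with the actual date before the release is tagged. The entry would also be easier to trace if it cited the issues it closes, which the commit message names (#9791, #9818) along with the fix itself (#9821), for example `* Fixed a bug introduced in version 2.7.0 of our Lexicon-based DNS plugins ... (#9821)`; note the hyphen in "Lexicon-based", matching the wording used in the commit message.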
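Review bot: in the `dns_common_lexicon.py` hunk, the fix is the single line `'delegated': domain,` and, per the diffstat, no test accompanies it; the commit message says the behaviour was only verified manually against an OVH account. Since this zone-probing logic has already regressed once (#9746 switched the plugins to the Lexicon client, which started guessing the zone), a unit test that calls `_build_lexicon_config()` with a name such as `subdomain.domain.com` and asserts the returned dict has `delegated` equal to `domain` would catch the next regression cheaply. The comment above the line could also say why the bypass matters for callers: the probing loop described in the commit message relies on Lexicon erroring out for segments that are not the real zone, so any future change that lets Lexicon resolve the zone on its own will silently break the most-specific-to-most-generic selection again.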