Wildcard certificates failing at API #29

Closed
dupsatou opened this issue Sep 15, 2020 · 8 comments
@dupsatou

When trying to create a certificate with a wildcard as a SAN (or a wildcard cert with the main domain as a SAN) I get a 400 Bad Request error. If I create and validate the main domain by itself and re-run it later with just the wildcard added it works. But when I come back later and try to renew the whole certificate again it fails.

Processing *.example.org with alternative names: example.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Dec 13 22:15:56 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for example.org
 + Handling authorization for example.org
 + 2 pending challenge(s)
 + Deploying challenge tokens...
Error: API error: curl: (22) The requested URL returned error: 400 Bad Request
ERROR: deploy_challenge hook returned with non-zero exit

domains.txt:

example.org *.example.org > example.org

I can also swap the main domain and wildcard - it still has the issue.

I can try to work on and contribute but I wanted to be sure it's not user error here first... is this a known issue or am I doing something wrong?

@dupsatou
Author

dupsatou commented Sep 15, 2020

Running with debug:

API version: 1
PDNS server: localhost
Zones: example.org
Suffix: ""
# Domain
Name:  _acme-challenge.example.org.
Token: 58cAdbaug4P0Zk1Ns6KgmpPt8Ejn3eICR85i-qLO69E kwBxFmymY2KyMYmpXNOMBnMMqqQXJpdzEL_cvX6D_Yc
Zone:  example.org.
# Request
Method: PATCH
URL: http://dns0.example.org:8081/api/v1/servers/localhost/zones/example.org.
Data: {"rrsets": [{
    "name": "_acme-challenge.example.org.",
    "type": "TXT",
    "ttl": 1,
    "records": [{
    "content": "\"58cAdbaug4P0Zk1Ns6KgmpPt8Ejn3eICR85i-qLO69E\"",
    "disabled": false,
    "set-ptr": false

    }{
    "content": "\"kwBxFmymY2KyMYmpXNOMBnMMqqQXJpdzEL_cvX6D_Yc\"",
    "disabled": false,
    "set-ptr": false

    }],
    "changetype": "REPLACE"
  }]}
Response: curl: (22) The requested URL returned error: 400 Bad Request
Error: API error: curl: (22) The requested URL returned error: 400 Bad Request
ERROR: deploy_challenge hook returned with non-zero exit code
Hook: exit_hook

PDNS Version info:

[root@dns0 yum.repos.d]# pdns_server --version
Sep 15 09:10:07 PowerDNS Authoritative Server 4.3.0 (C) 2001-2020 PowerDNS.COM BV
Sep 15 09:10:07 Using 64-bits mode. Built using gcc 7.3.1 20180303 (Red Hat 7.3.1-5) on Apr  6 2020 13:12:55 by root@6aa61bd2c735.
Sep 15 09:10:07 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Sep 15 09:10:07 Features: libcrypto-ecdsa lua sodium
Sep 15 09:10:07 Built-in modules:
Sep 15 09:10:07 Configured with: " '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-option-checking=fatal' '--sysconfdir=/etc/pdns' '--disable-static' '--disable-dependency-tracking' '--disable-silent-rules' '--with-modules=' '--with-lua=luajit' '--with-dynmodules= bind gmysql gpgsql pipe remote ldap lua2 gsqlite3 random' '--enable-tools' '--with-libsodium' '--enable-unit-tests' '--disable-lua-records' '--without-protobuf' '--with-boost=/usr/include/boost148/' 'LDFLAGS=-L/usr/lib64/boost148' 'CXXFLAGS=-std=gnu++11' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=-DLDAP_DEPRECATED' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'"

@silkeh silkeh self-assigned this Sep 15, 2020
@silkeh
Owner

silkeh commented Sep 15, 2020

Thanks! That should be enough to reproduce this. I'll take a closer look at it tomorrow.

@dupsatou
Author

Awesome - happy to help or provide more info. I was trying to figure out if it was me somewhere - like a version or config setting or something. If you have trouble reproducing let me know and I'm happy to experiment and gather more info. Thank you!

@silkeh
Owner

silkeh commented Sep 16, 2020

Ok, so the issue is a missing comma between the records, which points to this line introduced with #17.

However, I am only able to reproduce this on Bash versions lower than 4.1. Can you confirm this is the case?
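
As an added illustration (not the hook's own code, and not the fix on the test-fixes branch), the following POSIX sh snippet builds the same PATCH body shown in the debug output above for one _acme-challenge name carrying several tokens, inserting the comma between records explicitly so that the result does not depend on bash version. The helper names pdns_txt_rrset, token_is_safe and rrset_records_are_delimited are hypothetical; the JSON shape (rrsets, name, type TXT, ttl 1, records with content/disabled/set-ptr, changetype REPLACE) is taken from the debug output in this thread.

```shell
#!/bin/sh
# Added example, not code from the hook or from PowerDNS.
# Builds the PowerDNS rrsets PATCH body for one TXT name with N tokens,
# putting a comma between every pair of records. Uses only POSIX sh
# constructs so it behaves identically on bash 3.x, 4.1 and newer.

# Hypothetical helper: an ACME token is base64url, so accept only that
# alphabet. Anything else (quotes, braces, backslashes) is rejected rather
# than being spliced into the JSON string.
token_is_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: pdns_txt_rrset NAME TOKEN [TOKEN...]   -> JSON body on stdout
# Returns 1 (and prints nothing) if any token fails the alphabet check.
pdns_txt_rrset() {
    name=$1; shift
    records=""
    sep=""
    for token in "$@"; do
        token_is_safe "$token" || return 1
        # TXT content is itself a quoted string, hence the escaped inner quotes.
        records="${records}${sep}{\"content\": \"\\\"${token}\\\"\", \"disabled\": false, \"set-ptr\": false}"
        sep=","    # every record after the first is preceded by a comma
    done
    printf '{"rrsets": [{"name": "%s", "type": "TXT", "ttl": 1, "records": [%s], "changetype": "REPLACE"}]}\n' \
        "$name" "$records"
}

# Cheap pre-flight check before curl: two records glued together as "}{"
# is exactly the malformed body that PowerDNS answers with 400 Bad Request.
rrset_records_are_delimited() {
    case "$1" in
        *'}{'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Example run with constructed tokens (not real challenge values):
#   body=$(pdns_txt_rrset _acme-challenge.example.org. tokenA tokenB)
#   rrset_records_are_delimited "$body" && printf '%s\n' "$body"
```

The body can then be handed to curl as the PATCH payload for the zone URL in the debug output. Running rrset_records_are_delimited on the generated body before sending it turns the silent 400 from the API into a local, explained failure.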

@silkeh
Owner

silkeh commented Sep 16, 2020

I have created a branch test-fixes that includes a fix for this issue. It would be helpful to see the following:

  • Do all tests pass? (VERBOSE=yes ./test.sh)
  • Do you still have the issue with this version?

@dupsatou
Author

[admin@example.org ~]$ bash --version
GNU bash, version 4.1.2(2)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[admin@example.org ~]$ lsb_release -a
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.10 (Final)
Release:        6.10
Codename:       Final

I'll take a look at the test.

@dupsatou
Author

Running that test on the version I had previously failed in a few places -- running it on your new branch, though, passes all tests.

Running it now with your test-fixes branch seems to be successful! Thank you!

@silkeh
Owner

silkeh commented Feb 13, 2021

Whoops, seems like I forgot to close this one. Thanks again for reporting the issue!

@silkeh silkeh closed this as completed Feb 13, 2021