Add an option like: --I-understand-dns-manual-mode , to force the user understand dns manual mode before using it. #1029
Comments
|
i though about this the other day. if you go with that flag, i would suggest that the cron is also removed/commented out (if there arent more domains being issued) |
|
@FernandoMiguel If the user confirms to |
|
I have a question related to this, probably due to a misunderstanding about what dns manual mode, and auto dns mode actually do. Initially I setup a certificate using manual mode, then when I went to test renewal I found that renewals were not supported in that mode. Is this because the DNS TXT entry would be required to change during the renewal? It's not totally clear from the wiki/doco. I'm not clear on why the entry would need to change, given it appears to be a securely communicated, random token. Anyway, I setup aws cli and used --dns dns_aws to issue a cert. I deleted the first folder, and started from scratch. I also deleted the TXT records, expecting aws cli to add new ones itself. But when I issued the new cert, it said my domain was already verified, and skipped the auth process... Now, when I try and do a test run to see if renewal will work, it spits this out:
This is confusing, because it appears that renewal using the manual mode would in fact work, becase it doesn't go through the auth process again. In fact, it doesn't appear to even check if the TXT records are still there What am I missing here? How can I check if --dns aws_dns will/is actually working? |
|
The verification is valid for 30 days
…--
Fernando Miguel
On 14 Mar 2018 21:49, "comfytoday" ***@***.***> wrote:
I have a question related to this, probably due to a misunderstanding
about what dns manual mode, and auto dns mode actually do.
Initially I setup a certificate using manual mode, then when I went to
test renewal I found that renewals were not supported in that mode.
Is this because the DNS TXT entry would be required to change during the
renewal? It's not totally clear from the wiki/doco. I'm not clear on why
the entry would need to change, given it appears to be a securely
communicated, random token.
Anyway, I setup aws cli and used --dns dns_aws to issue a cert. I deleted
the first folder, and started from scratch. I also deleted the TXT records,
expecting aws cli to add new ones itself. But when I issued the new cert,
it said my domain was already verified, and skipped the auth process...
Now, when I try and do a test run to see if renewal will work, it spits
this out:
acme.sh --renew -d *.example.com --force
Single domain='
*.example.com <http://example.com>' Getting domain auth token for each
domain Getting webroot for domain='*.example.com'
*.example.com is already verified, skip dns-01.
This is confusing, because it appears that renewal using the manual mode
would in fact work, becase it doesn't go through the auth process again. In
fact, it doesn't appear to even check if the TXT records are still there
What am I missing here? How can I check if --dns aws_dns will/is actually
working?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1029 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAKRrqZcE5sHXKem60IFNOXrMf4SKTuzks5teZB1gaJpZM4PaJ4O>
.
|
|
Just to be clear, at that point will it add a new TXT entry? |
|
@comfytoday yes, everytime, you need to add a new txt entry by your hand. |
|
https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode acme.sh --issue -d example.com -dns \
--yes-I-know-dns-manual-mode-enough-go-ahead-please |
|
ahahahahahah |
|
not sure if yoy realise, but you made just an useless parameter... could someone clarify this? i hope you get my point, i don't intend to be mean or start any flamewar with that, just saying that pretending to clarify onclear things with following even more unclear "clarifications" is just bad idea and should not happen. |
|
Well using the manual mode you need to add the TXT records by yourself, but acme.sh will still autorenew after x days. So you will end up having no TXT records in your DNS but acme.sh tries to renew your cert and will fail! |
|
maybe it would be just clearer if the switch was saying --i-know-i-need-to-update-txt-record ? is self explanatory, doesn't bring any additional confusion - just my thoughts |
|
Oh yes maybe that makes more sense maybe so you know what to do while entering the parameter |
The wildcard went completely missing somewhere before the merge. In the original design, wildcard certificate usage was about to be referenced with a manual mode example. Running a manual mode with the current example would not produce a wildcard certificate because of the missing \*. subdomain. Furthermore, it would not do anything because a manual DNS mode requires a sort of confirmation command, more info acmesh-official/acme.sh#1029. Because of the many quirks of the various DNS modes, a separate subcommand page `acme.sh dns` was created.
|
Hi! I got here from the warning in the wiki. I host my own DNS server which doesn't have an API (and I don't want to use an alias), so I need to use manual mode.
I'm very confused by this. Why would there be no TXT records in my DNS? Would keeping the same DNS records also fail renewal? The wiki article is unclear on how to actually use manual mode. This issue, linked in the wiki, is also unclear. It's quite frustrating :/ |
@spiralw without the API you need to manually update TXT records for every renewal - shortly, you won't have them updated for new renewal, if you cannot put them there via API (or any sort of scripting if you host your own DNS server). |
|
I suggest that this way, "acme.sh" saves the content for the txt record in a separate file, this would make it easier to use in other scripts. It could even be in the .conf file created in the previous step |
So many users are using dns manual mode, but they don't really understand the manual mode .
I'd like to add a new command parameter, something like:
Which forces the user to read our wiki and make sure they know they will need to manually renew the cert in 90 days.
Without given this new parameter, acme.sh will show the wiki link and refuse to work.
The text was updated successfully, but these errors were encountered: