From 358244c9e945ad3ecbcce1e29062023ba0a00c49 Mon Sep 17 00:00:00 2001
From: "Paul B. Henson"
Date: Wed, 5 Dec 2018 16:08:14 -0800
Subject: [PATCH] Allow dns checks to deal with CNAME records

Some environments might delegate dns validation to a subzone by using CNAME records. These changes allow getssl to validate dns updates when the verification name is a CNAME to the TXT record rather than a TXT record itself.
---
 getssl | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/getssl b/getssl
index 274fe6a7..5549200f 100755
--- a/getssl
+++ b/getssl
@@ -186,10 +186,11 @@
 # 2017-02-18 add OCSP Must-Staple to the domain csr generation (2.10)
 # 2019-09-30 issue #423 Use HTTP 1.1 as workaround atm (2.11)
 # 2019-10-02 issue #425 Case insensitive processing of agreement url because of HTTP/2 (2.12)
+# 2019-10-07 update DNS checks to allow use of CNAMEs (2.13)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
-VERSION="2.12"
+VERSION="2.13"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -1990,13 +1991,13 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
 | grep '"'|awk -F'"' '{ print $2}')
 elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
 check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${d}" "@${ns}" \
- | grep ^_acme|awk -F'"' '{ print $2}')
+ | grep '300 IN TXT'|awk -F'"' '{ print $2}')
 elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
 check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${d}" "${ns}" \
- | grep ^_acme|awk -F'"' '{ print $2}')
+ | grep 'descriptive text'|awk -F'"' '{ print $2}')
 else
 check_result=$(nslookup -type=txt "_acme-challenge.${d}" "${ns}" \
- | grep ^_acme|awk -F'"' '{ print $2}')
+ | grep 'text ='|awk -F'"' '{ print $2}')
 fi
 debug "expecting $auth_key"
 debug "${ns} gave ... $check_result"
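Review bot: The dig/drill branch now filters on the literal string `'300 IN TXT'`, which hardcodes a TTL of 300 and assumes single-space separators, so a correct TXT record published with any other TTL (or with the tab-separated fields dig and drill typically print) never matches, check_result stays empty and the DNS pre-check fails even though the record is right. Matching the record type rather than the TTL avoids this, e.g. `| grep -E '[[:space:]]IN[[:space:]]+TXT[[:space:]]'|awk -F'"' '{ print $2}'`. The host and nslookup patterns (`'descriptive text'`, `'text ='`) depend on those tools' fixed output wording rather than a TTL, so they do not share the problem; note that all three branches now accept any TXT line in the answer rather than only the `_acme-challenge` name, which is the intended CNAME-following behaviour but means a stray TXT record at the target shows up in check_result. The elif chain starts before the hunk, so its first context line is the tail of an earlier branch.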