
Subdomain and cert manager compatibility#42

Merged
Buxdehuda merged 5 commits into Buxdehuda:master from antiFetzen:subdomain-and-cert-manager-compatibility on Jun 17, 2025

Conversation

@antiFetzen

Contributor

During the integration into cert-manager-webhook-strato
I struggled with presenting ACME-challenges for subdomains.

Issue

In the current version I couldn't create a record for a domain like subdomain.example.com.

Parameter set:

Test cases

1. ✅ Add record for example.com

CERTBOT_DOMAIN=example.com CERTBOT_VALIDATION=token-txt-value python auth-hook.py

Result

  • Works as expected and record _acme-challenge.example.com was created.

2. 🚫 Add record for subdomain.example.com

CERTBOT_DOMAIN=subdomain.example.com CERTBOT_VALIDATION=token-txt-value python auth-hook.py

Result

  • No record was created and no existing record could be read from Strato.

Log

...
INFO: Current cname/txt records:
INFO: New cname/txt records:
INFO: - _acme-challenge.subdomain TXT: token-txt-value

3. 🚫 Add record for next.subdomain.example.com

CERTBOT_DOMAIN=next.subdomain.example.com CERTBOT_VALIDATION=token-txt-value python auth-hook.py

Result

  • No record was created and no existing record could be read from Strato.

Log

...
INFO: Current cname/txt records:
INFO: New cname/txt records:
INFO: - _acme-challenge.next.subdomain TXT: token-txt-value

4. 🚫 Add record for _acme-challenge.next.subdomain.example.com

CERTBOT_DOMAIN=_acme-challenge.next.subdomain.example.com CERTBOT_VALIDATION=token-txt-value python auth-hook.py

Result

  • No record was created and no existing record could be read from Strato.
  • Duplication of the acme-challenge label.

Log

...
INFO: Current cname/txt records:
INFO: New cname/txt records:
INFO: - _acme-challenge._acme-challenge.next.subdomain TXT: token-txt-value

Analysis

CERTBOT_DOMAIN=next.subdomain.example.com CERTBOT_VALIDATION=token-txt-value python auth-hook.py

Domain data

INFO: txt_key: _acme-challenge
INFO: txt_value: token-txt-value
INFO: second_level_domain_name: example.com
INFO: domain_name: next.subdomain.example.com
INFO: subdomain: next.subdomain

When requesting the records, the method get_txt_records() could not find any.

certbotstratoapi.py:194

def get_txt_records(self) -> None:
    """Requests all txt and cname records related to domain."""
    request = self.http_session.get(
        self.api_url,
        params={
            "sessionID": self.session_id,
            "cID": self.package_id,
            "node": "ManageDomains",
            "action_show_txt_records": "",
            "vhost": self.domain_name,
        },
    )
    ...

The request asks for the records page of the vhost = next.subdomain.example.com.
=> This will return the general overview page, because the vhost does not exist.

✏️ Modification

Main change

Change vhost from self.domain_name to self.second_level_domain_name in:

  • get_txt_records()
  • push_txt_records()

Cert-manager adjustments

  • Unify the handling of CERTBOT_DOMAIN to support multiple variants
    • With acme-challenge label: _acme-challenge.subdomain.example.com
    • Fqdn with root-level period: example.com.
  • Add examples to the different domain types
  • Do some small refinements

Final tests

    1. ✅ Add record for example.com
    2. ✅ Add record for subdomain.example.com
    3. ✅ Add record for next.subdomain.example.com
    4. ✅ Add record for _acme-challenge.next.subdomain.example.com
    5. ✅ Add record for _acme-challenge.next.subdomain.example.com.

Both hooks auth-hook and cleanup-hook working now as expected! 🥳

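The normalization described in the PR above (drop a trailing root dot, drop one leading _acme-challenge label, split the name into zone and subdomain, and use the zone rather than the full name as the Strato vhost), as an added example in Python. This is not code from the PR or from the project; the class and function names are hypothetical, only the field names txt_key, second_level_domain_name, domain_name and subdomain follow the log output in the Analysis section, and the rule "the zone is the last two labels" is an assumption taken from that log rather than a general DNS fact.

```python
"""Normalize CERTBOT_DOMAIN into the Strato zone (vhost) and the TXT record name.

Added example, not the project's own code. DomainData, split_domain and
record_for_certbot are hypothetical names; the field names mirror the PR log.
"""
import os
from dataclasses import dataclass

ACME_LABEL = "_acme-challenge"


@dataclass(frozen=True)
class DomainData:
    txt_key: str                    # always "_acme-challenge"
    second_level_domain_name: str   # the zone Strato knows as a vhost
    domain_name: str                # normalized FQDN certbot asked about
    subdomain: str                  # labels left of the zone, "" for the apex

    @property
    def record_name(self) -> str:
        """Owner name of the TXT record relative to the vhost,
        e.g. '_acme-challenge.next.subdomain' or just '_acme-challenge'."""
        return f"{self.txt_key}.{self.subdomain}" if self.subdomain else self.txt_key


def normalize_certbot_domain(raw: str) -> str:
    """Lowercase, drop a trailing root dot, and drop one leading ACME label.

    Stripping the label exactly once means a caller that already passes
    '_acme-challenge.next.subdomain.example.com' yields the same record as
    'next.subdomain.example.com' instead of a doubled '_acme-challenge._acme-challenge'.
    """
    name = raw.strip().lower().rstrip(".")
    if name.startswith(ACME_LABEL + "."):
        name = name[len(ACME_LABEL) + 1:]
    labels = name.split(".")
    # Reject empty names, single labels and empty labels such as 'foo..example.com'.
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"invalid CERTBOT_DOMAIN: {raw!r}")
    return name


def split_domain(raw: str) -> DomainData:
    """Split a CERTBOT_DOMAIN value into zone and subdomain.

    Assumption (taken from the PR log, not a general rule): the zone is the
    last two labels. A zone under a multi-label public suffix such as
    example.co.uk would need a public-suffix lookup instead of this split.
    """
    fqdn = normalize_certbot_domain(raw)
    labels = fqdn.split(".")
    return DomainData(
        txt_key=ACME_LABEL,
        second_level_domain_name=".".join(labels[-2:]),
        domain_name=fqdn,
        subdomain=".".join(labels[:-2]),
    )


def record_for_certbot(certbot_domain: str, certbot_validation: str) -> dict:
    """Return the record the hook would push for this challenge.

    'vhost' is the second-level domain (the PR's main change), never the full
    domain_name: only the zone itself has a records page at Strato.
    """
    data = split_domain(certbot_domain)
    return {
        "vhost": data.second_level_domain_name,
        "name": data.record_name,
        "type": "TXT",
        "value": certbot_validation,
    }


if __name__ == "__main__":
    # Same interface as the hook: certbot hands the values over via the environment.
    print(record_for_certbot(os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"]))
```

Run it the same way as the hook, e.g. CERTBOT_DOMAIN=_acme-challenge.next.subdomain.example.com. CERTBOT_VALIDATION=token-txt-value python example.py; all five variants from the final test list above resolve to the same vhost and record name.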
@Buxdehuda

Owner

Hi, can you please remove the extra indentation? I'm getting a merge conflict right now

@antiFetzen

Contributor Author

Hey how,

I resolved all merge conflicts and removed the indentations. Sorry for that!

In addition I rewrote the last regex with BeautifulSoup 😉

@Buxdehuda Buxdehuda merged commit 3223516 into Buxdehuda:master Jun 17, 2025
1 check passed
@Buxdehuda

Owner

Great, thanks!

@antiFetzen antiFetzen deleted the subdomain-and-cert-manager-compatibility branch June 17, 2025 20:32