Interaction of dns and http approval and approveDomains function #2
In light of the "canonical" root discussion, I decided to log this one here :)
Background
The way I'm using greenlock is by allowing my customers to create subdomains under my domain (say, mycompany.com). Since there are multiple subdomains under mycompany.com, I'm using the dns-01 challenge method for *.mycompany.com.
At the same time, I allow the customers to have a custom domain (theircompany.com) that points to our servers and we issue a cert using the http-01 auth challenge.
Problem
It appears that whenever there's a new client using a subdomain under our main domain (sub.mycompany.com), the approve function gets called and the challenge is issued for the dns-01 challenge. This shouldn't be needed, so I'm wondering what I'm doing wrong.
approveDomains
Here's my approve domains function:
I guess it really shows that I'm not entirely sure what approveDomains should return. I always return all the valid domains including the wildcard one.
Any guidance would be much appreciated, AJ.
If you include *.foo.com, you can include foo.com, but you cannot include bar.foo.com.
I'd recommend issuing each bare + wild domain separately as needed:
foo.com, *.foo.com
bar.co.uk, *.bar.co.uk
foo.com, bar.com, *.foo, ...
I know I added a property wildname for the storage plugins. I think that comes through approveDomains as well, but I'm not certain.
I'd say query on opts.domain and opts.wildname and search your database based on that and return only those results.
and search your database based on that and return only those results.Do you have some resources you could put towards consulting so that we could spend a few hours working through this together? I'm overcommitted this week, but this weekend or next week I could set aside up to 4 hours of my full attention to review and debug.
And you are using greenlock-sequelize-store, correct?
I'm not using greenlock-sequelize-store at all. I think this actually sheds light into #3 as well.
I wish I could get your professional services on this...but the project I'm working on is fully bootstrapped and the straps came off as getting tight on cash and had to let go of the frontend dev as well. Startups 🙄
What's the actual advantage of greenlock-sequelize-store over the fs one?
Hey Gezim, I'm sorry I dropped the ball on this.
Did you get things sorted out?
I'm just about to publish v3 in which there is no longer any approveDomains. Instead there is a management plugin that's a lot simpler to use.
Docs are forthcoming...
Here's some related documentation for v3 (I'll need to add this to the new official readme as well):
Greenlock v3 prefers challenges in this order:
It will only use dns-01 for wildcard domains unless it is the only option.
If there is a group of domains that are completely private or local domains, the dns-01 plugin must be set for that group as the only option, like this:
This new priority behavior seems to make the most sense with what is required and what can be used (and which is the fastest, most efficient).