
EasyDNS dns provider doesn't properly handle domains with multi-part TLDs #1466

Closed
3 tasks done
Confuzed opened this issue Aug 17, 2021 · 15 comments · Fixed by #2121

Comments

@Confuzed

Confuzed commented Aug 17, 2021

Welcome

  • Yes, I'm using a binary release within 2 latest releases.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).

What did you expect to see?

When attempting to obtain a cert for a domain with a ccTLD that is made up of two parts, e.g. example.co.uk, I expect lego to correctly submit the zone update to the EasyDNS REST API to complete the DNS challenge before generating certificates.

What did you see instead?

When attempting to obtain certificates for a domain in the form of example.co.uk using the DNS challenge provider for EasyDNS, I consistently get an error response:

Could not obtain certificates:
	error: one or more domains had a problem:
[www.example.co.uk] [www.example.co.uk] acme: error presenting token: easydns: error adding zone record: 403: request failed: {"error":{"code":403,"message":"Access to resource denied due to permissions"}}

When I tested the zone update against the REST API directly, using Postman and the same credentials, the request succeeded.

On inspection of the logging available through EasyDNS's management portal I noticed that the domain was split such that the domain was co.uk and it treated example as part of the host name.

How do you use lego?

Docker image

Reproduction steps

Pre-requisite: A domain registered and managed with EasyDNS that has a multi-part TLD, such as .co.uk. It is also necessary to sign up explicitly for API access.

  1. Obtain the access token and API key for the EasyDNS API, making sure that you have the correct credentials for the endpoint you use for testing (sandbox or production). FWIW, the results are the same for both endpoints.
  2. Configure the env variables EASYDNS_TOKEN and EASYDNS_KEY, and optionally EASYDNS_ENDPOINT using the values obtained for the REST API.
  3. Run lego -a --dns easydns --domains example.co.uk --email [email protected]

In order to test this more easily I wrote a script which sets up the environment variables and executes lego via docker. I'll share that here:

#!/bin/bash

set -e

# Replace with your full domain name
DOMAIN="www.example.co.uk"

# The email address to use in the request
EMAIL="[email protected]"

# LetsEncrypt staging server
CASERVER="https://acme-staging-v02.api.letsencrypt.org/directory"

# The EasyDNS endpoint to use, usually test with the sandbox endpoint
EASYDNS_ENDPOINT="https://sandbox.rest.easydns.net"

# easyDNS API creds
EASYDNS_TOKEN="Your Token Here"
EASYDNS_KEY="Your Key Here"

# Quote the -e values: the placeholder credentials above contain spaces and
# would otherwise be word-split into separate docker arguments.
docker run \
  --rm \
  -v "$(pwd)/lego:/.lego" \
  -e "EASYDNS_ENDPOINT=${EASYDNS_ENDPOINT}" \
  -e "EASYDNS_TOKEN=${EASYDNS_TOKEN}" \
  -e "EASYDNS_KEY=${EASYDNS_KEY}" \
  goacme/lego \
  -a \
  --server "${CASERVER}" \
  --dns easydns \
  --dns.resolvers "dns1.easydns.com" \
  --domains "${DOMAIN}" \
  --email "${EMAIL}" \
  run

Version of lego

lego version v4.4.0 linux/amd64

Logs

2021/08/17 16:59:59 [INFO] [www.example.co.uk] acme: Obtaining bundled SAN certificate
2021/08/17 17:00:00 [INFO] [www.example.co.uk] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/292448088
2021/08/17 17:00:00 [INFO] [www.example.co.uk] acme: Could not find solver for: tls-alpn-01
2021/08/17 17:00:00 [INFO] [www.example.co.uk] acme: Could not find solver for: http-01
2021/08/17 17:00:00 [INFO] [www.example.co.uk] acme: use dns-01 solver
2021/08/17 17:00:00 [INFO] [www.example.co.uk] acme: Preparing to solve DNS-01
2021/08/17 17:00:00 [INFO] [www.example.co.uk] acme: Cleaning DNS-01 challenge
2021/08/17 17:00:01 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/292448088
2021/08/17 17:00:01 Could not obtain certificates:
	error: one or more domains had a problem:
[www.example.co.uk] [www.example.co.uk] acme: error presenting token: easydns: error adding zone record: 403: request failed: {"error":{"code":403,"message":"Access to resource denied due to permissions"}}

Go environment (if applicable)

The docker container

@Confuzed Confuzed added the bug label Aug 17, 2021
@ldez
Member

ldez commented Aug 17, 2021

Hello,

could you provide the log from the start of lego?

@Confuzed
Author

Confuzed commented Aug 17, 2021

@ldez Sure, I updated the log section in the description to include the full output.

This looks suspect to me, seems like it assumes that the domain part of a host is only ever two parts:

func splitFqdn(fqdn string) (host, domain string) {
	parts := dns.SplitDomainName(fqdn)
	length := len(parts)
	host = strings.Join(parts[0:length-2], ".")
	domain = strings.Join(parts[length-2:length], ".")
	return
}

@ldez
Member

ldez commented Sep 8, 2021

Hello @Confuzed,
if I create a PR are you able to test it?

@Confuzed
Author

Confuzed commented Sep 8, 2021

Hello @Confuzed,
if I create a PR are you able to test it?

Yes, be happy to 👍🏻

@ldez
Member

ldez commented Sep 8, 2021

The main problem with the EasyDNS API is to find a way to get the domain/zone from an FQDN.

The API documentation is a bit weak on examples, then I will need you to get more information about the API behavior.

@Confuzed, can you try to give me the responses of the following API endpoint, with several FQDN (example.co.uk, example.com, foo.example.co.uk, foo.example.com)?

@Confuzed
Author

@ldez definitely want to help with this, just been struggling for time and am currently away from home. Will test those endpoints as soon as I can.

@tsg1992

tsg1992 commented Oct 7, 2022

Hello, we are experiencing the same issue, with the same error message as the original post. Direct cURL requests to EasyDNS seem to work just fine using multi-part TLD domains. We build from latest; --version shows

lego version 615e601d787696ab33dbf690bc351a2cb279783a linux/amd64

@tsg1992

tsg1992 commented Oct 7, 2022

The main problem with the EasyDNS API is to find a way to get the domain/zone from an FQDN.

The API documentation is a bit weak on examples, then I will need you to get more information about the API behavior.

@Confuzed, can you try to give me the responses of the following API endpoint, with several FQDN (example.co.uk, example.com, foo.example.co.uk, foo.example.com)?

using cURL with similar requests:


https://sandbox.rest.easydns.net:3001/#/read/listUserDomains

GET "https://rest.easydns.net/domains/list/user?format=json"
"1": ...
"2": ...
"n": ...
"63":{"name":"juliamiles.co.uk","link":"https:\/\/rest.easydns.net\/domain\/juliamiles.co.uk?format=json"},
"64":{"name":"karinahart.com","link":"https:\/\/rest.easydns.net\/domain\/karinahart.com?format=json"}
... 

https://sandbox.rest.easydns.net:3001/#/read/listParsedZone

GET "https://rest.easydns.net/zones/records/parsed/juliamiles.co.uk?format=json"
{
  "tm": 1665148834,
  "data": [
    {
      "id": "69173373",
      "domain": "juliamiles.co.uk",
      "host": "*",
      "ttl": 3600,
      "type": "A",
      "rdata": "209.208.211.200",
      "last_mod": "2019-09-13 20:24:29"
    },
    {
      "id": "69173376",
      "domain": "juliamiles.co.uk",
      "host": "@",
      "ttl": 3600,
      "type": "A",
      "rdata": "209.208.211.200",
      "last_mod": "2019-09-13 20:24:29"
    },
    {
      "id": "69173380",
      "domain": "juliamiles.co.uk",
      "host": "join",
      "ttl": 3600,
      "type": "CNAME",
      "rdata": "secure.score-cash.com.",
      "last_mod": "2019-09-13 20:24:30"
    },
    {
      "id": "69173387",
      "domain": "juliamiles.co.uk",
      "host": "@",
      "ttl": 3600,
      "type": "NS",
      "rdata": "dns1.easydns.com.",
      "last_mod": "2019-09-13 20:24:32",
      "orig_rdata": "LOCAL."
    },
    {
      "id": "69173387",
      "domain": "juliamiles.co.uk",
      "host": "@",
      "ttl": 3600,
      "type": "NS",
      "rdata": "dns2.easydns.net.",
      "last_mod": "2019-09-13 20:24:32",
      "orig_rdata": "LOCAL."
    },
    {
      "id": "69173387",
      "domain": "juliamiles.co.uk",
      "host": "@",
      "ttl": 3600,
      "type": "NS",
      "rdata": "dns3.easydns.org.",
      "last_mod": "2019-09-13 20:24:32",
      "orig_rdata": "LOCAL."
    },
    {
      "id": "69173388",
      "domain": "juliamiles.co.uk",
      "host": "@",
      "ttl": 3600,
      "type": "SOA",
      "rdata": "dns1.easydns.com. zone.easydns.com. 1665139042 3600 600 604800 0",
      "last_mod": "2019-09-13 20:24:33",
      "orig_rdata": "dns1.easydns.com. zone.easydns.com. %%NOW%% 3600 600 604800 0"
    },
    {
      "id": "93320134",
      "domain": "juliamiles.co.uk",
      "host": "@",
      "ttl": 60,
      "type": "CAA",
      "rdata": "0 issuewild letsencrypt.org",
      "last_mod": "2021-10-14 20:28:16"
    },
    {
      "id": "104616394",
      "domain": "juliamiles.co.uk",
      "host": "@",
      "ttl": 60,
      "type": "TXT",
      "rdata": "v=spf1 mx a ip4:38.109.20.80\/28 ip4:209.208.211.192\/28 ~all",
      "last_mod": "2022-10-07 10:37:21"
    }
  ],
  "count": 20,
  "total": 20,
  "start": 0,
  "max": 1000,
  "status": 200
}

@plemelin

Facing same issue as @tsg1992 and @Confuzed

Willing to test any solution that would solve this.

@tsg1992

tsg1992 commented Dec 9, 2022

2022/12/09 09:24:29 [INFO] [*.juliamiles.co.uk, juliamiles.co.uk] acme: Obtaining SAN certificate
2022/12/09 09:24:29 [INFO] [*.juliamiles.co.uk] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/185651218887
2022/12/09 09:24:29 [INFO] [juliamiles.co.uk] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/185651218897
2022/12/09 09:24:29 [INFO] [*.juliamiles.co.uk] acme: use dns-01 solver
2022/12/09 09:24:29 [INFO] [juliamiles.co.uk] acme: Could not find solver for: tls-alpn-01
2022/12/09 09:24:29 [INFO] [juliamiles.co.uk] acme: Could not find solver for: http-01
2022/12/09 09:24:29 [INFO] [juliamiles.co.uk] acme: use dns-01 solver
2022/12/09 09:24:29 [INFO] [*.juliamiles.co.uk] acme: Preparing to solve DNS-01
2022/12/09 09:24:30 [INFO] [*.juliamiles.co.uk] acme: Cleaning DNS-01 challenge
2022/12/09 09:24:30 [INFO] [juliamiles.co.uk] acme: Preparing to solve DNS-01
2022/12/09 09:24:32 [INFO] [juliamiles.co.uk] acme: Cleaning DNS-01 challenge
2022/12/09 09:24:32 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/185651218887
2022/12/09 09:24:32 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/185651218897
2022/12/09 09:24:32 Could not obtain certificates:
	error: one or more domains had a problem:
[*.juliamiles.co.uk] [*.juliamiles.co.uk] acme: error presenting token: easydns: error adding zone record: 403: request failed: {"error":{"code":403,"message":"Access to resource denied due to permissions"}}
[juliamiles.co.uk] [juliamiles.co.uk] acme: error presenting token: easydns: error adding zone record: 403: request failed: {"error":{"code":403,"message":"Access to resource denied due to permissions"}}

@thadius83

I have this same issue with example.id.au

works fine with example.com.au
Was there ever a solution discovered?

I found that it doesn't even create the TXT records

@ldez
Member

ldez commented Feb 27, 2024

example.com.au or example.id.au will provide the same result because the split between the zone and the subdomain will be wrong:

  • _acme-challenge.example.com.au:
    • zone: com.au
    • subdomain: _acme-challenge.example
  • _acme-challenge.example.id.au:
    • zone: id.au
    • subdomain: _acme-challenge.example

The problem is the way to get to the zone.

#1466 (comment)

I will try to find something but I will need people to test it.
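Added example (not lego's code and not the fix in #2121): it puts the two-label split quoted earlier in the thread next to a zone lookup that instead takes the longest zone the account manages that is a suffix of the FQDN, using a constructed stand-in for the "name" fields of the /domains/list/user response shown above. Names, helpers and the sample domain list are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for the "name" fields of the /domains/list/user
// response quoted in the thread; no real API call is made here.
var accountDomains = []string{"example.com", "juliamiles.co.uk", "ab.id.au"}

// splitFqdnNaive reproduces the split quoted from the provider: the last two
// labels are always taken as the zone, which yields "co.uk" for a .co.uk name.
func splitFqdnNaive(fqdn string) (host, zone string) {
	parts := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	n := len(parts)
	if n < 2 {
		return "", fqdn
	}
	return strings.Join(parts[:n-2], "."), strings.Join(parts[n-2:], ".")
}

// splitFqdnByZones instead picks the longest zone the account actually
// manages that is a suffix of the FQDN, so multi-part TLDs need no special
// casing. ok is false when no managed zone matches; "@" denotes the apex.
func splitFqdnByZones(fqdn string, zones []string) (host, zone string, ok bool) {
	name := strings.TrimSuffix(strings.ToLower(fqdn), ".")
	for _, z := range zones {
		z = strings.TrimSuffix(strings.ToLower(z), ".")
		if len(z) <= len(zone) {
			continue // a longer (or equal) match is already held
		}
		switch {
		case name == z:
			host, zone, ok = "@", z, true
		case strings.HasSuffix(name, "."+z):
			host, zone, ok = strings.TrimSuffix(name, "."+z), z, true
		}
	}
	return host, zone, ok
}

func main() {
	for _, f := range []string{"_acme-challenge.juliamiles.co.uk", "_acme-challenge.example.com"} {
		h, z := splitFqdnNaive(f)
		h2, z2, ok := splitFqdnByZones(f, accountDomains)
		fmt.Printf("%s\n  naive: host=%q zone=%q\n  zones: host=%q zone=%q ok=%v\n", f, h, z, h2, z2, ok)
	}
}
```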

@ldez
Member

ldez commented Feb 27, 2024

You can try the following PR #2121

@thadius83

example

Could it possibly be because my actual domain is ab.id.au

One of those rare two-character domain names?

@ldez
Member

ldez commented Feb 27, 2024

No, the algo is simple and just splits the domain based on dots.

@ldez ldez closed this as completed in #2121 Mar 3, 2024

5 participants