Expired domain not being caught & allow_domain not being run on renewal.

[danDanV1]

Two related issue's we've been experiencing for automated cert renewals:

-Auto-ssl thinks that a domain is valid, whereas the whois shows it expired several months ago and is in redemption status.
-allow_domain doesn't appear to run for automated renewal.

Expired domain (does not resolve anywhere)
WHOIS data:
Registry Expiry Date: 2018-05-22T01:19:25Z
Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod

2018/07/06 17:58:11 [error] 3233#3233: *42151 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=74b9b9da3dc257b6f00948fc00b9117beab9fb356fb129a22dd6893c18a9cca3 HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain www.expireddomain.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
Processing www.expireddomain.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Aug 6 00:52:58 2018 GMT (Less than 30 days). Renewing!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting authorization for www.expireddomain.com...
+ 1 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for www.expireddomain.com authorization...
Invalid challenge: DOMAIN=www.expireddomain.com RESPONSE={
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for www.expireddomain.com",
"status": 400
},
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/bP_FGFj0H6027YXEVXwUTr0hgPYU3p4ux70J03YgJcg/5508927882",
"token": "xBzqCypg7iDi6AUTXlmc65C8MtifK14wAQOjh76Z4ok",
"keyAuthorization": "xBzqCypg7iDi6AUTXlmc65C8MtifK14wAQOjh76Z4ok.BmCf6H2DAkLb8K_367ROMmY9nfcTaEk0ovuF_zhtU1M",
"validationRecord": [
{
"url": "http://www.expireddomain.com/.well-known/acme-challenge/xBzqCypg7iDi6AUTXlmc65C8MtifK14wAQOjh76Z4ok",
"hostname": "www.expireddomain.com",
"port": "80"
}
]

Allow_domain doesn't appear to run on automated renewals
-This is a problem when a domain has moved to another provider and no longer resolves to our servers
-If allow_domain was run on automated cert renewals, it would also solve the expired domain problem, because our allow_domain script checks for DNS resolution. Which obviously fails, as reported by letsencrypt.

[brianlund]

I had the same issue as we go through a lot of domains and added the code below to the function renew_check_cert in renewal.lua to check the domain before allowing it. Additionally I also delete expired domains to avoid it happening every time.

  local allow_domain = auto_ssl_instance:get("allow_domain")
  if not allow_domain(domain) then
    ngx.log(ngx.NOTICE, "auto-ssl: domain not allowed - not renewing - ", domain)
    return
  end```

[danDanV1]

Thanks @brianlund.

Would be sweet if the renew_check_cert was configurable to avoid having to maintain our own fork.

[brianlund]

No problem @edeis53
I have been meaning to make a pull request with this and the delete expired certs support, I’ll see if I can’t get around to it.

[prionkor]

@brianlund

Is it possible to remove domains on DNS error on renew? Details at #173

[brianlund]

@prionkor does this not address your issue? #128

[GUI]

I think this should hopefully be resolved in v0.13.0 between the combination of #176 and #128. Sorry for the long delay in addressing this! So I'm going to close this, but let me know if there were still any outstanding issues with the behavior in the new release.

[danDanV1]

Installed and testing now! thanks so much for merging and releasing.