Edge case: _contains using grep with regex matches incorrectly for 'g.domain.com', at least for INWX api #5129

Open
mandrakey opened this issue May 2, 2024 · 1 comment

mandrakey commented May 2, 2024

Hi team,

I just stumbled on this when trying to issue a certificate for 'g.berlight.de'. Took me a minute to debug.

Steps to reproduce

  1. Try to issue a certificate with --dns dns_inwx active and use a subdomain 'g', like -d g.berlight.de or -d g.domain.com, ...

Debug log

Traceable in the normal log, the following entries are of interest:

[Thu May  2 12:30:23 UTC 2024] h='g.berlight.de'
[Thu May  2 12:30:23 UTC 2024] _sub_domain='_acme-challenge'
[Thu May  2 12:30:23 UTC 2024] _domain='g.berlight.de'
[Thu May  2 12:30:23 UTC 2024] Adding record: domain=g.berlight.de sub=_acme-challenge

Notice how a -d g.berlight.de gets to be Adding record: domain=g.berlight.de sub=_acme-challenge - it should be Adding record: domain=berlight.de sub=_acme-challenge.g.

I traced it to the _contains function in acme.sh, which looks like this:

_contains() {
  _str="$1"
  _sub="$2"
  echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
}

Now the INWX API returns XML by default and has type hints in it. In this particular case, you can find, among a lot of other stuff, the string <string>berlight.de</string> in it, on which _contains "...XML..." "g.berlight.de" returns a hit as it uses regular expressions: g>berlight.de matches (confirmed on Fedora and Alpine).

I was able to issue my certificate by altering _contains to use grep -F, though I am not sure if that would be a generally acceptable solution, or if that might break some feature I am not using.

Another idea might be to alter dns_inwx.sh to replace dots in its _get_root function with a \. so it will match actual dots, and not "any character".

It is an edge case and thus probably not very important, just wanted to point it out.

Thanks for all the work!
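
The mismatch reported above, reproduced as an added example (not part of the original issue and not acme.sh code). `SAMPLE_XML` is a constructed fragment, `find_root` is a hypothetical, simplified stand-in for a root-zone lookup, and the names `_contains_regex` and `_contains_fixed` are chosen here to put the quoted function beside the `grep -F` variant.

```shell
#!/bin/sh
# Constructed sample shaped like the XML the issue describes; not a real
# INWX API response.
SAMPLE_XML='<member><name>domain</name><value><string>berlight.de</string></value></member>'

# _contains as quoted in the issue: $_sub is read as a regular expression,
# so each "." matches any character ("g>berlight.de" satisfies it).
_contains_regex() {
  _str="$1"
  _sub="$2"
  echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
}

# The reporter's workaround: -F makes grep treat $_sub as a literal string.
_contains_fixed() {
  _str="$1"
  _sub="$2"
  echo "$_str" | grep -F -- "$_sub" >/dev/null 2>&1
}

# Hypothetical, simplified zone lookup (an assumption, not dns_inwx.sh code):
# drop leading labels until the matcher in $1 finds the candidate in the XML.
find_root() {
  _matcher="$1"
  _fqdn="$2"
  _cand="$_fqdn"
  while [ "$_cand" != "${_cand#*.}" ]; do
    if "$_matcher" "$SAMPLE_XML" "$_cand"; then
      _rest=${_fqdn%"$_cand"}
      echo "domain=$_cand sub=${_rest%.}"
      return 0
    fi
    _cand="${_cand#*.}"
  done
  return 1
}

find_root _contains_regex _acme-challenge.g.berlight.de
find_root _contains_fixed _acme-challenge.g.berlight.de
```

The first call prints the zone split seen in the debug log; the second prints the split the reporter expected.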

@mandrakey changed the title from "Edge case: _contains using grep with regex matches incorrectly for" to "Edge case: _contains using grep with regex matches incorrectly for 'g.domain.com', at least for INWX api" on May 2, 2024

github-actions bot commented May 2, 2024

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
