BUG/MEDIUM: Fix ACME dns-01 propagation checks

oliwer · oliwer · commit c80b4cdd1c7e · 2026-04-13T20:42:07.000+02:00
- check the right TXT record name
- allow DNS record overwrites
- add more debug messages
diff --git a/.aspell.yml b/.aspell.yml
@@ -199,6 +199,7 @@ allowed:
   - tls
   - tooltip
   - tsconfig
+  - txt
   - typings
   - ubuntu
   - uniq
diff --git a/acme/dns01.go b/acme/dns01.go
@@ -23,6 +23,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/haproxytech/dataplaneapi/log"
 	"github.com/libdns/libdns"
 	"github.com/miekg/dns"
 )
@@ -36,7 +37,7 @@ const (
 
 // DNSProvider defines the operations required for dns-01 challenges.
 type DNSProvider interface {
-	libdns.RecordAppender
+	libdns.RecordSetter
 	libdns.RecordDeleter
 }
 
@@ -82,7 +83,7 @@ func (s *DNS01Solver) Present(ctx context.Context, domain, zone, keyAuth string)
 		zone = rooted(zone)
 	}
 
-	results, err := s.provider.AppendRecords(ctx, zone, []libdns.Record{rec})
+	results, err := s.provider.SetRecords(ctx, zone, []libdns.Record{rec})
 	if err != nil {
 		return fmt.Errorf("adding temporary record for zone %q: %w", zone, err)
 	}
@@ -123,7 +124,10 @@ func (s *DNS01Solver) Wait(ctx context.Context, domain, zone, keyAuth string) er
 	checkAuthoritativeServers := len(s.Resolvers) == 0
 	resolvers := RecursiveNameservers(s.Resolvers)
 
-	absName := strings.Trim(domain, ".")
+	log.Debugf("events: acme deploy: %s: using DNS resolvers %v, check authoritative servers=%v",
+		domain, resolvers, checkAuthoritativeServers)
+
+	absName := "_acme-challenge." + strings.Trim(domain, ".")
 
 	var err error
 	start := time.Now()
diff --git a/acme/propagation.go b/acme/propagation.go
@@ -28,6 +28,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/haproxytech/dataplaneapi/log"
 	"github.com/miekg/dns"
 )
 
@@ -142,6 +143,8 @@ func checkDNSPropagation(ctx context.Context, fqdn string, recType uint16, expec
 		}
 		populateNameserverPorts(authoritativeServers)
 		resolvers = authoritativeServers
+		log.Debugf("events: acme deploy: %s: using DNS resolvers %v, check authoritative servers=%v",
+			fqdn, resolvers, checkAuthoritativeServers)
 	}
 
 	return checkAuthoritativeNss(ctx, fqdn, recType, expectedValue, resolvers)
@@ -172,6 +175,9 @@ func checkAuthoritativeNss(ctx context.Context, fqdn string, recType uint16, exp
 					record := strings.Join(txt.Txt, "")
 					if record == expectedValue {
 						return true, nil
+					} else {
+						log.Debugf("events: acme deploy: %s: TXT record mismatch! Expected %q, Got %q",
+							fqdn, expectedValue, record)
 					}
 				}
 			case dns.TypeCNAME:
@@ -221,6 +227,7 @@ func updateDomainWithCName(r *dns.Msg, fqdn string) string {
 	for _, rr := range r.Answer {
 		if cn, ok := rr.(*dns.CNAME); ok {
 			if cn.Hdr.Name == fqdn {
+				log.Debugf("events: acme deploy: %s: updated FQDN with CNAME value: %q", fqdn, cn.Target)
 				return cn.Target
 			}
 		}
diff --git a/client-native/events_acme.go b/client-native/events_acme.go
@@ -250,8 +250,10 @@ func (h *HAProxyEventListener) handleAcmeDeployEvent(ctx context.Context, args s
 	solver.PropagationDelay = getEnvDuration("DPAPI_ACME_PROPAGDELAY_SEC", 0)
 	solver.PropagationTimeout = getEnvDuration("DPAPI_ACME_PROPAGTIMEOUT_SEC", time.Hour)
 
+	log.Debugf("events: acme deploy: %s: using DNS provider %s", domainName, provider)
+
 	var zone string
-	if solver.PropagationTimeout != -1 {
+	if solver.PropagationTimeout == -1 {
 		zone = acme.GuessZone(domainName)
 	} else {
 		zone, err = acme.FindZoneByFQDN(ctx, domainName, acme.RecursiveNameservers(nil))
@@ -260,11 +262,18 @@ func (h *HAProxyEventListener) handleAcmeDeployEvent(ctx context.Context, args s
 		log.Errorf("events: acme deploy: failed to find root zone for '%s': %s", domainName, err.Error())
 		return
 	}
+
+	log.Debugf("events: acme deploy: %s: found DNS zone: %q", domainName, zone)
+
 	err = solver.Present(ctx, domainName, zone, keyAuth)
 	if err != nil {
 		log.Errorf("events: acme deploy: DNS solver: %s", err.Error())
 		return
 	}
+
+	log.Debugf("events: acme deploy: %s: record created, waiting for propagation. Timeout: %s",
+		domainName, solver.PropagationTimeout.String())
+
 	// Wait for DNS propagation and cleanup.
 	err = solver.Wait(ctx, domainName, zone, keyAuth)
 	// Remove the challenge in 10m if Wait() was successful. This should be

-Original file line number
+Diff line change
   - tls
   - tooltip
   - tsconfig
 +  - txt
   - typings
   - ubuntu
   - uniq
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ import (`
`28`	`28`	`"strings"`
`29`	`29`	`"time"`
`30`	`30`
	`31`	`+ "github.com/haproxytech/dataplaneapi/log"`
`31`	`32`	`"github.com/miekg/dns"`
`32`	`33`	`)`
`33`	`34`
`@@ -142,6 +143,8 @@ func checkDNSPropagation(ctx context.Context, fqdn string, recType uint16, expec`
`142`	`143`	`}`
`143`	`144`	`populateNameserverPorts(authoritativeServers)`
`144`	`145`	`resolvers = authoritativeServers`
	`146`	`+ log.Debugf("events: acme deploy: %s: using DNS resolvers %v, check authoritative servers=%v",`
	`147`	`+ fqdn, resolvers, checkAuthoritativeServers)`
`145`	`148`	`}`
`146`	`149`
`147`	`150`	`return checkAuthoritativeNss(ctx, fqdn, recType, expectedValue, resolvers)`
`@@ -172,6 +175,9 @@ func checkAuthoritativeNss(ctx context.Context, fqdn string, recType uint16, exp`
`172`	`175`	`record := strings.Join(txt.Txt, "")`
`173`	`176`	`if record == expectedValue {`
`174`	`177`	`return true, nil`
	`178`	`+ } else {`
	`179`	`+ log.Debugf("events: acme deploy: %s: TXT record mismatch! Expected %q, Got %q",`
	`180`	`+ fqdn, expectedValue, record)`
`175`	`181`	`}`
`176`	`182`	`}`
`177`	`183`	`case dns.TypeCNAME:`
`@@ -221,6 +227,7 @@ func updateDomainWithCName(r *dns.Msg, fqdn string) string {`
`221`	`227`	`for _, rr := range r.Answer {`
`222`	`228`	`if cn, ok := rr.(*dns.CNAME); ok {`
`223`	`229`	`if cn.Hdr.Name == fqdn {`
	`230`	`+ log.Debugf("events: acme deploy: %s: updated FQDN with CNAME value: %q", fqdn, cn.Target)`
`224`	`231`	`return cn.Target`
`225`	`232`	`}`
`226`	`233`	`}`