Acme.sh feature request: DNS API 'commit'

I’ve written a DNS API plug-in for use in-house. It works by adding the TXT record name and value to a text file in tinydns format, and then running a “make” command which rebuilds the data.cdb file (the “live” DNS data file) and pushes it out to our DNS slave servers.

When I issue a cert with multiple domains, it ends up “pushing” once for every domain in the request, which adds about 30 seconds per domain. Today I had to wait over ten minutes because of this - maybe not the end of the world, but irritating enough that I want to fix it.

I’m planning to update my copy of acme.sh so that after calling ${_currentRoot}_add() for each name, it will call a new ${_currentRoot}_commit() function, if it exists. This will let me issue a single cert with multiple names, while only “pushing” the updated records out to the slaves once, while not breaking the API for existing dnsapi modules. I plan to do the same thing after calling ${_currentRoot}_rm() as well. (Obviously, any changes I make will be sent back here as a pull request.)

Before I do this, is anybody else planning to do anything similar? Or does anybody have any other ideas for how to handle this situation?


I just realized that this site is focused more on LE in general rather than acme.sh specifically. (It’s been a really long day.)

Sorry for any confusion.

I think this is a fairly common defect in implementations of the dns-01 challenge.

We had the same problem with our cPanel plugin, which has a pretty atrocious DNS API, requiring reloading the zone for every individual line we change, and then waiting some non-deterministic amount of time for the nameserver cluster to begin serving the new version of the zone.

Not updating individual challenges one at a time seems to be the most straightforward approach to minimizing the total time required to complete an order (at least, it improved things for us):

  • Receive challenges (ACME)
  • Set all the zone records (DNS cluster)
  • Nameserver publish/reload/wait for new zonefiles to be active (DNS cluster)
  • Update all the challenges (ACME)
  • Finalize the order (ACME)
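As an added example (not acme.sh's own code, and not the original poster's plug-in), the shell sketch below shows the batching that both the first post and the list above describe: a hypothetical dnsapi module named dns_example whose _add and _rm functions only stage tinydns-format TXT lines in a text file, a _commit function that stands in for the single "make and push" step, and a driver that calls ${_currentRoot}_add (or _rm) for every name and then ${_currentRoot}_commit exactly once, but only if the module defines it, so modules without a commit hook keep working. The function names, the staging file, the TTL of 300, the push counter and the sample challenge names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not acme.sh code. Hypothetical module "dns_example":
# _add/_rm stage records in a tinydns-format text file, _commit publishes once.
# Assumed names: dns_example_add, dns_example_rm, dns_example_commit,
# EXAMPLE_DATA (staging file), EXAMPLE_PUSH_COUNT (how many times we "pushed").

EXAMPLE_DATA="${EXAMPLE_DATA:-$(mktemp)}"
EXAMPLE_PUSH_COUNT=0

# Stage one TXT record. tinydns TXT syntax: 'fqdn:value:ttl
# ACME dns-01 values are base64url, so they never contain ':' and need no escaping.
dns_example_add() {
  fulldomain="$1"; txtvalue="$2"
  printf "'%s:%s:300\n" "$fulldomain" "$txtvalue" >> "$EXAMPLE_DATA"
}

# Unstage exactly that record (whole-line, fixed-string match). No publish here.
dns_example_rm() {
  fulldomain="$1"; txtvalue="$2"
  tmp="$EXAMPLE_DATA.tmp"
  grep -v -x -F "'$fulldomain:$txtvalue:300" "$EXAMPLE_DATA" > "$tmp" || true
  mv "$tmp" "$EXAMPLE_DATA"
}

# Publish once for the whole batch. A real module would run something like
# (cd /etc/tinydns && make) here to rebuild data.cdb and push it to the slaves;
# this stand-in only counts how often a push would have happened.
dns_example_commit() {
  EXAMPLE_PUSH_COUNT=$((EXAMPLE_PUSH_COUNT + 1))
  return 0
}

# Driver modelled on the proposed change: apply <op> for every name/value pair,
# then call <root>_commit once if (and only if) the module defines it.
_current_root=dns_example

_batch() {
  op="$1"; shift
  while [ $# -ge 2 ]; do
    "${_current_root}_${op}" "$1" "$2" || return 1
    shift 2
  done
  # command -v reports shell functions too, so this is safe in POSIX sh.
  if command -v "${_current_root}_commit" >/dev/null 2>&1; then
    "${_current_root}_commit"
  fi
}

deploy_challenges()  { _batch add "$@"; }   # after receiving all challenges
cleanup_challenges() { _batch rm  "$@"; }   # after the order is finalized

# Demo with constructed names: two names, one push per phase instead of per name.
deploy_challenges _acme-challenge.a.example tokA _acme-challenge.b.example tokB
echo "pushes after deploy: $EXAMPLE_PUSH_COUNT"
cleanup_challenges _acme-challenge.a.example tokA _acme-challenge.b.example tokB
echo "pushes after cleanup: $EXAMPLE_PUSH_COUNT"
rm -f "$EXAMPLE_DATA"
```

The caller decides where the commit sits in the order: all _add calls happen after every authorization's challenge has been read, the commit runs once, and only then does the client tell the CA to validate, so the wait for the nameservers to pick up the new zone is paid once per order rather than once per name.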

Yes, I have similar concerns with Certbot manual hook scripts.

I’m not sure how the input and output details would be worked out, but a “commit” step would be useful to me.

Redoing my scripts to efficiently manage the updates all in one step sounds like a nightmare, though.

For reference, https://github.com/Neilpang/acme.sh/issues/1173 is where I asked the same question of acme.sh's developer. Please watch there for updates, but the short version is, I am going to write an update, and it may or may not be merged into acme.sh itself. If not, I will make it available for others who may need it, obviously using the same GPLv3 license.

