Commit ebb348c2 authored by Adrien Dorsaz's avatar Adrien Dorsaz

acme-dns-tiny: only wait for 1 TTL by domain and be more accurate for the TTL…

acme-dns-tiny: only wait for 1 TTL by domain and be more accurate for the TTL configuration documentation
parent 21bc3a82
......@@ -195,8 +195,7 @@ def get_crt(config, log=LOGGER):
while challenge_verified is False:
try:
log.debug('Self test (try: {0}): Check resource with value "{1}" exits on nameservers: {2}'.format(number_check_fail, keydigest64, resolver.nameservers))
challenges = resolver.query(dnsrr_domain, rdtype="TXT")
for response in challenges.rrset:
for response in resolver.query(dnsrr_domain, rdtype="TXT").rrset:
log.debug(" - Found value {0}".format(response.to_text()))
challenge_verified = challenge_verified or response.to_text() == '"{0}"'.format(keydigest64)
except dns.exception.DNSException as dnsexception:
......@@ -208,8 +207,7 @@ def get_crt(config, log=LOGGER):
number_check_fail = number_check_fail + 1
time.sleep(config["DNS"].getint("TTL"))
log.info("Waiting for 1 TTL ({0} seconds) before asking ACME server to validate challenge.".format(config["DNS"].getint("TTL")))
time.sleep(config["DNS"].getint("TTL"))
log.info("Asking ACME server to validate challenge.")
code, result, headers = _send_signed_request(challenge["url"], {"keyAuthorization": keyauthorization})
if code != 200:
raise ValueError("Error triggering challenge: {0} {1}".format(code, result))
......
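Review bot: In the first hunk the rewritten self-test loop exits `while challenge_verified is False` only when a returned TXT value equals the key digest, and the only visible path that increments `number_check_fail` and sleeps is the `except dns.exception.DNSException` branch; a query that succeeds but returns only stale or unrelated TXT values (a previous challenge's digest still cached, for example) appears to re-query the resolver immediately, with no delay and no retry cap. Lines 203–207 between the two hunks are not visible, so if that case is already handled there this can be disregarded; otherwise consider treating "no matching value" like a failed lookup, e.g. after the `for` loop: `if not challenge_verified:` / `number_check_fail = number_check_fail + 1` / `time.sleep(config["DNS"].getint("TTL"))`. The second hunk prints two identical `time.sleep(config["DNS"].getint("TTL"))` lines with the +/- markers lost, so which one the commit removes cannot be confirmed from this page; a one-line comment above the surviving sleep, `# wait one TTL so the ACME server's resolvers see the new record`, would make the intended wait explicit. get_crt starts before the first hunk and continues after the second.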
......@@ -45,8 +45,9 @@ Host = dnsserver
# Optional port to connect on DNS server (default: 53)
Port = 53
# Optional time to live (TTL) value for the added DNS entries
# If you set a value too high, ACME server could return error about invalid entries while checking the TXT resources
# So, the default value is low to increase the probability of having a working setup without needing to update it
# Optional time to live (TTL) value used to add DNS entries
# For each domain registered in the CSR, at least 1 TTL is waited before certificate creation.
# If an error occurs while looking for TXT records, we wait up to 10 TTLs by domain.
# That's why the default is only of 10 seconds, to avoid having too long time to wait to receive a new certificate.
# Default: 10 seconds
TTL = 10