letsencrypt-rails-heroku
Wildcard domains on Heroku break renewal without an ACME_DOMAIN variable
```
$ heroku domains
=== my-app Custom Domains
Domain Name         DNS Target
──────────────────  ───────────────────────────────────────
*.my-app.co.uk      wildcard.my-app.co.uk.herokudns.com
www.my-app.co.uk    www.my-app.co.uk.herokudns.com

$ heroku run rake letsencrypt:renew
Running rake letsencrypt:renew on ⬢ my-app... up, run.5599 (Hobby)
Creating account key...Done!
Registering with LetsEncrypt...Done!
Using 5 configured Heroku domain(s) for this app...
Performing verification for *.my-app.co.uk:
rake aborted!
Acme::Client::Error::Malformed: Invalid character in DNS name
```
Workaround is to continue to set the ACME_DOMAIN variable.
Also breaks the 'live' check, where the code picks the first domain from the heroku.domains call, which could be a wildcard.
I also ran into this problem. Possible solution to this could be to fix this line to select a hostname that isn't a wildcard instead of the first one?
https://github.com/pixielabs/letsencrypt-rails-heroku/blob/master/lib/tasks/letsencrypt.rake#L56
@kaspernj yup, you're absolutely right! :)
@jalada Would you like me to submit a PR or would you prefer to do it yourself? :-)
@kaspernj PRs are always welcome :star:
@jalada Done :-)
Afaict #45 doesn't resolve this since Let's Encrypt doesn't support wildcard certs. Maybe it'd be good to have a default behavior of filtering the list of domains for non-wildcard domains?
@mrdomino It fixed the problem for me.
I had a configuration with several configured normal domains and a wildcard domain (like in the example in this issue). For some reason the wildcard domain was always chosen by letsencrypt-rails-heroku to make the connection test against.
Since the wildcard domain isn't a valid hostname the lookup failed and my certificate wasn't installed correctly.
After using the fix in #45 it worked correctly for me.
Interesting. What domains does the resulting cert say it supports?
@mrdomino All the ones defined in ACME_DOMAIN. The only difference the change makes is that instead of taking the first domain in the configured domains on the Heroku app (not ACME_DOMAIN) it takes one of the configured domains that isn't a wildcard domain.
Original code to choose domain: https://github.com/pixielabs/letsencrypt-rails-heroku/pull/45/files#diff-5afd887c0f3237cdd9f1f479de04e71cL56
New code to choose domain that isn't a wildcard: https://github.com/pixielabs/letsencrypt-rails-heroku/pull/45/files#diff-5afd887c0f3237cdd9f1f479de04e71cR62
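The selection logic discussed in this thread (skip the wildcard entry from `heroku domains` and use a real hostname for the verification and live check, falling back to an explicit ACME_DOMAIN), as an added standalone example. This is not the gem's code or the code in #45; the `domains_to_verify`, `live_check_domain` and `challengeable_domains` helpers are hypothetical, the sample domain list is constructed to mirror the `heroku domains` output in the issue, and treating ACME_DOMAIN as a comma-separated list is an assumption about the variable's format.

```ruby
# Added example, not the letsencrypt-rails-heroku gem's own code.
# Picks a usable hostname from the app's Heroku domains, rejecting
# wildcard entries such as "*.my-app.co.uk", which are not valid DNS
# names for the ACME client and caused the "Invalid character in DNS
# name" failure shown in the issue.

# Constructed sample in the shape of the `heroku domains` listing above.
HEROKU_DOMAINS = ['*.my-app.co.uk', 'www.my-app.co.uk'].freeze

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen, 253 characters total at most.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

def wildcard?(domain)
  domain.start_with?('*.')
end

def valid_hostname?(domain)
  !HOSTNAME_RE.match(domain).nil?
end

# Domains the ACME challenge can actually be performed against:
# non-wildcard and syntactically valid hostnames, order preserved.
def challengeable_domains(domains)
  domains.reject { |d| wildcard?(d) }.select { |d| valid_hostname?(d) }
end

# Domains to request in the certificate. An explicit ACME_DOMAIN value
# (assumed here to be comma-separated) wins, matching the workaround in
# the issue; otherwise the filtered Heroku domain list is used.
def domains_to_verify(heroku_domains, acme_domain_env = nil)
  if acme_domain_env && !acme_domain_env.strip.empty?
    return acme_domain_env.split(',').map(&:strip).reject(&:empty?)
  end
  challengeable_domains(heroku_domains)
end

# Hostname for the "live" check: the first non-wildcard domain rather
# than the first domain returned by Heroku. Fails early with a clear
# message instead of a Malformed error from the ACME client.
def live_check_domain(heroku_domains, acme_domain_env = nil)
  candidates = domains_to_verify(heroku_domains, acme_domain_env)
  raise ArgumentError, 'no non-wildcard domain available; set ACME_DOMAIN' if candidates.empty?
  candidates.first
end

if __FILE__ == $PROGRAM_NAME
  puts "verifying: #{domains_to_verify(HEROKU_DOMAINS, ENV['ACME_DOMAIN']).join(', ')}"
  puts "live check against: #{live_check_domain(HEROKU_DOMAINS, ENV['ACME_DOMAIN'])}"
end
```

With the constructed list the live check lands on `www.my-app.co.uk`; an app whose only custom domain is a wildcard gets an explicit `ArgumentError` before any ACME call is made.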
Oh, I see, okay.
On Sun, Mar 5, 2017, 11:29 Kasper Johansen wrote: