Skip to content

security/acme-client: Fix DNS validation failures - missing prepare() call #4834

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

security/acme-client: Fix DNS validation failures - missing prepare() call #4834

wants to merge 1 commit into from
+3 −0

Conversation

@jrork
Copy link

@jrork jrork commented Jul 24, 2025

Description

This PR fixes a critical bug in the ACME client where DNS validations fail because environment variables (API credentials) are not being passed to acme.sh.

The Problem

The prepare() method in DNS validation classes (like DnsCf.php for Cloudflare) sets environment variables with API credentials:

public function prepare()
{
    $this->acme_env['CF_Token'] = (string)$this->config->dns_cf_token;
    $this->acme_env['CF_Zone_ID'] = (string)$this->config->dns_cf_zone_id;
    // etc...
}

However, the Base::run() method never calls prepare(), so these environment variables are never set, causing DNS validations to fail with exit code 3.

The Solution

Add a call to $this->prepare(); in the run() method before the environment variables are used.

Testing

Tested with Cloudflare DNS validation on OPNsense 25.1:

  • Before fix: Validation fails with "domain validation failed (dns01)" and exit code 3
  • After fix: Certificate successfully issued

Impact

This bug affects ALL DNS validation providers (Cloudflare, Route53, Azure DNS, etc.) as none of them can pass their credentials to acme.sh.

@jrork
security/acme-client: Fix DNS validation failures - missing prepare()…
ebe916b 
… call

The prepare() method was not being called in the Base validation class,
which prevented DNS provider credentials from being passed as environment
variables to acme.sh. This caused DNS-01 validations to fail with exit
code 3.

This fix ensures prepare() is called before running acme.sh, properly
setting environment variables for DNS providers like Cloudflare, Route53,
Azure DNS, and all other DNS validation providers.

Testing:
- Before fix: Validation fails with 'domain validation failed (dns01)'
- After fix: Certificate successfully issued with Cloudflare DNS validation
@fraenki fraenki self-assigned this Jul 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@fraenki fraenki

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jrork @fraenki