Acme.sh: Add an option like: --I-understand-dns-manual-mode , to force the user understand dns manual mode before using it.

Created on 17 Sep 2017 · 12 Comments · Source: acmesh-official/acme.sh

So many users are using dns manual mode, but they don't really understand the manual mode.

I'd like to add a new command parameter, something like:

acme.sh  --issue -d example.com  --dns   --yes-I-understand-dns-manual-mode

Which forces the user to read our wiki and make sure they know they will need to manually renew the cert in 90 days.

Without giving this new parameter, acme.sh will show the wiki link and refuse to work.

All 12 comments

i thought about this the other day.
i was going to propose that it would only work in --test mode, but there is at least one use case where it is useful:
when there is no cert and you want to do the initial cert via DNS.

if you go with that flag, i would suggest that the cron is also removed/commented out (if there aren't more domains being issued)

@FernandoMiguel
This flag will be only for the first initial issue of the domain.
And the cron will work as before, that is showing a dns manual error message.

If the user confirms to understand the dns manual mode for the first time, I would assume he would take care of the certs by himself.

I have a question related to this, probably due to a misunderstanding about what dns manual mode and auto dns mode actually do.

Initially I set up a certificate using manual mode, then when I went to test renewal I found that renewals were not supported in that mode.

Is this because the DNS TXT entry would be required to change during the renewal? It's not totally clear from the wiki/doco. I'm not clear on why the entry would need to change, given it appears to be a securely communicated, random token.

Anyway, I set up aws cli and used --dns dns_aws to issue a cert. I deleted the first folder, and started from scratch. I also deleted the TXT records, expecting aws cli to add new ones itself. But when I issued the new cert, it said my domain was already verified, and skipped the auth process...

Now, when I try and do a test run to see if renewal will work, it spits this out:

acme.sh --renew -d *.example.com --force

Single domain='*.example.com'
Getting domain auth token for each domain
Getting webroot for domain='*.example.com'
*.example.com is already verified, skip dns-01.

This is confusing, because it appears that renewal using the manual mode would in fact work, because it doesn't go through the auth process again. In fact, it doesn't appear to even check if the TXT records are still there.

What am I missing here? How can I check if --dns aws_dns will/is actually working?

The verification is valid for 30 days

--
Fernando Miguel

On 14 Mar 2018 21:49, "comfytoday" notifications@github.com wrote:

Just to be clear, at that point will it add a new TXT entry?

@comfytoday yes, every time, you need to add a new txt entry by hand.

https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode

acme.sh --issue -d example.com --dns \
   --yes-I-know-dns-manual-mode-enough-go-ahead-please
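Because manual mode needs a freshly added TXT record for every issue or renewal (and, as noted above, the cached verification only lasts 30 days), a quick check that the new record has actually propagated before running acme.sh again saves a failed run. The script below is an added example for this thread, not part of acme.sh; it assumes `dig` is installed and that the token is the value acme.sh printed for `_acme-challenge.<domain>`. The parsing is split out so it can be exercised on constructed `dig +short` output without any network access.

```shell
#!/bin/sh
# Added example, not acme.sh code: confirm the manual-mode TXT record is visible
# before re-running `acme.sh --issue`/`--renew` in dns manual mode.
# Assumes `dig` exists and the token is the one acme.sh told you to publish.

# txt_has_token TOKEN  (reads `dig +short TXT` output on stdin)
# dig prints each TXT value wrapped in double quotes, sometimes several per line.
# Returns 0 if TOKEN is exactly one of the published values, 1 otherwise.
txt_has_token() {
  token="$1"
  tr ' ' '\n' |                      # one quoted string per line
    sed -n 's/^"\(.*\)"$/\1/p' |     # strip the surrounding quotes
    grep -Fqx -- "$token"            # exact, fixed-string, whole-line match
}

# check_challenge DOMAIN TOKEN [RESOLVER]
# Queries _acme-challenge.DOMAIN (optionally at a specific resolver, useful
# to bypass a stale local cache) and reports whether TOKEN is present.
check_challenge() {
  domain="$1"; token="$2"; resolver="${3:-}"
  name="_acme-challenge.$domain"
  if [ -n "$resolver" ]; then
    out=$(dig +short TXT "$name" "@$resolver")
  else
    out=$(dig +short TXT "$name")
  fi
  if printf '%s\n' "$out" | txt_has_token "$token"; then
    echo "ok: $name carries the expected token; safe to run acme.sh"
    return 0
  fi
  echo "missing: $name does not (yet) show the token; acme.sh would fail dns-01" >&2
  return 1
}

# Usage (not run automatically when this file is sourced):
#   check_challenge example.com "<token printed by acme.sh>" 8.8.8.8
```

Run it after adding the record and before invoking acme.sh again; a non-zero exit means the record is absent or still an old token, which is exactly the situation the cron renewal in manual mode runs into.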

ahahahahahah

not sure if you realise, but you made just a useless parameter...
as per this comment https://github.com/Neilpang/acme.sh/issues/1029#issuecomment-373186505
i can find no valuable explanation of how the manual dns mode really works - especially if, as claimed, the renewal goes through anyway, without changing the TXT record for the domain...

could someone clarify this?
the perfect clarification would be in https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode, without the endless loop where https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode sends here for an explanation and @Neilpang sends a comment back to https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode, and you still cannot be certain of how the manual mode works.
i mean it is unclear what the author of this switch means by "i know manual mode enough" - if it is about the TXT entry, it should be clearly stated. And if, as @comfytoday says, it doesn't even revalidate the TXT after the first validation, then implementing a --millions-of-billions-of-gazillions-of-characters-long-useless-switch remains really useless as it solves nothing.

i hope you get my point, i don't intend to be mean or start any flamewar with that, just saying that pretending to clarify unclear things with even more unclear "clarifications" is just a bad idea and should not happen.
either this switch is unclear or i am just dumb and don't see the proper explanation under my nose.

Well, using the manual mode you need to add the TXT records by yourself, but acme.sh will still autorenew after x days. So you will end up having no TXT records in your DNS, but acme.sh tries to renew your cert and will fail!
This command just ensures that the users will add them manually on their own every time acme.sh tries to renew the cert.
And as stated in the wiki, it's pretty senseless in a production environment to use the manual mode.

maybe it would just be clearer if the switch said --i-know-i-need-to-update-txt-record ? it is self-explanatory and doesn't bring any additional confusion - just my thoughts

Oh yes, maybe that makes more sense, so you know what to do while entering the parameter.
