From f2bcce5ab2acf39d0b1a37261e11a46706f1d0b6 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sun, 25 Oct 2020 14:46:30 +0000
Subject: [PATCH 1/5] Add more info to debug statemetns when running tests
---
 getssl | 60 +++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 34 insertions(+), 26 deletions(-)
diff --git a/getssl b/getssl
index f99c53e..9fd63ea 100755
--- a/getssl
+++ b/getssl
@@ -629,10 +629,10 @@ check_getssl_upgrade() { # check if a more recent version of code is available a
 if [[ "${latestvdec:-0}" -gt "$localvdec" ]]; then
 if [[ ${_UPGRADE} -eq 1 ]]; then
 if ! install "$0" "${0}.v${VERSION}"; then
- error_exit "problem renaming old version while updating, check permissions"
+ error_exit "problem renaming old version while updating, check permissions"
 fi
 if ! install -m 700 "$TEMP_UPGRADE_FILE" "$0"; then
- error_exit "problem installing new version while updating, check permissions"
+ error_exit "problem installing new version while updating, check permissions"
 fi
 if [[ ${_MUTE} -eq 0 ]]; then
 echo "Updated getssl from v${VERSION} to v${latestversion}"
@@ -819,7 +819,7 @@ create_csr() { # create a csr using a given key (if it doesn't already exist)
 for d in $alldomains; do
 if [[ "$(echo "${domains_in_csr}"| grep "^${d}$")" != "${d}" ]]; then
 info "existing csr at $csr_file does not contain ${d} - re-create-csr"\
- ".... $(echo "${domains_in_csr}"| grep "^${d}$")"
+ ".... $(echo "${domains_in_csr}"| grep "^${d}$")"
 _RECREATE_CSR=1
 fi
 done
@@ -889,6 +889,7 @@ create_order() {
 OrderLink=$(echo "$responseHeaders" | grep -i location | awk '{print $2}'| tr -d '\r\n ')
 debug "Order link $OrderLink"
 FinalizeLink=$(json_get "$response" "finalize")
+ debug "Finalize link $FinalizeLink"
 if [[ $API -eq 1 ]]; then
 dn=0
@@ -915,6 +916,7 @@ create_order() {
 d=$(echo "$d" | tr "[:upper:]" "[:lower:]")
 if [ "$d" == "$authdomain" ]; then
 debug "Saving authorization response for $authdomain for domain alldomains[$dn]"
+ debug "Response = ${response//['\t\r\n']}"
 AuthLinkResponse[$dn]=$response
 AuthLinkResponseHeader[$dn]=$responseHeaders
 fi
@@ -957,7 +959,7 @@ debug() { # write out debug info if the debug flag has been set
 if [[ ${_USE_DEBUG} -eq 1 ]]; then
 # If running tests then output in TAP format (for debugging tests)
 if [[ ${_RUNNING_TEST} -eq 1 ]]; then
- echo "#" "$@" >&3
+ echo "# $(date "+%b %d %T") ${FUNCNAME[1]}:${BASH_LINENO[1]}" "$@" >&3
 else
 echo " "
 echo "$@"
@@ -1047,7 +1049,7 @@ for d in $alldomains; do
 uri=$(json_get "$response" "uri" "dns-01")
 debug uri "$uri"
 else # APIv2
- debug "authlink response = $response"
+ debug "authlink response = ${response//['\t\r\n']}"
 # get the token and uri from the dns-01 component
 token=$(json_get "$response" "challenges" "type" "dns-01" "token")
 uri=$(json_get "$response" "challenges" "type" "dns-01" "url")
@@ -1058,10 +1060,11 @@ for d in $alldomains; do
 debug keyauthorization "$keyauthorization"
 #create signed authorization key from token.
- auth_key=$(printf '%s' "$keyauthorization" | openssl dgst -sha256 -binary \
- | openssl base64 -e \
- | tr -d '\n\r' \
- | sed -e 's:=*$::g' -e 'y:+/:-_:')
+ auth_key=$(printf '%s' "$keyauthorization" \
+ | openssl dgst -sha256 -binary \
+ | openssl base64 -e \
+ | tr -d '\n\r' \
+ | sed -e 's:=*$::g' -e 'y:+/:-_:')
 debug auth_key "$auth_key"
 # shellcheck disable=SC2018,SC2019
@@ -1102,7 +1105,7 @@ for d in $alldomains; do
 uri=$(json_get "$response" "uri" "http-01")
 debug uri "$uri"
 else # APIv2
- debug "authlink response = $response"
+ debug "authlink response = ${response//['\t\r\n']}"
 # get the token from the http-01 component
 token=$(json_get "$response" "challenges" "type" "http-01" "token")
 # get the uri from the http component
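Review bot: The frame indices in the new TAP prefix of debug() do not belong together: `${FUNCNAME[1]}` is the function that called debug(), but `${BASH_LINENO[1]}` is the line on which that caller was itself invoked one frame further up, so the printed `function:line` points at the wrong line; the line of the `debug` call is `${BASH_LINENO[0]}`. Change the added line to `echo "# $(date "+%b %d %T") ${FUNCNAME[1]}:${BASH_LINENO[0]}" "$@" >&3`. The identical prefix is copied into the info() hunk at -1634 in this same patch and needs the same correction. debug()'s closing `fi`/`}` lie outside the hunk.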
@@ -1198,18 +1201,18 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
 while [[ "$check_dns" == "fail" ]]; do
 if [[ "$os" == "cygwin" ]]; then
 check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \
- | grep ^_acme -A2\
- | grep '"'|awk -F'"' '{ print $2}')
+ | grep ^_acme -A2\
+ | grep '"'|awk -F'"' '{ print $2}')
 elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
 debug "$DNS_CHECK_FUNC" TXT "_acme-challenge.${lower_d}" "@${ns}"
 check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${lower_d}" "@${ns}" \
- | grep 'IN\WTXT'|awk -F'"' '{ print $2}')
+ | grep 'IN\WTXT'|awk -F'"' '{ print $2}')
 elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
 check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${lower_d}" "${ns}" \
- | grep 'descriptive text'|awk -F'"' '{ print $2}')
+ | grep 'descriptive text'|awk -F'"' '{ print $2}')
 else
 check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \
- | grep 'text ='|awk -F'"' '{ print $2}')
+ | grep 'text ='|awk -F'"' '{ print $2}')
 fi
 debug "expecting $auth_key"
 debug "${ns} gave ... $check_result"
@@ -1515,7 +1518,7 @@ get_cr() { # get curl response
 debug url "$url"
 response=$(curl --user-agent "$CURL_USERAGENT" --silent "$url")
 ret=$?
- debug response "$response"
+ debug response "${response//[$'\t\r\n']}"
 code=$(json_get "$response" status)
 debug code "$code"
 debug "get_cr return code $ret"
@@ -1566,8 +1569,8 @@ get_signing_params() { # get signing parameters from key
 crv="$(openssl ec -in "$skey" -noout -text 2>/dev/null | awk '$2 ~ "CURVE:" {print $3}')"
 if [[ -z "$crv" ]]; then
 gsp_keytype="$(openssl ec -in "$skey" -noout -text 2>/dev/null \
- | grep "^ASN1 OID:" \
- | awk '{print $3}')"
+ | grep "^ASN1 OID:" \
+ | awk '{print $3}')"
 case "$gsp_keytype" in
 prime256v1) crv="P-256" ;;
 secp384r1) crv="P-384" ;;
@@ -1582,8 +1585,8 @@ get_signing_params() { # get signing parameters from key
 *) error_exit "invalid curve algorithm type $crv";;
 esac
 pubtext="$(openssl ec -in "$skey" -noout -text 2>/dev/null \
- | awk '/^pub:/{p=1;next}/^ASN1 OID:/{p=0}p' \
- | tr -d ": \n\r")"
+ | awk '/^pub:/{p=1;next}/^ASN1 OID:/{p=0}p' \
+ | tr -d ": \n\r")"
 mid=$(( (${#pubtext} -2) / 2 + 2 ))
 x64=$(echo "$pubtext" | cut -b 3-$mid | hex2bin | urlbase64)
 y64=$(echo "$pubtext" | cut -b $((mid+1))-${#pubtext} | hex2bin | urlbase64)
@@ -1634,6 +1637,11 @@ hex2bin() { # Remove spaces, add leading zero, escape as hex string ensuring no
 info() { # write out info as long as the quiet flag has not been set.
 if [[ ${_QUIET} -eq 0 ]]; then
+ # If running tests then output in TAP format as well (for debugging tests)
+ if [[ ${_RUNNING_TEST} -eq 1 ]]; then
+ echo "# $(date "+%b %d %T") ${FUNCNAME[1]}:${BASH_LINENO[1]}" "$@" >&3
+ fi
+
 echo "$@"
 fi
 }
@@ -2111,7 +2119,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
 fi
 debug responseHeaders "$responseHeaders"
- debug response "$response"
+ debug response "${response//[$'\t\r\n']}"
 code=$(awk ' $1 ~ "^HTTP" {print $2}' "$CURL_HEADER" | tail -1)
 debug code "$code"
 if [[ "$code" == 4* && $response != *"error:badNonce"* && "$code" != 409 ]]; then
@@ -2223,9 +2231,9 @@ usage() { # echos out the program usage
 write_domain_template() { # write out a template file for a domain.
 if [[ -s "$WORKING_DIR/getssl_default.cfg" ]]; then
- export DOMAIN="$DOMAIN"
- export EX_SANS="$EX_SANS"
- envsubst < "$WORKING_DIR/getssl_default.cfg" > "$1"
+ export DOMAIN="$DOMAIN"
+ export EX_SANS="$EX_SANS"
+ envsubst < "$WORKING_DIR/getssl_default.cfg" > "$1"
 else
 cat > "$1" <<- _EOF_domain_
 # vim: filetype=sh
@@ -2786,10 +2794,10 @@ fi
 # if not reusing private key, then remove the old keys
 if [[ "$REUSE_PRIVATE_KEY" != "true" ]]; then
 if [[ -s "$DOMAIN_DIR/${DOMAIN}.key" ]]; then
- rm -f "$DOMAIN_DIR/${DOMAIN}.key"
+ rm -f "$DOMAIN_DIR/${DOMAIN}.key"
 fi
 if [[ -s "$DOMAIN_DIR/${DOMAIN}.ec.key" ]]; then
- rm -f "$DOMAIN_DIR/${DOMAIN}.ec.key"
+ rm -f "$DOMAIN_DIR/${DOMAIN}.ec.key"
 fi
 fi
 # create new domain keys if they don't already exist
From 8871da0b2c65ec7160137253eccce9349312968d Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sun, 25 Oct 2020 14:48:27 +0000
Subject: [PATCH 2/5] Add tests for changing SANS (bug not fixed)
---
 test/19-test-add-to-sans.bats | 61 +++++++++++++++++++
 .../getssl-dns01-add-to-sans-1.cfg | 37 +++++++++++
 .../getssl-dns01-add-to-sans-2.cfg | 37 +++++++++++
 3 files changed, 135 insertions(+)
 create mode 100644 test/19-test-add-to-sans.bats
 create mode 100644 test/test-config/getssl-dns01-add-to-sans-1.cfg
 create mode 100644 test/test-config/getssl-dns01-add-to-sans-2.cfg
diff --git a/test/19-test-add-to-sans.bats b/test/19-test-add-to-sans.bats
new file mode 100644
index 0000000..8d6f560
--- /dev/null
+++ b/test/19-test-add-to-sans.bats
@@ -0,0 +1,61 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+}
+
+teardown() {
+    curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+    curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+}
+
+
+
+@test "Create certificate to check can add to SANS" {
+    skip "FIXME: Certificate is not recreated when SANS is updated"
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01-add-to-sans-1.cfg"
+    fi
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    setup_environment
+
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check we can add a new domain to SANS" {
+    skip "FIXME: Certificate is not recreated when SANS is updated"
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+        CONFIG_FILE="getssl-staging-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-dns01-add-to-sans-2.cfg"
+    fi
+    # . 
"${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    # CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+    # KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
+    # cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # As the SANS list changed, a new certificate is needed
+    assert_line --partial "certificate installed OK on server"
+    refute_line --partial 'certificate is valid for more than'
+}
diff --git a/test/test-config/getssl-dns01-add-to-sans-1.cfg b/test/test-config/getssl-dns01-add-to-sans-1.cfg
new file mode 100644
index 0000000..ddb514a
--- /dev/null
+++ b/test/test-config/getssl-dns01-add-to-sans-1.cfg
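Review bot: The four curl `-d` payloads in setup() and teardown() splice `$GETSSL_HOST` and `$GETSSL_IP` into the JSON outside the single quotes, so a value containing whitespace or glob characters is word-split or expanded before curl sees it and the body stops being one argument; `-d "{\"host\":\"a.${GETSSL_HOST}\", \"addresses\":[\"${GETSSL_IP}\"]}"` (and the b./clear-a variants) keeps each payload intact. In the second test the `. "${CODE_DIR}/test/test-config/${CONFIG_FILE}"` line is commented out, so CONFIG_FILE is selected but never sourced and create_certificate would run against whatever configuration the previous test left behind; this is masked only because both tests start with `skip`, so the source line should be restored when the FIXME skip is removed. The two tests repeat the same if/else config selection, which is worth collapsing into one helper when the skips are lifted.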
@@ -0,0 +1,37 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
+
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="a.${GETSSL_HOST}"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
+IGNORE_DIRECTORY_DOMAIN="true"
+
+#_USE_DEBUG=1
+#_RUNNING_TEST=1
diff --git a/test/test-config/getssl-dns01-add-to-sans-2.cfg b/test/test-config/getssl-dns01-add-to-sans-2.cfg
new file mode 100644
index 0000000..9196905
--- /dev/null
+++ b/test/test-config/getssl-dns01-add-to-sans-2.cfg
@@ -0,0 +1,37 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
+
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="b.${GETSSL_HOST}, a.${GETSSL_HOST}"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"
+IGNORE_DIRECTORY_DOMAIN="true"
+
+#_USE_DEBUG=1
+#_RUNNING_TEST=1
From f44346f835a706cd2043c708d46639668e12f41b Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sun, 25 Oct 2020 16:09:40 +0000
Subject: [PATCH 3/5] Reduce number of DNS lookup attempts and retry DNS_ADD
---
 test/test-config/getssl-staging-dns01-no-suffix.cfg | 11 +++++------
 test/test-config/getssl-staging-dns01.cfg | 11 +++++------
 2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/test/test-config/getssl-staging-dns01-no-suffix.cfg b/test/test-config/getssl-staging-dns01-no-suffix.cfg
index 47d2cec..b4f5202 100644
--- a/test/test-config/getssl-staging-dns01-no-suffix.cfg
+++ b/test/test-config/getssl-staging-dns01-no-suffix.cfg
@@ -9,18 +9,17 @@ PUBLIC_DNS_SERVER=ns2.duckdns.org
 CHECK_ALL_AUTH_DNS=true
 DNS_EXTRA_WAIT=120
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_WAIT_RETRY_ADD="true"
+
 ACCOUNT_KEY_TYPE="rsa"
 PRIVATE_KEY_ALG="rsa"
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
 SANS=""
-# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
-ACL=('/var/www/html/.well-known/acme-challenge')
-
-#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
-USE_SINGLE_ACL="false"
-
 # Location for all your certs, these can either be on the server (full path name)
 # or using ssh /sftp as for the ACL
 DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
diff --git a/test/test-config/getssl-staging-dns01.cfg b/test/test-config/getssl-staging-dns01.cfg
index 348cabf..030eaa1 100644
--- a/test/test-config/getssl-staging-dns01.cfg
+++ b/test/test-config/getssl-staging-dns01.cfg
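Review bot: The new comment says the number of retries and the wait between them are reduced, yet `DNS_EXTRA_WAIT=120` two lines above is left in place, so that fixed wait still dominates the test's wall time compared with the 11 lookups at `DNS_WAIT=2`; if keeping it is deliberate for the staging DNS provider, the comment should say so. The value `DNS_WAIT_COUNT=11` is only meaningful together with the re-add logic in getssl, which (once the condition is corrected in patch 5/5's -1224 hunk) fires when `ntries % 10 == 0`, i.e. exactly once at the tenth attempt, so a comment such as `# 11 attempts: the DNS_WAIT_RETRY_ADD re-add in getssl runs on every 10th try, so it fires once` records that coupling; `number or retries` should also read `number of retries`. The same block is added unchanged to getssl-staging-dns01.cfg in the next hunk and needs the same comment.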
@@ -9,18 +9,17 @@ PUBLIC_DNS_SERVER=ns2.duckdns.org
 CHECK_ALL_AUTH_DNS=true
 DNS_EXTRA_WAIT=120
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_WAIT_RETRY_ADD="true"
+
 ACCOUNT_KEY_TYPE="rsa"
 PRIVATE_KEY_ALG="rsa"
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
 SANS=""
-# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
-ACL=('/var/www/html/.well-known/acme-challenge')
-
-#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
-USE_SINGLE_ACL="false"
-
 # Location for all your certs, these can either be on the server (full path name)
 # or using ssh /sftp as for the ACL
 DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
From 9e4372c5b6a7c0621e1876b773616f42775f786c Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sun, 25 Oct 2020 16:34:38 +0000
Subject: [PATCH 4/5] Don't check all the auth servers as one DuckDNS server isn't updating
---
 test/test-config/getssl-staging-dns01.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/test-config/getssl-staging-dns01.cfg b/test/test-config/getssl-staging-dns01.cfg
index 030eaa1..d7eb7a4 100644
--- a/test/test-config/getssl-staging-dns01.cfg
+++ b/test/test-config/getssl-staging-dns01.cfg
@@ -6,7 +6,7 @@ VALIDATE_VIA_DNS=true
 DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
 DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
 PUBLIC_DNS_SERVER=ns2.duckdns.org
-CHECK_ALL_AUTH_DNS=true
+CHECK_ALL_AUTH_DNS="false"
 DNS_EXTRA_WAIT=120
 # Speed up the test by reducing the number or retries and the wait between retries.
From c6b75847a486d89454608bd8519429ed8bee6198 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sun, 25 Oct 2020 21:24:53 +0000
Subject: [PATCH 5/5] When retrying DNS_ADD, delete first
---
 getssl | 9 +++++----
 test/test-config/getssl-staging-dns01.cfg | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/getssl b/getssl
index cdd18e0..2fc8275 100755
--- a/getssl
+++ b/getssl
@@ -916,7 +916,7 @@ create_order() {
 d=$(echo "$d" | tr "[:upper:]" "[:lower:]")
 if [ "$d" == "$authdomain" ]; then
 debug "Saving authorization response for $authdomain for domain alldomains[$dn]"
- debug "Response = ${response//['\t\r\n']}"
+ debug "Response = ${response//[$'\t\r\n']}"
 AuthLinkResponse[$dn]=$response
 AuthLinkResponseHeader[$dn]=$responseHeaders
 fi
@@ -1049,7 +1049,7 @@ for d in $alldomains; do
 uri=$(json_get "$response" "uri" "dns-01")
 debug uri "$uri"
 else # APIv2
- debug "authlink response = ${response//['\t\r\n']}"
+ debug "authlink response = ${response//[$'\t\r\n']}"
 # get the token and uri from the dns-01 component
 token=$(json_get "$response" "challenges" "type" "dns-01" "token")
 uri=$(json_get "$response" "challenges" "type" "dns-01" "url")
@@ -1105,7 +1105,7 @@ for d in $alldomains; do
 uri=$(json_get "$response" "uri" "http-01")
 debug uri "$uri"
 else # APIv2
- debug "authlink response = ${response//['\t\r\n']}"
+ debug "authlink response = ${response//[$'\t\r\n']}"
 # get the token from the http-01 component
 token=$(json_get "$response" "challenges" "type" "http-01" "token")
 # get the uri from the http component
@@ -1224,8 +1224,9 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
 if [[ $ntries -lt $DNS_WAIT_COUNT ]]; then
 ntries=$(( ntries + 1 ))
- if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 == 0 )) ]]; then
+ if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 )) == 0 ]]; then
 debug "Retrying adding dns via command: $DNS_ADD_COMMAND $lower_d $auth_key"
+ eval "$DNS_DEL_COMMAND" "$lower_d" "$auth_key"
 if ! eval "$DNS_ADD_COMMAND" "$lower_d" "$auth_key" ; then
 error_exit "DNS_ADD_COMMAND failed for domain $d"
 fi
diff --git a/test/test-config/getssl-staging-dns01.cfg b/test/test-config/getssl-staging-dns01.cfg
index d7eb7a4..910c7fe 100644
--- a/test/test-config/getssl-staging-dns01.cfg
+++ b/test/test-config/getssl-staging-dns01.cfg
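Review bot: The added `eval "$DNS_DEL_COMMAND" "$lower_d" "$auth_key"` in the -1224 hunk discards the delete's exit status, while the add right below it is checked with `if ! eval …; then error_exit`; a failed delete therefore passes silently, and the preceding debug line still reports only "Retrying adding dns". If a failed delete is acceptable here (the record may never have been created), say so in code with `eval "$DNS_DEL_COMMAND" "$lower_d" "$auth_key" || debug "DNS_DEL_COMMAND failed for $lower_d, retrying add anyway"`; otherwise mirror the add's `error_exit`. The debug message should also name the delete, e.g. `debug "Deleting and re-adding dns via: $DNS_DEL_COMMAND / $DNS_ADD_COMMAND $lower_d $auth_key"`. Both commands run through `eval`, so `$lower_d` and `$auth_key` are re-parsed by the shell; this is the pre-existing pattern and only safe because auth_key is base64url output (see the `sed … 'y:+/:-_:'` pipeline in patch 1/5) and lower_d a lowercased domain, which is worth a one-line comment at the call site. The enclosing `if [[ $ntries -lt $DNS_WAIT_COUNT ]]` block continues past the hunk.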
@@ -5,7 +5,7 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory"
 VALIDATE_VIA_DNS=true
 DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
 DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
-PUBLIC_DNS_SERVER=ns2.duckdns.org
+PUBLIC_DNS_SERVER=1.1.1.1
 CHECK_ALL_AUTH_DNS="false"
 DNS_EXTRA_WAIT=120