dns-01-lexicon.yml not included

[VoidAndAny]

If we use dehydrated_challengetype == 'http-01' but we define a specific domain with dns_01 the dns-01-lexicon.yml is not included and dehydrated can't issue the certificate.

Exemple :

dehydrated_challengetype == 'http-01'
dehydrated_domains: |
  dns-validation.fr
  customer-domain.fr
  another-domain-without-dns.fr
  customer2.fr
  external-domain.fr
dehydrated_cert_config:
  - name: dns-validation.fr
    challengetype: dns-01

2 solutions :

• change inclusion condition to test if at least one domain in dehydrated_cert_config has challengetype=dns-01 --> Quite difficult I think
• change the condition to include dns-01-lexicon.yml whatever the dehydrated_challengetype value (only test dehydrated_use_lexicon)

What do you think ?
Yoann

[azielke]

I haven't really considered that use case so far.

You can set dehydrated_use_lexicon: yes, but that would cause the role to request all certificates via dns-01, even if the per-certificate-config says http-01. That the dns-01-lexicon is not included is indeed not working as intended.

I think the best would be to let dehydrated_use_lexicon depend on dehydrated_challengetype (yes if dns-01, else no)

For the other part, the hook script would need to be converted to a template and only call lexicon, if the challengetype is dns-01 (while considering per cert configs).

I have some Ideas here I'll try out on the weekend or early next week.