Resolve dns name

2026-01-09 15:38:03 -05:00 · 2025-12-15 13:39:00 -08:00
parent 3cedb7aaaf
commit 4e7b3e45b1
3 changed files with 16 additions and 2 deletions
--- a/.github/workflows/run-backend-bdd-tests.yml
+++ b/.github/workflows/run-backend-bdd-tests.yml
@@ -52,6 +52,7 @@ jobs:
          echo "ACME_DEVELOPMENT_HTTP01_CHALLENGE_HOST_OVERRIDES={\"localhost\": \"host.docker.internal:8087\", \"infisical.com\": \"host.docker.internal:8087\", \"example.com\": \"host.docker.internal:8087\"}" >> .env
          echo "BDD_NOCK_API_ENABLED=true" >> .env
          # use Technitium DNS server for BDD tests
+          echo "ACME_DNS_RESOLVE_RESOLVER_SERVERS_HOST_ENABLED=true" >> .env
          echo "ACME_DNS_RESOLVER_SERVERS=technitium" >> .env
          # Skip upstream validation, otherwise the ACME client for the upstream will try to
          # validate the DNS records, which will fail because the DNS records are not actually created.
--- a/backend/src/ee/services/pki-acme/pki-acme-challenge-service.ts
+++ b/backend/src/ee/services/pki-acme/pki-acme-challenge-service.ts
@@ -1,4 +1,4 @@
-import { Resolver } from "node:dns/promises";
+import { resolve4, Resolver } from "node:dns/promises";

 import axios, { AxiosError } from "axios";

@@ -20,6 +20,7 @@ import {
 } from "./pki-acme-errors";
 import { AcmeAuthStatus, AcmeChallengeStatus, AcmeChallengeType } from "./pki-acme-schemas";
 import { TPkiAcmeChallengeServiceFactory } from "./pki-acme-types";
+import { isValidIp } from "@app/lib/ip";

 type TPkiAcmeChallengeServiceFactoryDep = {
  acmeChallengeDAL: Pick<
@@ -117,7 +118,18 @@ export const pkiAcmeChallengeServiceFactory = ({
  const validateDns01Challenge = async (challenge: ChallengeWithAuth): Promise<void> => {
    const resolver = new Resolver();
    if (appCfg.ACME_DNS_RESOLVER_SERVERS.length > 0) {
-      resolver.setServers(appCfg.ACME_DNS_RESOLVER_SERVERS);
+      const servers = appCfg.ACME_DNS_RESOLVE_RESOLVER_SERVERS_HOST_ENABLED
+        ? await Promise.all(
+            appCfg.ACME_DNS_RESOLVER_SERVERS.map(async (server) => {
+              if (isValidIp(server)) {
+                return server;
+              }
+              const ips = await resolve4(server);
+              return ips[0];
+            })
+          )
+        : appCfg.ACME_DNS_RESOLVER_SERVERS;
+      resolver.setServers(servers);
    }

    const recordName = `_acme-challenge.${challenge.auth.identifierValue}`;
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -128,6 +128,7 @@ const envSchema = z
          return val.split(",");
        })
    ),
+    ACME_DNS_RESOLVE_RESOLVER_SERVERS_HOST_ENABLED: zodStrBool.default("false").optional(),
    DNS_MADE_EASY_SANDBOX_ENABLED: zodStrBool.default("false").optional(),
    // smtp options
    SMTP_HOST: zpStr(z.string().optional()),