Hi,

> In fact, the proposed "fix" I'm working on is to actually get the
> version that is currently in backports directly in the oldstable
> distribution, but I need to tweak it a bit as to do that I need to
> reintroduce the 'letsencrypt.sh' compatibility packages/scripts.

unfortunately, that version (0.6.2-2+deb10u1~bpo9+1) is not backwards compatible with the current stretch version (0.3.1-3+deb9u2), in that it deploys all challenges for a certificate at once, and only then submits the verification requests for the individual host names. If you happen to deploy challenges for multiple host names to the same location, that fails because the last deployed challenge overwrites all other challenges in that location, and the verification request for the first host name then causes dehydrated to abort (also, without any useful error message).

For anyone facing the same problem: A (temporary) workaround I found was to set HOOK_CHAIN=yes, which causes all challenges for a given domain to be deployed in a single call to the hook script. If your hook script simply ignores the additional parameters, that then causes only the first challenge to actually be deployed, and thus the verification for the first host name to succeed. Then you just have to re-run dehydrated until all the host names have been verified.

Regards, Florian
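
The overwrite described in the message above can be checked for before anything is deployed. The following is an added example, not part of the original message and not dehydrated's own code: a dry-run hook that walks the chained arguments and reports which challenges would land on an already-used location. It assumes that with HOOK_CHAIN=yes the `deploy_challenge` call carries repeated (domain, token filename, token value) triples; `challenge_location`, `plan_challenges` and the host names in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: dry-run collision check for a dehydrated hook.
# Assumption: HOOK_CHAIN=yes passes deploy_challenge a flat list of
# (domain, token filename, token value) triples in one call.

# Hypothetical stand-in for however your hook picks where to write a
# challenge. Constructed rule: hosts under the same parent name share
# one location (www.example.org and mail.example.org -> example.org).
challenge_location() {
    printf '%s\n' "${1#*.}"
}

# Print one line per challenge:
#   deploy <domain> <location>   first challenge for that location
#   defer  <domain> <location>   location already used in this call;
#                                deploying would overwrite the first
plan_challenges() {
    if [ $(( $# % 3 )) -ne 0 ]; then
        echo "error: expected domain/token-file/token-value triples" >&2
        return 2
    fi
    seen=" "    # space-delimited list of locations already claimed
    while [ $# -ge 3 ]; do
        domain=$1
        loc=$(challenge_location "$domain")
        case "$seen" in
            *" $loc "*) echo "defer $domain $loc" ;;
            *)          echo "deploy $domain $loc"
                        seen="$seen$loc " ;;
        esac
        shift 3
    done
}

# Hook entry point: dehydrated calls the hook as <operation> <args...>.
if [ "${1:-}" = "deploy_challenge" ]; then
    shift
    plan_challenges "$@"
fi
```

Every `defer` line is a host name that still needs a further dehydrated run, matching the re-run step of the workaround.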