
Renewal does not fail if "Attempt 100/100 gave wrong result"

Open canton7 opened this issue 5 years ago • 3 comments

Describe the bug

I was performing an automated renewal of a domain using dns-01, which failed because my DNS setup was wonky. getssl detected this, but did not fail the renewal, so the failure wasn't flagged to me.

Log below. <domain> and <token> are replaced by me.

checking DNS at 1.1.1.1 for <domain>. Attempt 97/100 gave wrong result,  waiting 10 secs before checking again
checking DNS at 1.1.1.1 for <domain>. Attempt 98/100 gave wrong result,  waiting 10 secs before checking again
checking DNS at 1.1.1.1 for <domain>. Attempt 99/100 gave wrong result,  waiting 10 secs before checking again
checking DNS at 1.1.1.1 for <domain>. Attempt 100/100 gave wrong result,  waiting 10 secs before checking again
getssl: checking _acme-challenge.<domain> gave  not <token>
<domain2>: certificate is valid for more than 30 days (until Apr 23 23:26:03 2021 GMT)

(It's checking 1.1.1.1 because I have it configured as in #600).

To Reproduce

  1. Configure a domain using dns-01
  2. Fail to set up the DNS correctly (e.g. use _bad instead of _acme-challenge as the TXT subdomain)
  3. /usr/bin/getssl -w /etc/acme --nocheck --all
  4. Observe that it exits with 0

Expected behavior

Failure to renew a domain, for any reason, results in an exit status of non-zero so this failure can be noticed.

  • OS: Arch Linux
  • Bash Version: GNU bash, version 5.1.4(1)-release (x86_64-pc-linux-gnu)

canton7 avatar Jan 26 '21 08:01 canton7

Hi Antony,

Thanks for reporting this, I suspect it's to do with the --all option not failing if one of the domains fails but a later domain succeeds. I'll add tests to reproduce and fix.

timkimber avatar Jan 26 '21 16:01 timkimber
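
The masking behaviour Tim suspects above, as an added example that is not getssl's own code: a loop over several domains whose exit status is whatever the last iteration returned, beside a loop that remembers any failure. `renew_domain` is a hypothetical stand-in for the per-domain renewal, and `bad.example` is a constructed sample that always fails.

```shell
#!/usr/bin/env bash
# Added example, not code from getssl. renew_domain is a hypothetical
# stand-in for one domain's renewal; it fails only for "bad.example"
# (constructed sample input standing in for "Attempt 100/100 gave wrong result").

renew_domain() {
  case "$1" in
    bad.example) return 1 ;;
    *) return 0 ;;
  esac
}

# Buggy pattern: a function's exit status is that of its last command, so
# the last domain's result decides the outcome. An earlier failure followed
# by a later success exits 0, and a caller (cron, a systemd unit) sees success.
renew_all_last_status() {
  local d
  for d in "$@"; do
    renew_domain "$d"
  done
}

# Fixed pattern: keep going so every domain is attempted, but record the
# worst status seen and return it, so any single failure is reported.
renew_all_propagate() {
  local d rc=0
  for d in "$@"; do
    if ! renew_domain "$d"; then
      echo "renewal failed for $d" >&2
      rc=1
    fi
  done
  return "$rc"
}
```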

Looking back, it's possible that I haven't set up the systemd unit to fail if the status is nonzero, so this might be on me. I'll check tomorrow.

canton7 avatar Jan 26 '21 17:01 canton7

Ah no, confirmed properly and the issue is correct.

canton7 avatar Jan 26 '21 19:01 canton7