Follow-up to v2.8.3, whose fix could not take effect. Closes the remaining part of #243.
Fix
- Azure DNS-01 alias mode still failed against sub-delegated validation zones (#243). v2.8.3 set Lexicon's `resolve_zone_name` in the flat config dict passed to `Client()`, but Lexicon's legacy dict resolver routes any key outside its fixed generic-parameter list into the provider namespace. The key landed at `lexicon:azure:resolve_zone_name`, while Lexicon's `Client` reads it at `lexicon:resolve_zone_name`, so it resolved to `None`, the dnspython SOA lookup never ran, and the delegated zone still fell back to tldextract, which collapses to the registered domain. Issuance kept failing with "does not contain the DNS zone". CertMate now builds a Lexicon `ConfigResolver` explicitly, with lexicon-level keys at the top level and provider credentials nested under the provider name, so `resolve_zone_name` reaches Lexicon where it is read. This applies to every Lexicon alias provider, not just Azure.
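The namespace mix-up above, as an added example that is neither CertMate's nor Lexicon's code: a small model of the legacy flat-dict routing beside the explicit nested layout, plus a pre-flight check that fails early when `resolve_zone_name` does not resolve where it is read. `GENERIC_KEYS`, the `lexicon:` root in the model, and the Azure credential name are assumptions/constructed values, not taken from either project.

```python
from typing import Any, Dict, Optional

# Assumed approximation of the fixed generic-parameter list in Lexicon's legacy
# dict resolver; any key not in this set is treated as provider-specific.
GENERIC_KEYS = {"provider_name", "domain", "action", "delegated", "type", "name",
                "content", "ttl", "priority", "log_level", "output"}


def legacy_flat_to_nested(flat: Dict[str, Any]) -> Dict[str, Any]:
    """Model of the legacy resolver: generic keys stay at lexicon:<key>,
    everything else is moved under lexicon:<provider>:<key>."""
    provider = flat["provider_name"]
    nested: Dict[str, Any] = {provider: {}}
    for key, value in flat.items():
        if key in GENERIC_KEYS:
            nested[key] = value
        else:
            nested[provider][key] = value          # this is where resolve_zone_name ends up
    return {"lexicon": nested}


def resolve(config: Dict[str, Any], path: str) -> Optional[Any]:
    """Look up a colon-separated path such as 'lexicon:resolve_zone_name';
    None means the key is not present at that location."""
    node: Any = config
    for part in path.split(":"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def build_explicit_config(provider: str, credentials: Dict[str, Any],
                          resolve_zone_name: bool = True) -> Dict[str, Any]:
    """Corrected layout: lexicon-level keys at the top level, provider
    credentials nested under the provider name (what the v2.8.4 fix does)."""
    return {"lexicon": {"provider_name": provider,
                        "resolve_zone_name": resolve_zone_name,
                        provider: dict(credentials)}}


def zone_resolution_enabled(config: Dict[str, Any]) -> bool:
    """Pre-flight check before handing the config to the DNS client: the key
    must resolve to True at the lexicon level, not in a provider namespace."""
    return resolve(config, "lexicon:resolve_zone_name") is True
```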
Upgrade recommended for anyone using Azure DNS alias mode (or any Lexicon alias provider) with a delegated validation zone. Thanks to @jensaops for the precise diagnosis and proof-of-concept across both attempts.