Open
Description
Welcome
- Yes, I'm using a binary release within 2 latest releases.
- Yes, I've searched similar issues on GitHub and didn't find any.
- Yes, I've included all information below (version, config, etc).
What did you expect to see?
I expected LEGO to create a new TXT record for _acme-challenge in the domain I indicated, when one did not exist.
I even tried creating one from the OCI console using clickOps, but LEGO deleted it.
What did you see instead?
No ACME challenge record created.
Manually created record deleted.
How do you use lego?
Through Terraform ACME provider
Reproduction steps
Try to create an ACME certificate from scratch with Domain challenge going to Oracle OCI.
Effective version of lego
v4.25.2
Logs
acme_certificate.my_acme_certificate: Still creating... [1m10s elapsed]
╷
│ Error: error creating certificate: error: one or more domains had a problem:
│ [*.subdomain.mydomain.org] [*.subdomain.mydomain.org] acme: error presenting token: 2 errors occurred:
│ * rpc error: code = Unknown desc = oraclecloud: Error returned by Dns Service. Http Status Code: 404. Error Code: NotAuthorizedOrNotFound. Opc request id: 3f98f21ef40044d2f0f0a5dcc3bbb4f5/1BBDB9D9545165EBAA5BE4B37034F0A4/0A8D85DAD8AB4FC3C6A755A485B557A8. Message: Authorization failed or requested resource not found.
│ Operation Name: PatchDomainRecords
│ Timestamp: 2025-08-22 13:58:25 +0000 GMT
│ Client Version: Oracle-GoSDK/65.95.2
│ Request Endpoint: PATCH https://dns.us-phoenix-1.oci.oraclecloud.com/20180115/zones/mydomain.org./records/_acme-challenge.subdomain.mydomain.org?compartmentId=ocid1.compartment.oc00..aaaaaaaahjmabrw2gofibdvrc7j65loechpmm7v7gv65jal27dtlvvzwxxxx
│ Troubleshooting Tips: See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_404__404_notauthorizedornotfound for more information about resolving this error.
│ Also see https://docs.oracle.com/iaas/api/#/en/dns/20180115/Records/PatchDomainRecords for details on this operation's requirements.
│ To get more info on the failing request, you can set OCI_GO_SDK_DEBUG env var to info or higher level to log the request/response details.
│ If you are unable to resolve this Dns issue, please contact Oracle support and provide them this full error message.
│ * error encountered while presenting token for DNS challenge: rpc error: code = Unknown desc = oraclecloud: Error returned by Dns Service. Http Status Code: 404. Error Code: NotAuthorizedOrNotFound. Opc request id: 3f98f21ef40044d2f0f0a5dcc3bbb4f5/1BBDB9D9545165EBAA5BE4B37034F0A4/0A8D85DAD8AB4FC3C6A755A485B557A8. Message: Authorization failed or requested resource not found.
│ Operation Name: PatchDomainRecords
│ Timestamp: 2025-08-22 13:58:25 +0000 GMT
│ Client Version: Oracle-GoSDK/65.95.2
│ Request Endpoint: PATCH https://dns.us-phoenix-1.oci.oraclecloud.com/20180115/zones/mydomain.org./records/_acme-challenge.subdomain.mydomain.org?compartmentId=ocid1.compartment.oc00..aaaaaaaahjmabrw2gofibdvrc7j65loechpmm7v7gv65jal27dtlvvzwxxxx
│ Troubleshooting Tips: See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_404__404_notauthorizedornotfound for more information about resolving this error.
│ Also see https://docs.oracle.com/iaas/api/#/en/dns/20180115/Records/PatchDomainRecords for details on this operation's requirements.
│ To get more info on the failing request, you can set OCI_GO_SDK_DEBUG env var to info or higher level to log the request/response details.
│ If you are unable to resolve this Dns issue, please contact Oracle support and provide them this full error message.
│
│
│
│
│ with acme_certificate.my_acme_certificate,
│ on acme.tf line 30, in resource "acme_certificate" "my_acme_certificate":
│ 30: resource "acme_certificate" "my_acme_certificate" {
Go environment (if applicable)
N/A