Netgate Discussion Forum
    Acme / letsencrypt failing with DNSMadeEasy

    ACME
    • thedaveCA

      I've been able to get letsencrypt test certificates working using the HTTP validation method by forwarding the requests via haproxy. However, I am not able to get DNSMadeEasy based DNS validation working.

      If you look at the URL in /tmp/acme/test.razx.com/acme_issuecert.log, I believe there is an extra } in the API call, can anyone else confirm?

      The line I'm particularly interested in is:

      [Tue Feb 21 11:47:08 PST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/1234567}/records?recordName=_acme-challenge.test&type=TXT'
      

      More log details are here:

      [Tue Feb 21 11:47:06 PST 2017] name?domainname=razx.com
      [Tue Feb 21 11:47:07 PST 2017] GET
      [Tue Feb 21 11:47:07 PST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=razx.com'
      [Tue Feb 21 11:47:07 PST 2017] timeout
      [Tue Feb 21 11:47:07 PST 2017] curl exists=0
      [Tue Feb 21 11:47:07 PST 2017] wget exists=127
      [Tue Feb 21 11:47:07 PST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/test.razx.com//http.header '
      [Tue Feb 21 11:47:07 PST 2017] ret='0'
      [Tue Feb 21 11:47:07 PST 2017] response='{"created":1468454400000,"axfrServer":{"fqdn":"axfr2.dnsmadeeasy.com","ipv4":"208.94.147.18"},"delegateNameServers":["ns1.razx.com.","ns2.razx.com.","ns3.razx.com.","ns4.razx.com.","ns5.razx.com."],"folderId":17779,"gtdEnabled":false,"nameServers":[{"fqdn":"ns10.dnsmadeeasy.com","ipv4":"208.94.148.4","ipv6":"2600:1800:10::1"},{"fqdn":"ns11.dnsmadeeasy.com","ipv4":"208.80.124.4","ipv6":"2600:1801:11::1"},{"fqdn":"ns12.dnsmadeeasy.com","ipv4":"208.80.126.4","ipv6":"2600:1802:12::1"},{"fqdn":"ns13.dnsmadeeasy.com","ipv4":"208.80.125.4","ipv6":"2600:1801:13::1"},{"fqdn":"ns14.dnsmadeeasy.com","ipv4":"208.80.127.4","ipv6":"2600:1802:14::1"},{"fqdn":"ns15.dnsmadeeasy.com","ipv4":"208.94.149.4","ipv6":"2600:1800:15::1"}],"pendingActionId":0,"soaId":10757,"transferAclId":2960,"updated":1487658148703,"vanityId":23699,"vanityNameServers":[{"fqdn":"ns1.razx.com"},{"fqdn":"ns2.razx.com"},{"fqdn":"ns3.razx.com"},{"fqdn":"ns4.razx.com"},{"fqdn":"ns5.razx.com"}],"processMulti":false,"activeThirdParties":[],"name":"razx.com","id":1234567}'
      [Tue Feb 21 11:47:07 PST 2017] _domain_id='1234567}'
      [Tue Feb 21 11:47:07 PST 2017] _sub_domain='_acme-challenge.test'
      [Tue Feb 21 11:47:07 PST 2017] _domain='razx.com'
      [Tue Feb 21 11:47:07 PST 2017] Getting txt records
      [Tue Feb 21 11:47:07 PST 2017] 1234567}/records?recordName=_acme-challenge.test&type=TXT
      [Tue Feb 21 11:47:08 PST 2017] GET
      [Tue Feb 21 11:47:08 PST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/1234567}/records?recordName=_acme-challenge.test&type=TXT'
      [Tue Feb 21 11:47:08 PST 2017] timeout
      [Tue Feb 21 11:47:08 PST 2017] curl exists=0
      [Tue Feb 21 11:47:08 PST 2017] wget exists=127
      [Tue Feb 21 11:47:08 PST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/test.razx.com//http.header '
      [Tue Feb 21 11:47:08 PST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
      [Tue Feb 21 11:47:08 PST 2017] ret='3'
      [Tue Feb 21 11:47:08 PST 2017] error 1234567}/records?recordName=_acme-challenge.test&type=TXT
      [Tue Feb 21 11:47:08 PST 2017] Error
      [Tue Feb 21 11:47:08 PST 2017] Error add txt for domain:_acme-challenge.test.razx.com
      [Tue Feb 21 11:47:08 PST 2017] pid
      [Tue Feb 21 11:47:08 PST 2017] _clearupdns
      [Tue Feb 21 11:47:08 PST 2017] Dns not added, skip.
      [Tue Feb 21 11:47:08 PST 2017] _on_issue_err
      

      The only modification is that I replaced the ID number as I'm unclear if this needs to be kept private, although I don't believe it matters.

      • cjbujold

        Not seeing the same issue as you.  My log is below.  The error seems to be that it is not finding the API Key (Dynamic DNS ID) when connecting to DNSMadeEasy.  I have verified both the ID and Password and they are valid.

        [Thu Feb 23 09:01:23 AST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_me.sh
        [Thu Feb 23 09:01:23 AST 2017] dns_me_add exists=0
        [Thu Feb 23 09:01:23 AST 2017] APP
        [Thu Feb 23 09:01:23 AST 2017] 4:ME_Key='231XXXX'
        [Thu Feb 23 09:01:23 AST 2017] APP
        [Thu Feb 23 09:01:23 AST 2017] 5:ME_Secret='testforSecureXXXXX'
        [Thu Feb 23 09:01:23 AST 2017] First detect the root zone
        [Thu Feb 23 09:01:23 AST 2017] name?domainname=secure.accra.ca
        [Thu Feb 23 09:01:23 AST 2017] GET
        [Thu Feb 23 09:01:23 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=secure.accra.ca'
        [Thu Feb 23 09:01:23 AST 2017] timeout
        [Thu Feb 23 09:01:23 AST 2017] curl exists=0
        [Thu Feb 23 09:01:23 AST 2017] wget exists=127
        [Thu Feb 23 09:01:23 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
        [Thu Feb 23 09:01:24 AST 2017] ret='0'
        [Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
        [Thu Feb 23 09:01:24 AST 2017] name?domainname=accra.ca
        [Thu Feb 23 09:01:24 AST 2017] GET
        [Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=accra.ca'
        [Thu Feb 23 09:01:24 AST 2017] timeout
        [Thu Feb 23 09:01:24 AST 2017] curl exists=0
        [Thu Feb 23 09:01:24 AST 2017] wget exists=127
        [Thu Feb 23 09:01:24 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
        [Thu Feb 23 09:01:24 AST 2017] ret='0'
        [Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
        [Thu Feb 23 09:01:24 AST 2017] name?domainname=ca
        [Thu Feb 23 09:01:24 AST 2017] GET
        [Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=ca'
        [Thu Feb 23 09:01:24 AST 2017] timeout
        [Thu Feb 23 09:01:24 AST 2017] curl exists=0
        [Thu Feb 23 09:01:24 AST 2017] wget exists=127
        [Thu Feb 23 09:01:24 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
        [Thu Feb 23 09:01:25 AST 2017] ret='0'
        [Thu Feb 23 09:01:25 AST 2017] response='{error: ["API key not found"]}'
        [Thu Feb 23 09:01:25 AST 2017] invalid domain
        [Thu Feb 23 09:01:25 AST 2017] Error add txt for domain:_acme-challenge.secure.accra.ca
        [Thu Feb 23 09:01:25 AST 2017] pid
        [Thu Feb 23 09:01:25 AST 2017] _clearupdns
        [Thu Feb 23 09:01:25 AST 2017] Dns not added, skip.
        [Thu Feb 23 09:01:25 AST 2017] _on_issue_err
        [Thu Feb 23 09:01:25 AST 2017] Please check log file for more details: /tmp/acme/accra.ca/acme_issuecert.log

        • thedaveCA

          I don't believe you can use Dynamic DNS for this, I believe you need a proper API key. The reason is that acme needs to add/remove records, not just change existing records.

          Note that API access is not included on the cheapest plan, you need to be on Business or higher, I think.

          • cjbujold

            I am on a Business plan and located the API info and just tried the dnsMadeEasy option with the following error, I hope this can help:

            [Fri Feb 24 11:38:23 AST 2017] name?domainname=accra.ca
            [Fri Feb 24 11:38:23 AST 2017] GET
            [Fri Feb 24 11:38:23 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=accra.ca'
            [Fri Feb 24 11:38:23 AST 2017] timeout
            [Fri Feb 24 11:38:23 AST 2017] curl exists=0
            [Fri Feb 24 11:38:23 AST 2017] wget exists=127
            [Fri Feb 24 11:38:23 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
            [Fri Feb 24 11:38:24 AST 2017] ret='0'
            [Fri Feb 24 11:38:24 AST 2017] response='{"created":1336003200000,"delegateNameServers":["ns10.dnsmadeeasy.com.","ns11.dnsmadeeasy.com.","ns12.dnsmadeeasy.com.","ns13.dnsmadeeasy.com."],"folderId":2329,"gtdEnabled":false,"nameServers":[{"fqdn":"ns10.dnsmadeeasy.com","ipv4":"208.94.148.4","ipv6":"2600:1800:10::1"},{"fqdn":"ns11.dnsmadeeasy.com","ipv4":"208.80.124.4","ipv6":"2600:1801:11::1"},{"fqdn":"ns12.dnsmadeeasy.com","ipv4":"208.80.126.4","ipv6":"2600:1802:12::1"},{"fqdn":"ns13.dnsmadeeasy.com","ipv4":"208.80.125.4","ipv6":"2600:1801:13::1"},{"fqdn":"ns14.dnsmadeeasy.com","ipv4":"208.80.127.4","ipv6":"2600:1802:14::1"},{"fqdn":"ns15.dnsmadeeasy.com","ipv4":"208.94.149.4","ipv6":"2600:1800:15::1"}],"pendingActionId":0,"soaId":5348,"updated":1487863994446,"vanityId":5187,"vanityNameServers":[{"fqdn":"ns10.dnsmadeeasy.com"},{"fqdn":"ns11.dnsmadeeasy.com"},{"fqdn":"ns12.dnsmadeeasy.com"},{"fqdn":"ns13.dnsmadeeasy.com"}],"processMulti":false,"activeThirdParties":[{"label":"SendGrid","value":2}],"name":"accra.ca","id":789XXX}'
            [Fri Feb 24 11:38:24 AST 2017] _domain_id='789XXX}'
            [Fri Feb 24 11:38:24 AST 2017] _sub_domain='_acme-challenge.secure'
            [Fri Feb 24 11:38:24 AST 2017] _domain='accra.ca'
            [Fri Feb 24 11:38:24 AST 2017] Getting txt records
            [Fri Feb 24 11:38:24 AST 2017] 789249}/records?recordName=_acme-challenge.secure&type=TXT
            [Fri Feb 24 11:38:24 AST 2017] GET
            [Fri Feb 24 11:38:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/789249}/records?recordName=_acme-challenge.secure&type=TXT'
            [Fri Feb 24 11:38:24 AST 2017] timeout
            [Fri Feb 24 11:38:24 AST 2017] curl exists=0
            [Fri Feb 24 11:38:24 AST 2017] wget exists=127
            [Fri Feb 24 11:38:24 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
            [Fri Feb 24 11:38:24 AST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
            [Fri Feb 24 11:38:24 AST 2017] ret='3'
            [Fri Feb 24 11:38:24 AST 2017] error 789XXX}/records?recordName=_acme-challenge.secure&type=TXT
            [Fri Feb 24 11:38:24 AST 2017] Error
            [Fri Feb 24 11:38:24 AST 2017] Error add txt for domain:_acme-challenge.secure.accra.ca
            [Fri Feb 24 11:38:24 AST 2017] pid
            [Fri Feb 24 11:38:24 AST 2017] _clearupdns
            [Fri Feb 24 11:38:24 AST 2017] Dns not added, skip.
            [Fri Feb 24 11:38:24 AST 2017] _on_issue_err
            [Fri Feb 24 11:38:24 AST 2017] Please check log file for more details: /tmp/acme/accra.ca/acme_issuecert.log

            • thedaveCA

              That looks identical to what I am seeing.

              • thedaveCA

                Okay, good news, there is a fix!

                https://github.com/Neilpang/acme.sh/commit/3cf85634ebb955ecee7616e88f4e1cef4458df41

                On pfSense this means you edit /usr/local/pkg/acme/dnsapi/dns_me.sh and replace the line as described in Github above.

                I'm not sure if changing this file is safe or whether it will cause issues updating the package in the future, but, it does strip the unwanted } and I am now able to complete DNS based validation and have successfully obtained LetsEncrypt certificates from their test service.

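The following is an added example, not code from this thread, from acme.sh or from the pfSense ACME package. It reproduces, on constructed responses modelled on the log output above, how a grep of the form `"id":[^,]*` swallows the closing brace when `id` is the last key in the JSON object (which is exactly the `_domain_id='1234567}'` in the logs, and why curl then exits with code 3, CURLE_URL_MALFORMAT). It also shows a corrected extraction and a numeric sanity check before the ID is interpolated into the API URL. The regex, function names and sample responses are assumptions for illustration; the linked upstream commit is not reproduced verbatim.

```shell
#!/bin/sh
# Added example, not code from the pfSense ACME package or acme.sh.
# Reproduces the domain-ID extraction problem visible in the logs above:
# a grep for "id":[^,]* runs to the end of the object when "id" is the
# last key, so the closing brace is swallowed into the ID.

# Constructed responses modelled on the log output (not real API data).
# In the first, "id" is the last key, as in the real DNS Made Easy reply.
RESP_ID_LAST='{"name":"razx.com","gtdEnabled":false,"id":1234567}'
# Same data with "id" followed by another key, where the naive pattern works.
RESP_ID_MID='{"id":1234567,"name":"razx.com","gtdEnabled":false}'

# Naive extraction (assumed pattern): everything after "id": up to the next comma.
# With "id" as the last key there is no comma, so the match includes "}".
extract_id_naive() {
  printf '%s\n' "$1" | grep -o '"id":[^,]*' | cut -d : -f 2
}

# Corrected extraction: stop at a comma OR a closing brace, so the ID is the
# bare number regardless of where the provider puts the key in the object.
extract_id_fixed() {
  printf '%s\n' "$1" | grep -o '"id":[^,}]*' | cut -d : -f 2
}

# Defensive check before interpolating the ID into an API URL: a managed-domain
# ID must be a plain decimal integer. Anything else (a brace, a slash, a query
# string) is rejected rather than sent to the provider. Returns 0 if valid.
is_valid_domain_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the records URL only from a validated ID. Prints the URL and returns 0,
# or prints nothing and returns 1 when the ID would produce a malformed URL.
records_url() {
  _id=$1
  _sub=$2
  if is_valid_domain_id "$_id"; then
    printf 'https://api.dnsmadeeasy.com/V2.0/dns/managed/%s/records?recordName=%s&type=TXT\n' "$_id" "$_sub"
    return 0
  fi
  return 1
}

# Stand-alone demonstration:
#   naive, id last  -> 1234567}   (curl would then fail with CURLE_URL_MALFORMAT, exit 3)
#   naive, id mid   -> 1234567
#   fixed, id last  -> 1234567
echo "naive/last: $(extract_id_naive "$RESP_ID_LAST")"
echo "naive/mid:  $(extract_id_naive "$RESP_ID_MID")"
echo "fixed/last: $(extract_id_fixed "$RESP_ID_LAST")"
records_url "$(extract_id_naive "$RESP_ID_LAST")" "_acme-challenge.test" || echo "refused malformed domain ID"
records_url "$(extract_id_fixed "$RESP_ID_LAST")" "_acme-challenge.test"
```

The point of the validity check is that the failure mode here was benign (curl refused the URL), but the same extraction feeds a value straight into a request path; rejecting anything that is not a bare integer turns a silent dependency on the provider's JSON key order into an explicit error in the log.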
                • thedaveCA

                  Or, be patient, there is a pull request pending to bring pfSense up to date with the latest acme.sh.

                  https://github.com/pfsense/FreeBSD-ports/pull/318

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.