Netgate Discussion Forum
    ACME USE DNS-NSupdate / RFC 2136 Add txt record error.

      yon 0:

      xi.net
      Renewing certificate
      account: yon@xi.net
      server: letsencrypt-production-2

      /usr/local/pkg/acme/acme.sh --issue -d 'xi.net' -d '*.xi.net' --home '/tmp/acme/xi.net/' --accountconf '/tmp/acme/xi.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xi.net/reloadcmd.sh' --dns 'dns_nsupdate' --ocsp-must-staple --log-level 3 --log '/tmp/acme/xi.net/acme_issuecert.log'

      Array
      (
      [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      [NSUPDATE_SERVER] => /tmp/acme/xi.net/xi.net/nsupdate
      [NSUPDATE_KEYNAME] => xi
      [NSUPDATE_KEYALGO] => 157
      [NSUPDATE_KEY] => /tmp/acme/xi.net/xi.net/nsupdate
      )
      [Wed Jun 20 00:19:24 CST 2018] Multi domain='DNS:xi.net,DNS:*.xi.net'
      [Wed Jun 20 00:19:24 CST 2018] Getting domain auth token for each domain
      [Wed Jun 20 00:19:35 CST 2018] Getting webroot for domain='xi.net'
      [Wed Jun 20 00:19:35 CST 2018] Getting webroot for domain='*.xi.net'
      [Wed Jun 20 00:19:35 CST 2018] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
      [Wed Jun 20 00:19:35 CST 2018] adding _acme-challenge.xi.net. 60 in txt "BBuFWyHyKJSjqDvnU9QUq42Yvo2_BSVlAeTyPuouVi0"
      dns_request_getresponse: expected a TSIG or SIG(0)
      [Wed Jun 20 00:19:35 CST 2018] error updating domain
      [Wed Jun 20 00:19:35 CST 2018] Error add txt for domain:_acme-challenge.xi.net
      [Wed Jun 20 00:19:35 CST 2018] Please check log file for more details: /tmp/acme/xi.net/acme_issuecert.log

        jimp (Rebel Alliance Developer, Netgate):

        It's working here with the current version of the ACME package. Make sure you are current and make sure the key in the GUI is correct.

        That looks more like a server-side error than a client-side error.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          yon 0:
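The reply above boils down to "check the key". As an added illustration (not acme.sh or pfSense ACME-package code), the helpers below check the key file that an nsupdate-based hook hands to `nsupdate -k` and build the update batch it sends. acme.sh's dns_nsupdate hook pipes an `update add ... in txt` batch into `nsupdate -k $NSUPDATE_KEY`, so the server reply `expected a TSIG or SIG(0)` means the update reached a server that insists on a signature and either arrived unsigned or was signed with a key name or secret the server does not recognise. The key names, secrets and server address are constructed sample values; the algorithm table holds the well-known TSIG digest sizes, and 157 is the DNS algorithm number for HMAC-MD5 seen in the environment dump.

```python
"""Validate a BIND-style TSIG key file before an nsupdate-driven ACME challenge.

Added example, not acme.sh or pfSense code. nsupdate -k reads a key statement:
    key "name" { algorithm hmac-sha256; secret "<base64>"; };
The server matches the TSIG by key NAME first, so a name that differs from the
one configured on the server is enough to produce "expected a TSIG or SIG(0)".
"""
import base64
import binascii
import re

# Digest sizes of the TSIG algorithms nsupdate understands. hmac-md5 is DNS
# algorithm number 157 (the NSUPDATE_KEYALGO value in the post); RFC 8945 only
# makes hmac-sha1 and hmac-sha256 mandatory, so hmac-sha256 is the safe default.
TSIG_DIGEST_SIZE = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha256": 32, "hmac-sha512": 64}
WEAK_ALGORITHMS = {"hmac-md5"}

KEY_STATEMENT = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+(?P<algo>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;')


def parse_keyfile(text: str) -> dict:
    """Parse the key statement; raise if the file is not in the -k format."""
    m = KEY_STATEMENT.search(text)
    if not m:
        raise ValueError("no key statement found; nsupdate -k would reject this file")
    return {"name": m.group("name").rstrip("."),
            "algorithm": m.group("algo").lower(),
            "secret": m.group("secret")}


def check_tsig_key(text: str, expected_name: str) -> list:
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        key = parse_keyfile(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if key["name"] != expected_name.rstrip("."):
        problems.append(f"key name {key['name']!r} differs from configured name "
                        f"{expected_name!r}; the server looks the key up by name")
    size = TSIG_DIGEST_SIZE.get(key["algorithm"])
    if size is None:
        problems.append(f"unknown algorithm {key['algorithm']!r}")
    elif key["algorithm"] in WEAK_ALGORITHMS:
        problems.append(f"{key['algorithm']} is deprecated; regenerate with hmac-sha256")
    try:
        raw = base64.b64decode(key["secret"], validate=True)
    except binascii.Error:
        return problems + ["secret is not valid base64"]
    if size is not None and len(raw) < size:
        problems.append(f"secret is {len(raw)} bytes, shorter than the "
                        f"{size}-byte digest of {key['algorithm']}")
    return problems


def nsupdate_batch(server: str, fqdn: str, txt: str, ttl: int = 60) -> str:
    """The stdin batch an nsupdate-based hook pipes into `nsupdate -k keyfile`."""
    return f'server {server}\nupdate add {fqdn}. {ttl} in txt "{txt}"\nsend\n'


# Constructed sample key files; the secrets are throwaway test strings.
GOOD_KEYFILE = 'key "xi" {\n  algorithm hmac-sha256;\n  secret "%s";\n};\n' % (
    base64.b64encode(bytes(range(32))).decode())
MD5_KEYFILE = 'key "acme" {\n  algorithm hmac-md5;\n  secret "%s";\n};\n' % (
    base64.b64encode(b"short").decode())

if __name__ == "__main__":
    print("good:", check_tsig_key(GOOD_KEYFILE, "xi"))
    print("md5 :", check_tsig_key(MD5_KEYFILE, "xi"))
    print(nsupdate_batch("192.0.2.53", "_acme-challenge.xi.net", "constructed-token"))
```

Run the check against the key file the GUI wrote (the `NSUPDATE_KEY` path in the log) with the name from `NSUPDATE_KEYNAME`; a name mismatch or an undecodable secret explains the server-side rejection without touching the zone, and a clean result points the search at the server's own key and update-policy configuration instead.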

          I still can't fix it. I am using the Simple DNS Plus DNS server.

          And why can't I input (add) an EC PRIVATE KEY as the custom key?

          -----BEGIN EC PRIVATE KEY-----
          MHQCAQEEIIJtk7xEZdevLY597iBUD59GQra/Uh/hzoQg9DCIAUy9oAcGBSuBBAAK
          oUQDQgAE6atp4nEZ1LapCAHdwY6REzljZHUZI0HYH16lCOOGQ+uh
          +z1ZmWWXuqSEEThQvpZjESy66GcGWQ==
          -----END EC PRIVATE KEY-----

          I tried changing it to -----BEGIN PRIVATE KEY----- and got this log:
          getCertificatePSK updating custom key

          /usr/local/pkg/acme/acme.sh --renew -d 'xi.net' -d '*.xi.net' --home '/tmp/acme/xi.net/' --accountconf '/tmp/acme/xi.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xi.net/reloadcmd.sh' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --ocsp-must-staple --log-level 3 --log '/tmp/acme/xi.net/acme_issuecert.log'

          Array
          (
          [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          )
          [Sun Jun 24 02:27:14 CST 2018] Renew: 'xi.net'
          [Sun Jun 24 02:27:18 CST 2018] Multi domain='DNS:xi.net,DNS:*.xi.net'
          unable to load Private Key
          34380776392:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:1200:
          34380776392:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:374:Type=X509_ALGOR
          34380776392:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:700:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
          34380776392:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/pem/pem_pkey.c:142:
          [Sun Jun 24 02:27:18 CST 2018] Create CSR error.
          [Sun Jun 24 02:27:18 CST 2018] Please check log file for more details: /tmp/acme/xiaoyu.net/acme_issuecert.log
          [Sun Jun 24 02:27:18 CST 2018] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

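The OpenSSL trace in the post above (`wrong tag` at `Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO`) is what a relabelled PEM produces, and the following added example (not acme.sh, pfSense or OpenSSL code) shows why. `EC PRIVATE KEY` and `PRIVATE KEY` are not two spellings of one thing: the first labels an RFC 5915 ECPrivateKey (version 1, then the scalar as an OCTET STRING), the second an RFC 5208 PKCS#8 PrivateKeyInfo (version 0, then an AlgorithmIdentifier SEQUENCE). Editing only the header makes the parser read SEC1 bytes as PKCS#8, so it meets an OCTET STRING where the `pkeyalg` SEQUENCE must be. The code classifies a PEM body by its actual DER structure and re-wraps a SEC1 key into PKCS#8 properly. The OIDs are the well-known constants; the sample key is constructed in the code (a P-256 scalar with the optional public key omitted) and is not the key from the post.

```python
"""Tell SEC1 (EC PRIVATE KEY) from PKCS#8 (PRIVATE KEY) by parsing the DER.

Added example, not project code. A tiny DER reader/writer is enough to see the
structural difference that makes a relabelled key fail, and to fix it by
wrapping the ECPrivateKey in a PrivateKeyInfo instead of renaming it.
"""
import base64
import re

# DER content bytes of well-known OIDs (not values from the post).
OID_ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
OID_SECP256R1 = bytes.fromhex("2a8648ce3d030107")        # 1.2.840.10045.3.1.7 (P-256)


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV starting at pos; return (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a minimal length field."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def pem_decode(pem: str):
    """Return (label, der) from a single PEM block."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def classify(der: bytes) -> str:
    """'sec1' for ECPrivateKey, 'pkcs8' for PrivateKeyInfo, else 'unknown'."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        return "unknown"
    vtag, version, pos = der_read(body)
    if vtag != 0x02:
        return "unknown"
    second, _, _ = der_read(body, pos)
    if version == b"\x00" and second == 0x30:   # AlgorithmIdentifier SEQUENCE
        return "pkcs8"
    if version == b"\x01" and second == 0x04:   # privateKey OCTET STRING
        return "sec1"
    return "unknown"


def diagnose(pem: str) -> str:
    """Explain a label/body mismatch in the terms OpenSSL reports it."""
    label, der = pem_decode(pem)
    kind = classify(der)
    if (label, kind) in {("EC PRIVATE KEY", "sec1"), ("PRIVATE KEY", "pkcs8")}:
        return "ok"
    if label == "PRIVATE KEY" and kind == "sec1":
        return ("label says PKCS#8 but body is SEC1 ECPrivateKey: the parser finds the "
                "privateKey OCTET STRING where the pkeyalg SEQUENCE belongs ('wrong tag'); "
                "re-wrap with sec1_to_pkcs8() instead of renaming")
    return f"label {label!r} does not match body type {kind!r}"


def sec1_to_pkcs8(sec1_der: bytes) -> bytes:
    """Wrap an ECPrivateKey carrying namedCurve parameters into PrivateKeyInfo."""
    _, body, _ = der_read(sec1_der)
    pos, curve_oid = 0, None
    while pos < len(body):
        tag, content, pos = der_read(body, pos)
        if tag == 0xA0:                          # [0] parameters ::= namedCurve OID
            otag, curve_oid, _ = der_read(content)
            if otag != 0x06:
                raise ValueError("only namedCurve parameters are supported")
    if curve_oid is None:
        raise ValueError("ECPrivateKey lacks parameters; curve cannot be determined")
    alg = der_encode(0x30, der_encode(0x06, OID_ID_EC_PUBLIC_KEY) + der_encode(0x06, curve_oid))
    return der_encode(0x30, der_encode(0x02, b"\x00") + alg + der_encode(0x04, sec1_der))


# Constructed sample: P-256 SEC1 key with scalar 0x01..0x20, public key omitted
# (it is OPTIONAL in RFC 5915). Test material only.
SAMPLE_SEC1_DER = der_encode(0x30,
                             der_encode(0x02, b"\x01")
                             + der_encode(0x04, bytes(range(1, 33)))
                             + der_encode(0xA0, der_encode(0x06, OID_SECP256R1)))
SAMPLE_SEC1_PEM = der_to_pem("EC PRIVATE KEY", SAMPLE_SEC1_DER)
RELABELLED_PEM = SAMPLE_SEC1_PEM.replace("EC PRIVATE KEY", "PRIVATE KEY")  # what the post tried
CONVERTED_PEM = der_to_pem("PRIVATE KEY", sec1_to_pkcs8(SAMPLE_SEC1_DER))   # the real fix

if __name__ == "__main__":
    print(diagnose(SAMPLE_SEC1_PEM))
    print(diagnose(RELABELLED_PEM))
    print(diagnose(CONVERTED_PEM))
```

Two practical notes. First, the same conversion is what `openssl pkcs8 -topk8 -nocrypt -in ec.key -out pkcs8.key` performs, so the Python is a teaching aid rather than a replacement for the tool. Second, the `[0]` parameters field of the key pasted in the post decodes to OID 1.3.132.0.10, which is secp256k1; Let's Encrypt accepts only P-256 and P-384 ECDSA keys, so that key would need to be regenerated on one of those curves regardless of how it is wrapped.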