ACME using DNS-NSupdate / RFC 2136: add TXT record error

  • xi.net
    Renewing certificate
    account: yon@xi.net
    server: letsencrypt-production-2

    /usr/local/pkg/acme/acme.sh --issue -d 'xi.net' -d '*.xi.net' --home '/tmp/acme/xi.net/' --accountconf '/tmp/acme/xi.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xi.net/reloadcmd.sh' --dns 'dns_nsupdate' --ocsp-must-staple --log-level 3 --log '/tmp/acme/xi.net/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [NSUPDATE_SERVER] => /tmp/acme/xi.net/xi.net/nsupdate
    [NSUPDATE_KEYNAME] => xi
    [NSUPDATE_KEYALGO] => 157
    [NSUPDATE_KEY] => /tmp/acme/xi.net/xi.net/nsupdate
    )
    [Wed Jun 20 00:19:24 CST 2018] Multi domain='DNS:xi.net,DNS:*.xi.net'
    [Wed Jun 20 00:19:24 CST 2018] Getting domain auth token for each domain
    [Wed Jun 20 00:19:35 CST 2018] Getting webroot for domain='xi.net'
    [Wed Jun 20 00:19:35 CST 2018] Getting webroot for domain='*.xi.net'
    [Wed Jun 20 00:19:35 CST 2018] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Wed Jun 20 00:19:35 CST 2018] adding _acme-challenge.xi.net. 60 in txt "BBuFWyHyKJSjqDvnU9QUq42Yvo2_BSVlAeTyPuouVi0"
    dns_request_getresponse: expected a TSIG or SIG(0)
    [Wed Jun 20 00:19:35 CST 2018] error updating domain
    [Wed Jun 20 00:19:35 CST 2018] Error add txt for domain:_acme-challenge.xi.net
    [Wed Jun 20 00:19:35 CST 2018] Please check log file for more details: /tmp/acme/xi.net/acme_issuecert.log


  • Rebel Alliance Developer Netgate

    It's working here with the current version of the ACME package. Make sure you are current and make sure the key in the GUI is correct.

    That looks more like a server-side error than a client-side error.



  • I still can't fix it. I am using the Simple DNS Plus DNS server.

    And why can't I enter an EC PRIVATE KEY as the custom key?

    I tried changing it to -----BEGIN PRIVATE KEY----- and got this log:
    getCertificatePSK updating custom key

    /usr/local/pkg/acme/acme.sh --renew -d 'xi.net' -d '*.xi.net' --home '/tmp/acme/xi.net/' --accountconf '/tmp/acme/xi.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xi.net/reloadcmd.sh' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --ocsp-must-staple --log-level 3 --log '/tmp/acme/xi.net/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    )
    [Sun Jun 24 02:27:14 CST 2018] Renew: 'xi.net'
    [Sun Jun 24 02:27:18 CST 2018] Multi domain='DNS:xi.net,DNS:*.xi.net'
    unable to load Private Key
    34380776392:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:1200:
    34380776392:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:374:Type=X509_ALGOR
    34380776392:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:700:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
    34380776392:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/pem/pem_pkey.c:142:
    [Sun Jun 24 02:27:18 CST 2018] Create CSR error.
    [Sun Jun 24 02:27:18 CST 2018] Please check log file for more details: /tmp/acme/xiaoyu.net/acme_issuecert.log
    [Sun Jun 24 02:27:18 CST 2018] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
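The OpenSSL errors in the log above (wrong tag while decoding PKCS8_PRIV_KEY_INFO) are what happens when only the PEM header is changed from "EC PRIVATE KEY" (SEC1, RFC 5915) to "PRIVATE KEY" (PKCS#8, RFC 5208) while the DER body stays SEC1. The following Python is an added example, not code from the thread or the ACME package: it inspects the DER to tell the two encodings apart, flags a header that does not match the body, and wraps a SEC1 key into a proper PrivateKeyInfo. The sample key material is a constructed dummy scalar, not a real key.

```python
import base64
import re

def _tlv(tag, body):  # minimal DER TLV encoder, lengths below 65536
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _read_tlv(buf, pos=0):  # decode one TLV at pos; returns (tag, body, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def key_structure(der):  # SEC1 body: INTEGER 1, OCTET STRING ...; PKCS#8 body: INTEGER 0, SEQUENCE ...
    tag, body, _ = _read_tlv(der)
    if tag != 0x30 or len(body) < 4:
        return "UNKNOWN"
    vtag, ver, pos = _read_tlv(body)
    ntag = _read_tlv(body, pos)[0]
    kind = {(0x02, b"\x01", 0x04): "SEC1", (0x02, b"\x00", 0x30): "PKCS8"}
    return kind.get((vtag, ver, ntag), "UNKNOWN")

def check_pem(pem):  # (label, structure, consistent); False means header and body disagree
    label, der = pem_to_der(pem)
    structure = key_structure(der)
    return label, structure, structure == {"EC PRIVATE KEY": "SEC1", "PRIVATE KEY": "PKCS8"}.get(label)

def sec1_to_pkcs8(der):  # PrivateKeyInfo {version 0, {id-ecPublicKey, namedCurve}, OCTET STRING(ECPrivateKey)}
    _, body, _ = _read_tlv(der)
    _, _, pos = _read_tlv(body, _read_tlv(body)[2])  # skip version and privateKey octets
    ctag, curve_oid, _ = _read_tlv(body, pos)        # [0] parameters holds the namedCurve OID
    if ctag != 0xA0:
        raise ValueError("ECPrivateKey lacks a named curve; cannot build AlgorithmIdentifier")
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A8648CE3D0201")) + curve_oid)  # id-ecPublicKey 1.2.840.10045.2.1
    return _tlv(0x30, _tlv(0x02, b"\x00") + alg + _tlv(0x04, der))

# Constructed sample: SEC1 ECPrivateKey with a dummy 32-byte scalar on prime256v1; not a real key.
SAMPLE_SEC1 = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x11" * 32)
                   + _tlv(0xA0, _tlv(0x06, bytes.fromhex("2A8648CE3D030107"))))
```

In practice `openssl pkey -in ec.key -out pkcs8.key` performs this conversion; the block shows why editing only the header line does not.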

