ACME USE DNS-NSupdate / RFC 2136 Add txt record error.
-
xi.net
Renewing certificate
account: yon@xi.net
server: letsencrypt-production-2/usr/local/pkg/acme/acme.sh --issue -d 'xi.net' -d '*.xi.net' --home '/tmp/acme/xi.net/' --accountconf '/tmp/acme/xi.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xi.net/reloadcmd.sh' --dns 'dns_nsupdate' --ocsp-must-staple --log-level 3 --log '/tmp/acme/xi.net/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[NSUPDATE_SERVER] => /tmp/acme/xi.net/xi.net/nsupdate
[NSUPDATE_KEYNAME] => xi
[NSUPDATE_KEYALGO] => 157
[NSUPDATE_KEY] => /tmp/acme/xi.net/xi.net/nsupdate
)
[Wed Jun 20 00:19:24 CST 2018] Multi domain='DNS:xi.net,DNS:.xi.net'
[Wed Jun 20 00:19:24 CST 2018] Getting domain auth token for each domain
[Wed Jun 20 00:19:35 CST 2018] Getting webroot for domain='xi.net'
[Wed Jun 20 00:19:35 CST 2018] Getting webroot for domain='.xi.net'
[Wed Jun 20 00:19:35 CST 2018] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Wed Jun 20 00:19:35 CST 2018] adding _acme-challenge.xi.net. 60 in txt "BBuFWyHyKJSjqDvnU9QUq42Yvo2_BSVlAeTyPuouVi0"
dns_request_getresponse: expected a TSIG or SIG(0)
[Wed Jun 20 00:19:35 CST 2018] error updating domain
[Wed Jun 20 00:19:35 CST 2018] Error add txt for domain:_acme-challenge.xi.net
[Wed Jun 20 00:19:35 CST 2018] Please check log file for more details: /tmp/acme/xi.net/acme_issuecert.log
-
It's working here with the current version of the ACME package. Make sure you are current and make sure the key in the GUI is correct.
That looks more like a server-side error than a client-side error.
-
i still can't fix it. i am using simple dns plus dns server.
and why i can't input add EC PRIVATE KEY in custom key?
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIIJtk7xEZdevLY597iBUD59GQra/Uh/hzoQg9DCIAUy9oAcGBSuBBAAK
oUQDQgAE6atp4nEZ1LapCAHdwY6REzljZHUZI0HYH16lCOOGQ+uh
+z1ZmWWXuqSEEThQvpZjESy66GcGWQ==
-----END EC PRIVATE KEY-----i try change to -----BEGIN PRIVATE KEY----- get log:
getCertificatePSK updating custom key/usr/local/pkg/acme/acme.sh --renew -d 'xi.net' -d '*.xi.net' --home '/tmp/acme/xi.net/' --accountconf '/tmp/acme/xi.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xi.net/reloadcmd.sh' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --ocsp-must-staple --log-level 3 --log '/tmp/acme/xi.net/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
)
[Sun Jun 24 02:27:14 CST 2018] Renew: 'xi.net'
[Sun Jun 24 02:27:18 CST 2018] Multi domain='DNS:xi .net,DNS:*.xi.net'
unable to load Private Key
34380776392:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:1200:
34380776392:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:374:Type=X509_ALGOR
34380776392:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:700:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
34380776392:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/pem/pem_pkey.c:142:
[Sun Jun 24 02:27:18 CST 2018] Create CSR error.
[Sun Jun 24 02:27:18 CST 2018] Please check log file for more details: /tmp/acme/xiaoyu.net/acme_issuecert.log
[Sun Jun 24 02:27:18 CST 2018] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
