Cert Renewal Failed using DNS-Godaddy



• I've been using the acme package for about 18 months without any issues.
    2.4.4-RELEASE-p1
    acme 0.3.2_4 using DNS-Godaddy plugin method

    I upgraded to 2.4.4-p1 on 12/5. On 12/7 I received email notification that "3:18:22 ACME, Failed to renew certificate for WebConfigurator". I don't know if this is a bug in 2.4.4-p1 or just a coincidence that my cert was due for renewal 2 days after upgrading.

    I looked at the acme_issuecert.log and it shows that the DNS record was added but it fails verification.

    I logged into GoDaddy admin and saw that I have an existing TXT record for _acme-challenge.xxxx with an empty value. I reran the cert renewal from pfSense and refreshed the DNS manager and saw that a new TXT record had been created with a value. I now suspected why the verification was failing - I have 2 records for _acme-challenge.xxxx.
I knew from the acme log that it sleeps 120 seconds for the TXT record to go into effect, so I deleted the acme_challenge record with the empty value. Verification was successful and my cert was renewed.

My question is: is this a reproducible bug? And how should the cert renewal process work?

1. Does it create a new DNS entry each time it renews, cleaning up after itself by removing the record?
2. Should it look for and use an existing DNS record, updating the value, and clean up after itself by removing only the record value?

It seems like it should be #2, and looking at the acme log, there is a lookup for existing records.

    Getting existing records
    [Mon Dec 10 09:48:05 PST 2018] domains/gesi.net/records/TXT/_acme-challenge.firewall
    [Mon Dec 10 09:48:05 PST 2018] GET
    [Mon Dec 10 09:48:05 PST 2018] url='https://api.godaddy.com/v1/domains/gesi.net/records/TXT/_acme-challenge.firewall'
    [Mon Dec 10 09:48:05 PST 2018] timeout=
    [Mon Dec 10 09:48:05 PST 2018] curl exists=0
    [Mon Dec 10 09:48:05 PST 2018] wget exists=127
    [Mon Dec 10 09:48:05 PST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/WebConfigurator//http.header -g '
    [Mon Dec 10 09:48:05 PST 2018] ret='0'
    [Mon Dec 10 09:48:05 PST 2018] response='[{"data":"","name":"_acme-challenge.firewall","ttl":600,"type":"TXT"},{"data":"Ez7qNRaHeqSsfRFhn7dKGEoIdwlqwthwgxxxxxxxxxx","name":"_acme-challenge.firewall","ttl":600,"type":"TXT"}]'

    After my cert was renewed I refreshed the DNS manager and I do still have the _acme-challenge record but the value is now empty again.

    Thanks
    -Andrew
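Added example, not part of the post and not code from the pfSense ACME package or its GoDaddy plugin: a small audit of the TXT records the GoDaddy API returns for a DNS-01 challenge name, so an operator can spot stale empty-value records and duplicates before re-running a renewal. It assumes the record list has the same shape as the API response quoted in the log above (`[{"data": ..., "name": ..., "ttl": ..., "type": "TXT"}, ...]`); the sample response below is constructed to mirror that log, with the token value replaced by a placeholder.

```python
"""Audit ACME DNS-01 challenge TXT records from a GoDaddy-style API response.

Added example; not part of the pfSense ACME package. Assumes the record list
has the same shape as the response quoted in the acme_issuecert.log excerpt.
"""
import json

# Constructed sample modelled on the log: one stale record with an empty
# value plus the record written by the current renewal (placeholder token).
SAMPLE_NAME = "_acme-challenge.firewall"
SAMPLE_RESPONSE = json.dumps([
    {"data": "", "name": SAMPLE_NAME, "ttl": 600, "type": "TXT"},
    {"data": "TOKEN-FROM-THIS-RENEWAL-PLACEHOLDER", "name": SAMPLE_NAME,
     "ttl": 600, "type": "TXT"},
])


def parse_response(text):
    """Decode the JSON array of record objects returned by the records endpoint."""
    return json.loads(text)


def challenge_txt_records(records, name):
    """Return only the TXT records whose name is the challenge label."""
    return [r for r in records if r.get("type") == "TXT" and r.get("name") == name]


def audit_challenge_records(records, name):
    """Summarise what is published at the challenge name.

    values     - non-empty TXT values (what a DNS-01 validator can match)
    empty      - count of records with an empty value (stale leftovers)
    duplicates - True when more than one TXT record exists for the name
    """
    txt = challenge_txt_records(records, name)
    return {
        "values": [r["data"] for r in txt if r.get("data")],
        "empty": sum(1 for r in txt if not r.get("data")),
        "duplicates": len(txt) > 1,
    }


def stale_records_to_remove(records, name):
    """Records an operator should delete before retrying: empty-value TXT
    records sitting at the challenge name."""
    return [r for r in challenge_txt_records(records, name) if not r.get("data")]


def challenge_token_published(records, name, token):
    """True if the token the ACME server expects appears among the published
    non-empty TXT values for the challenge name."""
    return bool(token) and token in audit_challenge_records(records, name)["values"]


def audit_sample():
    """Run the audit over the constructed sample response."""
    return audit_challenge_records(parse_response(SAMPLE_RESPONSE), SAMPLE_NAME)


if __name__ == "__main__":
    recs = parse_response(SAMPLE_RESPONSE)
    print(json.dumps(audit_challenge_records(recs, SAMPLE_NAME), indent=2))
    for rec in stale_records_to_remove(recs, SAMPLE_NAME):
        print("stale record to remove:", rec)
```

Run against the real response by pasting the `response='...'` JSON from the log into `parse_response`; a non-zero `empty` count or `duplicates: True` is the condition the post describes, and `stale_records_to_remove` lists exactly the records that were deleted by hand to get the renewal through.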

