Netgate Discussion Forum

Error validating wildcard *.domain using duckdns.org

ACME
  • luisenrique, Feb 6, 2019, 10:41 PM

    Hi, I'm trying to validate a wildcard domain to get my multi-domain certificate.
    I'm using DuckDNS to host my TXT record because I'm unable to make my DNS server work dynamically as 2136 …
    So I made an account on duckdns.org, made my domain.duckdns.org… and on my DNS server added a CNAME like:
    _acme-challenge IN CNAME bicsa.duckdns.org.
    dig _acme-challenge.ibicsa.co.cu txt
    ;; ANSWER SECTION:
    _acme-challenge.ibicsa.co.cu. 1200 IN CNAME _acme-challenge.bicsa.duckdns.org.
    _acme-challenge.bicsa.duckdns.org. 60 IN TXT ""
    Then I added an entry in the certificate ACME configuration:
    domain name: ibicsa.co.cu
    my API token account ********
    Enable DNS alias mode: _acme-challenge.bicsa.duckdns.org
    Enable DNS domain alias mode: Checkbox Enabled
    When I issue the certificate it runs fine and I get the certificate without problem for ibicsa.co.cu.
    So I need a wildcard certificate *.ibicsa.co.cu; then I add another entry under the ibicsa.co.cu SAN with the same config and *.ibicsa.co.cu as domain name for the wildcard.
    I get an error:
    ed Feb 6 17:25:52 CST 2019] Multi domain='DNS:ibicsa.co.cu,DNS:.ibicsa.co.cu’
    [Wed Feb 6 17:25:52 CST 2019] Getting domain auth token for each domain
    [Wed Feb 6 17:25:55 CST 2019] Getting webroot for domain=‘ibicsa.co.cu’
    [Wed Feb 6 17:25:55 CST 2019] Getting webroot for domain=’.ibicsa.co.cu’
    [Wed Feb 6 17:25:55 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
    [Wed Feb 6 17:25:55 CST 2019] Trying to add TXT record
    [Wed Feb 6 17:25:57 CST 2019] TXT record has been successfully added to your DuckDNS domain.
    [Wed Feb 6 17:25:57 CST 2019] Note that all subdomains under this domain uses the same TXT record.
    [Wed Feb 6 17:25:57 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
    [Wed Feb 6 17:25:57 CST 2019] Trying to add TXT record
    [Wed Feb 6 17:26:00 CST 2019] TXT record has been successfully added to your DuckDNS domain.
    [Wed Feb 6 17:26:00 CST 2019] Note that all subdomains under this domain uses the same TXT record.
    [Wed Feb 6 17:26:00 CST 2019] Sleep 30 seconds for the txt records to take effect
    [Wed Feb 6 17:26:30 CST 2019] Verifying: ibicsa.co.cu
    [Wed Feb 6 17:26:33 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
    [Wed Feb 6 17:26:33 CST 2019] Removing DNS records.
    [Wed Feb 6 17:26:33 CST 2019] Trying to remove TXT record
    [Wed Feb 6 17:26:34 CST 2019] TXT record has been successfully removed from your DuckDNS domain.
    [Wed Feb 6 17:26:34 CST 2019] Trying to remove TXT record
    [Wed Feb 6 17:26:37 CST 2019] TXT record has been successfully removed from your DuckDNS domain.
    [Wed Feb 6 17:26:33 CST 2019] ibicsa.co.cu:Verify error:Incorrect TXT record
    [Wed Feb 6 17:26:33 CST 2019] Error extracting the domain.
    [Wed Feb 6 17:26:33 CST 2019] Error rm webroot api for domain:dns_duckdns
    While the script waits for propagation (60 sec) I made a dig query:
    _acme-challenge.ibicsa.co.cu. 32 IN CNAME _acme-challenge.bicsa.duckdns.org.
    _acme-challenge.bicsa.duckdns.org. 57 IN TXT "6h7_W2zzqIDGGb6kFSAk2r9LK8lmSkSN1UPKdWY_lZA"
    I'm missing some config in DNS. Please help, thanks.

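An added example, not code from this thread or from acme.sh, that models what the log above shows: both `ibicsa.co.cu` and `*.ibicsa.co.cu` are validated at the same `_acme-challenge.ibicsa.co.cu` name, which the CNAME sends to one DuckDNS alias target, and the acme.sh log line "all subdomains under this domain uses the same TXT record" means each DuckDNS update overwrites the previous value. The zone, tokens and the `multi_value` flag (a provider that keeps several TXT values) are constructed assumptions.

```python
# Added example (not from the thread or acme.sh): dns-01 validation through an
# alias CNAME, showing why a base domain plus its wildcard cannot both pass when
# the alias target holds only one TXT value. Tokens and zone are constructed.

CHALLENGE_LABEL = "_acme-challenge"

def challenge_name(identifier):
    """'ibicsa.co.cu' and '*.ibicsa.co.cu' both validate at _acme-challenge.ibicsa.co.cu."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"{CHALLENGE_LABEL}.{host}"

def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs from `name`, as the CA's resolver does, and return the TXT values found."""
    for _ in range(max_hops):
        rrset = zone.get(name)
        if rrset is None:
            return []
        rtype, rdata = rrset
        if rtype == "TXT":
            return list(rdata)
        name = rdata                      # CNAME: continue at the target name
    raise RuntimeError("CNAME chain too long")

def publish_txt(zone, name, value, multi_value):
    """multi_value=False models DuckDNS: one TXT per domain, each update overwrites the last."""
    if multi_value and name in zone and zone[name][0] == "TXT":
        zone[name][1].append(value)
    else:
        zone[name] = ("TXT", [value])

def validate_order(zone, identifiers, alias_target, tokens, multi_value=False):
    """acme.sh publishes one token per identifier, then the CA checks every identifier."""
    for tok in tokens:
        publish_txt(zone, alias_target, tok, multi_value)
    return {ident: tok in resolve_txt(zone, challenge_name(ident))
            for ident, tok in zip(identifiers, tokens)}

def make_zone():
    """Constructed zone holding only the CNAME from the first post."""
    return {"_acme-challenge.ibicsa.co.cu": ("CNAME", "_acme-challenge.bicsa.duckdns.org")}

if __name__ == "__main__":
    alias = "_acme-challenge.bicsa.duckdns.org"
    both = ["ibicsa.co.cu", "*.ibicsa.co.cu"]
    print(validate_order(make_zone(), ["*.ibicsa.co.cu"], alias, ["tokA"]))
    print(validate_order(make_zone(), both, alias, ["tokA", "tokB"]))        # base fails
    print(validate_order(make_zone(), both, alias, ["tokA", "tokB"], True))  # both pass
```

With the single-value provider the second token replaces the first, so the CA sees "Incorrect TXT record" for whichever identifier was published first; with the wildcard alone, or with a provider that keeps both values, every identifier passes.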
    • Gertjan, Feb 7, 2019, 9:19 PM (last edited by Gertjan Feb 7, 2019, 9:59 PM)

      Is this question different from the other question?

      The fact that "rm" didn't work isn't a show-stopper.

      I'm seeing the same thing: I found several

      _acme-challenge.my-zone.tld. 60 IN TXT “blablabla”
      

      in my zone file.
      Looking at the log file (not the rudimentary GUI log, the real log file as mentioned in the GUI log (a wildcard demand)):

      At the end, it's clean-up time:

      [Thu Feb  7 14:39:38 CET 2019] Removing DNS records.
      ......
      [Thu Feb  7 14:39:38 CET 2019] key /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key is unreadable
      [Thu Feb  7 14:39:38 CET 2019] Error removing txt for domain:_acme-challenge.brit-hotel-fumel.net
      

      Oops.
      The file "/tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key" doesn't exist indeed.
      It should be
      /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate._acme-challenge.brit-hotel-fumel.net.key
      The "_acme-challenge.brit-hotel-fumel.net" part is missing.

      The same for the second part of the wildcard request:

      .....
      [Thu Feb  7 14:39:38 CET 2019] key /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key is unreadable
      [Thu Feb  7 14:39:38 CET 2019] Error removing txt for domain:_acme-challenge.brit-hotel-fumel.net
      

      I had to "repair" this file
      /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
      The first call to _checkKeyFile() in dns_nsupdate_rm() is wrong.
      It should be:

      _checkKeyFile $fulldomain || return 1
      

      instead of

      _checkKeyFile|| return 1
      

      I guess ;)

      which forms a file name that doesn't exist.
      The "$fulldomain" part is missing.

      Btw: this is an "nsupdate" (RFC 2136) issue, not a duckdns issue.
      Also: this is an acme upstream issue, not an acme package pfSense issue.

      So: rm isn't working well - the "_acme-challenge" TXT records aren't destroyed after usage.
      Certs are delivered and put in place.

      Edit: oops again: this https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_nsupdate.sh
      isn't https://github.com/pfsense/FreeBSD-ports/blob/b7024a0b261280d456317f37c3e1deff8290d682/security/pfSense-pkg-acme/files/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh

      Not a big deal actually.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • luisenrique @Gertjan, Feb 7, 2019, 9:47 PM

        @gertjan said in Error validating wildcard *.domain using duckdns.org:

        isn't working well

        Yes, they are different.
        When I validate a simple domain name like bicsa.cu it works fine (but later I see a simple error I described (https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns)),
        this question is about when I add *.mydomain.cu to the same SAN to get a certificate for both (bicsa.cu, *bicsa.cu) and get the error described in this post,
        so I decided to validate only *.bicsa.cu; I get the certificate fine
        but get the error
        https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns
        [Wed Feb 6 17:26:33 CST 2019] Error extracting the domain.
        [Wed Feb 6 17:26:33 CST 2019] Error rm webroot api for domain: dns_duckdns
        Anyway, I got the certificate fine but with this little error.
        Sorry for my English, which makes it harder to understand me.

        • Gertjan, Feb 7, 2019, 9:57 PM

          When demanding a wildcard, you should set up for a domain twice:
          domaine.tld
          *.domaine.tld

          Only using
          *.domain.tld
          isn't wrong, but excludes the base domain name from being valid for the certificate.
          See https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578.

          Btw: I don't know anything about alias mode.
          See https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode


          • luisenrique @Gertjan, Feb 8, 2019, 2:42 AM

            @gertjan
            Yes, I know the requirement to demand a wildcard certificate: domaine.tld and *.domaine.tld, but I am detecting many errors; on the other hand, I am not planning to use my base domain at this time to publish and protect some services using my base domain name.
            I read about the alias mode, and added to my DNS: _acme-challenge IN CNAME _acme-challenge.b1c54cu.duckdns.org.

            bicsa.co.cu
            _acme-challenge IN CNAME _acme-challenge.b1c54c0cu.duckdns.org.

            ibicsa.co.cu
            _acme-challenge IN CNAME _acme-challenge.ib1c54c0cu.duckdns.org.
            These domains under duckdns.org exist ... but I am detecting these errors when I request a wildcard certificate for domaine.tld, *.domaine.tld / *.domaine.tld, so if a certificate for *.domaine.tld covers my hosts under *.domaine.tld alone (no base domain) they are fine, it works for me,
            but in this case I get the certificate for *.domaine.tld fine! Hurra! But in the end I see the error:
            [Thu, 7 February 10:58:35 CST 2019] Failed to extract the domain.
            [Thu, 7 February 10:58:35 CST 2019] Error rm webroot api for the domain: dns_duckdns
            related in the other post
            https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns
            You tell me that the error is an error or an error in acme.sh?
            The error described by you, I saw that error before in some test: "netnsupdate.key is illegible"
            related in the other post
            https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns.
            You tell me that the error is an error or an error in acme.sh? So you or some developer must repair the problem.
            I've seen the error described by you many times; read, read, change, compare etc. but nothing; by now getting a *.mydomain.net without the base domain is my solution.
            What can I do?
            thanks
