Error validating wildcard *.domain using duckdns.org
-
Hi, I'm trying to validate a wildcard domain to get my multi-domain certificate.
I'm using DuckDNS to host my TXT record because I'm unable to make my DNS server work dynamically via RFC 2136 ...
So I made an account on duckdns.org, made my domain.duckdns.org... on my DNS server I added a CNAME like:
_acme-challenge IN CNAME bicsa.duckdns.org.
dig _acme-challenge.ibicsa.co.cu txt
;; ANSWER SECTION:
_acme-challenge.ibicsa.co.cu. 1200 IN CNAME _acme-challenge.bicsa.duckdns.org.
_acme-challenge.bicsa.duckdns.org. 60 IN TXT ""
Then I add an entry in the certificate's ACME configuration:
domain name: ibicsa.co.cu
my API token account ********
Enable DNS alias mode: _acme-challenge.bicsa.duckdns.org
Enable DNS domain alias mode: Checkbox Enabled
When I issue the certificate it runs OK and I get the certificate without problem for ibicsa.co.cu.
Since I need a wildcard certificate *.ibicsa.co.cu, I then add another entry under the ibicsa.co.cu SAN with the same config and *.ibicsa.co.cu as domain name for the wildcard.
I get an error:
[Wed Feb 6 17:25:52 CST 2019] Multi domain='DNS:ibicsa.co.cu,DNS:*.ibicsa.co.cu'
[Wed Feb 6 17:25:52 CST 2019] Getting domain auth token for each domain
[Wed Feb 6 17:25:55 CST 2019] Getting webroot for domain='ibicsa.co.cu'
[Wed Feb 6 17:25:55 CST 2019] Getting webroot for domain='*.ibicsa.co.cu'
[Wed Feb 6 17:25:55 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
[Wed Feb 6 17:25:55 CST 2019] Trying to add TXT record
[Wed Feb 6 17:25:57 CST 2019] TXT record has been successfully added to your DuckDNS domain.
[Wed Feb 6 17:25:57 CST 2019] Note that all subdomains under this domain uses the same TXT record.
[Wed Feb 6 17:25:57 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
[Wed Feb 6 17:25:57 CST 2019] Trying to add TXT record
[Wed Feb 6 17:26:00 CST 2019] TXT record has been successfully added to your DuckDNS domain.
[Wed Feb 6 17:26:00 CST 2019] Note that all subdomains under this domain uses the same TXT record.
[Wed Feb 6 17:26:00 CST 2019] Sleep 30 seconds for the txt records to take effect
[Wed Feb 6 17:26:30 CST 2019] Verifying: ibicsa.co.cu
[Wed Feb 6 17:26:33 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
[Wed Feb 6 17:26:33 CST 2019] Removing DNS records.
[Wed Feb 6 17:26:33 CST 2019] Trying to remove TXT record
[Wed Feb 6 17:26:34 CST 2019] TXT record has been successfully removed from your DuckDNS domain.
[Wed Feb 6 17:26:34 CST 2019] Trying to remove TXT record
[Wed Feb 6 17:26:37 CST 2019] TXT record has been successfully removed from your DuckDNS domain.
[Wed Feb 6 17:26:33 CST 2019] ibicsa.co.cu:Verify error:Incorrect TXT record
[Wed Feb 6 17:26:33 CST 2019] Error extracting the domain.
[Wed Feb 6 17:26:33 CST 2019] Error rm webroot api for domain:dns_duckdns
While the script waits for propagation (60 sec) I make a dig query:
_acme-challenge.ibicsa.co.cu. 32 IN CNAME _acme-challenge.bicsa.duckdns.org.
_acme-challenge.bicsa.duckdns.org. 57 IN TXT "6h7_W2zzqIDGGb6kFSAk2r9LK8lmSkSN1UPKdWY_lZA"
I'm missing some config in DNS, please help. Thanks. -
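An added example (my own sh, not code from the thread, from acme.sh or from the pfSense package) for checking an alias-mode chain the way the dig commands above do, but offline: it reads dig-style answer lines on stdin, confirms that the CNAME of _acme-challenge.<domain> points at the alias, and compares the TXT values the alias publishes against the tokens the order needs. The two dig answers and the second token are constructed to mirror this post. One thing the log above shows and the example reflects: the DuckDNS script warns that "all subdomains under this domain uses the same TXT record", while a base-plus-wildcard order needs two different TXT values at the same _acme-challenge name, so with a single alias target the second add replaces the first; that reading fits the base name failing with "Incorrect TXT record" while a wildcard-only order succeeds.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh.
# Reads dig-style answer lines on stdin so it runs offline; the sample
# answers below are constructed to mirror the thread's dig output.

# Print the CNAME target of _acme-challenge.<domain> (trailing dot removed).
cname_target() {  # $1 = domain being validated; dig lines on stdin
  awk -v n="_acme-challenge.$1." \
    '$1 == n && $4 == "CNAME" { sub(/\.$/, "", $5); print $5; exit }'
}

# Print each TXT value published at a name, quotes removed, one per line.
# (Single-string TXT records only, which is what acme.sh publishes.)
txt_values() {  # $1 = fully qualified name, e.g. the alias; dig lines on stdin
  awk -v n="$1." '$1 == n && $4 == "TXT" { v = $5; gsub(/"/, "", v); print v }'
}

# Return 0 if the challenge CNAME for $1 points at alias $2, else 1.
alias_chain_ok() {  # $1 = domain, $2 = expected alias; dig lines on stdin
  [ "$(cname_target "$1")" = "$2" ]
}

# Compare the tokens acme.sh expects (one per authorization, so two for
# base + wildcard) with what the alias actually publishes.  Prints each
# missing token and returns 1 if any is absent: that is the
# "Verify error:Incorrect TXT record" situation.
check_tokens() {  # $1 = alias; $2.. = expected tokens; dig lines on stdin
  target="$1"; shift
  published=$(txt_values "$target")
  rc=0
  for tok in "$@"; do
    if ! printf '%s\n' "$published" | grep -qxF -- "$tok"; then
      printf 'MISSING %s\n' "$tok"
      rc=1
    fi
  done
  return $rc
}

# Constructed samples (mirroring the thread, not live captures).
DOMAIN=ibicsa.co.cu
ALIAS=_acme-challenge.bicsa.duckdns.org
DIG_IDLE='_acme-challenge.ibicsa.co.cu. 1200 IN CNAME _acme-challenge.bicsa.duckdns.org.
_acme-challenge.bicsa.duckdns.org. 60 IN TXT ""'
DIG_DURING_ORDER='_acme-challenge.ibicsa.co.cu. 32 IN CNAME _acme-challenge.bicsa.duckdns.org.
_acme-challenge.bicsa.duckdns.org. 57 IN TXT "6h7_W2zzqIDGGb6kFSAk2r9LK8lmSkSN1UPKdWY_lZA"'
TOKEN_WILDCARD=6h7_W2zzqIDGGb6kFSAk2r9LK8lmSkSN1UPKdWY_lZA  # value from the thread's dig
TOKEN_BASE=CONSTRUCTED_TOKEN_FOR_BASE_DOMAIN                 # placeholder, constructed

demo() {
  printf '%s\n' "$DIG_DURING_ORDER" | alias_chain_ok "$DOMAIN" "$ALIAS" \
    && echo "CNAME chain OK: _acme-challenge.$DOMAIN -> $ALIAS"
  # Wildcard-only order: the single published value is the one needed.
  printf '%s\n' "$DIG_DURING_ORDER" | check_tokens "$ALIAS" "$TOKEN_WILDCARD" \
    && echo "wildcard-only order: all tokens present"
  # Base + wildcard order: two tokens needed, but DuckDNS keeps one TXT slot.
  printf '%s\n' "$DIG_DURING_ORDER" | check_tokens "$ALIAS" "$TOKEN_WILDCARD" "$TOKEN_BASE" \
    || echo "base+wildcard order: a token is missing, expect Incorrect TXT record"
}
demo
```

To use it against live DNS, replace the constructed strings with `dig +noall +answer _acme-challenge.<domain> TXT` output piped into the functions; the checks are the same.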
Is this question different from the other question?
The fact that "rm" didn't work isn't a show-stopper.
I'm seeing the same thing: I found several
_acme-challenge.my-zone.tld. 60 IN TXT "blablabla"
in my zone file.
Looking at the log file (not the rudimentary GUI log, the real log file as mentioned in the GUI log) for a wildcard demand: at the end, it's clean-up time:
[Thu Feb 7 14:39:38 CET 2019] Removing DNS records.
......
[Thu Feb 7 14:39:38 CET 2019] key /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key is unreadable
[Thu Feb 7 14:39:38 CET 2019] Error removing txt for domain:_acme-challenge.brit-hotel-fumel.net
Oops.
The file "/tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key" doesn't exist indeed.
It should be
/tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate._acme-challenge.brit-hotel-fumel.net.key
The "_acme-challenge.brit-hotel-fumel.net" part is missing. The same for the second part of the wildcard request:
.....
[Thu Feb 7 14:39:38 CET 2019] key /tmp/acme/V2_brit-hotel-fumel.net/brit-hotel-fumel.netnsupdate.key is unreadable
[Thu Feb 7 14:39:38 CET 2019] Error removing txt for domain:_acme-challenge.brit-hotel-fumel.net
I had to "repair" this file
/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
The first call to _checkKeyFile() in dns_nsupdate_rm() is wrong.
It should be:
_checkKeyFile $fulldomain || return 1
instead of
_checkKeyFile || return 1
I guess ;)
which forms a file name that doesn't exist.
The "$fulldomain" part is missing. Btw: this is an "nsupdate" (RFC 2136) issue, not a DuckDNS issue.
Also: this is an acme.sh upstream issue, not an acme package pfSense issue. So: rm isn't working well - the "_acme-challenge" TXT records aren't destroyed after usage.
Certs are delivered and put in place.
edit: oops again: this https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_nsupdate.sh
isn't https://github.com/pfsense/FreeBSD-ports/blob/b7024a0b261280d456317f37c3e1deff8290d682/security/pfSense-pkg-acme/files/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
Not a big deal actually.
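An added example (my own sh, not code from acme.sh or from the pfSense package) of the failure mode gertjan describes in the post above: a helper that takes the validated name as an optional argument silently builds a different, non-existent key path when the caller forgets to pass it, which is exactly why the clean-up step logs "is unreadable". The lenient variant reproduces that shape; the strict variant refuses to run without the argument so the mistake fails at the call site. The directory layout, domain names and file names are assumptions for the demo, modelled on the paths quoted in the post.

```shell
#!/bin/sh
# Added example, not code from acme.sh or the pfSense package.
# Demonstrates: an optional "fulldomain" argument that, when omitted,
# yields a wrong key path, versus a check that requires it.

# Build the per-challenge key path the way the post shows it:
# <dir>/<domain>nsupdate.<fulldomain>.key, or <dir>/<domain>nsupdate.key
# when fulldomain is empty (the path the broken rm call ended up testing).
key_path() {  # $1 = dir, $2 = domain, $3 = fulldomain (may be empty)
  if [ -n "$3" ]; then
    printf '%s/%snsupdate.%s.key\n' "$1" "$2" "$3"
  else
    printf '%s/%snsupdate.key\n' "$1" "$2"
  fi
}

# Lenient check (the shape of the bug): an omitted argument is accepted and
# a different path is tested, so the outcome depends on the caller's mistake.
check_key_file_lenient() {  # $1 = dir, $2 = domain, $3 = fulldomain
  f=$(key_path "$1" "$2" "$3")
  [ -r "$f" ] || { echo "key $f is unreadable" >&2; return 1; }
}

# Strict check: refuse to run without the fulldomain, so a missing argument
# fails loudly at the call site instead of producing a misleading path.
check_key_file_strict() {  # $1 = dir, $2 = domain, $3 = fulldomain (required)
  [ -n "$3" ] || { echo "check_key_file_strict: fulldomain is required" >&2; return 2; }
  f=$(key_path "$1" "$2" "$3")
  [ -r "$f" ] || { echo "key $f is unreadable" >&2; return 1; }
}

# Constructed fixture: a temp dir holding only the correct per-challenge key
# (hypothetical names; example.net is a placeholder domain).
setup_fixture() {  # prints the temp dir
  d=$(mktemp -d) || return 1
  : > "$d/example.netnsupdate._acme-challenge.example.net.key"
  chmod 600 "$d/example.netnsupdate._acme-challenge.example.net.key"
  printf '%s\n' "$d"
}

demo() {
  d=$(setup_fixture)
  check_key_file_lenient "$d" example.net _acme-challenge.example.net \
    && echo "lenient, argument passed: key found"
  check_key_file_lenient "$d" example.net "" \
    || echo "lenient, argument forgotten: wrong path tested, exit $?"
  check_key_file_strict "$d" example.net "" \
    || echo "strict, argument forgotten: rejected before touching files, exit $?"
  rm -rf "$d"
}
demo
```

The point for anyone patching a dnsapi hook: make the per-domain argument mandatory in the helper, so both the add and the rm path fail the same way when it is missing, rather than rm quietly looking for a file that was never written.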
-
@gertjan said in Error validating wildcard *.domain using duckdns.org:
isn't working well
Yes, they are different.
When I validate a simple domain name like bicsa.cu it works fine (but later I see a simple error I described (https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns)),
This question is about when I add *.mydomain.cu to the same SAN to get a certificate for both (bicsa.cu, *.bicsa.cu) and get the error described in this post.
So I decided to validate only *.bicsa.cu; I get the certificate fine
but get the error
https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns
[Wed Feb 6 17:26:33 CST 2019] Error extracting the domain.
[Wed Feb 6 17:26:33 CST 2019] Error rm webroot api for domain: dns_duckdns
Anyway I got the certificate fine, but with this little error.
Sorry for my English, which makes it harder to make myself understood. -
When demanding a wildcard, you should set up for a domain twice:
domaine.tld
*.domaine.tld
Only using
*.domain.tld
isn't wrong, but excludes the base domain name from being valid for the certificate.
See https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578. Btw: I don't know anything about alias mode.
See https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode -
@gertjan
Yes, I know the requirement to demand a wildcard certificate as domaine.tld + *.domaine.tld, but I am detecting many errors; on the other hand, I am not planning to use my base domain at this time to publish and protect services under my base domain name.
I read about the alias mode and added to my DNS:
_acme-challenge IN CNAME _acme-challenge.b1c54cu.duckdns.org.
bicsa.co.cu
_acme-challenge IN CNAME _acme-challenge.b1c54c0cu.duckdns.org.
ibicsa.co.cu
_acme-challenge IN CNAME _acme-challenge.ib1c54c0cu.duckdns.org.
These domains under duckdns.org exist... but I am detecting these errors when I request a wildcard certificate for domaine.tld, *.domaine.tld. So a certificate for *.domaine.tld alone covers my hosts under *.domaine.tld (no base domain); they are fine, it works for me,
but in this case I get the certificate for *.domaine.tld fine! Hurrah! But in the end I see the error:
[Thu, 7 February 10:58:35 CST 2019] Failed to extract the domain.
[Thu, 7 February 10:58:35 CST 2019] Error rm webroot api for the domain: dns_duckdns
related in the other post
https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns
Are you telling me that the error is an error in acme.sh?
The error you described, I saw that error before in some test: "netnsupdate.key is illegible",
So you or some developer must repair the problem.
I've seen the error you described many times; read, read, change, compare etc., but nothing. For now, getting a *.mydomain.net certificate without the base domain is my solution.
What can I do?
Thanks -