ACME renewal fails for DNS Made Easy



  • After some time working without error the renewal stopped working in my pfsense. At the moment I'm running
    2.5.0-DEVELOPMENT (amd64)
    built on Tue Feb 25 09:05:17 EST 2020 with acme v0.6.5

    1. I did try to set a longer DNS sleep (600)
    2. I get a valid response when going to 'https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=xxx'
    3. With the same domain and DNS service I was able to renew a certificate for another server with certbot.

    This seems isolated to the implementation on PFsense. Anybody having the same issues? Or a suggestion?

    Thanks, Daniel

    Sat Feb 29 15:26:06 CET 2020] GET
    [Sat Feb 29 15:26:06 CET 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=xxx'
    [Sat Feb 29 15:26:06 CET 2020] timeout=
    [Sat Feb 29 15:26:06 CET 2020] Http already initialized.
    [Sat Feb 29 15:26:06 CET 2020] _CURL='curl -L --silent --dump-header /tmp/acme/pfsensexxx.xx//http.header -g '
    [Sat Feb 29 15:26:06 CET 2020] ret='0'
    [Sat Feb 29 15:26:06 CET 2020] response='{"folderId":97153,"pendingActionId":0,"gtdEnabled":false,"nameServers":[{"ipv6":"2600:1800:0::1","id":1,"fqdn":"ns0.dnsmadeeasy.com","groupId":1,"ipv4":"208.94.148.2"},{"ipv6":"2600:1801:1::1","id":2,"fqdn":"ns1.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.124.2"},{"ipv6":"2600:1802:2::1","id":3,"fqdn":"ns2.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.126.2"},{"ipv6":"2600:1801:3::1","id":4,"fqdn":"ns3.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.125.2"},{"ipv6":"2600:1802:4::1","id":5,"fqdn":"ns4.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.127.2"}],"updated":1578306776203,"created":1538006400000,"processMulti":false,"activeThirdParties":[],"delegateNameServers":["ns0.dnsmadeeasy.com.","ns1.dnsmadeeasy.com.","ns2.dnsmadeeasy.com.","ns3.dnsmadeeasy.com.","ns4.dnsmadeeasy.com."],"name":"xxx.xx","id":603667912}'
    [Sat Feb 29 15:26:06 CET 2020] invalid domain
    [Sat Feb 29 15:26:06 CET 2020] Error add txt for domain:_acme-challenge.pfsense.xxxx.xx
    [Sat Feb 29 15:26:06 CET 2020] _on_issue_err
    [Sat Feb 29 15:26:06 CET 2020] Please check log file for more details: /tmp/acme/pfsense.xxx.xx/acme_issuecert.log



  • Similar behavior on 2.4.4.-RELEASE-p3
    
    [Sun Mar  1 02:31:06 EST 2020] Adding txt value: 5u-3yLUAGGj18Wule9kNs8jgZm0xGzmGSRdn5IdJ-28 for domain:  _acme-challenge.some.domain.com
    [Sun Mar  1 02:31:06 EST 2020] APP
    [Sun Mar  1 02:31:06 EST 2020] 5:ME_Key='a0237826-cbcd-48b3-8573-2f9aa43dd303'
    [Sun Mar  1 02:31:06 EST 2020] APP
    [Sun Mar  1 02:31:06 EST 2020] 6:ME_Secret='7d470065-0409-43a4-aeb5-4a235b6c61bb'
    [Sun Mar  1 02:31:06 EST 2020] First detect the root zone
    [Sun Mar  1 02:31:06 EST 2020] name?domainname=some.domain.com
    [Sun Mar  1 02:31:06 EST 2020] od exists=0
    [Sun Mar  1 02:31:06 EST 2020] GET
    [Sun Mar  1 02:31:06 EST 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=some.domain.com'
    [Sun Mar  1 02:31:06 EST 2020] timeout=
    [Sun Mar  1 02:31:06 EST 2020] curl exists=0
    [Sun Mar  1 02:31:06 EST 2020] wget exists=127
    [Sun Mar  1 02:31:06 EST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header  -g '
    [Sun Mar  1 02:31:07 EST 2020] ret='0'
    [Sun Mar  1 02:31:07 EST 2020] response='<html><head><title>Apache Tomcat/7.0.12 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Not Found</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Not Found</u></p><p><b>description</b> <u>The requested resource (Not Found) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.12</h3></body></html>'
    [Sun Mar  1 02:31:07 EST 2020] name?domainname=exodus.pw
    [Sun Mar  1 02:31:07 EST 2020] od exists=0
    [Sun Mar  1 02:31:07 EST 2020] GET
    [Sun Mar  1 02:31:07 EST 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=exodus.pw'
    [Sun Mar  1 02:31:07 EST 2020] timeout=
    [Sun Mar  1 02:31:07 EST 2020] curl exists=0
    [Sun Mar  1 02:31:07 EST 2020] wget exists=127
    [Sun Mar  1 02:31:07 EST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header  -g '
    [Sun Mar  1 02:31:07 EST 2020] ret='0'
    
    


  • After the 'curl' output:
    @latez said in ACME renewal fails for DNS Made Easy:

    https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=some.domain.com

    the answer was 'page not found': "HTTP Status 404 - Not Found". Note that the 404 is an error code coming from the web server of the dnsmadeeasy API (the "Apache Tomcat").

    Yeah, acme.sh can't proceed afterwards.

    Going by your message and the one from @danielvanderwal, dnsmadeeasy changed something in their API, in the way it should be used (called).



  • Thanks for the confirmation. As this module uses a DNS plugin for acme.sh, it makes sense to have the plugin fixed there.

    tumtumsback already opened a ticket:
    https://github.com/acmesh-official/acme.sh/issues/2767
    There seems to be a fix merged already:
    https://github.com/acmesh-official/acme.sh/issues/2031
    But in my setup they don't work. See also:
    https://github.com/acmesh-official/acme.sh/pull/2726

    I added my error to acmesh-official



  • Most if not all issues above propose solutions - some of them are already merged in.

    What about putting in place the latest dns_me file from https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_me.sh and testing it?

    It's clear that DNS Made Easy changed the data expected to be returned. That can happen.



  • I see the last version of the code is already there on the pfSense. I tested the suggestions, and only when changing the code in line 117 to: _domain_id=$(printf "%s\n" "$response" | jq .id ) can I renew.

    https://github.com/acmesh-official/acme.sh/issues/2031#issuecomment-583234440

    Strange thing is, after the edit of the script the web interface renewal does not work, but when running the command on the terminal all is fine.

    /usr/local/pkg/acme/acme.sh --issue -d 'xxx.xxxxx.xx' --dns 'dns_me' --home '/tmp/acme/xxx.xxxxx.xx/' --accountconf '/tmp/acme/xxx.xxxxx.xx/accountconf.conf' --force --reloadCmd '/tmp/acme/xxx.xxxxx.xx/reloadcmd.sh' --log-level 3 --log '/tmp/acme/xxx.xxxxx.xx/acme_issuecert.log'
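    The two logs above show the two response shapes the plugin has to cope with: a managed-zone record whose nested nameServers entries each carry their own "id" (first post), and a Tomcat 404 page for a name the account does not manage (second post), after which acme.sh walks up to the parent domain. The script below is an added example, not acme.sh's own dns_me.sh: it shows that root-zone detection loop with the domain id taken from the top-level "id" key, the approach the jq fix takes. The API call is stubbed (_me_get_zone is a hypothetical stand-in for the authenticated GET), the responses are constructed from the shapes seen above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not acme.sh's dns_me.sh): root-zone detection for a
# DNS Made Easy style API. The domain id is read from the top-level "id"
# key, never from the first "id" that happens to appear in the response.

# Constructed responses modelled on the two shapes seen in the thread.
ZONE_JSON='{"folderId":97153,"nameServers":[{"id":1,"fqdn":"ns0.example.invalid"},{"id":2,"fqdn":"ns1.example.invalid"}],"delegateNameServers":["ns0.example.invalid.","ns1.example.invalid."],"name":"example.test","id":603667912}'
NOT_FOUND_HTML='<html><head><title>Apache Tomcat/7.0.12 - Error report</title></head><body><h1>HTTP Status 404 - Not Found</h1></body></html>'

# Hypothetical stub for GET /V2.0/dns/managed/name?domainname=<name>:
# only example.test is "managed"; everything else gets the 404 page.
_me_get_zone() {
  case "$1" in
    example.test) printf '%s' "$ZONE_JSON" ;;
    *) printf '%s' "$NOT_FOUND_HTML" ;;
  esac
}

# Extract the top-level numeric "id" from a zone response.
# Prefers jq (what the thread's fix uses); otherwise strips every JSON
# array before matching so nested nameServers ids cannot be picked up.
# Prints nothing and returns 1 for a non-JSON (e.g. 404 HTML) response.
_me_zone_id() {
  _resp=$1
  if command -v jq >/dev/null 2>&1; then
    _id=$(printf '%s' "$_resp" | jq -r '.id? // empty' 2>/dev/null) || _id=''
  else
    _id=$(printf '%s' "$_resp" | sed 's/\[[^]]*\]//g' | sed -n 's/.*"id":\([0-9][0-9]*\).*/\1/p')
  fi
  case "$_id" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s' "$_id"
}

# Walk up from the challenge name (e.g. _acme-challenge.host.example.test)
# until the API reports a managed zone; prints "<zone> <id>" or returns 1.
_me_find_root_zone() {
  _name=$1
  while [ -n "$_name" ]; do
    _resp=$(_me_get_zone "$_name")
    if _id=$(_me_zone_id "$_resp"); then
      printf '%s %s' "$_name" "$_id"
      return 0
    fi
    # drop the leftmost label; give up once no dot remains
    case "$_name" in
      *.*) _name=${_name#*.} ;;
      *) break ;;
    esac
  done
  return 1
}

# Stand-alone run: prints "example.test 603667912"
_me_find_root_zone "_acme-challenge.pfsense.example.test" && echo
```

    The sed fallback is only there so the script runs where jq is absent; matching JSON with regular expressions is exactly what broke when the provider added nested ids, so a real plugin should parse the response properly, as the jq change does.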



  • @danielvanderwal Thank you for reporting the issue!
    Though it appears you're using an old version of acme.sh

    As @Gertjan notes the DNS Made Easy API did change recently.

    A fix was implemented for that API change,
    however you have also reported an issue stemming from that most recent fix.

    In response to this new issue, a pull request has been created here.

    Please watch for that pull request to be merged
    and the fix should be available in the next acme.sh release (>2.8.6)



  • @Blfrg Thanks, that worked perfectly. Your last fix also works with the GUI of pfSense when added by hand. After the merge all should be fine again. Thanks for your patch!

