Netgate Discussion Forum
    ACME renewal fails for DNS Made Easy

danielvanderwal

After some time of working without error, the renewal stopped working in my pfSense. At the moment I'm running
2.5.0-DEVELOPMENT (amd64)
built on Tue Feb 25 09:05:17 EST 2020 with acme v0.6.5

      1. I did try to set a longer DNS sleep (600)
      2. I get a valid response when going to 'https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=xxx'
3. With the same domain and DNS service I was able to renew a certificate for another server with certbot.

This seems isolated to the implementation on pfSense. Anybody having the same issues? Or a suggestion?

      Thanks, Daniel

[Sat Feb 29 15:26:06 CET 2020] GET
      [Sat Feb 29 15:26:06 CET 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=xxx'
      [Sat Feb 29 15:26:06 CET 2020] timeout=
      [Sat Feb 29 15:26:06 CET 2020] Http already initialized.
[Sat Feb 29 15:26:06 CET 2020] _CURL='curl -L --silent --dump-header /tmp/acme/pfsensexxx.xx//http.header -g '
      [Sat Feb 29 15:26:06 CET 2020] ret='0'
      [Sat Feb 29 15:26:06 CET 2020] response='{"folderId":97153,"pendingActionId":0,"gtdEnabled":false,"nameServers":[{"ipv6":"2600:1800:0::1","id":1,"fqdn":"ns0.dnsmadeeasy.com","groupId":1,"ipv4":"208.94.148.2"},{"ipv6":"2600:1801:1::1","id":2,"fqdn":"ns1.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.124.2"},{"ipv6":"2600:1802:2::1","id":3,"fqdn":"ns2.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.126.2"},{"ipv6":"2600:1801:3::1","id":4,"fqdn":"ns3.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.125.2"},{"ipv6":"2600:1802:4::1","id":5,"fqdn":"ns4.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.127.2"}],"updated":1578306776203,"created":1538006400000,"processMulti":false,"activeThirdParties":[],"delegateNameServers":["ns0.dnsmadeeasy.com.","ns1.dnsmadeeasy.com.","ns2.dnsmadeeasy.com.","ns3.dnsmadeeasy.com.","ns4.dnsmadeeasy.com."],"name":"xxx.xx","id":603667912}'
      [Sat Feb 29 15:26:06 CET 2020] invalid domain
      [Sat Feb 29 15:26:06 CET 2020] Error add txt for domain:_acme-challenge.pfsense.xxxx.xx
      [Sat Feb 29 15:26:06 CET 2020] _on_issue_err
      [Sat Feb 29 15:26:06 CET 2020] Please check log file for more details: /tmp/acme/pfsense.xxx.xx/acme_issuecert.log

latez

Similar behavior on 2.4.4-RELEASE-p3
        
        [Sun Mar  1 02:31:06 EST 2020] Adding txt value: 5u-3yLUAGGj18Wule9kNs8jgZm0xGzmGSRdn5IdJ-28 for domain:  _acme-challenge.some.domain.com
        [Sun Mar  1 02:31:06 EST 2020] APP
        [Sun Mar  1 02:31:06 EST 2020] 5:ME_Key='a0237826-cbcd-48b3-8573-2f9aa43dd303'
        [Sun Mar  1 02:31:06 EST 2020] APP
        [Sun Mar  1 02:31:06 EST 2020] 6:ME_Secret='7d470065-0409-43a4-aeb5-4a235b6c61bb'
        [Sun Mar  1 02:31:06 EST 2020] First detect the root zone
        [Sun Mar  1 02:31:06 EST 2020] name?domainname=some.domain.com
        [Sun Mar  1 02:31:06 EST 2020] od exists=0
        [Sun Mar  1 02:31:06 EST 2020] GET
        [Sun Mar  1 02:31:06 EST 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=some.domain.com'
        [Sun Mar  1 02:31:06 EST 2020] timeout=
        [Sun Mar  1 02:31:06 EST 2020] curl exists=0
        [Sun Mar  1 02:31:06 EST 2020] wget exists=127
        [Sun Mar  1 02:31:06 EST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header  -g '
        [Sun Mar  1 02:31:07 EST 2020] ret='0'
[Sun Mar  1 02:31:07 EST 2020] response='<html><head><title>Apache Tomcat/7.0.12 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Not Found</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Not Found</u></p><p><b>description</b> <u>The requested resource (Not Found) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.12</h3></body></html>'
        [Sun Mar  1 02:31:07 EST 2020] name?domainname=exodus.pw
        [Sun Mar  1 02:31:07 EST 2020] od exists=0
        [Sun Mar  1 02:31:07 EST 2020] GET
        [Sun Mar  1 02:31:07 EST 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=exodus.pw'
        [Sun Mar  1 02:31:07 EST 2020] timeout=
        [Sun Mar  1 02:31:07 EST 2020] curl exists=0
        [Sun Mar  1 02:31:07 EST 2020] wget exists=127
        [Sun Mar  1 02:31:07 EST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header  -g '
        [Sun Mar  1 02:31:07 EST 2020] ret='0'
        
        
Gertjan

After curl went out to:
          @latez said in ACME renewal fails for DNS Made Easy:

          https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=some.domain.com

the answer was 'page not found': "HTTP Status 404 - Not Found". Note that the 404 is an error code coming from the web server of the dnsmadeeasy API (the "Apache Tomcat").

          Yeah, acme.sh can't proceed afterwards.

Your message and the one from @danielvanderwal: dnsmadeeasy changed something in their API, the way it should be used (called).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

danielvanderwal

Thanks for the confirmation. As this module uses a DNS plugin for acme.sh, it makes sense to have the plugin fixed there.

            tumtumsback already opened a ticket:
            https://github.com/acmesh-official/acme.sh/issues/2767
There seems to be a fix merged already:
            https://github.com/acmesh-official/acme.sh/issues/2031
            But in my setup they don't work. See also:
            https://github.com/acmesh-official/acme.sh/pull/2726

            I added my error to acmesh-official

Gertjan

              Most if not all issues above propose solutions - some of them are already merged in.

              What about putting in place the latest dns_me file from https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_me.sh and testing it ?

              It's clear that DNS Made Easy changed the data expected to be returned. That can happen.


danielvanderwal

I see the latest version of the code is already there on the pfSense. I tested the suggestions, and only when changing the code in line 117 to `_domain_id=$(printf "%s\n" "$response" | jq .id )` can I renew.

                https://github.com/acmesh-official/acme.sh/issues/2031#issuecomment-583234440

Strange thing is that after the edit of the script the web-interface renewal does not work, but when running the command on the terminal all is fine.

                /usr/local/pkg/acme/acme.sh --issue -d 'xxx.xxxxx.xx' --dns 'dns_me' --home '/tmp/acme/xxx.xxxxx.xx/' --accountconf '/tmp/acme/xxx.xxxxx.xx/accountconf.conf' --force --reloadCmd '/tmp/acme/xxx.xxxxx.xx/reloadcmd.sh' --log-level 3 --log '/tmp/acme/xxx.xxxxx.xx/acme_issuecert.log'

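The step that breaks in both logs above is the plugin's "First detect the root zone" walk: dns_me.sh tries the full record name and then each parent against /V2.0/dns/managed/name?domainname=..., and the API now answers with a Tomcat 404 page for a name that is not a managed zone and with a bare JSON zone object (top-level "id", no wrapper) for the zone itself. The following is an added example, not acme.sh's or pfSense's code, that reproduces that walk offline against constructed stand-ins for those two bodies (abridged from the logs in this thread; me_get_zone and the MOCK_* values are assumptions made for the example). It parses the id with grep/sed only, because acme.sh does not depend on jq, and it strips nested arrays first, since every nameServers entry in the zone object carries its own "id":N. Two caveats a practitioner should take from the logs: curl --silent returns ret='0' even for the 404 page, so the body has to be inspected rather than the exit status; and the --log-level 3 output posted by latez prints ME_Key and ME_Secret in the clear, so a debug log from that level is a credential disclosure and the key should be rotated before it is shared.

```shell
#!/bin/sh
# Added example (not acme.sh's own code): walk up a record name to find the
# managed zone the way dns_me.sh's "First detect the root zone" step does,
# against the two response shapes shown in this thread:
#   - a Tomcat "HTTP Status 404" HTML page for a name that is not a zone
#   - a bare JSON zone object whose top-level "id" is the zone id

# Constructed stand-ins for API bodies, abridged from the logs in the thread.
MOCK_404='<html><head><title>Apache Tomcat/7.0.12 - Error report</title></head><body><h1>HTTP Status 404 - Not Found</h1></body></html>'
MOCK_ZONE='{"folderId":97153,"pendingActionId":0,"gtdEnabled":false,"nameServers":[{"ipv6":"2600:1800:0::1","id":1,"fqdn":"ns0.dnsmadeeasy.com","groupId":1,"ipv4":"208.94.148.2"},{"ipv6":"2600:1801:1::1","id":2,"fqdn":"ns1.dnsmadeeasy.com","groupId":1,"ipv4":"208.80.124.2"}],"activeThirdParties":[],"delegateNameServers":["ns0.dnsmadeeasy.com.","ns1.dnsmadeeasy.com."],"name":"xxx.xx","id":603667912}'

# Hypothetical stand-in for the plugin's authenticated GET of
# /V2.0/dns/managed/name?domainname=<name>; returns canned bodies so the
# example runs offline. With curl --silent the 404 page still comes back
# with exit status 0 (ret='0' in the logs), so the body must be inspected.
me_get_zone() {
  case "$1" in
    xxx.xx) printf '%s' "$MOCK_ZONE" ;;
    *)      printf '%s' "$MOCK_404" ;;
  esac
}

# Pull the top-level "id" out of a zone object with grep/sed only (acme.sh
# avoids a jq dependency). Nested arrays are stripped first, because every
# nameServers entry carries its own "id":N and would otherwise be matched.
# Prints nothing for a body that is not a zone object (e.g. the 404 page).
json_zone_id() {
  printf '%s' "$1" \
    | sed 's/\[[^]]*\]//g' \
    | grep -o '"id":[0-9][0-9]*' \
    | head -n 1 \
    | sed 's/^"id"://'
}

# Given the full record name, try it and each parent in turn until the API
# returns an object whose "name" equals the candidate and carries an id.
# Prints id=<zone id> zone=<zone> sub=<labels below the zone>; returns 1 if
# no managed zone is found before reaching the bare top-level label.
detect_root_zone() {
  fqdn=$1
  i=1
  while :; do
    h=$(printf '%s' "$fqdn" | cut -d . -f "$i"-)
    case "$h" in
      *.*) ;;
      *) return 1 ;;   # down to a bare TLD (or nothing left): give up
    esac
    body=$(me_get_zone "$h")
    case "$body" in
      *"\"name\":\"$h\""*)
        id=$(json_zone_id "$body")
        if [ -n "$id" ]; then
          if [ "$i" -eq 1 ]; then
            sub=""
          else
            sub=$(printf '%s' "$fqdn" | cut -d . -f 1-$((i - 1)))
          fi
          printf 'id=%s zone=%s sub=%s\n' "$id" "$h" "$sub"
          return 0
        fi
        ;;
    esac
    i=$((i + 1))
  done
}

# The record name from the first post: two 404 answers, then the zone.
detect_root_zone _acme-challenge.pfsense.xxx.xx
# id=603667912 zone=xxx.xx sub=_acme-challenge.pfsense
```

The printed zone id and sub label are exactly what the plugin needs next: the TXT record is created as name `_acme-challenge.pfsense` under zone 603667912. A name that never resolves to a managed zone (latez's `_acme-challenge.some.domain.com` in the mock) ends with a non-zero return instead of the "invalid domain" path being hit on the first 404.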
Blfrg

                  @danielvanderwal Thank you for reporting the issue!
                  Though it appears you're using an old version of acme.sh

                  As @Gertjan notes the DNS Made Easy API did change recently.

                  A fix was implemented for that API change,
                  however you have also reported an issue stemming from that most recent fix.

In response to this new issue,
                  A pull request has been created here

                  Please watch for that pull request to be merged
                  and the fix should be available in the next acme.sh release (>2.8.6)

danielvanderwal @Blfrg

@Blfrg Thanks, that worked perfectly. Your last fix also works with the GUI of pfSense when added by hand. After the merge all should be fine again. Thanks for your patch!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.