Acme issue with DNSMadeEasy
-
Trying to get a subdomain working with Acme and keep getting that the domain is not valid.
Trying to have support.filopto.com use https with let's encrypt. When I try creating the certificate I get that the Domain is not valid. Do not know what I'm doing wrong. The domain does exist and working
Any help would be appreciated.
Here is part of the log file showing the error:
[Tue Mar 10 11:43:52 ADT 2020] d_api='/usr/local/pkg/acme/dnsapi/dns_me.sh'
[Tue Mar 10 11:43:52 ADT 2020] dns_entry='support.filopto.com,_acme-challenge.support.filopto.com,,dns_me,R2XXXXX,/usr/local/pkg/acme/dnsapi/dns_me.sh'
[Tue Mar 10 11:43:52 ADT 2020] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_me.sh
[Tue Mar 10 11:43:52 ADT 2020] dns_me_add exists=0
[Tue Mar 10 11:43:52 ADT 2020] Adding txt value: R2XXXXfor domain: _acme-challenge.support.filopto.com
[Tue Mar 10 11:43:52 ADT 2020] APP
[Tue Mar 10 11:43:52 ADT 2020] 5:ME_Key='XXXXXX'
[Tue Mar 10 11:43:52 ADT 2020] APP
[Tue Mar 10 11:43:52 ADT 2020] 6:ME_Secret='XXXXXX'
[Tue Mar 10 11:43:52 ADT 2020] First detect the root zone
[Tue Mar 10 11:43:52 ADT 2020] name?domainname=support.filopto.com
[Tue Mar 10 11:43:52 ADT 2020] od exists=0
[Tue Mar 10 11:43:52 ADT 2020] GET
[Tue Mar 10 11:43:52 ADT 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=support.filopto.com'
[Tue Mar 10 11:43:52 ADT 2020] timeout=
[Tue Mar 10 11:43:52 ADT 2020] Http already initialized.
[Tue Mar 10 11:43:52 ADT 2020] _CURL='curl -L --silent --dump-header /tmp/acme/filopto.com//http.header -g '
[Tue Mar 10 11:43:53 ADT 2020] ret='0'
[Tue Mar 10 11:43:53 ADT 2020] response='<html><head><title>Apache Tomcat/7.0.12 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Not Found</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Not Found</u></p><p><b>description</b> <u>The requested resource (Not Found) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.12</h3></body></html>'
[Tue Mar 10 11:43:53 ADT 2020] name?domainname=filopto.com
[Tue Mar 10 11:43:53 ADT 2020] od exists=0
[Tue Mar 10 11:43:53 ADT 2020] GET
[Tue Mar 10 11:43:53 ADT 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=filopto.com'
[Tue Mar 10 11:43:53 ADT 2020] timeout=
[Tue Mar 10 11:43:53 ADT 2020] Http already initialized.
[Tue Mar 10 11:43:53 ADT 2020] _CURL='curl -L --silent --dump-header /tmp/acme/filopto.com//http.header -g '
[Tue Mar 10 11:43:53 ADT 2020] ret='0'
[Tue Mar 10 11:43:53 ADT 2020] response='{"folderId":2329,"pendingActionId":0,"gtdEnabled":false,"vanityId":5577,"nameServers":[{"ipv6":"2600:1800:10::1","id":10,"fqdn":"ns10.dnsmadeeasy.com","groupId":2,"ipv4":"208.94.148.4"},{"ipv6":"2600:1801:11::1","id":11,"fqdn":"ns11.dnsmadeeasy.com","groupId":2,"ipv4":"208.80.124.4"},{"ipv6":"2600:1802:12::1","id":12,"fqdn":"ns12.dnsmadeeasy.com","groupId":2,"ipv4":"208.80.126.4"},{"ipv6":"2600:1801:13::1","id":13,"fqdn":"ns13.dnsmadeeasy.com","groupId":2,"ipv4":"208.80.125.4"},{"ipv6":"2600:1802:14::1","id":14,"fqdn":"ns14.dnsmadeeasy.com","groupId":2,"ipv4":"208.80.127.4"},{"ipv6":"2600:1800:15::1","id":15,"fqdn":"ns15.dnsmadeeasy.com","groupId":2,"ipv4":"208.94.149.4"}],"updated":1583850681789,"created":1336003200000,"processMulti":false,"activeThirdParties":[],"axfrServer":{"fqdn":"axfr2.dnsmadeeasy.com","groupId":2,"ipv4":"208.94.147.18"},"delegateNameServers":["ns10.dnsmadeeasy.com.","ns11.dnsmadeeasy.com.","ns12.dnsmadeeasy.com.","ns13.dnsmadeeasy.com.","ns14.dnsmadeeasy.com."],"transferAclId":2362,"vanityNameServers":[{"id":5577,"fqdn":"ns10.dnsmadeeasy.com"},{"id":5577,"fqdn":"ns11.dnsmadeeasy.com"},{"id":5577,"fqdn":"ns12.dnsmadeeasy.com"},{"id":5577,"fqdn":"ns13.dnsmadeeasy.com"},{"id":5577,"fqdn":"ns14.dnsmadeeasy.com"}],"name":"filopto.com","id":789227}'
[Tue Mar 10 11:43:53 ADT 2020] invalid domain
[Tue Mar 10 11:43:53 ADT 2020] Error add txt for domain:_acme-challenge.support.filopto.com
[Tue Mar 10 11:43:53 ADT 2020] _on_issue_err
[Tue Mar 10 11:43:53 ADT 2020] Please check log file for more details: /tmp/acme/filopto.com/acme_issuecert.log -
Tried to use wild car and now I'm getting a different error "illegal byte count -- -2"
filopto
Renewing certificate
account: filopto
server: letsencrypt-production-2/usr/local/pkg/acme/acme.sh --issue -d 'filopto.com' --dns 'dns_me' -d '.filopto.com' --dns 'dns_me' --home '/tmp/acme/filopto/' --accountconf '/tmp/acme/filopto/accountconf.conf' --force --reloadCmd '/tmp/acme/filopto/reloadcmd.sh' --log-level 3 --log '/tmp/acme/filopto/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[ME_Key] => XXXXX
[ME_Secret] => XXXXXXX
[Tue Mar 10 14:06:42 ADT 2020] Multi domain='DNS:filopto.com,DNS:.filopto.com'
[Tue Mar 10 14:06:42 ADT 2020] Getting domain auth token for each domain
[Tue Mar 10 14:06:43 ADT 2020] Getting webroot for domain='filopto.com'
[Tue Mar 10 14:06:43 ADT 2020] Getting webroot for domain='*.filopto.com'
[Tue Mar 10 14:06:44 ADT 2020] Adding txt value: kcqby-j_ZBVFtYKIWtAgieJ-LG2fMqC4Ta26NmGDFas for domain: _acme-challenge.filopto.com
head: illegal byte count -- -2
[Tue Mar 10 14:06:44 ADT 2020] invalid domain
[Tue Mar 10 14:06:44 ADT 2020] Error add txt for domain:_acme-challenge.filopto.com
[Tue Mar 10 14:06:44 ADT 2020] Please check log file for more details: /tmp/acme/filopto/acme_issuecert.log -
@cjbujold said in Acme issue with DNSMadeEasy:
"illegal byte count -- -2"
I get the same "illegal byte count -- -2" when I use just a single node machine.example.com
I played with this until I hit the LE limits and then had to wait for the next hour and try again. I ended up doing DNS Manual and adding the record myself.
In other programs that get certs, you have to select the domain and the machine in different fields so it looks up the correct domain and then adds the txt record using just the machine name since DNSMadeEsasy automatically appends the domain.
-
This happening across all devices that were working just fine would be nice understand how to fix we are the latest stable for pfsense and acme?
-
Yes this is happening on all device here is an example of the error log we get:
The error is saying invalid domain but the domain is valid. I presume that the acme program is adding some spaces or character that breaks the domain Key or name when adding the TXT record from being valid but the log is not pointing to anything useful.
How can we fix is still the question??????
accra
Renewing certificate
account: accra
server: letsencrypt-production-2/usr/local/pkg/acme/acme.sh --issue -d 'protector.accra.ca' --dns 'dns_me' --home '/tmp/acme/accra/' --accountconf '/tmp/acme/accra/accountconf.conf' --force --reloadCmd '/tmp/acme/accra/reloadcmd.sh' --log-level 3 --log '/tmp/acme/accra/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[ME_Key] => XXXXXX
[ME_Secret] => XXXXX
)
[Sun Apr 26 09:31:50 ADT 2020] Single domain='protector.accra.ca'
[Sun Apr 26 09:31:50 ADT 2020] Getting domain auth token for each domain
[Sun Apr 26 09:31:51 ADT 2020] Getting webroot for domain='protector.accra.ca'
[Sun Apr 26 09:31:51 ADT 2020] Adding txt value: lBCp8Wt4-qAaJhFXujd6ahh4nz0SqGSTUoSLW5kB-Ys for domain: _acme-challenge.protector.accra.ca
head: illegal byte count -- -2
[Sun Apr 26 09:31:52 ADT 2020] invalid domain
[Sun Apr 26 09:31:52 ADT 2020] Error add txt for domain:_acme-challenge.protector.accra.ca
[Sun Apr 26 09:31:52 ADT 2020] Please check log file for more details: /tmp/acme/accra/acme_issuecert.logPertinent section of detail log:
[Sun Apr 26 09:31:51 ADT 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=protector.accra.ca'
[Sun Apr 26 09:31:51 ADT 2020] timeout=
[Sun Apr 26 09:31:51 ADT 2020] Http already initialized.
[Sun Apr 26 09:31:51 ADT 2020] _CURL='curl -L --silent --dump-header /tmp/acme/accra//http.header -g '
[Sun Apr 26 09:31:51 ADT 2020] ret='0'
[Sun Apr 26 09:31:51 ADT 2020] response='<html><head><title>Apache Tomcat/7.0.12 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Not Found</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Not Found</u></p><p><b>description</b> <u>The requested resource (Not Found) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.12</h3></body></html>'
[Sun Apr 26 09:31:51 ADT 2020] name?domainname=accra.ca
[Sun Apr 26 09:31:51 ADT 2020] od exists=0
[Sun Apr 26 09:31:51 ADT 2020] GET
[Sun Apr 26 09:31:51 ADT 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=accra.ca'
[Sun Apr 26 09:31:51 ADT 2020] timeout=
[Sun Apr 26 09:31:51 ADT 2020] Http already initialized.
[Sun Apr 26 09:31:51 ADT 2020] _CURL='curl -L --silent --dump-header /tmp/acme/accra//http.header -g '
[Sun Apr 26 09:31:52 ADT 2020] ret='0'
[Sun Apr 26 09:31:52 ADT 2020] response='{"created":1336003200000,"delegateNameServers":["ns10.dnsmadeeasy.com.","ns11.dnsmadeeasy.com.","ns12.dnsmadeeasy.com.","ns13.dnsmadeeasy.com."],"soaId":5348,"vanityNameServers":[{"id":5187,"fqdn":"ns10.dnsmadeeasy.com"},{"id":5187,"fqdn":"ns11.dnsmadeeasy.com"},{"id":5187,"fqdn":"ns12.dnsmadeeasy.com"},{"id":5187,"fqdn":"ns13.dnsmadeeasy.com"}],"processMulti":false,"activeThirdParties":[{"label":"SendGrid","value":2}],"gtdEnabled":false,"vanityId":5187,"nameServers":[{"ipv6":"2600:1800:10::1","id":10,"ipv4":"208.94.148.4","fqdn":"ns10.dnsmadeeasy.com","groupId":2},{"ipv6":"2600:1801:11::1","id":11,"ipv4":"208.80.124.4","fqdn":"ns11.dnsmadeeasy.com","groupId":2},{"ipv6":"2600:1802:12::1","id":12,"ipv4":"208.80.126.4","fqdn":"ns12.dnsmadeeasy.com","groupId":2},{"ipv6":"2600:1801:13::1","id":13,"ipv4":"208.80.125.4","fqdn":"ns13.dnsmadeeasy.com","groupId":2},{"ipv6":"2600:1802:14::1","id":14,"ipv4":"208.80.127.4","fqdn":"ns14.dnsmadeeasy.com","groupId":2},{"ipv6":"2600:1800:15::1","id":15,"ipv4":"208.94.149.4","fqdn":"ns15.dnsmadeeasy.com","groupId":2}],"updated":1587753489876,"folderId":2329,"pendingActionId":0,"name":"accra.ca","id":789249}'
[Sun Apr 26 09:31:52 ADT 2020] invalid domain
[Sun Apr 26 09:31:52 ADT 2020] Error add txt for domain:_acme-challenge.protector.accra.ca
[Sun Apr 26 09:31:52 ADT 2020] _on_issue_err
[Sun Apr 26 09:31:52 ADT 2020] Please check log file for more details: /tmp/acme/accra/acme_issuecert.log
[Sun Apr 26 09:31:52 ADT 2020] -
Update the ACME package and try again. There was a change in the acme.sh script for DNSMadeEasy which may help.
-
Hi,
Updated to version 0.6.8 and added a new entry to acme and submitted a request using the DSN Made Easy option. The error code 60 seems to indicate that acme is locked to Cloudflare and not using DNSMadeEasy for the connection. Here is what I get back as an error:
[Thu Apr 30 09:21:38 ADT 2020] Multi domain='DNS:help10.filopto.com,DNS:support.filopto.com,DNS:update.filopto.com'
[Thu Apr 30 09:21:38 ADT 2020] Getting domain auth token for each domain
[Thu Apr 30 09:21:40 ADT 2020] Getting webroot for domain='help10.filopto.com'
[Thu Apr 30 09:21:40 ADT 2020] Getting webroot for domain='support.filopto.com'
[Thu Apr 30 09:21:40 ADT 2020] Getting webroot for domain='update.filopto.com'
[Thu Apr 30 09:21:40 ADT 2020] Adding txt value: gTPi8XXXXXX for domain: _acme-challenge.update.filopto.com
[Thu Apr 30 09:21:42 ADT 2020] Adding record
[Thu Apr 30 09:21:42 ADT 2020] Add txt record error.
[Thu Apr 30 09:21:42 ADT 2020] Error add txt for domain:_acme-challenge.update.filopto.com
[Thu Apr 30 09:21:42 ADT 2020] Please check log file for more details:Detail Log:
[Thu Apr 30 09:22:58 ADT 2020] d='update.filopto.com'
[Thu Apr 30 09:22:58 ADT 2020] txtdomain='_acme-challenge.update.filopto.com'
[Thu Apr 30 09:22:58 ADT 2020] aliasDomain='_acme-challenge.update.filopto.com'
[Thu Apr 30 09:22:58 ADT 2020] txt='gTPi8VXXXXX'
[Thu Apr 30 09:22:58 ADT 2020] d_api='/usr/local/pkg/acme/dnsapi/dns_me.sh'
[Thu Apr 30 09:22:58 ADT 2020] Checking update.filopto.com for _acme-challenge.update.filopto.com
[Thu Apr 30 09:22:58 ADT 2020] _c_txtdomain='_acme-challenge.update.filopto.com'
[Thu Apr 30 09:22:58 ADT 2020] _c_aliasdomain='_acme-challenge.update.filopto.com'
[Thu Apr 30 09:22:58 ADT 2020] _c_txt='gTPi8XXXXXX'
[Thu Apr 30 09:22:58 ADT 2020] Detect dns server first.
[Thu Apr 30 09:22:58 ADT 2020] GET
[Thu Apr 30 09:22:58 ADT 2020] url='https://cloudflare-dns.com'
[Thu Apr 30 09:22:58 ADT 2020] timeout=
[Thu Apr 30 09:22:58 ADT 2020] Http already initialized.
[Thu Apr 30 09:22:58 ADT 2020] _CURL='curl -L --silent --dump-header /tmp/acme/filopto//http.header -g '
[Thu Apr 30 09:22:58 ADT 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Apr 30 09:22:58 ADT 2020] ret='60'
[Thu Apr 30 09:22:58 ADT 2020] Use google doh server
[Thu Apr 30 09:22:58 ADT 2020] _ns_ep='https://dns.google/resolve'
[Thu Apr 30 09:22:58 ADT 2020] _ns_domain='_acme-challenge.update.filopto.com'
[Thu Apr 30 09:22:58 ADT 2020] _ns_type='TXT'
[Thu Apr 30 09:22:58 ADT 2020] GET
[Thu Apr 30 09:22:58 ADT 2020] url='https://dns.google/resolve?name=_acme-challenge.update.filopto.com&type=TXT'
[Thu Apr 30 09:22:58 ADT 2020] timeout=
[Thu Apr 30 09:22:58 ADT 2020] Http already initialized.
[Thu Apr 30 09:22:58 ADT 2020] _CURL='curl -L --silent --dump-header /tmp/acme/filopto//http.header -g '
[Thu Apr 30 09:22:58 ADT 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Apr 30 09:22:58 ADT 2020] ret='60'
[Thu Apr 30 09:22:58 ADT 2020] response
[Thu Apr 30 09:22:58 ADT 2020] Not valid yet, let's wait 10 seconds and check next one.
[Thu Apr 30 09:22:58 ADT 2020] _p_txtdomain='_acme-challenge.update.filopto.com'
[Thu Apr 30 09:22:58 ADT 2020] Cloudflare purge TXT record for domain _acme-challenge.update.filopto.com
[Thu Apr 30 09:22:58 ADT 2020] POST
[Thu Apr 30 09:22:58 ADT 2020] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.update.filopto.com&type=TXT'
[Thu Apr 30 09:22:58 ADT 2020] body
[Thu Apr 30 09:22:58 ADT 2020] _postContentType
[Thu Apr 30 09:22:58 ADT 2020] Http already initialized.
[Thu Apr 30 09:22:58 ADT 2020] _CURL='curl -L --silent --dump-header /tmp/acme/filopto//http.header -g '
[Thu Apr 30 09:22:58 ADT 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Apr 30 09:22:58 ADT 2020] _ret='60'
[Thu Apr 30 09:22:58 ADT 2020] response
[Thu Apr 30 09:23:08 ADT 2020] Let's wait 10 seconds and check again./tmp/acme/filopto/acme_issuecert.log
-
0.6.8 worked for us...Thank You
-
I am seeing a similar issue trying to use godaddy dns. It's trying to go to cloudflare. I am on the latest version of acme 0.6.8.
-
No matter what method you use to verify,
acme.shuses Cloudflare DoH to check DNS records: https://redmine.pfsense.org/issues/10411It's not optional (yet?) if it was, we'd probably default that to off. I may look into adding an option to disable it, or even patch it out of the code. Some people block CF DoH.
-
I can open new thread if needed for this, but I am no longer able to update my cert with godaddy dns. I am getting the error 60 as well. The odd thing is, the staging cert works fine. The production cert is throwing the error. I can see that the TXT record is updating in my godaddy dns account, it just isn't able to confirm it's there after the fact. Any suggestions?
-
That would be an issue for a new thread.
-
Finally got time to go back to the certificates and I can confirm that the latest update has fixed my issue.
Thanks much appreciated.
