ACME 0.6.8_2 - DNS-NSupdate / RFC 2136 issue



  • Hi,
    I am trying to validate a domain through RFC 2136 using --domain-alias, but I am getting an error.
    I am not sure if I am doing something wrong or there is some issue with the scripts.

    Generated command in log is:

    /usr/local/pkg/acme/acme.sh  --issue  -d 'ImportantDomain1.com' --domain-alias '_1.OnlyAcmeUpdateDomain.com' --dns 'dns_nsupdate'  -d '*.ImportantDomain.com' --domain-alias '_1.OnlyAcmeUpdateDomain.com' --dns 'dns_nsupdate'  --home '/tmp/acme/_1/' --accountconf '/tmp/acme/_1/accountconf.conf' --force --reloadCmd '/tmp/acme/_1/reloadcmd.sh' --log-level 3 --log '/tmp/acme/_1/acme_issuecert.log'
    

    And the error I get:

    [Tue Sep  8 20:11:33 CEST 2020] key /tmp/acme/_1/ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.key is unreadable
    [Tue Sep  8 20:11:33 CEST 2020] Error add txt for domain:_1.OnlyAcmeUpdateDomain.com
    [Tue Sep  8 20:11:33 CEST 2020] Please check log file for more details: /tmp/acme/_1/acme_issuecert.log
    
    

    But when I check the folder '/tmp/acme/_1/' I can see the key, but with a different name:

    drwxr-xr-x  2 root  wheel     512 Sep  8 18:54 *.ImportantDomain1.com
    -rw-r--r--  1 root  wheel     100 Sep  8 19:12 *.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key
    -rw-r--r--  1 root  wheel       9 Sep  8 19:12 *.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server
    drwxr-xr-x  6 root  wheel     512 Sep  8 19:17 .
    drwxr-xr-x  3 root  wheel     512 Sep  8 18:40 ..
    -rw-r--r--  1 root  wheel     167 Sep  8 20:11 accountconf.conf
    -rw-r--r--  1 root  wheel  113604 Sep  8 20:11 acme_issuecert.log
    drwxr-xr-x  3 root  wheel     512 Sep  8 18:40 ca
    drwxr-xr-x  2 root  wheel     512 Sep  8 19:17 ImportantDomain1.com
    -rw-r--r--  1 root  wheel     100 Sep  8 20:11 ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key
    -rw-r--r--  1 root  wheel       9 Sep  8 20:11 ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server
    -rw-r--r--  1 root  wheel     571 Sep  8 20:11 http.header
    drwxr-xr-x  2 root  wheel     512 Sep  8 18:40 httpapi
    -rwxr-xr-x  1 root  wheel     211 Sep  8 20:11 reloadcmd.sh
    

    Of course I have replaced my domain with a fake name: ImportantDomain1.com
    And my domain for CNAME updates for ACME with a fake name: _1.OnlyAcmeUpdateDomain.com

    Could you please confirm or deny whether this is an issue or my mistake?

    I think that there is an issue that omits the '--domain-alias' check box in the WEB UI and generates the key file with the prefix '_acme-challenge', which should be used only when we use the option for '--challenge-alias'.



  • UPDATE:
    I have run some tests, and by creating these symlinks:

    ln -s ./\*.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key ./\*.ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.key
    ln -s ./\*.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server ./\*.ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.server
    ln -s ./ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key ./ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.key
    ln -s ./ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server  ./ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.server
    

    I can successfully receive certificates.
    Therefore there is a bug in the scripts.
    Could you please let me know where I should report this BUG so it can be corrected in the next version of the package?
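A small pre-flight check for the file-name mismatch described in the two posts above. This is an added example, not code from the original thread, from acme.sh or from the pfSense package; the two name patterns are taken only from the error message and the directory listing in the post, and the function name and return codes are my own.

```shell
#!/bin/sh
# Added example (not from the post, acme.sh or the pfSense package).
# Given the acme.sh home dir, a domain and its --domain-alias, report which
# nsupdate key/server files are present. The two name patterns come from the
# post: the error message referenced
#   <domain>nsupdate<alias>.key
# while the directory listing contained
#   <domain>nsupdate_acme-challenge.<alias>.key
# Return codes: 0 expected files present and readable,
#   1 only the _acme-challenge variant exists (the naming mismatch),
#   2 a file is missing under both names, 3 present but not readable.
# Paths are always quoted, so a wildcard domain such as '*.example.com'
# is treated as a literal file name and never expanded as a glob.
check_nsupdate_files() {
    dir="$1"; domain="$2"; dalias="$3"
    expected="$dir/${domain}nsupdate${dalias}"
    variant="$dir/${domain}nsupdate_acme-challenge.${dalias}"
    status=0
    for ext in key server; do
        if [ -e "$expected.$ext" ]; then
            if [ -r "$expected.$ext" ]; then
                echo "ok: $expected.$ext"
            else
                echo "unreadable (check owner and mode): $expected.$ext"
                status=3
            fi
        elif [ -e "$variant.$ext" ]; then
            echo "mismatch: expected $expected.$ext, found $variant.$ext"
            if [ "$status" -lt 1 ]; then status=1; fi
        else
            echo "missing: $expected.$ext (no $variant.$ext either)"
            if [ "$status" -lt 2 ]; then status=2; fi
        fi
    done
    return "$status"
}

# Usage with the (fake) names from the post:
#   check_nsupdate_files /tmp/acme/_1 ImportantDomain1.com _1.OnlyAcmeUpdateDomain.com
#   check_nsupdate_files /tmp/acme/_1 '*.ImportantDomain1.com' _1.OnlyAcmeUpdateDomain.com
```

Run it against the acme home directory before issuing; a return code of 1 means the symlink workaround from the update (or a fix to the generated file name) is needed.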

