Netgate Discussion Forum

    ACME 0.6.8_2 - DNS-NSupdate / RFC 2136 issue

    dyleks:

      Hi,
      I am trying to validate a domain through RFC 2136 using --domain-alias, but I am getting an error.
      I am not sure if I am doing something wrong or there is some issue with the scripts.

      The generated command in the log is:

      /usr/local/pkg/acme/acme.sh  --issue  -d 'ImportantDomain1.com' --domain-alias '_1.OnlyAcmeUpdateDomain.com' --dns 'dns_nsupdate'  -d '*.ImportantDomain.com' --domain-alias '_1.OnlyAcmeUpdateDomain.com' --dns 'dns_nsupdate'  --home '/tmp/acme/_1/' --accountconf '/tmp/acme/_1/accountconf.conf' --force --reloadCmd '/tmp/acme/_1/reloadcmd.sh' --log-level 3 --log '/tmp/acme/_1/acme_issuecert.log'
      

      And the error I get:

      [Tue Sep  8 20:11:33 CEST 2020] key /tmp/acme/_1/ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.key is unreadable
      [Tue Sep  8 20:11:33 CEST 2020] Error add txt for domain:_1.OnlyAcmeUpdateDomain.com
      [Tue Sep  8 20:11:33 CEST 2020] Please check log file for more details: /tmp/acme/_1/acme_issuecert.log
      
      

      But when I check the folder '/tmp/acme/_1/' I can see the key, but with a different name:

      drwxr-xr-x  2 root  wheel     512 Sep  8 18:54 *.ImportantDomain1.com
      -rw-r--r--  1 root  wheel     100 Sep  8 19:12 *.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key
      -rw-r--r--  1 root  wheel       9 Sep  8 19:12 *.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server
      drwxr-xr-x  6 root  wheel     512 Sep  8 19:17 .
      drwxr-xr-x  3 root  wheel     512 Sep  8 18:40 ..
      -rw-r--r--  1 root  wheel     167 Sep  8 20:11 accountconf.conf
      -rw-r--r--  1 root  wheel  113604 Sep  8 20:11 acme_issuecert.log
      drwxr-xr-x  3 root  wheel     512 Sep  8 18:40 ca
      drwxr-xr-x  2 root  wheel     512 Sep  8 19:17 ImportantDomain1.com
      -rw-r--r--  1 root  wheel     100 Sep  8 20:11 ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key
      -rw-r--r--  1 root  wheel       9 Sep  8 20:11 ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server
      -rw-r--r--  1 root  wheel     571 Sep  8 20:11 http.header
      drwxr-xr-x  2 root  wheel     512 Sep  8 18:40 httpapi
      -rwxr-xr-x  1 root  wheel     211 Sep  8 20:11 reloadcmd.sh
      

      Of course, I have replaced my domain with a fake name: ImportantDomain1.com
      And the domain my CNAME points to for ACME updates with a fake name: _1.OnlyAcmeUpdateDomain.com

      Could you please confirm or deny whether this is an issue or my mistake?

      I think that there is an issue that omits the '--domain-alias' check box in the web UI and generates the key file with the prefix '_acme-challenge', which should be used only when we use the option for '--challenge-alias'.

      dyleks:

        UPDATE:
        I have run some tests, and by creating symlinks:

        ln -s ./\*.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key ./\*.ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.key
        ln -s ./\*.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server ./\*.ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.server
        ln -s ./ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key ./ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.key
        ln -s ./ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server  ./ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.server
        

        I can successfully receive certificates.
        Therefore there is a bug in the scripts.
        Could you please let me know where I should report this bug so it can be corrected in the next version of the package?

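The file-name mismatch described in both posts (acme.sh looking for one nsupdate key name while the package wrote another, and the symlink workaround from the update), as an added example that is not part of the thread and is not code from acme.sh or the pfSense ACME package. It is a POSIX sh diagnostic: the two name patterns are inferred from the log line and the directory listing above (an assumption; other package versions may name these files differently), the check reports whether the name acme.sh expects is readable, and a helper applies the poster's symlink workaround only when the expected name is absent. Because the listed key files are the nsupdate key files holding the TSIG secret for the RFC 2136 update, and the listing shows them as mode 0644, the example also flags world-readable key files. The scratch directory, domain names and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example for this thread; not code from acme.sh or the pfSense ACME
# package. acme.sh's dns_nsupdate hook reported
#   <home>/<domain>nsupdate<alias>.key                  as unreadable, while
#   <home>/<domain>nsupdate_acme-challenge.<alias>.key  is what the package wrote.
# Both patterns are inferred from the log line and listing in the thread
# (assumption: other package versions may differ).

# expected_path HOME DOMAIN ALIAS SUFFIX -> the name acme.sh looked for
expected_path() {
    printf '%s/%snsupdate%s.%s\n' "$1" "$2" "$3" "$4"
}

# generated_path HOME DOMAIN ALIAS SUFFIX -> the name present in the listing
generated_path() {
    printf '%s/%snsupdate_acme-challenge.%s.%s\n' "$1" "$2" "$3" "$4"
}

# check_nsupdate_file HOME DOMAIN ALIAS SUFFIX
# Prints "ok" (expected name readable), "mismatch" (only the
# _acme-challenge-prefixed name exists: the thread's situation) or "missing".
check_nsupdate_file() {
    want=$(expected_path "$1" "$2" "$3" "$4")
    have=$(generated_path "$1" "$2" "$3" "$4")
    if [ -r "$want" ]; then
        echo ok
    elif [ -r "$have" ]; then
        echo mismatch
    else
        echo missing
    fi
}

# link_expected_name HOME DOMAIN ALIAS SUFFIX
# The workaround from the second post: symlink the expected name to the file
# that exists. Leaves everything alone if the expected name is already there.
link_expected_name() {
    want=$(expected_path "$1" "$2" "$3" "$4")
    have=$(generated_path "$1" "$2" "$3" "$4")
    [ -e "$want" ] && return 0
    [ -r "$have" ] || return 1
    ln -s "$have" "$want"
}

# key_world_readable FILE -> true when the "other" read bit is set.
# The listing shows the .key files as -rw-r--r--; they hold the TSIG secret
# used for the RFC 2136 update, so that is worth flagging.
key_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Demo on a scratch directory with constructed files mirroring the listing.
demo() {
    home=$(mktemp -d)
    domain='ImportantDomain1.com'          # fake name, as in the thread
    dalias='_1.OnlyAcmeUpdateDomain.com'   # fake name, as in the thread
    for suffix in key server; do
        f=$(generated_path "$home" "$domain" "$dalias" "$suffix")
        printf '# constructed placeholder, not a real TSIG secret\n' > "$f"
        chmod 644 "$f"                      # same mode as in the listing
    done
    for suffix in key server; do
        printf '%s before: %s\n' "$suffix" \
            "$(check_nsupdate_file "$home" "$domain" "$dalias" "$suffix")"
        link_expected_name "$home" "$domain" "$dalias" "$suffix"
        printf '%s after:  %s\n' "$suffix" \
            "$(check_nsupdate_file "$home" "$domain" "$dalias" "$suffix")"
    done
    f=$(generated_path "$home" "$domain" "$dalias" key)
    if key_world_readable "$f"; then
        printf 'warning: %s is world-readable\n' "$f"
    fi
    rm -rf "$home"
}

demo
```

Run it as `sh check_nsupdate_names.sh`; on a real pfSense box you would point the functions at '/tmp/acme/_1/' and the real domain and alias instead of the scratch directory. The wildcard entries in the listing ('*.ImportantDomain1.com...') follow the same two patterns with the '*.' prefix on the domain argument, which is why the poster needed four symlinks for two domains.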
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.