Netgate Discussion Forum
    Unable to get cert with Namesilo

    • 1reason

      I have tried the automated method and manual, and neither are working.

      With the automated method, it appears the TXT content updates and then is removed, albeit that appears to happen before the statement of "can't find it". I'm at a loss and am repeating things over and over (which of course is a good sign to reach out for help).

      I've changed the domain name to son

      With the manual method I pushed "issue" to get the text and then uploaded it to namesilo, then just the renew button, and the following is the message.

      Thanks in advance for any help.

      son_cert
      Renewing certificate
      account: son Account Key
      server: letsencrypt-staging-2

      /usr/local/pkg/acme/acme.sh --renew -d 'son.com' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --home '/tmp/acme/son_cert/' --accountconf '/tmp/acme/son_cert/accountconf.conf' --force --reloadCmd '/tmp/acme/son_cert/reloadcmd.sh' --dnssleep '455' --log-level 3 --log '/tmp/acme/son_cert/acme_issuecert.log'
      Array
      (
      [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      )
      [Wed Sep 23 20:49:09 CDT 2020] Renew: 'som.com'
      [Wed Sep 23 20:49:10 CDT 2020] Single domain='son.com'
      [Wed Sep 23 20:49:10 CDT 2020] Getting domain auth token for each domain
      [Wed Sep 23 20:49:10 CDT 2020] Verifying: son.com
      [Wed Sep 23 20:49:13 CDT 2020] son.com:Verify error:No TXT record found at _acme-challenge.son.com
      [Wed Sep 23 20:49:13 CDT 2020] Please check log file for more details: /tmp/acme/son_cert/acme_issuecert.log
      [Wed Sep 23 20:49:13 CDT 2020] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

      • Gertjan @1reason

        @1reason said in Unable to get cert with Namesilo:

        With the manual method I pushed "issue" to get the text and then uploaded it to namesilo,

        Then pause.
        Take a Windows cmd prompt, or better, the pfSense console prompt, and do a simple check first:

        Check if you have a sub domain called .well-known and a TXT record "/acme-challenge" for each ( ! ) of your domain name servers:

        You'll get a list like :

        ns3. your-domain.tld.
        ns1. your-domain.tld.
        ns2. your-domain.tld.
        

        For each nsx, do:

        dig @nsx.your-domain.tld. _acme-challenge.your-domain.tld TXT

        This should return the unique token that Letsencrypt gave you, the token you stored manually into the TXT record .well-known.acme-challenge.your-domain.tld

        When you use the automatic mode the first (couple of) times, you should introduce a delay using the acme.sh "--dnssleep 300" parameter.
        This gives you 5 minutes to test if the master DNS server, which was updated by the acme.sh API script, and the slave DNS name servers have synchronised, as this is never done 'right away'.

        If this https://www.varstack.com/2017/12/08/Automating-HTTPS-certs/ is still valid and actual, then at least 15 minutes or 900 seconds are needed: you find it out during the manual 'dig' spam testing: as soon as the TXT record ".well-known.acme-challenge.your-domain.tld" pops up, you have the (average) delay.

        @1reason said in Unable to get cert with Namesilo:

        am repeating things over and over

        You are testing using the LE test stage server, right?
        If not, LE will blacklist you for an hour, a day or more.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • 1reason
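Gertjan's per-nameserver check, written as a script (an added example, not from the thread, from pfSense or from acme.sh): it asks each authoritative nameserver directly for the TXT record at _acme-challenge.<domain>, the name the acme.sh log lines above refer to, and parses the dig output into a status and the served values. The dig sample outputs, the example.test names and the token are constructed.

```python
import re
import subprocess

# ACME DNS-01 is validated at _acme-challenge.<domain>, the name the acme.sh
# log lines in this thread refer to.
CHALLENGE_PREFIX = "_acme-challenge."
# Constructed samples of `dig ... TXT` output (not captured from the thread).
NXDOMAIN_OUT = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53255
;; AUTHORITY SECTION:
example.test. 3394 IN SOA ns1.example.test. root.example.test. 1 3600 600 1209600 3600
"""
FOUND_OUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
_acme-challenge.example.test. 300 IN TXT "tokenABC"

;; Query time: 0 msec
"""

def parse_dig_txt(output):
    """Return (status, txt_values) parsed from what `dig <name> TXT` prints."""
    match = re.search(r"status: ([A-Z]+)", output)
    status = match.group(1) if match else "UNKNOWN"
    values, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break
            fields = line.split(None, 4)  # <name> <ttl> IN TXT "<value>"
            if len(fields) == 5 and fields[3] == "TXT":
                values.append(fields[4].strip().strip('"'))
    return status, values

def dig_txt(name, server):
    """Query one nameserver directly, like `dig @ns1.example.test <name> TXT`."""
    proc = subprocess.run(["dig", "@" + server, name, "TXT"],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout

def check_challenge(domain, token, nameservers, query=dig_txt):
    """Per nameserver: (dig status, whether the expected token was served)."""
    name = CHALLENGE_PREFIX + domain
    report = {}
    for ns in nameservers:
        status, values = parse_dig_txt(query(name, ns))
        report[ns] = (status, token in values)
    return report
```

Run it with the real nameservers from `dig your-domain.tld NS` and the token acme.sh logged; a nameserver still answering NXDOMAIN after the --dnssleep window is the one the validation will hit.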

          Thanks so much for your help, I greatly appreciate it.

          I'm using a staging (for TESTING) cert, yes.

          I also tried again the automated method (neither is working) today.

          I can see the txt file in the namesilo DNS, albeit here's the error message received (altered to remove sensitive info).

          son_cert
          Renewing certificate
          account: son Account Key
          server: letsencrypt-staging-2

          /usr/local/pkg/acme/acme.sh --issue -d 'son.com' --dns 'dns_namesilo' --home '/tmp/acme/son_cert/' --accountconf '/tmp/acme/son_cert/accountconf.conf' --force --reloadCmd '/tmp/acme/zson_cert/reloadcmd.sh' --dnssleep '2700' --log-level 3 --log '/tmp/acme/zson_cert/acme_issuecert.log'
          Array
          (
          [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [Namesilo_Key] => zzzzzzx
          )
          [Thu Sep 24 11:04:42 CDT 2020] Single domain='son.com'
          [Thu Sep 24 11:04:42 CDT 2020] Getting domain auth token for each domain
          [Thu Sep 24 11:04:44 CDT 2020] Getting webroot for domain='son.com'
          [Thu Sep 24 11:04:44 CDT 2020] Adding txt value: YTKvsY3dzIcMVxgQzzxdxVXJeJRPQqTpEDecCFbM for domain: _acme-challenge.son.com
          [Thu Sep 24 11:04:45 CDT 2020] Unable to add the DNS record.
          [Thu Sep 24 11:04:45 CDT 2020] Error add txt for domain:_acme-challenge.son.com
          [Thu Sep 24 11:04:45 CDT 2020] Please check log file for more details: /tmp/acme/zson_cert/acme_issuecert.log

          Do I need to open any ports? None of this makes sense other than there's a problem with the software??

          Performing dig acme-challenge.1reason.com TXT in the pfSense command prompt displays the following:

          ; <<>> DiG 9.14.12 <<>> acme-challenge.son.com TXT
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53255
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;acme-challenge.son.com. IN TXT

          ;; AUTHORITY SECTION:
          son.com. 3394 IN SOA loes.son.com. root.loes.son.com. 1600379537 3600 600 1209600 3600

          ;; Query time: 0 msec
          ;; SERVER: 127.0.0.1#53(127.0.0.1)
          ;; WHEN: Thu Sep 24 11:27:24 CDT 2020
          ;; MSG SIZE rcvd: 102

          Thanks again

          • 1reason

            Also, I gave it 2700 seconds to sleep, albeit the "spinning gear" stops before that and updates the renewal button to a broken link with "issue/renew". Could the system time out before the sleep time is completed?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.