Netgate Discussion Forum

Problem with cert renew, NameSilo/DuckDNS (logs included) - Unable to add the DNS record.

    Flemmingss
    last edited by Flemmingss Oct 10, 2020, 2:09 PM Oct 10, 2020, 2:03 PM

    My certificate is valid until 18.10.20 so I need to fix this in not so long.
    anyway.
    I have my new LetsEncrypt certificate working from when I made it in the summer, but now when I will have my first renewal it will not work. I have tried to reboot pfSense and I have also tried to manually delete the _acme-challenge that is made by pfSense on NameSilo.

    But renewal always fails.

    General System Log: https://pastebin.com/hVDc28BX
    acme_issuecert.log https://pastebin.ubuntu.com/p/Z4RWx7hFff/

    LE_Root_Cert
    Renewing certificate 
    account: LE_Cert 
    server: letsencrypt-production-2 
    
    /usr/local/pkg/acme/acme.sh  --issue  -d '*.my_domain_name.top' --dns 'dns_namesilo'  --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
    Array
    (
        [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [Namesilo_Key] => 744***************fa30
    )
    [Sat Oct 10 16:04:54 CEST 2020] Single domain='*.my_domain_name.top'
    [Sat Oct 10 16:04:54 CEST 2020] Getting domain auth token for each domain
    [Sat Oct 10 16:04:56 CEST 2020] Getting webroot for domain='*.my_domain_name.top'
    [Sat Oct 10 16:04:56 CEST 2020] Adding txt value: E4WS7aqoxaCLbIw-uUb-uq-cprjpnh3U6UnoRQ_j4cs for domain:  _acme-challenge.my_domain_name.top
    [Sat Oct 10 16:04:57 CEST 2020] Unable to add the DNS record.
    [Sat Oct 10 16:04:57 CEST 2020] Error add txt for domain:_acme-challenge.my_domain_name.top
    [Sat Oct 10 16:04:57 CEST 2020] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
    

    NameSilo:

    • CNAME flemmingss.duckdns.org NA 7207* 3rd-party
      www CNAME flemmingss.duckdns.org

    cert config:
    26c5a3c1-1414-45bc-ad7c-cac76fb59b59-image.png

      blekken
      last edited by Oct 21, 2020, 7:34 AM

      Encountering the same issue; @Flemmingss - have you had any more success with this?

      I noticed this happened for my last renew date in August, however regenerated a new API key from NameSilo, and it resolved itself, put it down to a hiccup... not the case this time

        Flemmingss
        last edited by Oct 21, 2020, 1:07 PM

        Nop.

        I changed my DNS records to A records to my IP instead of CNAME to my duckdns.
        It still did not work for 3 days or something, but then just one morning I had an updated certificate. So I don't know if this change had anything to do with it or not.

        *	A	MY-IP	NA	7207*	3rd-party		
        www	A	MY-IP	NA	7207*	3rd-party
        
          blekken @Flemmingss
          last edited by blekken Oct 21, 2020, 9:06 PM Oct 21, 2020, 9:06 PM

          @Flemmingss Thanks for the info,

          Every time ACME was able to successfully change the txt record in NameSilo, then was reporting a failure identical to yours, at this stage can only assume is related to DNS propagation and the script timing out.

          Had no issue renewing via DNS-Manual and waiting ~10min for the txt file update.

          Will revisit this in 2021 for the next renewal :)
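
The post above puts the failure down to DNS propagation and reports success with DNS-Manual after a wait. As an added example (not from the thread and not part of acme.sh), this script checks whether a dns-01 TXT value is being served by every authoritative nameserver of a zone. It assumes `dig` is installed; the function names and the sample token are made up for illustration.

```sh
#!/bin/sh
# Added example: is the dns-01 TXT record visible on every authoritative
# nameserver yet? Function names are made up for this example.

# txt_has_token TOKEN: reads `dig +short TXT` output on stdin and succeeds if
# one answer equals TOKEN. dig quotes each TXT string and splits long values
# into several strings, so join the pieces and strip the quotes first. A CNAME
# target line (what a wildcard CNAME answers while the name has no record of
# its own) never matches.
txt_has_token() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | grep -Fqx -- "$1"
}

# pending_nameservers ZONE TOKEN: prints every authoritative nameserver that
# does not yet serve TOKEN at _acme-challenge.ZONE (no output = all in sync).
pending_nameservers() {
    servers=$(dig +short NS "$1")
    [ -n "$servers" ] || { echo "(no NS records found for $1)"; return 0; }
    for ns in $servers; do
        dig +short TXT "_acme-challenge.$1" "@$ns" | txt_has_token "$2" \
            || printf '%s\n' "$ns"
    done
}

# wait_for_txt ZONE TOKEN [TRIES] [PAUSE_SECONDS]: poll until nothing is pending.
wait_for_txt() {
    tries=${3:-20} pause=${4:-30} i=0
    while [ "$i" -lt "$tries" ]; do
        pending=$(pending_nameservers "$1" "$2")
        [ -z "$pending" ] && return 0
        echo "try $((i + 1))/$tries: not yet on:" $pending >&2
        i=$((i + 1))
        sleep "$pause"
    done
    return 1
}

# Offline demo on constructed `dig +short TXT` output (token is made up):
sample='target.example.net.
"constructed-" "token-0001"'
printf '%s\n' "$sample" | txt_has_token 'constructed-token-0001' \
    && echo "constructed sample: token visible"

# Real use (needs network and dig), e.g.:
#   wait_for_txt example.org 'TOKEN_FROM_ACME_LOG' || echo "not propagated"
```

If every nameserver already serves the value while the log still ends at "Unable to add the DNS record.", the failing step is the record creation itself, and `acme_issuecert.log` is the place to look.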

            ngui1975 @blekken
            last edited by Feb 16, 2021, 5:50 PM

            @blekken @Flemmingss

            Anyone found a solution?
            I have the same issue.

            LE_Root_Cert
            Renewing certificate
            account: LE_Cert
            server: letsencrypt-production-2

            /usr/local/pkg/acme/acme.sh --issue --domain '*.domain.cloud' --dns 'dns_namesilo' --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
            Array
            (
            [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
            [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
            [Namesilo_Key] => Token_Key
            )
            [Tue Feb 16 17:43:50 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
            [Tue Feb 16 17:43:50 UTC 2021] Single domain='*.domain.cloud'
            [Tue Feb 16 17:43:50 UTC 2021] Getting domain auth token for each domain
            [Tue Feb 16 17:43:55 UTC 2021] Getting webroot for domain='*.domain.cloud'
            [Tue Feb 16 17:43:55 UTC 2021] Adding txt value: pfH4ZsfW_6Xf5gjQTX6tJ-Jkq1YhmaA43L0JLizMZ_I for domain: _acme-challenge.domain.cloud
            [Tue Feb 16 17:43:58 UTC 2021] Unable to add the DNS record.
            [Tue Feb 16 17:43:58 UTC 2021] Error add txt for domain:_acme-challenge.domain.cloud
            [Tue Feb 16 17:43:58 UTC 2021] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log

              blekken @ngui1975
              last edited by Feb 16, 2021, 9:06 PM

              @ngui1975
              Hey Ngui,

              Coincidentally I replaced my firewall a couple of months ago, yesterday morning was its first auto renew which worked without intervention;

              I can only put it down to the script timing out before the updated record could propagate;

              6ac216e7-85f3-43f1-9ad8-555ec03a815d-image.png

                Flemmingss @ngui1975
                last edited by Feb 17, 2021, 12:42 PM

                I never got this working
                I did a workaround without duckdns

                In ACME I added *.mydomain.com and DNS-Namesilo
                And in namesilo I have:

                HOSTNAME	TYPE	ADDRESS / VALUE	DISTANCE/PRIO	TTL	SERVICE	EDIT	DELETE
                *	A	MY_IP_HERE	NA	7207*	3rd-party		
                www	A	MY_IP_HERE	NA	7207*	3rd-party		
                
                
                  mcury @Flemmingss
                  last edited by mcury Feb 18, 2021, 3:27 AM Feb 17, 2021, 1:30 PM

                  New .sh for duckdns released 4 days ago, try that to confirm if it's going to work for you.

                  ssh to your pfsense

                  cd /usr/local/pkg/acme/dnsapi
                  mv dns_duckdns.sh dns_duckdns.sh.backup
                  vi dns_duckdns.sh
                  copy the code from github and save
                  chmod 555 dns_duckdns.sh
                  

                  then try again.

                  This worked for me 12th Jan 2021

                  https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_duckdns.sh

                  a4c88b61-4c65-477b-b14f-6d85cb30b459-image.png

                  Tested today, working!

                  dead on arrival, nowhere to be found.

                    ngui1975 @Flemmingss
                    last edited by ngui1975 Feb 20, 2021, 3:48 PM Feb 20, 2021, 3:47 PM

                    @flemmingss

                    Hi Flemmings,

                    I did the same and it worked.
                    Afterwards you can change again to CNAME *.duckdns.org and renew the certificate again.
                    Now it is working fine.

                    thanks to all

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.