DNS-DuckDNS does not renew
-
Compare this:
@alwindb said in DNS-DuckDNS does not renew:
Oh something changed: https://github.com/pfsense/FreeBSD-ports/commit/52dc75765cf5610985a2a6ba175f7e67714800c8#diff-2cb7db41d3c31b1e9a1b39707fd41c0254a5ed02b070682cff2624a8224ad558
with the source:
https://github.com/acmesh-official/acme.sh/commits/master/dnsapi/dns_duckdns.sh == the same.
So, if there are issues, I advise you (also) to check here: pulls, and here: issues.
-
Same issue here.
Still no fix. :(
-
Can you share more details about the errors you are getting?
My cert will expire soon.
-
@mcury said in DNS-DuckDNS does not renew:
Can you share more details about the errors you are getting?
My cert will expire soon
When the DuckDNS cert goes to renew, it fails:
[Mon Jan 11 08:29:02 EST 2021] d='yourDomain.duckdns.org'
[Mon Jan 11 08:29:02 EST 2021] _d_alias
[Mon Jan 11 08:29:02 EST 2021] txtdomain='_acme-challenge.yourDomain.duckdns.org'
[Mon Jan 11 08:29:02 EST 2021] base64 single line.
[Mon Jan 11 08:29:02 EST 2021] txt='responseCode'
[Mon Jan 11 08:29:02 EST 2021] d_api='/usr/local/pkg/acme/dnsapi/dns_duckdns.sh'
[Mon Jan 11 08:29:02 EST 2021] dns_entry='yourDomain.duckdns.org,_acme-challenge.yourDomain.duckdns.org,,dns_duckdns,responseCode,/usr/local/pkg/acme/dnsapi/dns_duckdns.sh'
[Mon Jan 11 08:29:02 EST 2021] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
[Mon Jan 11 08:29:02 EST 2021] dns_duckdns_add exists=0
[Mon Jan 11 08:29:02 EST 2021] Adding txt value: responseCode for domain: _acme-challenge.yourDomain.duckdns.org
[Mon Jan 11 08:29:02 EST 2021] APP
[Mon Jan 11 08:29:02 EST 2021] 5:SAVED_DuckDNS_Token='yourToken'
[Mon Jan 11 08:29:02 EST 2021] Trying to add TXT record
[Mon Jan 11 08:29:02 EST 2021] param='domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode'
[Mon Jan 11 08:29:02 EST 2021] url='https://www.duckdns.org/update?domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode'
[Mon Jan 11 08:29:02 EST 2021] GET
[Mon Jan 11 08:29:02 EST 2021] url='https://www.duckdns.org/update?domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode
[Mon Jan 11 08:29:02 EST 2021] timeout=
[Mon Jan 11 08:29:02 EST 2021] Http already initialized.
[Mon Jan 11 08:29:02 EST 2021] _CURL='curl -L --silent --dump-header /tmp/acme/pfsense//http.header -g '
[Mon Jan 11 08:29:03 EST 2021] ret='0'
[Mon Jan 11 08:29:03 EST 2021] response='KO'
[Mon Jan 11 08:29:03 EST 2021] Errors happened during adding the TXT record, response=KO
[Mon Jan 11 08:29:03 EST 2021] Error add txt for domain:_acme-challenge.yourDomain.duckdns.org
[Mon Jan 11 08:29:03 EST 2021] _on_issue_err
Notice the
response='KO'
Per https://www.duckdns.org/spec.jsp that means "bad response".
Something has changed, and the new version of Acme will fail.
I switched over to using Dynu for now, no issue with it, so I know it's not Acme itself failing.
A quick Google search shows that there has been an API change at DuckDNS. It has to do with "sub domains".
Leads you to https://github.com/acmesh-official/acme.sh/issues/2933
Already tried the "--domain-alias mydomain.duckdns.org" as mentioned but same error.
FYI to manually renew the cert:
/usr/local/pkg/acme/acme.sh --issue -d 'yourDomain.duckdns.org' --dns 'dns_duckdns' --domain-alias 'yourDomain.duckdns.org' --home '/tmp/acme/pfsense/' --accountconf '/tmp/acme/pfsense/accountconf.conf' --force --reloadCmd '/tmp/acme/pfsense/reloadcmd.sh' --log-level 3 --log '/tmp/acme/pfsense/acme_issuecert.log'
-
I've managed to renew just using the regular method (ACME > DuckDNS) on the 29th of December 2020.
Based on the other replies, I tried it again today and it fails with the above-mentioned feedback. Running ACME 0.6.9_3:
DuckDNS
Renewing certificate
account: Lets Encrypt Production ACMEv2
server: letsencrypt-production-2
/usr/local/pkg/acme/acme.sh --issue --domain 'userdomain.duckdns.org' --dns 'dns_duckdns' --home '/tmp/acme/DuckDNS/' --accountconf '/tmp/acme/DuckDNS/accountconf.conf' --force --reloadCmd '/tmp/acme/DuckDNS/reloadcmd.sh' --ocsp-must-staple --log-level 3 --log '/tmp/acme/DuckDNS/acme_issuecert.log'
Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [DuckDNS_Token] => )
[Tue Jan 12 18:59:01 CET 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Jan 12 18:59:01 CET 2021] Single domain='userdomain.duckdns.org'
[Tue Jan 12 18:59:01 CET 2021] Getting domain auth token for each domain
[Tue Jan 12 18:59:04 CET 2021] Getting webroot for domain='userdomain.duckdns.org'
[Tue Jan 12 18:59:04 CET 2021] Adding txt value: BpXXFuhE3WEEmo1FcN3djlY8cBCx7HwjsFCHX-FcN3djlY8cBCx7for domain: _acme-challenge.userdomain.duckdns.org
[Tue Jan 12 18:59:04 CET 2021] Trying to add TXT record
[: : bad number
[: : bad number
[Tue Jan 12 18:59:05 CET 2021] Errors happened during adding the TXT record, response=KO
[Tue Jan 12 18:59:05 CET 2021] Error add txt for domain:_acme-challenge.userdomain.duckdns.org
[Tue Jan 12 18:59:05 CET 2021] Please check log file for more details: /tmp/acme/DuckDNS/acme_issuecert.log
I'm going to check in the DuckDNS usergroup to find out what changed on their end.
-
I just tried, and got the same KO error through acme package in pfsense.
<...>
[Tue Jan 12 15:12:14 -03 2021] Trying to add TXT record
[: : bad number
[: : bad number
[Tue Jan 12 15:12:16 -03 2021] Errors happened during adding the TXT record, response=KO
[Tue Jan 12 15:12:16 -03 2021] Error add txt for domain:_acme-challenge.userdomain.duckdns.org
[Tue Jan 12 15:12:16 -03 2021] Please check log file for more details: /tmp/acme/duckdns/acme_issuecert.log
-
Managed to update the dns_duckdns.sh that is included in the current package installed on my system (ACME 0.6.9_3) with the content of https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_duckdns.sh
which incorporates this regex fix: https://github.com/acmesh-official/acme.sh/commit/cee20c4eb96ec8ec3ad789ae5e3902689598b0ee
Now the script runs flawlessly. Does that mean that the package maintainer needs to pull this from the repository to permanently fix this issue?
The updated script does not add _acme-challenge.userdomain.duckdns.org to the GET request for DuckDNS; it only uses the domain part "userdomain".
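As an added illustration of the behaviour described in the post above (this is not acme.sh's dns_duckdns.sh and not the poster's code), the POSIX sh sketch below derives the bare DuckDNS subdomain from the ACME challenge name, builds the update URL with only that part, and maps the OK/KO reply to an exit status; the function names and the token value are assumptions/placeholders, and nothing is sent over the network.

```shell
#!/bin/sh
# Added example, not acme.sh's own dns_duckdns.sh. It shows why the fixed
# script works: only the bare subdomain ("userdomain") goes into the DuckDNS
# update request, never the full "_acme-challenge.userdomain.duckdns.org" name.
# Function names and the token value are assumptions/placeholders.

# Print the DuckDNS subdomain for a challenge name such as
# "_acme-challenge.userdomain.duckdns.org" -> "userdomain".
# Returns 1 when the name is not a *.duckdns.org hostname at all.
duckdns_domain_part() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$name" in
    *.duckdns.org) ;;
    *) return 1 ;;
  esac
  stripped=${name%.duckdns.org}   # e.g. "_acme-challenge.userdomain"
  printf '%s\n' "${stripped##*.}" # keep only the last label
}

# Build the TXT update URL in the shape seen in the thread's log:
# $1 = challenge name, $2 = DuckDNS token, $3 = TXT value.
# ACME challenge values are base64url, so no extra URL encoding is needed.
duckdns_txt_url() {
  sub=$(duckdns_domain_part "$1") || return 1
  printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s\n' \
    "$sub" "$2" "$3"
}

# DuckDNS answers with the bare string OK or KO; KO is the "bad response"
# from the logs above. Exit status: 0 for OK, 1 for KO, 2 for anything else.
duckdns_check_response() {
  case "$1" in
    OK) return 0 ;;
    KO) return 1 ;;
    *)  return 2 ;;
  esac
}

# Constructed, offline demo (no request is sent). YOUR_TOKEN_HERE is a placeholder.
demo_url=$(duckdns_txt_url '_acme-challenge.userdomain.duckdns.org' \
  'YOUR_TOKEN_HERE' 'BpXXFuhE3WEEmo1FcN3djlY8cBCx7')
echo "$demo_url"
# A constructed KO reply, handled the way a renewal hook should handle it:
duckdns_check_response 'KO' || echo "DuckDNS answered KO: check token and subdomain"
```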
-
@alwindb This is a good question, I don't know how to proceed either..
My last successful renewal was on Oct 26th.
-
@alwindb said in DNS-DuckDNS does not renew:
Now the script runs flawlessly, does that mean that the package maintainer needs to pull this from the repository to permanently fix this issue?
The maintainer (jimp) will sync the pfSense acme package from that source. He doesn't do so every day, as there is more work than only copying the source in.
Btw: funny: look who proposed the regex fix:
Coincidence?
-
@alwindb said in DNS-DuckDNS does not renew:
Managed to update the dns_duckdns.sh...
...Now the script runs flawlessly...
I'm surprised this hasn't yet been resolved in the current/published package. Thanks for that! I'm running the current acme 0.6.9_3 package on pfSense 2.5.1 and encountered the same problem today. Updating dns_duckdns.sh as you indicated worked here. For others who may need a little more help:
TLDR: copy/paste the following command (a string of commands) into the Execute Shell Command textbox in the pfSense web GUI (Diagnostics > Command Prompt) and click the Execute button.
mv /usr/local/pkg/acme/dnsapi/dns_duckdns.sh /usr/local/pkg/acme/dnsapi/dns_duckdns.pkgnew; curl -o /usr/local/pkg/acme/dnsapi/dns_duckdns.sh https://raw.githubusercontent.com/acmesh-official/acme.sh/master/dnsapi/dns_duckdns.sh; chmod 555 /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
1. Backup pfSense before doing anything else. This should go without saying, but the force is strong with root/admin SSH access to your pfSense install, and you can bork your pfSense if you're not careful.
2. Enable the Secure Shell Server (ssh) in your pfSense install, if not already enabled. See the Secure Shell section in System > Advanced.
3. Use something like PuTTY or the Ubuntu/Bash shell for WSL if you use Windows, Terminal on macOS, or xterm or similar on Linux, and connect to your pfSense: ssh admin@pfSense_IP_address_or_hostname
   where pfSense_IP_address_or_hostname is an IP address or resolvable hostname for your pfSense, and where admin is the username for an administrator on your pfSense. Enter the admin password when prompted.
4. Enter 8 (for Shell) to get to a command line interface.
5. Enter the command cd /usr/local/pkg/acme/dnsapi
6. Enter the command mv dns_duckdns.sh dns_duckdns.pkgnew
   This renames dns_duckdns.sh so you can quickly revert to the original script, if needed.
7. Enter the command vi dns_duckdns.sh
   This will create a new file using the vi editor (you will see a lot of ~ characters on the left). Type i to enter insert/entry mode. Select and copy all the text at https://raw.githubusercontent.com/acmesh-official/acme.sh/master/dnsapi/dns_duckdns.sh
   Paste the copied text in vi. If you use Windows, this can usually be accomplished by right-clicking in the ssh client (e.g. PuTTY) window (while in vi insert/entry mode). Press the Esc key to enter vi command mode, then type :wq to save (write) the file and close (quit) vi.
8. Enter the command chmod 555 dns_duckdns.sh to make the replacement script executable.
9. You can enter the command ls -l *duckdns* to confirm that read/write/execute permissions are identical for the original and replacement scripts.
10. For good measure, try the command diff dns_duckdns.sh dns_duckdns.pkgnew
    This will show you the differences between the original and replacement scripts. This can help you confirm you created the replacement script correctly. This can also help you be reasonably certain the replacement script does nothing malicious, though you probably should have done some due diligence before getting this far anyway. The point is that you shouldn't copy/add/replace scripts on your pfSense without understanding the potential security implications.
11. Enter the command exit, then type/select 0 (to logout).
12. Try requesting/renewing your DuckDNS certificate(s) in the pfSense GUI. The process can take several minutes. Be patient and good luck!
-
Alternative ways to kill the duck-bug:
Instead of the always-needed SSH (so it's ok to have it set up once): use the classic console access, as this should work too.
Or: install the System_Patches pfSense package, which exists for doing just that.
Now, if we can get our hands on the raw diff file (and get the paths correct), it's just a question of copying the commit ID URL and two more clicks (patching without a keyboard).