Netgate Discussion Forum
Unable to renew cert / Unable to add the DNS record (NameSilo)

Flemmingss

      Hi.

      I have tried to renew my domain today and yesterday, but it is not working (has worked before).

      Sat, 30 Jul 2022 03:36:06 +0200
      Issued Certificate Dates:
      Valid From: Sat, 30 Jul 2022 02:36:05 +0200
      Valid Until: Fri, 28 Oct 2022 02:36:04 +0200
      

Tried updating the package pfSense-pkg-acme from 0.6.10_1 to 0.7.3, but the issue is the same.

      Getting this:

      LE_Root_Cert
      Renewing certificate 
      account: LE_Cert 
      server: letsencrypt-production-2 
      
      /usr/local/pkg/acme/acme.sh  --issue  --domain '*.flemmingss.top' --dns 'dns_namesilo'  --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
      Array
      (
          [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [Namesilo_Key] => 74XXXXXXXXXXXXXXXXXX30
      )
      [Thu Oct 20 14:28:25 CEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
      [Thu Oct 20 14:28:25 CEST 2022] Single domain='*.flemmingss.top'
      [Thu Oct 20 14:28:25 CEST 2022] Getting domain auth token for each domain
      [Thu Oct 20 14:28:27 CEST 2022] Getting webroot for domain='*.flemmingss.top'
      [Thu Oct 20 14:28:27 CEST 2022] Adding txt value: xuhXXXXXXXXXXXXXRb--Up7OAiitBLSCFhdyrBc8i-I for domain:  _acme-challenge.flemmingss.top
      [Thu Oct 20 14:28:29 CEST 2022] Unable to add the DNS record.
      [Thu Oct 20 14:28:29 CEST 2022] Error add txt for domain:_acme-challenge.flemmingss.top
      [Thu Oct 20 14:28:29 CEST 2022] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
      


Can anyone point to what's wrong here?

Gertjan @Flemmingss

@flemmingss said in Unable to renew cert / Unable to add the DNS record (NameSilo):

        anyone can point to whats wrong here?

        What, no.
But here is where you can find more info about what went wrong:

@flemmingss said in Unable to renew cert / Unable to add the DNS record (NameSilo):

        Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log

The domain name you've shown above is an example, right?

edit:
If you want a wildcard cert, you have to have 2 SANs, not one:
        test-domain.tld
        and
        *.test-domain.tld

@flemmingss said in Unable to renew cert / Unable to add the DNS record (NameSilo):

        but it is not working (has worked before)

Remember: small and big systems, well known or less known, can have issues once in a while.

I'm using a "Certificate renewal after" of 40 days or so. That gives me plenty of time if there are upstream issues.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

Flemmingss @Gertjan

          Thank you, does this help? The log, idk if it is the right part.
          https://pastebin.com/ydrhemvg

Gertjan @Flemmingss

@flemmingss said in Unable to renew cert / Unable to add the DNS record (NameSilo):

            https://pastebin.com/ydrhemvg

            [Thu Oct 20 15:13:45 CEST 2022] Adding txt value: 7Dfbx**********************Gs5Mk for domain: _acme-challenge.flemmingss.top
            ....
            [Thu Oct 20 15:13:46 CEST 2022] ret='0'
            ....
            [Thu Oct 20 15:13:48 CEST 2022] Successfully added TXT record, ready for validation.
            [Thu Oct 20 15:13:48 CEST 2022] The txt record is added: Success.

            So that looks fine.
The detailed log doesn't show the same thing as your initial one:
"Unable to add the DNS record."

            [Thu Oct 20 15:14:08 CEST 2022] You can use '--dnssleep' to disable public dns checks

What have you set as "dns sleep"?
Make that 120 or so.
You have 'none' or 0???

Cloudflare is used to check the TXT record for "_acme-challenge.flemmingss.top" ..... but Cloudflare has a hard time finding the zone info.

Btw: are you sure about the domain name??
It's a 'mess': https://www.zonemaster.net/result/417e30f2d6147744


Flemmingss @Gertjan

              @gertjan
              I am sure about the domain. I use it for self-hosted services at home.

              https://<services>.flemmingss.top
              

The DNS sleep option was empty; I tried setting it to 120 now.
Now I got this response:

              LE_Root_Cert
              Renewing certificate 
              account: LE_Cert 
              server: letsencrypt-production-2 
              
              /usr/local/pkg/acme/acme.sh  --issue  --domain '*.flemmingss.top' --dns 'dns_namesilo'  --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --dnssleep '120' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
              Array
              (
                  [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                  [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [Namesilo_Key] => 74XXXXXXXXXXXXXXXXXX30
              )
              [Thu Oct 20 17:33:34 CEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
              [Thu Oct 20 17:33:34 CEST 2022] Single domain='*.flemmingss.top'
              [Thu Oct 20 17:33:34 CEST 2022] Getting domain auth token for each domain
              [Thu Oct 20 17:33:36 CEST 2022] Getting webroot for domain='*.flemmingss.top'
              [Thu Oct 20 17:33:36 CEST 2022] Adding txt value: 7Df*********************************5Mk for domain:  _acme-challenge.flemmingss.top
              [Thu Oct 20 17:33:38 CEST 2022] Successfully added TXT record, ready for validation.
              [Thu Oct 20 17:33:38 CEST 2022] The txt record is added: Success.
              [Thu Oct 20 17:33:38 CEST 2022] Sleep 120 seconds for the txt records to take effect
              [Thu Oct 20 17:35:38 CEST 2022] Verifying: *.flemmingss.top
              [Thu Oct 20 17:35:39 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
              [Thu Oct 20 17:35:41 CEST 2022] Removing DNS records.
              [Thu Oct 20 17:35:41 CEST 2022] Removing txt: 7Df*********************************5Mk for domain: _acme-challenge.flemmingss.top
              [Thu Oct 20 17:35:44 CEST 2022] Successfully retrieved the record id for ACME challenge.
              [Thu Oct 20 17:35:45 CEST 2022] Successfully removed the TXT record.
              [Thu Oct 20 17:35:45 CEST 2022] Removed: Success
              [Thu Oct 20 17:35:41 CEST 2022] *.flemmingss.top:Verify error:No TXT record found at _acme-challenge.flemmingss.top
              [Thu Oct 20 17:35:45 CEST 2022] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
              

It still says "Valid Until: Fri, 28 Oct 2022 02:36:04 +0200"; maybe I have to wait a little?

Flemmingss @Flemmingss

Okay, 1-2 h have passed and it is still the same.
                New test and new log:
                /tmp/acme/LE_Root_Cert/acme_issuecert.log -> https://pastebin.com/nJSPpPS8

LE_Root_Cert
                Renewing certificate 
                account: LE_Cert 
                server: letsencrypt-production-2 
                
                /usr/local/pkg/acme/acme.sh  --issue  --domain '*.flemmingss.top' --dns 'dns_namesilo'  --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --dnssleep '120' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
                Array
                (
                    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [Namesilo_Key] => 74XXXXXXXXXXXXXXXXXX30
                )
                [Thu Oct 20 19:29:41 CEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
                [Thu Oct 20 19:29:41 CEST 2022] Single domain='*.flemmingss.top'
                [Thu Oct 20 19:29:41 CEST 2022] Getting domain auth token for each domain
                [Thu Oct 20 19:29:43 CEST 2022] Getting webroot for domain='*.flemmingss.top'
                [Thu Oct 20 19:29:43 CEST 2022] Adding txt value: oJ3***********6A4 for domain:  _acme-challenge.flemmingss.top
                [Thu Oct 20 19:29:45 CEST 2022] Successfully added TXT record, ready for validation.
                [Thu Oct 20 19:29:45 CEST 2022] The txt record is added: Success.
                [Thu Oct 20 19:29:45 CEST 2022] Sleep 120 seconds for the txt records to take effect
                [Thu Oct 20 19:31:45 CEST 2022] Verifying: *.flemmingss.top
                [Thu Oct 20 19:31:46 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
                [Thu Oct 20 19:31:48 CEST 2022] Removing DNS records.
                [Thu Oct 20 19:31:48 CEST 2022] Removing txt: oJ3Es*********V6A4 for domain: _acme-challenge.flemmingss.top
                [Thu Oct 20 19:31:50 CEST 2022] Successfully retrieved the record id for ACME challenge.
                [Thu Oct 20 19:31:51 CEST 2022] Successfully removed the TXT record.
                [Thu Oct 20 19:31:51 CEST 2022] Removed: Success
                [Thu Oct 20 19:31:48 CEST 2022] *.flemmingss.top:Verify error:No TXT record found at _acme-challenge.flemmingss.top
                [Thu Oct 20 19:31:51 CEST 2022] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
                
johnpoz (LAYER 8 Global Moderator) @Flemmingss

@flemmingss said in Unable to renew cert / Unable to add the DNS record (NameSilo):

                  [Thu Oct 20 19:29:45 CEST 2022] Sleep 120 seconds for the txt records to take effect

I ran into a sleep thing a while back with Cloudflare. I changed my sleep value to 180, and that seemed to clear up the issues I was having.

edit: I just updated to the latest acme 0.7.3 and updated my cert, didn't have any issues - I use dns-cloudflare.


                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Flemmingss @johnpoz

Thanks, but not here :[]
Tested with 1000 and 500 yesterday, 180 today.

Gertjan @Flemmingss

                      @flemmingss

                      Your request can't really work out.

The last two examples had no issue adding the two names for your certificate request.
Be aware, you are asking for a cert for xxx.flemmingss.top, whatever.flemmingss.top, www.flemmingss.top etc., but not "flemmingss.top", as I've already said above. This might be intentional.
Anyway: about the second try you posted above:

                      [Thu Oct 20 19:29:45 CEST 2022] The txt record is added: Success.
                      

So the master domain name server has accepted the addition of a TXT record for this host name: _acme-challenge.flemmingss.top. Good.

Normally, to prove to yourself that you've understood that it works, you should take a break and test. This is called fact-checking ^^

Like, on the pfSense console:

                      dig _acme-challenge.flemmingss.top TXT
                      

You have the time to do so, because this one is counting down for 120 seconds:

                      [Thu Oct 20 19:29:45 CEST 2022] Sleep 120 seconds for the txt records to take effect
                      

Now comes the issue: look at the time stamps:
Your request isn't pausing 120 seconds, it goes on right away.
A wait of 120 seconds or so is mandatory, as the domain name servers (at least 2, probably more) need to sync with the master domain name server.
This takes time.

What happens next: the TXT record is removed, and this succeeds.

Then there is a failure:

                      [Thu Oct 20 17:35:41 CEST 2022] *.flemmingss.top:Verify error:No TXT record found at _acme-challenge.flemmingss.top
                      [Thu Oct 20 17:35:45 CEST 2022] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
                      

This is strange: it was testing after the TXT record was removed???

The first log shows the good sequence: there is a 120 sec wait here:

                      [Thu Oct 20 17:33:38 CEST 2022] Sleep 120 seconds for the txt records to take effect
                      [Thu Oct 20 17:35:38 CEST 2022] Verifying: *.flemmingss.top
                      

But:

                      [Thu Oct 20 17:35:38 CEST 2022] Verifying: *.flemmingss.top
                      [Thu Oct 20 17:35:39 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
                      

Then:

                      [Thu Oct 20 19:31:50 CEST 2022] Successfully retrieved the record id for ACME challenge.
                      [Thu Oct 20 19:31:51 CEST 2022] Successfully removed the TXT record.
                      [Thu Oct 20 19:31:51 CEST 2022] Removed: Success
[Thu Oct 20 19:31:48 CEST 2022] *.flemmingss.top:Verify error:No TXT record found at _acme-challenge.flemmingss.top
                      

So, first the TXT record gets deleted.
Then, some generic error:

                      *.flemmingss.top:Verify error:No TXT record found at _acme-challenge.flemmingss.top
                      

and as usual, we are looking at the generic, non-conclusive GUI logs (without the needed details).
So, back to

                      [Thu Oct 20 19:31:51 CEST 2022] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
                      

                      for the real answers.

I guess the real error now is:
You had too many attempts (max 5 per day or so!!) so any further attempts just fail.


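To read a pfSense ACME GUI log the way the post above does, here is an added Python example that is not from the thread or from acme.sh: it parses the timestamped lines of the 19:29 run (the sample below is constructed from the lines quoted above, TXT values left out), re-sorts them by time, measures the gap between the "Sleep" and "Verifying:" lines, and checks whether the "Verify error" was stamped before or at the moment the records were removed. Function names are the example's own.

```python
"""Re-order an acme.sh GUI log by timestamp and check the --dnssleep gap.

Added example, not part of the forum thread or of acme.sh.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

Event = Tuple[datetime, str]

# Constructed sample: the timestamped lines of the 19:29 run quoted in the
# thread, with the TXT values omitted.
SAMPLE_LOG = """\
[Thu Oct 20 19:29:43 CEST 2022] Getting webroot for domain='*.flemmingss.top'
[Thu Oct 20 19:29:45 CEST 2022] Successfully added TXT record, ready for validation.
[Thu Oct 20 19:29:45 CEST 2022] Sleep 120 seconds for the txt records to take effect
[Thu Oct 20 19:31:45 CEST 2022] Verifying: *.flemmingss.top
[Thu Oct 20 19:31:46 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Oct 20 19:31:48 CEST 2022] Removing DNS records.
[Thu Oct 20 19:31:51 CEST 2022] Successfully removed the TXT record.
[Thu Oct 20 19:31:51 CEST 2022] Removed: Success
[Thu Oct 20 19:31:48 CEST 2022] *.flemmingss.top:Verify error:No TXT record found at _acme-challenge.flemmingss.top
"""

# The zone name (CEST) is dropped: every line of one run shares it, and
# strptime's %Z is not portable across platforms.
LINE_RE = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})\] (.*)$")


def parse_log(text: str) -> List[Event]:
    """Return (timestamp, message) for each timestamped line, in printed order."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # PHP array dump, headers, blank lines
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
        events.append((stamp, m.group(3)))
    return events


def chronological(events: List[Event]) -> List[Event]:
    """Stable sort, so lines with equal timestamps keep their printed order."""
    return sorted(events, key=lambda e: e[0])


def sleep_gap(events: List[Event]) -> Optional[Tuple[int, int]]:
    """(configured, observed) seconds between 'Sleep N seconds' and 'Verifying:'.

    Returns None when either line is missing.
    """
    configured = started = None
    for stamp, msg in events:
        m = re.match(r"Sleep (\d+) seconds", msg)
        if m and configured is None:
            configured, started = int(m.group(1)), stamp
        elif msg.startswith("Verifying:") and started is not None:
            return configured, int((stamp - started).total_seconds())
    return None


def first_stamp(events: List[Event], needle: str) -> Optional[datetime]:
    """Timestamp of the first message containing `needle`, if any."""
    return next((s for s, m in events if needle in m), None)


def error_predates_removal(events: List[Event]) -> Optional[bool]:
    """Was the 'Verify error' stamped no later than 'Removing DNS records.'?"""
    err = first_stamp(events, "Verify error")
    rm = first_stamp(events, "Removing DNS records")
    return None if err is None or rm is None else err <= rm


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for stamp, msg in chronological(evs):
        print(stamp.strftime("%H:%M:%S"), msg)
    print("dnssleep configured/observed:", sleep_gap(evs))
    print("verify error stamped before/at removal:", error_predates_removal(evs))
```

The GUI prints lines in the order acme.sh reports them, not in time order, so a line that appears last can carry an earlier timestamp; sorting makes the real sequence visible.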
Flemmingss @Gertjan

I tried again today with DNS-Manual. The 2-minute wait according to the documentation resulted in no TXT found.

The last try worked (I think): I did an "issue", added the TXT manually at NameSilo, waited 30 minutes and did a renew. Now it is showing like this:
[screenshot]
The browser still shows the old date:
[screenshot]

Gertjan @Flemmingss

@flemmingss said in Unable to renew cert / Unable to add the DNS record (NameSilo):

                          Last try worked (i think), i did a "issue", added the TXT manually at namesilo, waited 30 minutes and did a renew

                          You've started to understand how things work 👍

                          You should always do a manual request first. acme.sh has the manual mode for that.
                          This makes you understand how Letsencrypt does the test that proves that you 'own' that domain name.

@flemmingss said in Unable to renew cert / Unable to add the DNS record (NameSilo):

                          waited 30 minutes and did a renew

The wait period is defined and known, as you can test it.
I told you to dig for it.
As soon as the TXT record returned from all (!) your domain name servers contains the correct 'secret' TXT value, you know the domain name servers are synced with the latest info, and you can proceed.

Example:
My domain:
test-domaine.fr

So I ask for the list of all domain name servers:

                          dig test-domaine.fr NS +short
                          ns3.test-domaine.fr.
                          ns2.test-domaine.fr.
                          ns1.test-domaine.fr.
                          

I also want to know who the master is:

                          dig test-domaine.fr SOA +short
                          ns1.test-domaine.fr. postmaster.test-domaine.fr. 2021034612 14400 7200 1209600 43200
                          

OK, ns1 is the master.
The master is the domain name server that gets updated using the acme.sh "method".
Let's test:

dig @ns1.test-domaine.fr _acme-challenge.test-domaine.fr TXT +short
                          

As soon as you get an answer, like:

                          7Df*********************************5Mk
                          

you should test your other domain name servers:

dig @ns2.test-domaine.fr _acme-challenge.test-domaine.fr TXT +short
dig @ns3.test-domaine.fr _acme-challenge.test-domaine.fr TXT +short
                          

(for me, 3 tests, as I have 3 domain name servers for my domain)

They should all return the same:

                          7Df*********************************5Mk
                          

                          If this is the case, the wait is over.

@flemmingss said in Unable to renew cert / Unable to add the DNS record (NameSilo):

The browser still shows the old date:

That's another story.
Your browser gets the certificate from the (a) web server.
The web server can do 'https' for you if it has the cert.
Upon web server startup, it reads the cert files, and then it can offer "https".
So, to get rid of the issue, easy: go to System > Certificate Manager > Certificates and export both PEM files (key and crt), and/or the P12 file.
Now, as you are the admin of your web server, do your job: import the P12 or both PEM files.
When done, restart the web server.
And then ..... by magic ..... it works.

You'll say: hey? Do I have to do this every time my cert renews?
Answer: yes.
The good news is: like acme.sh, a script that requests a new certificate, you can make your own script that:
gets the certificate files from pfSense, as you know where they are stored:

[screenshot]

I mean: a script on pfSense could copy these files to your device, and then inform your device that the web server should restart as the certs have changed.

The bad news:
It's your pfSense.
It's your "navidrome" device (whatever that might be).
Up to you to discover if the "navidrome" has (for example) SSH access, which would permit you to copy over the files with a script you have to write from the ground up.
With a bit of luck there is even a way to 'restart' the web server on that device.
Doing so, you automate the entire process.

Yes, you might call this 'programming'.
I've done so myself for my Synology DiskStation, and I managed to do so also for one of our networked printers, as I wanted to know if it could be done.
(it was tedious, with a nice good old-fashioned learning curve)

You could also check if the "navidrome" device has its own Letsencrypt/acme.sh tools built in. In that case, use it to renew navidrome.yourdomain.tld on that device. Most probably, when it succeeds, it will restart the services that use the obtained certificate. Case solved.

If this is not possible, you will be GUI-bound: do it yourself, with the mouse and your fingers, every 60 days or so.


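One way to script the check Gertjan describes above (NS list, SOA master, then the TXT record at every server), as an added Python example that is not from the thread or from acme.sh: it assumes `dig` is on the PATH, takes the zone and the TXT value acme.sh printed on the command line, and polls every authoritative server until all of them return that value. The helper names are the example's own.

```python
"""Wait until every authoritative name server of a zone serves the expected
_acme-challenge TXT value before letting the ACME DNS-01 validation start.

Added example, not part of the forum thread or of acme.sh. Requires `dig`.
"""
import subprocess
import sys
import time
from typing import Dict, List, Optional


def dig_short(name: str, rtype: str, server: Optional[str] = None) -> List[str]:
    """Run `dig [@server] name rtype +short` and return the non-empty answer lines."""
    cmd = ["dig"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rtype, "+short", "+time=3", "+tries=1"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return [line.strip() for line in proc.stdout.splitlines() if line.strip()]


def strip_txt_quotes(value: str) -> str:
    """dig prints TXT data quoted ("abc"); ACME values fit in one chunk."""
    return value.strip().strip('"')


def txt_values_agree(expected: str, answers: Dict[str, List[str]]) -> Dict[str, bool]:
    """Per server: True only if one of its TXT answers equals `expected`.

    An empty answer (record not synced yet) or only stale values counts as False.
    """
    return {srv: any(strip_txt_quotes(v) == expected for v in vals)
            for srv, vals in answers.items()}


def authoritative_servers(zone: str) -> List[str]:
    """Zone NS names without trailing dots, SOA primary (MNAME) moved to the front."""
    servers = [n.rstrip(".") for n in dig_short(zone, "NS")]
    soa = dig_short(zone, "SOA")
    if soa:
        primary = soa[0].split()[0].rstrip(".")
        if primary in servers:
            servers.remove(primary)
            servers.insert(0, primary)
    return servers


def wait_for_propagation(zone: str, expected: str, timeout: int = 900,
                         interval: int = 15) -> bool:
    """Poll each authoritative server until all serve `expected`, else give up."""
    name = "_acme-challenge." + zone
    servers = authoritative_servers(zone)
    if not servers:
        print(f"no NS records found for {zone}", file=sys.stderr)
        return False
    deadline = time.monotonic() + timeout
    while True:
        answers = {srv: dig_short(name, "TXT", server=srv) for srv in servers}
        status = txt_values_agree(expected, answers)
        for srv, ok in status.items():
            print(f"{srv:>32}: {'synced' if ok else 'not yet'} {answers[srv]}")
        if all(status.values()):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


if __name__ == "__main__":
    # usage: python acme_txt_check.py example.tld <TXT value acme.sh printed>
    if len(sys.argv) != 3:
        sys.exit("usage: acme_txt_check.py ZONE TXT_VALUE")
    sys.exit(0 if wait_for_propagation(sys.argv[1], sys.argv[2]) else 1)
```

Exit status 0 means every server answered with the expected value, which is the moment Gertjan calls "the wait is over"; anything else means the validation would likely fail with "No TXT record found".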
Flemmingss @Gertjan

@gertjan Thank you for a very informative reply. I will read it in more detail when I have more time.
In my use case I use HAProxy (reverse proxy) and all my services use http behind my firewall. I made this change and it is now showing the "new" cert in the browser:

[screenshot]

Gertjan @Flemmingss

                              @flemmingss

Aha: you are using the pfSense HAProxy package.

                              Go back to the

[screenshot]

                              page, and start reading.
                              This time, up until the bottom.

                              You will find the very important dns sleep.
                              That's why it's there.

And also this one:

[screenshot]

                              as it was made for you.

                              The certificate name will not change when it is renewed. No need to select 'another' cert in the HA Proxy settings.

Now, when acme.sh has successfully renewed the certificate, it will also restart HAProxy, so it takes the renewed certificate into account.
And you can go back to the admin's main task: constantly ( 😊 ) checking that all automated tasks are executed correctly.
