ACME v0.8 Let's Encrypt certificate renewal issue
-
Working fine for a long time, but since the update of this package to v0.8 I have an issue with the renewal of my Let's Encrypt certificates.
I use the ACME package in combination with the Direct Admin API call for DNS validation. This was working for at least 2 years, till a week ago (after the update of ACME) I get warnings that the renewal of my LE certificates failed, which were just up for renewal the day after I did the update.
I checked the DNS panel for the _acme-challenge entry in Direct Admin and they are created. The error message however says validation failed after it successfully added and removed the entries.
Log from GUI after manual renew request
(Replaced my actual domain with mydomain, obfuscated user, pw and keys, replaced . with <dot> to beat the spam check):

home<dot>mydomain<dot>nl-wildcard
Renewing certificate
account: ACME Productieserver
server: letsencrypt-production-2

/usr/local/pkg/acme/acme.sh --issue --domain 'home<dot>mydomain<dot>nl' --dns 'dns_da' --domain '*<dot>home<dot>mydomain<dot>nl' --dns 'dns_da' --home '/tmp/acme/home<dot>mydomain<dot>nl-wildcard/' --accountconf '/tmp/acme/home<dot>mydomain<dot>nl-wildcard/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/home<dot>mydomain<dot>nl-wildcard/reloadcmd.sh' --dnssleep '60' --log-level 3 --log '/tmp/acme/home<dot>mydomain<dot>nl-wildcard/acme_issuecert.log'

Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [SSL_CERT_DIR] => /etc/ssl/certs/
    [DA_Api] => https://user:password@mywebhostingserver<dot>nl:2223
    [DA_Api_Insecure] => 1
)

[Wed May 8 17:12:36 CEST 2024] Using CA: https://acme-v02<dot>api<dot>letsencrypt<dot>org/directory
[Wed May 8 17:12:36 CEST 2024] Using pre generated key: /tmp/acme/home<dot>mydomain<dot>nl-wildcard/home<dot>mydomain<dot>nl/home<dot>mydomain<dot>nl<dot>key<dot>next
[Wed May 8 17:12:36 CEST 2024] Generate next pre-generate key.
[Wed May 8 17:12:36 CEST 2024] Multi domain='DNS:home<dot>mydomain<dot>nl,DNS:*<dot>home<dot>mydomain<dot>nl'
[Wed May 8 17:12:39 CEST 2024] Getting webroot for domain='home<dot>mydomain<dot>nl'
[Wed May 8 17:12:39 CEST 2024] Getting webroot for domain='*<dot>home<dot>mydomain<dot>nl'
[Wed May 8 17:12:39 CEST 2024] Adding txt value: <obfuscated half>0pKyJmEtgyvUQ for domain: _acme-challenge<dot>home<dot>mydomain<dot>nl
[Wed May 8 17:12:44 CEST 2024] The txt record is added: Success.
[Wed May 8 17:12:44 CEST 2024] Adding txt value: <obfuscated half>9dBOg5ekASCJM for domain: _acme-challenge<dot>home<dot>mydomain<dot>nl
[Wed May 8 17:12:48 CEST 2024] The txt record is added: Success.
[Wed May 8 17:12:48 CEST 2024] Sleep 60 seconds for the txt records to take effect
[Wed May 8 17:13:48 CEST 2024] Verifying: home<dot>mydomain<dot>nl
[Wed May 8 17:13:49 CEST 2024] Pending, The CA is processing your order, please just wait. (1/30)
[Wed May 8 17:13:52 CEST 2024] Removing DNS records.
[Wed May 8 17:13:52 CEST 2024] Removing txt: <obfuscated half>0pKyJmEtgyvUQ for domain: _acme-challenge<dot>home<dot>mydomain<dot>nl
[Wed May 8 17:13:56 CEST 2024] Removed: Success
[Wed May 8 17:13:56 CEST 2024] Removing txt: <obfuscated half>9dBOg5ekASCJM for domain: _acme-challenge<dot>home<dot>mydomain<dot>nl
[Wed May 8 17:14:01 CEST 2024] Removed: Success
[Wed May 8 17:13:52 CEST 2024] Invalid status, home<dot>mydomain<dot>nl:Verify error detail:DNS problem: NXDOMAIN looking up TXT for _acme-challenge<dot>home<dot>mydomain<dot>nl - check that a DNS record exists for this domain
[Wed May 8 17:14:01 CEST 2024] Please check log file for more details: /tmp/acme/home<dot>mydomain<dot>nl-wildcard/acme_issuecert.log
Anyone experiencing this as well, or maybe even have a solution?
-
@HeMaN said in ACME v0.8 Let's Encrypt certificate renewal issue:
Anyone experiencing this as well, or maybe even have a solution?
No, and I probably have a solution.
Didn't know who or what dns_da (Direct Admin?) is, but I guess this is the one: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_da.sh
That page shows, somewhat hidden, that it hasn't been updated since 2020.... Your logs show all the important steps, and they were all 'success', so from an acme.sh point of view.
One small issue, though: why are the last 4, 5 lines out of order? Look at the time stamps. Did you follow the suggestion?
DNS problem: NXDOMAIN looking up TXT for _acme-challenge<dot>home<dot>mydomain<dot>nl - check that a DNS record exists for this domain
This says: check for yourself if a TXT record exists for
_acme-challenge<dot>home<dot>mydomain<dot>nl
This can be done with dig in the blink of an eye:
dig _acme-challenge<dot>home<dot>mydomain<dot>nl TXT
and it should exist. As Letsencrypt is going to do exactly that same test (the dig) to check if you control the domain, because only you can place the TXT in the subdomain "_acme-challenge<dot>home" of your domain "mydomain<dot>nl".
You'll say: hey, I've only 60 seconds for that, and that's probably the issue: that's way too optimistic - too short.
Keep in mind that the API script communicates with "somewhere". That backend will then contact the master DNS domain name server of your domain, and make the update.
The master will then signal the DNS domain name slave.
This slave, and here it comes, will contact the master back when it sees fit (whenever it wants), and asks for a domain resync. This could be more than 60 seconds!
Only when the slave did this, the TXT field/info will be present on all DNS domain name servers.
Only from now on should the Letsencrypt test be executed. I propose the somewhat silly:
which also gives you the time to do for yourself the test with the dig command.
Remember that you 'dig' the (your!) domain name servers directly. Example:
dig mydomain<dot>nl NS
and now you have the list of all your domain name servers - there are at least two of them.
From here:
dig @NS1.mydomain<dot>nl _acme-challenge<dot>home<dot>mydomain<dot>nl TXT
and
dig @NS2.mydomain<dot>nl _acme-challenge<dot>home<dot>mydomain<dot>nl TXT
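Gertjan's manual dig check, turned into a poll loop that only returns once every authoritative nameserver of the zone actually serves the challenge TXT value, so a fixed --dnssleep guess is not needed. This is an added example, not code from the thread or from acme.sh; it assumes dig is installed, uses the thread's mydomain.nl names as placeholders, and the DIG variable exists only so a stub can stand in for the real dig binary.

```shell
#!/bin/sh
# Added example (not from the thread or acme.sh): poll every authoritative
# nameserver of a zone until the _acme-challenge TXT record carries the
# expected value, instead of trusting a fixed --dnssleep.
# Assumes: dig is installed and the zone's nameservers answer queries directly.
DIG="${DIG:-dig}"   # hypothetical override so a stub can stand in for dig

# Print the authoritative nameservers of ZONE, trailing dots stripped, sorted.
zone_nameservers() {
    $DIG +short "$1" NS | sed 's/\.$//' | sort
}

# Succeed (0) if nameserver NS answers NAME TXT with a string equal to VALUE.
# Arguments: NS NAME VALUE. Quotes around the TXT string are stripped first.
txt_present_on() {
    $DIG +short "@$1" "$2" TXT | tr -d '"' | grep -qxF -e "$3"
}

# Poll until every nameserver of ZONE serves VALUE for NAME.
# Arguments: ZONE NAME VALUE [TIMEOUT=300] [INTERVAL=10] (seconds).
# Returns 0 when all nameservers agree, 1 once TIMEOUT has passed.
wait_for_txt() {
    zone=$1; name=$2; value=$3; timeout=${4:-300}; interval=${5:-10}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        missing=""
        for ns in $(zone_nameservers "$zone"); do
            txt_present_on "$ns" "$name" "$value" || missing="$missing $ns"
        done
        if [ -z "$missing" ]; then
            return 0
        fi
        echo "still missing on:$missing (${elapsed}s elapsed)" >&2
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# Usage, with the constructed names from the thread and the value acme.sh
# logged as "Adding txt value":
#   wait_for_txt mydomain.nl _acme-challenge.home.mydomain.nl "$TOKEN" 300 15
```

A non-zero exit means at least one nameserver still answered NXDOMAIN or a stale value within the timeout, which is exactly the state in which Let's Encrypt would fail the challenge.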
-
@Gertjan said in ACME v0.8 Let's Encrypt certificate renewal issue:
dig @NS1.mydomain<dot>nl _acme-challenge<dot>home<dot>mydomain<dot>nl TXT
Hi Gertjan, thank you for your extensive answer!
I did check my Direct Admin DNS panel for the creation of the entries, they were there, but I did not check the nameservers themselves.
Since the module has been working for years I did not think that the 60 seconds timeframe would be an issue. I had already increased it to 90 seconds and even tried with the auto detect. Both were failing.
Tried it again yesterday after your suggestion to use an even larger timeframe and check the dig result manually from the prompt.
First attempt with 120 sec (I was in a hurry to go to bed) failed again, and indeed no entries in the nameservers with the dig command.
Second attempt with 150 seconds did give me renewed certificates, although the dig commands I did in the meantime did not show any entries. So probably for some reason the time it takes my provider to propagate the new entries has increased a lot to almost 150 seconds, or I was just lucky the last time. Since it is usually an unattended cron job, I just put it at 300 sec for now and will check next time when the certificates need to be renewed if that goes without issue.
As for the log entries, I do not know why they are out of order in the GUI. I checked the actual log and everything is in the right order there. I suppose to create the GUI log there is some grepping done that presents the resulting lines out of order?
Thank you so much for your help and insights!
-
@HeMaN said in ACME v0.8 Let's Encrypt certificate renewal issue:
check next time when the certificates
You can test for 'free' every week or so, check with Letsencrypt documentation, as renewal is rate limited.
Also, once Letsencrypt verified you as an owner of a domain, they will cache that info for several days (7 or 10 days?). And yes, when the acme.sh API does its work, and updated your Direct Admin account, the work isn't over yet.
For you, acme.sh, it is, but the info yet has to be sent to the actual master domain name server. That could be done "right away", or take some time. How much? You'll never know for sure, and it can always change.
When the master has been updated, a second delay kicks in: the "slave with master sync" and again, that's out of your control.
Anyway, told you already. This unknown factor was for me one of the reasons to handle the DNS of my domain names myself, and as such I'm not using the DNS facilities of my registrar anymore.
My two, 3 actually, domain name servers are only handling 'my' domain names and I can control them like I see fit.
-
Noticed there was a new version today 0.8_1 with changes reverted from 0.8 regarding failing challenge checks that were working previously.
Installed this update, changed the dns wait to 60 seconds again and tested the certificate renewal.
Worked like a charm again on the first try.
-