Hi all,
I've been toiling away for a few hours now, trying to work out what is going wrong. I haven't had a problem with my ACME config for years.
My certificate expired yesterday and should have been renewed today. However, I keep getting an error:
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] _on_issue_err
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] Error add txt for domain:_acme-challenge.mydomain.com
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] invalid domain
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Invalid access token"}],"messages":[],"result":null}'
Reading that, you'd think "obviously, the API token must be broken".
To be on the safe side, I created a new token.
Zone.Zone (Read), Zone.DNS (Edit), Resources: All zones
Entered it directly in the challenge types under restricted API token.
Same error...
To rule out insufficient permissions, I tried my Global API Key as a test, but I get the same result.
Can you make sense of the log? The tokens in the log do not match the tokens I entered.
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] Error add txt for domain:_acme-challenge.mydomain.com
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] invalid domain
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Invalid access token"}],"messages":[],"result":null}'
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] ret='0'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.Qe7UxsMNNc -g '
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] Http already initialized.
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] timeout=
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] url='https://api.cloudflare.com/client/v4/zones/cf6666f77f5b50840cc4f8691d04a99c'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] GET
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] zones/cf6666f77f5b50840cc4f8691d04a99c
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] First detect the root zone
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] Adding txt value: iiOVah5YgiApm_W8j3cqevUJ8_bmE_MRfcG2wF3KmMLO for domain: _acme-challenge.mydomain.com
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_cf.sh
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] dns_entry='mydomain.com,_acme-challenge.mydomain.com,,dns_cf,iiOVah5YgiApm_W8j3cqevUJ8_bmE_MRfcG2wF3KmMLO,/usr/local/share/examples/acme.sh/dnsapi/dns_cf.sh'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_cf.sh'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] txt='iiOVah5YgiApm_W8j3cqevUJ8_bmE_MRfcG2wF3KmMLO'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] txtdomain='_acme-challenge.mydomain.com'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] _d_alias
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] d='mydomain.com'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] vlist='mydomain.com#rstTYQYmrB3SCdyMSO_C2-KuKVWhfpP8w-UjWiA_L48.Kg40Apx66il6cLWEg_W5cG5XoDgRmcWoSy11ohHmzt8#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14315805543/xpXTKg#dns-01#dns_cf#https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14315805543,'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] d
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] dvlist='mydomain.com#rstTYQYmrB3SCdyMSO_C2-KuKVWhfpP8w-UjWiA_L48.Kg40Apx66il6cLWEg_W5cG5XoDgRmcWoSy11ohHmzt8#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14315805543/xpXTKg#dns-01#dns_cf#https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14315805543'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] keyauthorization='rstTYQYmrB3SCdyMSO_C2-KuKVWhfpP8w-UjWiA_L48.Kg40Apx66il6cLWEg_W5cG5XoDgRmcWoSy11ohHmzt8'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14315805543/xpXTKg'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] token='rstTYQYmrB3SCdyMSO_C2-KuKVWhfpP8w-UjWiA_L48'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] entry='"type":"dns-01","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14315805543/xpXTKg","status":"pending","token":"rstTYQYmrB3SCdyMSO_C2-KuKVWhfpP8w-UjWiA_L48"'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] _authz_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14315805543'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] response='{"identifier":{"type":"dns","value":"mydomain.com"},"status":"pending","expires":"2024-10-14T12:25:39Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14315805543/jkxsOA","status":"pending","token":"rstTYQYmrB3SCdyMSO_C2-KuKVWhfpP8w-UjWiA_L48"},{"type":"http-01","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14315805543/-B_sZg","status":"pending","token":"rstTYQYmrB3SCdyMSO_C2-KuKVWhfpP8w-UjWiA_L48"},{"type":"dns-01","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14315805543/xpXTKg","status":"pending","token":"rstTYQYmrB3SCdyMSO_C2-KuKVWhfpP8w-UjWiA_L48"}]}#https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/14315805543'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] _idn_temp
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] _is_idn_d='mydomain.com'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] _currentRoot='dns_cf'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] _w='dns_cf'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] Getting webroot for domain='mydomain.com'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] d='mydomain.com'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] _d='mydomain.com'
*Solved*
So apparently a gremlin really did creep into ACME somewhere.
Everything worked perfectly after I pressed "Reset ACME Client" in the ACME Client settings.
The whole thing still puzzles me. Despite saving new tokens/keys, the change was not picked up.
Only the reset cleared that up...
I did it this way and it works.
https://www.youtube.com/watch?v=bY5mLytgDek
https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/
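A small log triage for the situation in this thread, added here as an example and not code from any poster or from acme.sh: it reads acme.sh debug lines in the format shown above, keeps the ACME challenge token issued by the CA apart from the Cloudflare API responses, and reports which request Cloudflare answered with an error. The sample lines are constructed, and the zone id and token values in them are placeholders.

```python
import json
import re

# Constructed sample in the line format of the log above (newest entry first).
# The zone id and token values are placeholders, not values from the thread.
SAMPLE_LOG = """\
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] invalid domain
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Invalid access token"}],"messages":[],"result":null}'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] url='https://api.cloudflare.com/client/v4/zones/ZONE_ID_PLACEHOLDER'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] token='CHALLENGE_TOKEN_PLACEHOLDER'
2024-10-07T14:25:40 acme.sh [Mon Oct 7 14:25:40 CEST 2024] response='{"identifier":{"type":"dns","value":"mydomain.com"},"status":"pending","challenges":[{"type":"dns-01","status":"pending","token":"CHALLENGE_TOKEN_PLACEHOLDER"}]}'
"""

# Matches "<timestamp> acme.sh [<date>] key='value'" debug lines only.
LINE_RE = re.compile(r"^\S+ acme\.sh \[[^\]]*\] (\w+)='(.*)'$")


def parse(log):
    """Return (key, value) pairs from key='value' lines, oldest first."""
    pairs = [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]
    return pairs[::-1]  # the log lists the newest entry first


def diagnose(log):
    """Separate ACME challenge tokens from Cloudflare API errors."""
    findings = {"challenge_tokens": set(), "cloudflare_errors": []}
    last_url = None
    for key, value in parse(log):
        if key == "url":
            last_url = value
        elif key == "token":
            # Challenge token from the CA's authorization, not an API token.
            findings["challenge_tokens"].add(value)
        elif key == "response":
            try:
                body = json.loads(value)
            except ValueError:
                continue  # value carries trailing non-JSON text
            if isinstance(body, dict) and body.get("success") is False:
                for err in body.get("errors") or []:
                    findings["cloudflare_errors"].append(
                        (err.get("code"), err.get("message"), last_url))
    return findings


if __name__ == "__main__":
    for code, message, url in diagnose(SAMPLE_LOG)["cloudflare_errors"]:
        print(f"Cloudflare error {code} ({message}) on request to {url}")
```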