acme broken?

Started by dMopp, March 27, 2025, 07:16:57 PM

I can't add any new certificate NOR recertify them. I am using IONOS and I see no issues regarding DNS record adding... But I see errors like:

[Thu Mar 27 19:15:51 CET 2025] Not valid yet, let's wait for 10 seconds then check the next one.
2025-03-27 19:15:51.000 OPNsense.quolke.net
[Thu Mar 27 19:15:51 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2025-03-27 19:15:51.000 OPNsense.quolke.net
[Thu Mar 27 19:15:51 CET 2025] No DOH
2025-03-27 19:15:51.000 OPNsense.quolke.net

And it's repeating for all my certs. They were working before and, as mentioned, I can see the DNS records without any issue (and usually, in the past, within 10-30 seconds, as IONOS is fast AF .. :D)

Try using a "DNS Sleep Time" of 60 in the ACME Challenge Type. The message "No DOH" plus libcurl error 6 is a dead giveaway that the DNS resolution is tried over DOH, which may be blocked. Using a DNS sleep time disables DOH checks completely.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Setting 30s was enough and the problem is fixed (+ a reboot due to that hanging loop).. thanks :)

I was running 25.1.3 and updated to 25.1.4, rebooted the router, but can still see that my validation (luadns) is being ignored?

Quote:
Date   Process   Line
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] Please add '--debug' or '--log' to see more information.
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] Error adding TXT record to domain: _acme-challenge.OPNSENSE.
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] Add txt record error.
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] Adding record
2025-03-28T11:49:56   acme.sh   [Fri Mar 28 11:49:56 CET 2025] Adding TXT value: k2S8diRcEzt8 for domain: _acme-challenge.OPNSENSE.
2025-03-28T11:49:56   acme.sh   [Fri Mar 28 11:49:56 CET 2025] Getting webroot for domain='OPNSENSE.'
2025-03-28T11:49:54   acme.sh   [Fri Mar 28 11:49:54 CET 2025] Single domain='OPNSENSE.'
2025-03-28T11:49:54   acme.sh   [Fri Mar 28 11:49:54 CET 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory

The record is being added to LuaDNS, but the time from the Challenge type is being ignored; I did try to set up 0, 30, 300 or more.

Is this something you face after the 25 version? I didn't have this issue with 24.

Thank you,
jakub

Nope. The error clearly says that the TXT record was not added to your DNS. And it cannot be, if the name "OPNSENSE." is really what you want to add.

Hi,

Thank you for coming back to me.

The domain name I'm using is an FQDN that I don't want to post, and that's why everything besides the hostname was deleted. It's recognized by public DNS.

Quote:
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] Please add '--debug' or '--log' to see more information.
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] Error adding TXT record to domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] Add txt record error.
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] Adding record
2025-03-28T20:39:49   acme.sh   [Fri Mar 28 20:39:49 CET 2025] Adding TXT value: dSrNFANja1EiimgW_5B3AeQ5EraUJeK3GbEZWw7ylrg for domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-28T20:39:49   acme.sh   [Fri Mar 28 20:39:49 CET 2025] Getting webroot for domain='OPNSENSE.XXX.ovh'
2025-03-28T20:39:46   acme.sh   [Fri Mar 28 20:39:46 CET 2025] Single domain='OPNSENSE.XXX.ovh'
2025-03-28T20:39:46   acme.sh   [Fri Mar 28 20:39:46 CET 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory

A few seconds later in LuaDNS I can see the record is present:
_acme-challenge.opnsense.XXX.ovh.   TXT   dSrNFANja1EiimgW_5B3AeQ5EraUJeK3GbEZWw7ylrg   300


If you look at the time, please notice there is no wait time at all; after 1 second it says error, instead of checking periodically for up to 20 minutes when you set the DNS sleep time to 0 like in the documentation for public DNS.


Hope it's more clear now.

Thank you,
jakub

March 28, 2025, 10:07:36 PM #6 Last Edit: March 28, 2025, 10:15:18 PM by meyergru
No, it does not work like that. The sequence is:

1. Put entry into DNS and see if that is successful.
2. Check DNS entries to arrive at public servers.
3. Ask CA to verify DNS01 and check success.
4. Either way, delete DNS entries again.
5. Ask CA to sign the request.
6. Wait for certificate.

Your update fails in step 1 (or at least the return code says so). I do not see the DNS verification step, because it is not even tried. If the DNS entry is indeed updated, at least it generates a return code that keeps acme.sh from even trying to start step 2.

The best proof would be that because acme.sh thinks the DNS entry was not successfully added, it never deletes it again. That would be done after checking DNS in any case.

You can set debug2 so you have more debug output on why your luadns request fails. The way it looks to me is that the DNS entry is actually added, but seems to fail.

BTW: If you set the DNS sleep time on the challenge to a value > 0, you will force it to use normal DNS requests. Otherwise, DOH is used, which sometimes fails.
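The six-step sequence meyergru lays out above, and jakub's expectation that step 2 polls for a while rather than giving up at once, as an added example that is not part of the original posts or of acme.sh itself: a Python simulation with a constructed DNS provider (not LuaDNS or IONOS), a constructed token and a constructed account JWK. The TXT value is computed the way RFC 8555 specifies (key authorization = token + "." + RFC 7638 JWK thumbprint; the record holds base64url(SHA-256) of it), which is the value acme.sh logs as "Adding TXT value". The provider's `report_failure` switch reproduces the situation described in the post: the record is created, the API call still reports an error, so step 2 never starts and the record is never cleaned up. `dns_sleep_s` mirrors the "DNS Sleep Time" setting: with it set high enough, no propagation check is needed at all.

```python
"""Added example: the DNS-01 flow (add -> wait -> validate -> always clean up),
simulated offline against a constructed DNS provider. Not acme.sh code."""
import base64
import hashlib
import json
import time

# Constructed sample account key; the coordinates are placeholders, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses for every value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, lexicographically ordered."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555: keyAuthorization = token '.' thumbprint; the TXT record carries
    base64url(SHA-256(keyAuthorization))."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


class FakeDnsProvider:
    """Constructed stand-in for a DNS API. A record becomes visible to 'public'
    lookups only after propagation_s seconds. With report_failure=True the record
    is stored but the add call still reports an error."""

    def __init__(self, propagation_s: float, report_failure: bool = False):
        self.propagation_s = propagation_s
        self.report_failure = report_failure
        self.records = {}  # name -> (value, visible_at)

    def add_txt(self, name: str, value: str) -> bool:
        self.records[name] = (value, time.monotonic() + self.propagation_s)
        return not self.report_failure

    def remove_txt(self, name: str) -> None:
        self.records.pop(name, None)

    def public_lookup(self, name: str):
        rec = self.records.get(name)
        return rec[0] if rec and time.monotonic() >= rec[1] else None


def issue_dns01(domain, token, account_jwk, provider, dns_sleep_s, max_wait_s, poll_s=0.01):
    """Run the sequence and report where it stopped, how many propagation checks
    came back empty, and whether a challenge record was left behind."""
    name = f"_acme-challenge.{domain}"
    expected = dns01_txt_value(token, account_jwk)
    outcome = {"ok": False, "failed_at": None, "checks": 0, "record_left": False}

    # Step 1: create the record. A reported failure stops here: step 2 is never
    # attempted and nothing is deleted, because the client believes nothing exists.
    if not provider.add_txt(name, expected):
        outcome["failed_at"] = 1
        outcome["record_left"] = name in provider.records
        return outcome
    try:
        # Step 2: honour the configured sleep, then poll the public view until the
        # record is visible or the overall wait budget is used up.
        time.sleep(dns_sleep_s)
        deadline = time.monotonic() + max_wait_s
        while provider.public_lookup(name) != expected:
            outcome["checks"] += 1
            if time.monotonic() >= deadline:
                outcome["failed_at"] = 2
                return outcome
            time.sleep(poll_s)
        # Step 3: the CA resolves the name itself and compares against its own
        # computation of the expected value (simulated by a fresh lookup).
        if provider.public_lookup(name) != expected:
            outcome["failed_at"] = 3
            return outcome
        outcome["ok"] = True  # Steps 5 and 6 (finalize, fetch the certificate) would follow.
        return outcome
    finally:
        # Step 4: delete the record whether validation passed or not.
        provider.remove_txt(name)
        outcome["record_left"] = name in provider.records


if __name__ == "__main__":
    fast = FakeDnsProvider(propagation_s=0.05)
    print(issue_dns01("opnsense.example.test", "tok", SAMPLE_JWK, fast, 0.0, 2.0))
    broken = FakeDnsProvider(propagation_s=0.05, report_failure=True)
    print(issue_dns01("opnsense.example.test", "tok", SAMPLE_JWK, broken, 0.0, 2.0))
```

With `dns_sleep_s=0` the loop shows the periodic checking jakub expected; with a sleep longer than the zone's propagation delay the record is already visible on the first look and no check is counted. In the `report_failure` run the outcome stops at step 1 with the record still in the zone, which is exactly the "never deletes it again" symptom meyergru uses as proof.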

Hi,

Quote from: meyergru on March 28, 2025, 10:07:36 PM
The best proof would be that because acme.sh thinks the DNS entry was not successfully added, it never deletes it again. That would be done after checking DNS in any case.

Yes, you're right, the record is not being deleted for this request.

I have set up debug2 and this is the output:

Sorry for the long quotation.

Quote:
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] Skipping dns.
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] dns_entries
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] _clearupdns
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] No need to restore nginx config, skipping.
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] pid
        socat version 1.8.
        socat by Gerhard Rieger and contributors - see www.dest-unreach.org
        socat:
        configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --with-pcre --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_v3_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_smtp_module --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/ngx_brotli-a71f931 --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/headers-more-nginx-module-06dc0be --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/naxsi-1.6/naxsi_src --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/njs-0.8.5/nginx --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/nginx-module-vts-bf64dbf --with-ld-opt='-L /usr/local/lib'
        TLS SNI support enabled
        built with OpenSSL 3.0.16 11 Feb 2025
        nginx version: nginx/1.26.3
        nginx:
        Apache doesn't exist.
        Apache:
        OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
        openssl:openssl
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] Diagnosis versions:
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] response='{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}';
        }'
        "token": "_TOKEN_"
        "status": "pending",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q",
        "type": "dns-01",
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] original='{
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] code='200'
        '
        strict-transport-security: max-age=604800
        x-frame-options: DENY
        replay-nonce: KQqMGbQ5AYOsYKqWEI2xw9ZxohXffgVMJ6e82HKg-HWSM1b65iw
        location: https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q
        link: <https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957>;rel="up"
        link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
        cache-control: public, max-age=0, no-cache
        boulder-requester: _letsencrypt_NR_
        content-length: 193
        content-type: application/json
        date: Sat, 29 Mar 2025 08:34:49 GMT
        server: nginx
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] responseHeaders='HTTP/2 200
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _ret='0'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] Http already initialized.
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _postContentType='application/jose+json'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] body='{"protected": "_XXX_a0NvQ043RDh4UmRFUW1yNGNKNHMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzEwMTg4NjI1MC80OTcxNjgwNTQ5NTcvXzJtVzFRIiwgImFsZyI6ICJSUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDE4ODYyNTAifQ", "payload": "e30", "signature": "d5BfCGcA3Yp_o_-dxHdBygKGwC2MTHkKbz-7ds_j803UUnGms7dgVzPO1GMATSTbNXXRac2ykAGvCF3bSRGUkV6TwdvVZisOim5LI9SPl4JqjD5Zf9_VTwJif9q2Kpqcqf0XxyMh0Vm0ZZuuJzakGxlaertqGtQ_MP7Fuwa5m2SdfsknWYh9GaWk_dfnjR2vnUwnaw99Pp4KlmTDxI-pTPqtU9Y6Mb8qufg9J_3OiWgCnhN5MXkj05XIH-Ow2cUBUR11mqFZsc7xfDDoMvJCRtC1beqUUNnQp9Z54qMVMG28PcuB6fNZmz2DKCZVXlG0OcGrzHQI90V7QMuHR60GcUMaOj6Ie3dAE52cwfTS_00TUNGQ6l2XYzGSOxS0Md3ZZYjXWcI0GWgzYhHTm-18VoqQPCJGnk_nSopLOvVdJ12RY3sTUHfLwB_ze442d6BeAMSz0AG4-koqZ-IM-El-2-BwBR55D-hhUj18XVau0aBW-nDZZwyRrJM4P5388b7d86DGHSnXO9su2zZ2u8MqixqeqgQLnDryZzcO1E8iQO96ng6IhqhPHwyKGVKSiPw6YckIz7RTaVtS8BBJSjWB97Wrxbb4hrg43XVHk_IGaVztSJ7R6i4eLg-17HMLcv_X1EQnyYrizxBLZ2FFIAav0Lwa5HXwc5Zj5dfI5EUxZ-k"}'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q';
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] POST
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] nonce='_NONCE_'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] Use _CACHED_NONCE='_NONCE_'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] Use cached jwk for file: /var/etc/acme-client/accounts/5faaa839612575.44326968_prod/account.key
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] payload='{}'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] url='https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q';
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] =======Sending Signed Request=======
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _t_vtype
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _t_key_authz='_TOKEN_.__VLIST_'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q';
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] Trigger domain validation.
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] start to deactivate authz
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _chk_vlist='OPNSENSE.XXX.ovh#_TOKEN_.__VLIST_#https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q#dns-01#dns_lua#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957,';
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Please add '--debug' or '--log' to see more information.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _on_issue_err
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Error adding TXT record to domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Add txt record error.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] response='{"id":185022797,"name":"_acme-challenge.OPNSENSE.XXX.ovh.","type":"TXT","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":300,"zone_id":_DOMAIN_ID_,"created_at":"2025-03-29T08:34:48.865874041Z","updated_at":"2025-03-29T08:34:48.865874142Z"}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _ret='0'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Http already initialized.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _postContentType
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] body='{"type":"TXT","name":"_acme-challenge.OPNSENSE.XXX.ovh.","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":120}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _post_url='https://api.luadns.com/v1/zones/_DOMAIN_ID_/records';
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] POST
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] data='{"type":"TXT","name":"_acme-challenge.OPNSENSE.XXX.ovh.","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":120}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] zones/_DOMAIN_ID_/records
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Adding record
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain='XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _sub_domain='_acme-challenge.OPNSENSE'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain_id='_DOMAIN_ID_'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain_id='_DOMAIN_ID_'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] h='XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] h='OPNSENSE.XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] response='[{"id":92349,"name":"itlup.ovh","template_id":0,"synced":true,"queries_count":6329,"records_count":10,"aliases_count":0,"redirects_count":0,"forwards_count":0},{"id":_DOMAIN_ID_,"name":"XXX.ovh","template_id":0,"synced":true,"queries_count":9851,"records_count":8,"aliases_count":0,"redirects_count":0,"forwards_count":0}]'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] ret='0'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] Http already initialized.
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] timeout=
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] url='https://api.luadns.com/v1/zones';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] GET
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] zones
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] First detect the root zone
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] Adding TXT value: XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ for domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] Found domain API file: /usr/local/share/examples/acme.sh/dnsapi/dns_lua.sh
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] dns_entry='OPNSENSE.XXX.ovh,_acme-challenge.OPNSENSE.XXX.ovh,,dns_lua,XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ,/usr/local/share/examples/acme.sh/dnsapi/dns_lua.sh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_lua.sh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] txt='XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] txtdomain='_acme-challenge.OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _d_alias
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] vlist='OPNSENSE.XXX.ovh#_TOKEN_.__VLIST_#https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q#dns-01#dns_lua#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957,';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] d
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] dvlist='OPNSENSE.XXX.ovh#_TOKEN_.__VLIST_#https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q#dns-01#dns_lua#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] keyauthorization='_TOKEN_.__VLIST_'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] uri='https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] token='_TOKEN_'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] entry='"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] response='OPNSENSE.XXX.ovh,{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _candidates='OPNSENSE.XXX.ovh,{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _idn_temp
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _is_idn_d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _currentRoot='dns_lua'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _w='dns_lua'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] Getting webroot for domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] d='OPNSENSE.XXX.ovh'
        '
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _authorizations_map='OPNSENSE.XXX.ovh,{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] response='{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] response='{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}'
        }'
        ]
        }
        "token": "_TOKEN_"
        "status": "pending",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q",
        "type": "dns-01",
        {
        },
        "token": "_TOKEN_"
        "status": "pending",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA",
        "type": "http-01",
        {
        },
        "token": "_TOKEN_"
        "status": "pending",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg",
        "type": "tls-alpn-01",
        {
        "challenges": [
        "expires": "2025-04-05T08:34:46Z",
        "status": "pending",
        },
        "value": "OPNSENSE.XXX.ovh"
        "type": "dns",
        "identifier": {
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] original='{
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] code='200'
        '
        strict-transport-security: max-age=604800
        x-frame-options: DENY
        replay-nonce: _NONCE_
        link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
        cache-control: public, max-age=0, no-cache
        boulder-requester: _letsencrypt_NR_
        content-length: 824
        content-type: application/json
        date: Sat, 29 Mar 2025 08:34:46 GMT
        server: nginx
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] responseHeaders='HTTP/2 200
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _ret='0'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Http already initialized.
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _postContentType='application/jose+json'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] body='{"protected": "XXXBCVlY0TzFBc1FmcnVUd0plQlFPNkllc2h0UF9FQXBkV1RnOEozc1h5a3MiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzEwMTg4NjI1MC80OTcxNjgwNTQ5NTciLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEwMTg4NjI1MCJ9", "payload": "", "signature": "kpcT33ruKKbyvH5CIxBQV-SV2trS74pnwmRZV00yM-YVuWQmrCLv8gcwmE2OFftdK4mRCZ0mphHC_XieCjrvcRksA7jSpMAVmmM0fxwngEbVDlHjbPHBrvsMM-AHr4Z82j9gV4-cH0laC1JprjWgCg5L6CMMA6TX1_O-v2G8mTxV4G-_AgYizPwxhv1nDf587fkLUGs4EjeCS145o6Xn8Z4BUGbUkELagL9oK-lMvuH6iHGkh6nMkRHyBiCTfN-bchO19REakDOx2CPDQEIYhnrAK6f3XONT0xOAXEr_VSyxiKYp9FBs-mADHK3iX6yHYkA0-xNIANjpD0QSQyD3tXqoq8TzsccghcxU7EGqsibl1QJoCTLq1b7_ksKFlG84TDb7TiT_IgLjuPA0FPwCYMIQ26VIVQZcrSa22SFOPoWlQ2203Zklz95lG-HgO3APof5Nk2JaYmEYTyfdHGZ85fWeA3HeQ3RrzCxX5mnvem-WPyCY-xIZsVRLTvhVTvMpbmJp9t1VEkNBM5_zXaY9cL2S06Y_sfUk3gfoa1hLwRlEYzWyQMeib5xjY-gOjPXeMMtdQElY8nN_oKTFWz6CQIegFctjC6WBLD4UbNZM_VAn-hEZdNxpeEEUlaPh5FOntCe4uw8IJzk1DIvE9_KTzZCQD-uzHI5HgKS2BipNYqo"}'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] POST
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] nonce='pwlyUh7gPBVV4O1AsQfruTwJeBQO6IeshtP_EApdWTg8J3sXyks'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Use _CACHED_NONCE='pwlyUh7gPBVV4O1AsQfruTwJeBQO6IeshtP_EApdWTg8J3sXyks'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Use cached jwk for file: /var/etc/acme-client/accounts/5faaa839612575.44326968_prod/account.key
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] payload
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] url='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] =======Sending Signed Request=======
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] STEP 2, Get the authorizations of each domain
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/_letsencrypt_NR_/368536016037';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/_letsencrypt_NR_/368536016037';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] response='{"status":"pending","expires":"2025-04-05T08:34:46Z","identifiers":[{"type":"dns","value":"OPNSENSE.XXX.ovh"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/_letsencrypt_NR_/368536016037"}'
        }'
        "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/_letsencrypt_NR_/368536016037"
        ],
        "https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957"
        "authorizations": [
        ],
        }
        "value": "OPNSENSE.XXX.ovh"
        "type": "dns",
        {
        "identifiers": [
        "expires": "2025-04-05T08:34:46Z",
        "status": "pending",
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] original='{
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] code='201'
        '
        strict-transport-security: max-age=604800
        x-frame-options: DENY
        replay-nonce: pwlyUh7gPBVV4O1AsQfruTwJeBQO6IeshtP_EApdWTg8J3sXyks
        location: https://acme-v02.api.letsencrypt.org/acme/order/_letsencrypt_NR_/368536016037
        link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
        cache-control: public, max-age=0, no-cache
        boulder-requester: _letsencrypt_NR_
        content-length: 351
        content-type: application/json
        date: Sat, 29 Mar 2025 08:34:46 GMT
        server: nginx
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] responseHeaders='HTTP/2 201
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _ret='0'
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] Http already initialized.
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _postContentType='application/jose+json'
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] body='{"protected": "XXXXFNR2JRNWFJS3NRUDNkREVheHhnT0t0M0tLbGJrbzY3eV8zZVN4TzF2aHJ0Z3ZjWlEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAxODg2MjUwIn0", "payload": "eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6Ik9QTlNFTlNFLm5lc3Njby5vdmgifV19", "signature": "Y9kfawJVzSuKYZpBfo28LZH_A5nLG3nX2s_sWS9uXU_twxKUY9K9tK9OSo2MYUQ5Nv0hEMHmWQkMy-Piy83J087mMBthzkcNa2BJynnEUo6EUcL34VDYrC5EA2gv1kYIaSlMcl6cJpj9TWxFb4xVniOLutqY3cBfqGUFQrmowlKfF6U2z5p9RUbnztm0XmsxsKpzsmEFOWQa_7AXacAJUZhwvO5ds0LASOh0fHLjdKD2txys-WY4BKsu69k2kJ0Wrxre6ymdVqU1YMspH-uRoRpwVBFB8xlWJITsRZLt3ZMDGuJJxm_FSTAlIj5aPqy-azTBfVBchlm5yV8pSPvCVSqGuIkKkdbWCygD8-mVgK0-0DP1mEXuF-df126ivJjS97_0twnQWQWC7G2OGdSLjlzsMwdbzhdqgnd2hnUge-RfJd995YZHi2ARpbdtTSRVtFEA2FmWfsQjbuALBgS1Q08OLQEK985MJUZZ_oqsHd26vDhQxArMuw3zYNbl0uCOZ4oWXWAwOiPfpUAoPtFfs9bt2YfB3f5_dSrNRY33Se0N4Ib5Mfag5ipFCCWQrIWeYQvMko9Rl627Yg7RhEkuW9PHCNdTxukHzwmXn6IPmjEOHpesB6bHdegq575vLTdl5eUdd76sqpett_hvKsEXQ29ZoWWX1y5rNSAfT_geZJw"}'
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order';
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] POST
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] nonce='KQqMGbQ5aIKsQP3dDEaxxgOKt3KKlbko67y_3eSxO1vhrtgvcZQ'
        '
        strict-transport-security: max-age=604800
        x-frame-options: DENY
        replay-nonce: KQqMGbQ5aIKsQP3dDEaxxgOKt3KKlbko67y_3eSxO1vhrtgvcZQ
        link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
        cache-control: public, max-age=0, no-cache
        date: Sat, 29 Mar 2025 08:34:45 GMT
        server: nginx
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _headers='HTTP/2 200
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _ret='0'
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g -I '
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _postContentType='application/jose+json'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] body
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce';
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] HEAD
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce';
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _URGLY_PRINTF='1'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _URGLY_PRINTF='1'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] RSA key
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] payload='{"identifiers": [{"type":"dns","value":"OPNSENSE.XXX.ovh"}]}'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] url='https://acme-v02.api.letsencrypt.org/acme/new-order';
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] =======Sending Signed Request=======
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] STEP 1, Ordering a Certificate
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _notAfter
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _notBefore
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _identifiers='{"type":"dns","value":"OPNSENSE.XXX.ovh"}'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] d
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _idn_temp
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _is_idn_d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] seg='OPNSENSE'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] Getting domain auth token for each domain
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] seg='OPNSENSE'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _csr_cn='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _idn_temp
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _is_idn_d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _idn_temp
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _is_idn_d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] seg='OPNSENSE'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] Single domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] csrconf='/var/etc/acme-client/cert-home/63e75569887183.36451555/OPNSENSE.XXX.ovh/OPNSENSE.XXX.ovh.csr.conf'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] csr='/var/etc/acme-client/cert-home/63e75569887183.36451555/OPNSENSE.XXX.ovh/OPNSENSE.XXX.ovh.csr'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] csrkey='/var/etc/acme-client/cert-home/63e75569887183.36451555/OPNSENSE.XXX.ovh/OPNSENSE.XXX.ovh.key'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] domainlist
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _createcsr
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] Read key length: 2048
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _saved_account_key_hash was not changed, skipping account registration.
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _saved_account_key_hash='HASH_KEY'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] 'dns_lua' does not contain 'apache'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] d
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _currentRoot='dns_lua'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Checking for domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Le_LocalAddress
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] 'dns_lua' does not contain 'no'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _chk_alt_domains
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _chk_main_domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _on_before_issue
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_NEW_AUTHZ
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change';
        }'
        "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
        "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
        "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
        "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
        "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
        },
        "website": "https://letsencrypt.org"
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
        },
        "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver (not yet generally available)"
        "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
        "classic": "https://letsencrypt.org/docs/profiles#classic",
        "profiles": {
        ],
        "letsencrypt.org"
        "caaIdentities": [
        "meta": {
        "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
        "1KWa47XgJBE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] response='{
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ret='0'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.rv8M2k8w6s -g '
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] timeout=
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] url='https://acme-v02.api.letsencrypt.org/directory';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] GET
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _init API for server: https://acme-v02.api.letsencrypt.org/directory
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Le_NextRenewTime='1736377207'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] 'dns_lua' does not contain 'dns'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] DOMAIN_PATH='/var/etc/acme-client/cert-home/63e75569887183.36451555/OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _ACME_SERVER_PATH='directory'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Using config home: /var/etc/acme-client/home
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _alt_domains='no'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _main_domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Running cmd: issue
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Using server: https://acme-v02.api.letsencrypt.org/directory
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] LE_WORKING_DIR='/var/etc/acme-client/home'



system log

2025-03-29T09:34:50   opnsense   AcmeClient: validation for certificate failed: OPNSENSE.XXX.ovh
2025-03-29T09:34:50   opnsense   AcmeClient: domain validation failed (dns01)
2025-03-29T09:34:50   opnsense   AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 8 --debug 2 --server 'letsencrypt' --dns 'dns_lua' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/63e75569887183.36451555' --certpath '/var/etc/acme-client/certs/63e75569887183.36451555/cert.pem' --keypath '/var/etc/acme-client/keys/63e75569887183.36451555/private.key' --capath '/var/etc/acme-client/certs/63e75569887183.36451555/chain.pem' --fullchainpath '/var/etc/acme-client/certs/63e75569887183.36451555/fullchain.pem' --domain 'OPNSENSE.XXX.ovh' --days '1' --force --keylength '2048' --accountconf '/var/etc/acme-client/accounts/5faaa839612575.44326968_prod/account.conf''
2025-03-29T09:34:42   opnsense   AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 8 --debug 2 --server 'letsencrypt' --dns 'dns_lua' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/63e75569887183.36451555' --certpath '/var/etc/acme-client/certs/63e75569887183.36451555/cert.pem' --keypath '/var/etc/acme-client/keys/63e75569887183.36451555/private.key' --capath '/var/etc/acme-client/certs/63e75569887183.36451555/chain.pem' --fullchainpath '/var/etc/acme-client/certs/63e75569887183.36451555/fullchain.pem' --domain 'OPNSENSE.XXX.ovh' --days '1' --force --keylength '2048' --accountconf '/var/etc/acme-client/accounts/5faaa839612575.44326968_prod/account.conf'
2025-03-29T09:34:42   opnsense   AcmeClient: using challenge type: LuaDNS
2025-03-29T09:34:42   opnsense   AcmeClient: account is registered: Jakub SURNAME
2025-03-29T09:34:42   opnsense   AcmeClient: using CA: letsencrypt
2025-03-29T09:34:42   opnsense   AcmeClient: issue certificate: OPNSENSE.XXX.ovh

Other domain:
Interestingly, the other two domains are fine; there is a 5-minute break and that works well. I am starting to think it might be related to the DNS name of the appliance itself, as it is the only one failing; maybe it asks the local DNS (cache) instead of the public DNS. The other two domains were completed correctly. Example below:

Quote
2025-03-28T00:15:31    acme.sh    [Fri Mar 28 00:15:31 CET 2025] And the full-chain cert is in: /var/etc/acme-client/cert-home/653e92d5467220.29286476/pi.XXX.ovh_ecc/fullchain.cer
2025-03-28T00:15:31    acme.sh    [Fri Mar 28 00:15:31 CET 2025] The intermediate CA cert is in: /var/etc/acme-client/cert-home/653e92d5467220.29286476/pi.XXX.ovh_ecc/ca.cer
2025-03-28T00:15:31    acme.sh    [Fri Mar 28 00:15:31 CET 2025] Your cert key is in: /var/etc/acme-client/cert-home/653e92d5467220.29286476/pi.nessco.ovh_ecc/pi.XXX.ovh.key
2025-03-28T00:15:31    acme.sh    [Fri Mar 28 00:15:31 CET 2025] Your cert is in: /var/etc/acme-client/cert-home/653e92d5467220.29286476/pi.XXX.ovh_ecc/pi.XXX.ovh.cer
2025-03-28T00:15:28    acme.sh    [Fri Mar 28 00:15:28 CET 2025] Removing txt: p6lf1xHKCdzWtL0W1-hC5QsPxZMmCLByxxbQ_KTPfKQ for domain: _acme-challenge.pi.XXX.ovh
2025-03-28T00:15:25    acme.sh    [Fri Mar 28 00:15:25 CET 2025] Verifying: pi.XXX.ovh
2025-03-28T00:10:24    acme.sh    [Fri Mar 28 00:10:24 CET 2025] Adding TXT value: p6lf1xHKCdzWtL0W1-hC5QsPxZMmCLByxxbQ_KTPfKQ for domain: _acme-challenge.pi.XXX.ovh
2025-03-28T00:10:24    acme.sh    [Fri Mar 28 00:10:24 CET 2025] Getting webroot for domain='pi.XXX.ovh'
2025-03-28T00:10:21    acme.sh    [Fri Mar 28 00:10:21 CET 2025] Single domain='pi.XXX.ovh'
2025-03-28T00:10:20    acme.sh    [Fri Mar 28 00:10:20 CET 2025] Renewing: 'pi.XXX.ovh'


Quote from: meyergru on March 28, 2025, 10:07:36 PM
BTW: If you set the DNS sleep time on the challenge to a value > 0, you will force it to use normal DNS requests. Otherwise, DOH is used, which sometimes fails.

If I try to use "0" or a value like "900", in the log I can see there is no difference; it reports the error right away. The above error is from when the sleep was set to "0".


Thank you
Jakub

The problem lies around here:

2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Please add '--debug' or '--log' to see more information.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _on_issue_err
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Error adding TXT record to domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Add txt record error.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] response='{"id":185022797,"name":"_acme-challenge.OPNSENSE.XXX.ovh.","type":"TXT","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":300,"zone_id":_DOMAIN_ID_,"created_at":"2025-03-29T08:34:48.865874041Z","updated_at":"2025-03-29T08:34:48.865874142Z"}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _ret='0'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Http already initialized.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _postContentType
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] body='{"type":"TXT","name":"_acme-challenge.OPNSENSE.XXX.ovh.","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":120}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _post_url='https://api.luadns.com/v1/zones/_DOMAIN_ID_/records';
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] POST
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] data='{"type":"TXT","name":"_acme-challenge.OPNSENSE.XXX.ovh.","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":120}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] zones/_DOMAIN_ID_/records
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Adding record
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain='XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _sub_domain='_acme-challenge.OPNSENSE'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain_id='_DOMAIN_ID_'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain_id='_DOMAIN_ID_'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] h='XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] h='OPNSENSE.XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025]

It seems like luadns accepts the request (response='{"id":185022797,"name":"_acme-challenge.OPNSENSE.XXX.ovh.","type":"TXT","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":300,"zone_id":_DOMAIN_ID_,"created_at":"2025-03-29T08:34:48.865874041Z","updated_at":"2025-03-29T08:34:48.865874142Z"}'), yet acme.sh thinks it went wrong ("Add txt record error.").

I think that the zone_id=_DOMAIN_ID_ is the problem. This looks like the domain has never been set by the script. If other domains work, you should look at the log entries for those in the same area. I think you will find that instead of _DOMAIN_ID_, there will be a real domain.

IDK why this happens. What comes to mind is:

1. Subdomains instead of host names (i.e. "opnsense.xyz.XXX.ovh" instead of "opnsense.XXX.ovh").
2. Punctuation or white-space in any input, leading or following.
3. Typo in the domain itself.

On a side note: You should probably not do it like this anyway. DNS-01 verification can accommodate wildcard certificates, which you should absolutely use in order to hide specific names like opnsense.XXX.ovh, because any issued certificate is published by the CA.
That way, you also need fewer certificates (i.e. just one) and can use that for any upcoming URL.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
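As an added example, to make the two checks discussed in this thread concrete (this is not code from the thread, from acme.sh, or from its LuaDNS module): the first function validates a provider's "record created" JSON reply by parsing it and comparing the normalised challenge name, the token and the numeric zone id, so a mixed-case host name or an unset zone id placeholder fails with a specific reason instead of a bare "Add txt record error"; the remaining functions perform the propagation check over plain UDP DNS (what a non-zero DNS sleep time falls back to, in place of DoH) with a small RFC 1035 TXT query builder and answer parser. The sample reply is modelled on the LuaDNS response in the log above with a made-up zone id of 4242, the nameserver address passed to `txt_record_visible` is supplied by the caller, and `build_txt_response` only fabricates an answer so the parser can be exercised offline.

```python
import json
import random
import socket
import struct


def normalize_name(name: str) -> str:
    # DNS owner names are case-insensitive; strip stray whitespace and the trailing dot so
    # "_acme-challenge.OPNSENSE.XXX.ovh." and "_acme-challenge.opnsense.xxx.ovh" compare equal.
    return name.strip().rstrip(".").lower()


def check_add_record_response(body: str, fulldomain: str, txtvalue: str) -> dict:
    # Parse the provider's JSON reply and compare fields instead of substring-matching raw text.
    try:
        rec = json.loads(body)
    except ValueError as exc:
        return {"ok": False, "reason": f"reply is not JSON: {exc}"}
    if rec.get("type") != "TXT":
        return {"ok": False, "reason": f"unexpected record type {rec.get('type')!r}"}
    if normalize_name(rec.get("name", "")) != normalize_name(fulldomain):
        return {"ok": False, "reason": f"name {rec.get('name')!r} is not the challenge name"}
    if rec.get("content") != txtvalue:
        return {"ok": False, "reason": "content is not the challenge token"}
    if not isinstance(rec.get("zone_id"), int):
        # A placeholder or missing value here means the zone lookup never produced a real id.
        return {"ok": False, "reason": f"zone_id is not numeric: {rec.get('zone_id')!r}"}
    return {"ok": True, "reason": f"record {rec.get('id')} created"}


# Constructed sample modelled on the LuaDNS reply in the log above; the masked zone id is
# replaced by a made-up number (4242) so the JSON parses.
SAMPLE_TOKEN = "XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ"
SAMPLE_REPLY = ('{"id":185022797,"name":"_acme-challenge.OPNSENSE.XXX.ovh.","type":"TXT",'
                f'"content":"{SAMPLE_TOKEN}","ttl":300,"zone_id":4242}}')


def build_txt_query(name: str, txid: int) -> bytes:
    # Minimal RFC 1035 query: header (RD set, one question) + QNAME + QTYPE=TXT(16) + QCLASS=IN(1).
    labels = normalize_name(name).split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 16, 1)


def _skip_name(msg: bytes, off: int) -> int:
    # Advance past an uncompressed name or a 2-byte compression pointer.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1


def parse_txt_answers(msg: bytes, txid: int) -> list:
    # Return the TXT strings in the answer section; refuse mismatched ids and error RCODEs.
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 16:
            rd, p, parts = msg[off:off + rdlen], 0, []
            while p < rdlen:  # TXT RDATA is a sequence of <length><characters>
                parts.append(rd[p + 1:p + 1 + rd[p]].decode("ascii", "replace"))
                p += 1 + rd[p]
            texts.append("".join(parts))
        off += rdlen
    return texts


def build_txt_response(query: bytes, txt: str) -> bytes:
    # Fabricate the answer a nameserver would return (offline sample input for the parser).
    txid = struct.unpack_from("!H", query)[0]
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 120, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + answer


def txt_record_visible(name: str, expected: str, nameserver: str, timeout: float = 3.0) -> bool:
    # Plain UDP/53 lookup against one nameserver (the zone's authoritative server is the useful
    # target); no DoH is involved, so a blocked DoH path cannot produce a false negative here.
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    return expected in parse_txt_answers(data, txid)
```

Querying the zone's authoritative nameserver directly sidesteps any stale answer from the firewall's local resolver cache, which is the suspicion raised for the appliance's own host name above; a recursive resolver may keep serving a negative answer for the old `_acme-challenge` name until its negative TTL expires.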

Quote from: meyergru on March 29, 2025, 12:01:53 PM
1. Subdomains instead of host names (i.e. "opnsense.xyz.XXX.ovh" instead of "opnsense.XXX.ovh").

I'm not using sub-sub-domains.

Quote from: meyergru on March 29, 2025, 12:01:53 PM
Punctuation or white-space in any input, leading or following.

I'm not sure, but I had capital letters in the host name before and have changed it to lower case.

Quote from: meyergru on March 29, 2025, 12:01:53 PM
Typo in the domain itself.

I have copy-pasted it from the URL once again.

Quote from: meyergru on March 29, 2025, 12:01:53 PM
On a side note: You should probably not do it like this anyway. DNS-01 verification can accommodate wildcard certificates, which you should absolutely use in order to hide specific names like opnsense.XXX.ovh, because any issued certificate is published by the CA.
That way, you also need less certificates (i.e. just one) and use that for any upcoming URL.

I fully agree with you, it's not secure. Access is only from the internal network, but anyway it's not a good setup.



Additionally I did:
key length: "from 2048 to 4096"
DNS alias mode: "set to Automatic mode."


For some reason the certificate has been renewed, and deleted from LuaDNS at the end.


Thank you for backing me during the process.

Have a good day

Jakub