OPNsense
Author Topic: LetsEncrypt troubleshooting advice..  (Read 5586 times)

erktrek

LetsEncrypt troubleshooting advice..
« on: May 20, 2018, 05:09:51 pm »
So am getting into the letsencrypt/acme.sh thing.. My provider is GoDaddy and I am using dns01 - "dns_gd". I am on OPNsense 18.1.8 and acme.sh v2.7.9

Seems straightforward but cannot add any certificates using staging (have not tried production) - from the logs I keep getting txt record errors but the txt records actually appear in GD.. and I can query them. Note there seem to be 2 challenge records - I do not know if this is normal or not.

Not sure how to go about troubleshooting this properly. Any advice would be appreciated.

Thx!

E.

Code:
...........
...........
[Sun May 20 10:38:45 EDT 2018] _post_url='https://api.godaddy.com/v1/domains/xxxxxxx.com/records/TXT/_acme-challenge'
[Sun May 20 10:38:45 EDT 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sun May 20 10:38:46 EDT 2018] _ret='0'
[Sun May 20 10:38:46 EDT 2018] Add txt record error.
[Sun May 20 10:38:46 EDT 2018]
[Sun May 20 10:38:46 EDT 2018] Error add txt for domain:_acme-challenge.xxxxxxx.com
[Sun May 20 10:38:46 EDT 2018] pid
...........
...........

erktrek

Re: LetsEncrypt troubleshooting advice..
« Reply #1 on: May 20, 2018, 07:19:02 pm »
Wanted to follow up - I ended up installing acme.sh on an internal server instead and was able to get everything running as expected. Even used a wildcard!

https://github.com/Neilpang/acme.sh/tree/master/dnsapi



djones

Re: LetsEncrypt troubleshooting advice..
« Reply #2 on: May 28, 2018, 11:11:11 pm »
Same issue:

Code:
[Mon May 28 14:02:56 PDT 2018] pid
[Mon May 28 14:02:56 PDT 2018] Error add txt for domain:_acme-challenge.xxxxxxxx.com
[Mon May 28 14:02:56 PDT 2018] Add txt record error.
[Mon May 28 14:02:56 PDT 2018] _ret='0'
[Mon May 28 14:02:55 PDT 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Mon May 28 14:02:55 PDT 2018] _post_url='https://api.godaddy.com/v1/domains/xxxxxxxx.com/records/TXT/_acme-challenge'

Also using GoDaddy DNS.
18.1.8
acme.sh 2.7.8

Would like to get it working in OPNsense if possible.

DonSYS

Re: LetsEncrypt troubleshooting advice..
« Reply #3 on: June 23, 2018, 02:06:23 am »
Is it possible for you to open an issue in the OPNsense Plugins repo https://github.com/opnsense/plugins, so we can investigate it later?

djones

Re: LetsEncrypt troubleshooting advice..
« Reply #4 on: September 08, 2018, 09:19:48 pm »
I'm sorry I never got around to opening an issue but I did find the problem.

The acme script wasn't sleeping at all before checking the TXT record. It ignored the sleep time set in the validation methods.

After updating to 18.7.2 and acme.sh 2.7.9, it is now working as expected and using the set sleep time.
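Reply #4 attributes the failure to the TXT record being checked with no wait after it was created. The shell functions below are an added example, not part of the thread and not acme.sh or OPNsense plugin code: they poll for the challenge value before validation is attempted, and they accept a name that carries more than one TXT value. The names `lookup_txt` and `wait_for_txt` are hypothetical, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not acme.sh or OPNsense plugin code). Hypothetical helpers:
# lookup_txt, wait_for_txt. Assumes `dig` is installed; swap in another
# resolver tool inside lookup_txt if it is not.

# Print every TXT value published at a name, one per line, quotes removed.
# $1 = FQDN, $2 = optional name server to ask (e.g. the zone's authoritative NS)
lookup_txt() {
    if [ -n "${2:-}" ]; then
        dig +short TXT "$1" "@$2"
    else
        dig +short TXT "$1"
    fi | tr -d '"'
}

# Poll until the expected challenge value is visible, or give up.
# $1 = FQDN, $2 = expected TXT value, $3 = max attempts (default 12),
# $4 = seconds between attempts (default 10), $5 = optional name server
# Prints the attempt number that succeeded; returns 1 if it never appeared.
wait_for_txt() {
    name=$1; expected=$2; attempts=${3:-12}; interval=${4:-10}; ns=${5:-}
    n=1
    while [ "$n" -le "$attempts" ]; do
        # A name can hold several TXT values at once, so match the expected
        # value as one whole literal line (-F -x) among all returned lines.
        if lookup_txt "$name" "$ns" | grep -Fxq -- "$expected"; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
        if [ "$n" -le "$attempts" ]; then
            sleep "$interval"
        fi
    done
    return 1
}

# Usage (constructed values):
#   wait_for_txt _acme-challenge.example.com "$TOKEN" 12 10 ns1.example.net
```

Pointing the fifth argument at one of the zone's authoritative name servers avoids reading a stale negative answer from a caching resolver.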

Alphakilo

Re: LetsEncrypt troubleshooting advice..
« Reply #5 on: September 10, 2018, 12:12:24 pm »
I have the strong feeling that dns-01, like tls-sni-01, might be disabled in the foreseeable future:
https://www.theregister.co.uk/2018/09/06/certificate_authority_dns_validation/

tre4bax

Re: LetsEncrypt troubleshooting advice..
« Reply #6 on: October 09, 2018, 10:03:25 pm »
Rule number one, never believe anything you see in The Register.
