Acme.sh - Cannot renew using dns manual mode

Hi community,

I cannot renew using acme.sh and dns manual after doing:

  1. acme.sh --issue --dns example.com -d soporte.example.com -d mail.example.com
  2. update txt records by hand
  3. acme.sh --debug 2 --renew --dns -d example.com

Below is my debug log:

(replaced the true domain by example.com)

[lun jul 3 14:23:59 -03 2017] Using config home:/home/sergio/.acme.sh
[lun jul 3 14:23:59 -03 2017] DOMAIN_PATH=’/home/sergio/.acme.sh/example.com’
[lun jul 3 14:23:59 -03 2017] e[1;31;32mRenew: 'example.com’e[0m
[lun jul 3 14:23:59 -03 2017] Using config home:/home/sergio/.acme.sh
[lun jul 3 14:23:59 -03 2017] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[lun jul 3 14:23:59 -03 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[lun jul 3 14:23:59 -03 2017] GET
[lun jul 3 14:23:59 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/directory
[lun jul 3 14:23:59 -03 2017] timeout
[lun jul 3 14:23:59 -03 2017] _CURL=‘curl -L --silent --dump-header /home/sergio/.acme.sh/http.header --trace-ascii /tmp/tmp.vsUYUDHaZ7 ‘
[lun jul 3 14:24:00 -03 2017] ret=‘0’
[lun jul 3 14:24:00 -03 2017] ACME_KEY_CHANGE=‘https://acme-staging.api.letsencrypt.org/acme/key-change
[lun jul 3 14:24:00 -03 2017] ACME_NEW_AUTHZ=‘https://acme-staging.api.letsencrypt.org/acme/new-authz
[lun jul 3 14:24:00 -03 2017] ACME_NEW_ORDER=‘https://acme-staging.api.letsencrypt.org/acme/new-cert
[lun jul 3 14:24:00 -03 2017] ACME_NEW_ACCOUNT=‘https://acme-staging.api.letsencrypt.org/acme/new-reg
[lun jul 3 14:24:00 -03 2017] ACME_REVOKE_CERT=‘https://acme-staging.api.letsencrypt.org/acme/revoke-cert
[lun jul 3 14:24:00 -03 2017] Le_NextRenewTime=‘1496420810’
[lun jul 3 14:24:00 -03 2017] _on_before_issue
[lun jul 3 14:24:00 -03 2017] Le_LocalAddress
[lun jul 3 14:24:00 -03 2017] Check for domain=‘example.com
[lun jul 3 14:24:00 -03 2017] _currentRoot=‘dns’
[lun jul 3 14:24:00 -03 2017] Check for domain=‘soporte.example.com
[lun jul 3 14:24:00 -03 2017] _currentRoot=‘dns’
[lun jul 3 14:24:00 -03 2017] Check for domain=‘mail.example.com
[lun jul 3 14:24:00 -03 2017] _currentRoot=‘dns’
[lun jul 3 14:24:00 -03 2017] _saved_account_key_hash is not changed, skip register account.
[lun jul 3 14:24:00 -03 2017] Read key length:
[lun jul 3 14:24:00 -03 2017] _createcsr
[lun jul 3 14:24:00 -03 2017] Multi domain=‘DNS:soporte.example.com,DNS:mail.example.com’
[lun jul 3 14:24:00 -03 2017] Getting domain auth token for each domain
[lun jul 3 14:24:00 -03 2017] ok, let’s start to verify
[lun jul 3 14:24:00 -03 2017] Verifying:example.com
[lun jul 3 14:24:00 -03 2017] d=‘example.com
[lun jul 3 14:24:00 -03 2017] keyauthorization=‘VULZBPkT4EMv-cirrlSkdex7J71HDpbq7z7duws4e_M.XnJxhJCU2AmmKo7_vJJjhoKrlk20yWn2JJ2AcUawz3A’
[lun jul 3 14:24:00 -03 2017] uri=‘https://acme-staging.api.letsencrypt.org/acme/challenge/XqZEUhi6zjuCXuB5ODTV_RU7uN8iz94yETs5OEDTfpg/46553868
[lun jul 3 14:24:00 -03 2017] _currentRoot=‘dns’
[lun jul 3 14:24:00 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/XqZEUhi6zjuCXuB5ODTV_RU7uN8iz94yETs5OEDTfpg/46553868
[lun jul 3 14:24:00 -03 2017] payload=’{“resource”: “challenge”, “keyAuthorization”: “VULZBPkT4EMv-cirrlSkdex7J71HDpbq7z7duws4e_M.XnJxhJCU2AmmKo7_vJJjhoKrlk20yWn2JJ2AcUawz3A”}’
[lun jul 3 14:24:00 -03 2017] RSA key
[lun jul 3 14:24:00 -03 2017] GET
[lun jul 3 14:24:00 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/directory
[lun jul 3 14:24:00 -03 2017] timeout
[lun jul 3 14:24:00 -03 2017] _CURL='curl -L --silent --dump-header /home/sergio/.acme.sh/http.header --trace-ascii /tmp/tmp.lOcCRF90MC '
[lun jul 3 14:24:06 -03 2017] ret=‘0’
[lun jul 3 14:24:06 -03 2017] POST
[lun jul 3 14:24:06 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/XqZEUhi6zjuCXuB5ODTV_RU7uN8iz94yETs5OEDTfpg/46553868
[lun jul 3 14:24:06 -03 2017] _CURL=‘curl -L --silent --dump-header /home/sergio/.acme.sh/http.header --trace-ascii /tmp/tmp.CTagEe9gzU ‘
[lun jul 3 14:24:07 -03 2017] _ret=‘0’
[lun jul 3 14:24:08 -03 2017] code=‘400’
[lun jul 3 14:24:08 -03 2017] example.com:Challenge error: {“type”:“urn:acme:error:malformed”,“detail”:“Unable to update challenge :: The challenge is not pending.”,“status”: 400}
[lun jul 3 14:24:08 -03 2017] Skip for removelevel:
[lun jul 3 14:24:08 -03 2017] pid
[lun jul 3 14:24:08 -03 2017] No need to restore nginx, skip.
[lun jul 3 14:24:08 -03 2017] _clearupdns
[lun jul 3 14:24:08 -03 2017] skip dns.
[lun jul 3 14:24:08 -03 2017] _on_issue_err
[lun jul 3 14:24:08 -03 2017] Please check log file for more details: /home/sergio/.acme.sh/acme.sh.log
[lun jul 3 14:24:08 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/XqZEUhi6zjuCXuB5ODTV_RU7uN8iz94yETs5OEDTfpg/46553868
[lun jul 3 14:24:08 -03 2017] payload=’{“resource”: “challenge”, “keyAuthorization”: “VULZBPkT4EMv-cirrlSkdex7J71HDpbq7z7duws4e_M.XnJxhJCU2AmmKo7_vJJjhoKrlk20yWn2JJ2AcUawz3A”}’
[lun jul 3 14:24:08 -03 2017] POST
[lun jul 3 14:24:08 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/XqZEUhi6zjuCXuB5ODTV_RU7uN8iz94yETs5OEDTfpg/46553868
[lun jul 3 14:24:08 -03 2017] _CURL=‘curl -L --silent --dump-header /home/sergio/.acme.sh/http.header --trace-ascii /tmp/tmp.oaM3GvWiiP ‘
[lun jul 3 14:24:09 -03 2017] _ret=‘0’
[lun jul 3 14:24:09 -03 2017] code=‘400’
[lun jul 3 14:24:09 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/vENdCcU-mHPznDYBuImhPtvxdTFJT_rRc1i1Y6yeSlU/46553871
[lun jul 3 14:24:09 -03 2017] payload=’{“resource”: “challenge”, “keyAuthorization”: “tXIdMp_mZYwW7R39XNmLyz9WVSsMJLDGPDcD5CTtlwc.XnJxhJCU2AmmKo7_vJJjhoKrlk20yWn2JJ2AcUawz3A”}’
[lun jul 3 14:24:09 -03 2017] POST
[lun jul 3 14:24:09 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/vENdCcU-mHPznDYBuImhPtvxdTFJT_rRc1i1Y6yeSlU/46553871
[lun jul 3 14:24:09 -03 2017] _CURL=‘curl -L --silent --dump-header /home/sergio/.acme.sh/http.header --trace-ascii /tmp/tmp.VAQDB73D5v ‘
[lun jul 3 14:24:10 -03 2017] _ret=‘0’
[lun jul 3 14:24:10 -03 2017] code=‘400’
[lun jul 3 14:24:10 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/LPp9bccP1uOCdYhxLBHAsD7Up6Ohgb7YogFvy8k75tk/46553874
[lun jul 3 14:24:10 -03 2017] payload=’{“resource”: “challenge”, “keyAuthorization”: “J5FCFFmqoPyqIOHR_VYT7A-DlolLHyGS4H-_CHOqOHg.XnJxhJCU2AmmKo7_vJJjhoKrlk20yWn2JJ2AcUawz3A”}’
[lun jul 3 14:24:10 -03 2017] POST
[lun jul 3 14:24:10 -03 2017] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/LPp9bccP1uOCdYhxLBHAsD7Up6Ohgb7YogFvy8k75tk/46553874
[lun jul 3 14:24:10 -03 2017] _CURL='curl -L --silent --dump-header /home/sergio/.acme.sh/http.header --trace-ascii /tmp/tmp.2vuLVuYnqT '
[lun jul 3 14:24:11 -03 2017] _ret=‘0’
[lun jul 3 14:24:11 -03 2017] code=‘400’
[lun jul 3 14:24:11 -03 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2k-fips 26 Jan 2017
apache:
apache doesn’t exists.
nginx:
nginx doesn’t exists.
nc:
Ncat 7.40 ( https://nmap.org/ncat )
Usage: ncat [options] [hostname] [port]

Options taking a time assume seconds. Append ‘ms’ for milliseconds,
‘s’ for seconds, ‘m’ for minutes, or ‘h’ for hours (e.g. 500ms).
-4 Use IPv4 only
-6 Use IPv6 only
-U, --unixsock Use Unix domain sockets only
-C, --crlf Use CRLF for EOL sequence
-c, --sh-exec Executes the given command via /bin/sh
-e, --exec Executes the given command
–lua-exec Executes the given Lua script
-g hop1[,hop2,…] Loose source routing hop points (8 max)
-G Loose source routing hop pointer (4, 8, 12, …)
-m, --max-conns Maximum simultaneous connections
-h, --help Display this help screen
-d, --delay Wait between read/writes
-o, --output Dump session data to a file
-x, --hex-dump Dump session data as hex to a file
-i, --idle-timeout Idle read/write timeout
-p, --source-port port Specify source port to use
-s, --source addr Specify source address to use (doesn’t affect -l)
-l, --listen Bind and listen for incoming connections
-k, --keep-open Accept multiple connections in listen mode
-n, --nodns Do not resolve hostnames via DNS
-t, --telnet Answer Telnet negotiations
-u, --udp Use UDP instead of default TCP
–sctp Use SCTP instead of default TCP
-v, --verbose Set verbosity level (can be used several times)
-w, --wait Connect timeout
-z Zero-I/O mode, report connection status only
–append-output Append rather than clobber specified output files
–send-only Only send data, ignoring received; quit on EOF
–recv-only Only receive data, never send anything
–allow Allow only given hosts to connect to Ncat
–allowfile A file of hosts allowed to connect to Ncat
–deny Deny given hosts from connecting to Ncat
–denyfile A file of hosts denied from connecting to Ncat
–broker Enable Ncat’s connection brokering mode
–chat Start a simple Ncat chat server
–proxy <addr[:port]> Specify address of host to proxy through
–proxy-type Specify proxy type (“http” or “socks4” or “socks5”)
–proxy-auth Authenticate with HTTP or SOCKS proxy server
–ssl Connect or listen with SSL
–ssl-cert Specify SSL certificate file (PEM) for listening
–ssl-key Specify SSL private key (PEM) for listening
–ssl-verify Verify trust and domain name of certificates
–ssl-trustfile PEM file containing trusted SSL certificates
–ssl-ciphers Cipherlist containing SSL ciphers to use
–version Display Ncat’s version information and exit

See the ncat(1) manpage for full options, descriptions and usage examples

Please could you help me?

Thanks in advance!

Looks like it’s trying and failing to use a standalone method of verification instead of the DNS method you specified.

@Neilpang can you help them? Thanks.

Hi Guys,

I’m sorry, but it’s just fixed.

please try again with the latest code.

acme.sh --upgrade
2 Likes

I’ve got the same problem happening with 2.7.3, installed and updated today.

I’m not sure what changed, but I tried it again today and it worked.

Same trouble. Any benefit answer? :face_with_thermometer:

@instasafari If you are using acme.sh with the --dns flag and are getting an error with a debug log ending with ncat usage, please file an issue so this problem can be looked into further. Be sure and include your complete debug log in case the root cause has changed.

If you are not using the --dns flag or get a different error, please start a new thread in the Help section and answer all the questions in the template so we can examine your issue further. You may be experiencing a different problem.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.