Acme.sh supports ACME v2 wildcard now

Yes. I edited the post.

You are not using staging v2.

I think perhaps you forgot to export BRANCH=2 when you installed.

export BRANCH=2
curl https://get.acme.sh | sh
$ acme.sh --test --issue -d "*.kngcit.ru" --dns
[Tue 16 Jan 17:52:49 AEDT 2018] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Tue 16 Jan 17:52:50 AEDT 2018] Registering account
[Tue 16 Jan 17:52:52 AEDT 2018] Registered
[Tue 16 Jan 17:52:52 AEDT 2018] ACCOUNT_THUMBPRINT='IwOdVg6z252UzF7WKcQ6HTge89KBX84YHCWJimdlUpA'
[Tue 16 Jan 17:52:52 AEDT 2018] Creating domain key
[Tue 16 Jan 17:52:52 AEDT 2018] The domain key is here: /home/alex/.acme.sh/*.kngcit.ru/*.kngcit.ru.key
[Tue 16 Jan 17:52:52 AEDT 2018] Single domain='*.kngcit.ru'
[Tue 16 Jan 17:52:52 AEDT 2018] Getting domain auth token for each domain
[Tue 16 Jan 17:52:54 AEDT 2018] Getting webroot for domain='*.kngcit.ru'
[Tue 16 Jan 17:52:54 AEDT 2018] Add the following TXT record:
[Tue 16 Jan 17:52:54 AEDT 2018] Domain: '_acme-challenge.kngcit.ru'
[Tue 16 Jan 17:52:54 AEDT 2018] TXT value: 'IezuZ-Wa92ALfQP9735Xca1G4bCmatbaFeqdHVmpIpo'
[Tue 16 Jan 17:52:54 AEDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue 16 Jan 17:52:54 AEDT 2018] so the resulting subdomain will be: _acme-challenge.kngcit.ru
[Tue 16 Jan 17:52:54 AEDT 2018] Please add the TXT records to the domains, and retry again.
[Tue 16 Jan 17:52:54 AEDT 2018] Please add '--debug' or '--log' to check more details.
[Tue 16 Jan 17:52:54 AEDT 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

Yes. Now everything works! Thank you.
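The TXT value acme.sh prints in the log above is not arbitrary: for a dns-01 challenge the client hashes the server's challenge token together with the account key's JWK thumbprint (the ACCOUNT_THUMBPRINT line) and publishes the base64url digest. The following is an added example, not code from acme.sh or from this thread, that computes that value per RFC 8555 §8.4 and RFC 7638 and checks whether a set of published TXT strings satisfies it. The JWK and token are constructed stand-ins, not real key material.

```python
import base64
import hashlib
import json

# Constructed public JWK (not a real key); only its shape matters for the thumbprint.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "constructed-modulus-not-a-real-key",
    "e": "AQAB",
}
# Constructed stand-in for the token the ACME server puts in a dns-01 challenge.
SAMPLE_TOKEN = "constructed-challenge-token-0123456789"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, keys sorted,
    no whitespace, SHA-256. Private members and key order are irrelevant."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """dns-01: key authorization is token '.' thumbprint; the TXT record
    carries base64url(SHA-256(key authorization))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def expected_txt_for(token: str, jwk: dict) -> str:
    """Convenience wrapper: the TXT string a client should publish for this account."""
    return dns01_txt_value(token, jwk_thumbprint(jwk))


def txt_record_satisfies(published_values, expected: str) -> bool:
    """A name may hold several TXT strings (a base domain and its wildcard share
    _acme-challenge.<domain>); the validator only needs one of them to match.
    Resolvers and DNS APIs often return the strings wrapped in double quotes."""
    return any(v.strip('"') == expected for v in published_values)


if __name__ == "__main__":
    value = expected_txt_for(SAMPLE_TOKEN, SAMPLE_JWK)
    print("publish TXT", value)
    print("satisfied:", txt_record_satisfies(['"stale-value"', f'"{value}"'], value))
```

Before retrying the issue command, compare the value computed this way (or the one acme.sh printed) against what a public resolver actually returns for `_acme-challenge.<domain>`; a mismatch there is the usual cause of an "Incorrect TXT record" validation error.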

Hi,

Thanks for this client! I’m quite new using ACME :slight_smile:

@Neilpang
Got an issue on my side when trying to create a wildcard cert using AWS (--dns dns_aws). It works when not using a wildcard. However, as soon as I insert the wildcard I get a “Le_OrderFinalize not found.” error:

[root@server .acme.sh]# acme.sh --issue --dns dns_aws -d "*.domain.com" -d "domain.com" -d "www.domain.com" -w /root/domain.com --standalone --force --test
[Tue Jan 23 18:48:36 UTC 2018] Standalone mode.
[Tue Jan 23 18:48:36 UTC 2018] Standalone mode.
....
[Tue Jan 23 18:33:47 UTC 2018] Multi domain='DNS:*.domain.com,DNS:domain.com,DNS:www.domain.com'
[Tue Jan 23 18:33:47 UTC 2018] Getting domain auth token for each domain
[Tue Jan 23 18:33:47 UTC 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Tue Jan 23 18:33:47 UTC 2018] payload='{"identifiers": [{"type":"dns","value":"*.domain.com"},{"type":"dns","value":"domain.com"},{"type":"dns","value":"www.domain.com"}]}'
[Tue Jan 23 18:33:47 UTC 2018] RSA key
[Tue Jan 23 18:33:47 UTC 2018] HEAD
[Tue Jan 23 18:33:47 UTC 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Jan 23 18:33:47 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Jan 23 18:33:47 UTC 2018] _ret='0'
[Tue Jan 23 18:33:47 UTC 2018] POST
[Tue Jan 23 18:33:47 UTC 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Tue Jan 23 18:33:47 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Jan 23 18:33:48 UTC 2018] _ret='0'
[Tue Jan 23 18:33:48 UTC 2018] code='400'
[Tue Jan 23 18:33:48 UTC 2018] Le_OrderFinalize
[Tue Jan 23 18:33:48 UTC 2018] Le_OrderFinalize not found.
[Tue Jan 23 18:48:36 UTC 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log

If I remove the *.domain.com, it works but uses the acme v1 staging.

[root@server .acme.sh]# acme.sh --issue --dns dns_aws  -d "domain.com" -d "www.domain.com" -w /root/domain.com --standalone --force --test
[Tue Jan 23 18:52:39 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 23 18:52:40 UTC 2018] Multi domain='DNS:domain.com,DNS:www.domain.com'
[Tue Jan 23 18:52:40 UTC 2018] Getting domain auth token for each domain
[Tue Jan 23 18:52:40 UTC 2018] Getting webroot for domain='domain.com'
[Tue Jan 23 18:52:40 UTC 2018] Getting new-authz for domain='domain.com'
[Tue Jan 23 18:52:41 UTC 2018] The new-authz request is ok.
[Tue Jan 23 18:52:41 UTC 2018] Getting webroot for domain='www.domain.com'
[Tue Jan 23 18:52:41 UTC 2018] Getting new-authz for domain='www.domain.com'
[Tue Jan 23 18:52:42 UTC 2018] The new-authz request is ok.
[Tue Jan 23 18:52:42 UTC 2018] domain.com is already verified, skip dns-01.
[Tue Jan 23 18:52:42 UTC 2018] www.domain.com is already verified, skip http-01.
[Tue Jan 23 18:52:42 UTC 2018] Verify finished, start to sign.
[Tue Jan 23 18:52:43 UTC 2018] Cert success.

And fails if I force the v02 staging server.

[root@server .acme.sh]# acme.sh --issue --dns dns_aws  -d "domain.com" -d "www.domain.com" -w /root/domain.com --standalone --force --server https://acme-staging-v02.api.letsencrypt.org/directory
[Tue Jan 23 18:54:48 UTC 2018] Multi domain='DNS:domain.com,DNS:www.domain.com'
[Tue Jan 23 18:54:48 UTC 2018] Getting domain auth token for each domain
[Tue Jan 23 18:54:49 UTC 2018] Le_OrderFinalize not found.
[Tue Jan 23 18:54:49 UTC 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log

Any pointer as to what the cause could be? (Rate limit? The 400 Bad Request does not tell me much.)

Thanks for any help.

@tob it may be worthwhile to open a new thread in the Issuance Tech section of the forum to discuss with the Let’s Encrypt team whether this is intentional behavior or just an oversight.

Hello. I have the same problem…
I tried running the command: ./acme.sh --debug --test --issue -d 34.mydomain.com -d *.34.mydomain.com --dns dns_aw

In the debug view:
Check for domain='34.mydomain.com'
_currentRoot='dns_aws'
Check for domain='*.34.mydomain.com'
_currentRoot='dns_aws'

d='34.mydomain.com'
txtdomain='_acme-challenge.34.mydomain.com'
txt='2Tf-9NigycRUDU4IaYqG75EOxFU67zow6kRIGoThPN4'
d_api='./acme/dnsapi/dns_aws.sh'
Found domain api file: ./acme/dnsapi/dns_aws.sh

txt record updated success.
d='*.34.mydomain.com'
txtdomain='_acme-challenge.34.mydomain.com'
txt='GAkqBZhsAFH5c5M0Kjb-0PI4nrejXhzfYnIniIMH_4w'
d_api='./acme/dnsapi/dns_aws.sh'
Found domain api file: ./acme/dnsapi/dns_aws.sh
First detect the root zone

34.mydomain.com:Verify error:Incorrect TXT record

In the AWS console I see only 1 row, the last txt: GAkqBZhsAFH5c5M0Kjb-0PI4nrejXhzfYnIniIMH_4w
acme.sh version is 2.7.7

@wisdem

fixed, please upgrade to the latest dev code and try again.

export  BRANCH=dev
acme.sh --upgrade

Thanks a lot, one row now, but I see a new problem:
Response error:<?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidChangeBatch</Code><Message>Tried to create resource record set [name='_acme-challenge.35.mydomain.com.', type='TXT'] but it already exists</Message></Error><RequestId>7ca4cbf6-10b5-11e8-872a-cf0ab9c87778</RequestId></ErrorResponse>

and acme exit (

I think it doesn't fix my problem, because Let's Encrypt sends 2 different entries, and acme sent the 1st to AWS and then the 2nd, rewriting the 1st.
For example, Comodo sends 2 entries, but they are the same.
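The collision described in this post is structural: `example.test` and `*.example.test` are two ACME identifiers with two different challenge tokens, but both validate at the single name `_acme-challenge.example.test`, and a Route 53 UPSERT replaces the whole record set rather than appending a value. The following is an added example, not acme.sh's dns_aws code, of the read-merge-write a DNS hook needs: fetch the values already present, add the new one, and UPSERT the complete set. Route 53 is simulated with an in-memory `FakeZone` so the example runs offline; the ChangeBatch XML is built with an XML library rather than string concatenation so that escaping is always correct.

```python
import xml.etree.ElementTree as ET

ROUTE53_NS = "https://route53.amazonaws.com/doc/2013-04-01/"
ET.register_namespace("", ROUTE53_NS)


def _q(tag: str) -> str:
    """Namespace-qualify a Route 53 element name for ElementTree."""
    return f"{{{ROUTE53_NS}}}{tag}"


def challenge_name(identifier: str) -> str:
    """Both 'example.test' and '*.example.test' validate at the same TXT name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def merged_txt_values(existing, new_value: str):
    """UPSERT replaces the record set, so every value to keep is sent again.
    Route 53 stores TXT strings quoted; normalise before de-duplicating."""
    values = [v.strip('"') for v in existing]
    if new_value not in values:
        values.append(new_value)
    return values


def build_upsert_batch(name: str, values, ttl: int = 300) -> str:
    """Serialise a ChangeResourceRecordSetsRequest with one UPSERT carrying all values."""
    root = ET.Element(_q("ChangeResourceRecordSetsRequest"))
    changes = ET.SubElement(ET.SubElement(root, _q("ChangeBatch")), _q("Changes"))
    change = ET.SubElement(changes, _q("Change"))
    ET.SubElement(change, _q("Action")).text = "UPSERT"
    rrset = ET.SubElement(change, _q("ResourceRecordSet"))
    ET.SubElement(rrset, _q("Name")).text = name
    ET.SubElement(rrset, _q("Type")).text = "TXT"
    ET.SubElement(rrset, _q("TTL")).text = str(ttl)
    records = ET.SubElement(rrset, _q("ResourceRecords"))
    for value in values:
        record = ET.SubElement(records, _q("ResourceRecord"))
        ET.SubElement(record, _q("Value")).text = f'"{value}"'  # TXT strings are quoted
    return ET.tostring(root, encoding="unicode")


class FakeZone:
    """Constructed stand-in for a Route 53 hosted zone: one TXT record set per name,
    applied with UPSERT-replaces-everything semantics."""

    def __init__(self):
        self.txt = {}

    def existing_values(self, name: str):
        return list(self.txt.get(name, []))

    def apply(self, batch_xml: str) -> None:
        root = ET.fromstring(batch_xml)  # rejects malformed XML, as the real API would
        rrset = root.find(f".//{_q('ResourceRecordSet')}")
        name = rrset.findtext(_q("Name"))
        self.txt[name] = [el.text for el in rrset.iter(_q("Value"))]


def add_txt(zone: FakeZone, identifier: str, value: str):
    """The hook's add step: read, merge, UPSERT. Returns the zone's values afterwards."""
    name = challenge_name(identifier)
    values = merged_txt_values(zone.existing_values(name), value)
    zone.apply(build_upsert_batch(name, values))
    return zone.existing_values(name)


if __name__ == "__main__":
    zone = FakeZone()
    # Constructed tokens standing in for the two challenge values from the CA.
    print(add_txt(zone, "example.test", "constructed-value-for-base-domain"))
    print(add_txt(zone, "*.example.test", "constructed-value-for-wildcard"))
```

The same read-merge-write applies on removal: delete only the value that belongs to the finished challenge and UPSERT the remainder, otherwise cleaning up after the base domain silently removes the wildcard's record before it has been validated.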

sorry, got it. I will fix it again

Thanks a lot, I’ll wait here…:grinning:

@wisdem fixed.

please upgrade and try again.


export  BRANCH=dev
acme.sh --upgrade

Doesn't work after the upgrade ((

_resource_record='all data from my domain zone'

Adding records
 mtd='POST'
 ep='2013-04-01/hostedzone/id/rrset/'
 qsr
 data='<ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>_acme-challenge.36.mydomain.com</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords><ResourceRecord><Value>&quot;oZeteJNyKoxq-6xnO1Zmi78bFWdSzt-Cc_bEPwiP5Ls&quot;</Value></ResourceRecord></ResourceRecordSet> and all row my zone

and then

Response error:<?xml version="1.0"?>
<ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>MalformedInput</Code><Message>Could not parse XML</Message></Error><RequestId>475f5484-10cd-11e8-8843-1956ce9b3480</RequestId></ErrorResponse>

Error add txt for domain:_acme-challenge.35.mydomain.com

Interesting. It works for me.
Please report the bug on GitHub and paste the full log with "--debug 2".

I will fix soon.

I did write on issues/1262

Hi @Neilpang, do you by any chance have any pointer regarding that issue?
Many thanks!

What issue? Issue 1262 was already fixed.

The issue regarding “Le_OrderFinalize not found” mentioned in the following posts:

I will try with the latest version and let you know.
Thanks!

“Orders” field of account object is not implemented yet (Boulder issue #333515), reported by @wulf4096 and @quabla

@dangtrungluong ACMEv2/Wildcard support is in beta and not issuing real certificates yet:

I'll add a note about this to the original post.
