Attempting to swap on renewal from manual dns on api v.1 to http on api v.2


#1

Wondering if there's a pending request on the Let's Encrypt server side of type dns blocking the switch to http, as I'm seeing responses like:

response='{"identifier":{"type":"dns","value":"gbmc.dk"},"status":"pending","expires":"2018-04-30T13:51:22Z","challenges":[{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/KqRq3Z71hV67nRAGDud8d3HB_IQgulMd5YRJ-d9n1VI/<account id>","token":"<token value>"}],"wildcard": true}'

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: aasf.dk, gbmc.dk

I ran this command:
# acme.sh --version
https://github.com/Neilpang/acme.sh
v2.7.8
# acme.sh --renew -d gbmc.dk -w /var/www/html/vhosts/gbmc3 -d '*.gbmc.dk' -w /var/www/html/vhosts/gbmc3 -d aasf.dk -w /var/www/html/vhosts/aasf -d '*.aasf.dk' -w /var/www/html/vhosts/aasf --apache --debug 2 --log acme-gbmc.log

It produced this output:
[Wed Apr 25 12:46:39 CEST 2018] Error, can not get domain token entry *.gbmc.dk
[Wed Apr 25 12:46:39 CEST 2018] The supported validation types are: dns-01 , but you specified: http-01

My web server is (include version):
Server version: Apache/2.2.22 (Unix)

The operating system my web server runs on is (include version):
Old :slight_smile:
# uname -a
Linux serv.siimnet.dk 3.6.11-4.fc16.i686.PAE #1 SMP Tue Jan 8 21:18:14 UTC 2013 i686 i686 i386 GNU/Linux
# cat /etc/redhat-release
Fedora release 16 (Verne)

My hosting provider, if applicable, is:
Self hosting

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

If you choose to issue a wildcard certificate, then you need to configure DNS validation via one of the providers in acme.sh.

This is because Let's Encrypt requires DNS validation for wildcard certificates; HTTP/webroot validation is not sufficient.


#3

Ok, only I have no DNS providers available here; could I enter this manually in my zones, and if so, where do I find the keys & values to enter?


#4

https://github.com/Neilpang/acme.sh/wiki/DNS-manual-mode will show you how to do that.


#5

Hm, that's what I'm trying to avoid by switching to webroot…


#6

Indeed. Your trade-off is either to fix your DNS situation and have wildcards, or to not use wildcard certificates and switch to webroot.


#7

Thanks, I failed to make webroot work with + <www.domain> as the web server is configured to redirect all HTTP traffic to HTTPS, so for now I'll stick with manual DNS…


#8

Depending on how and where you do the http to https redirection, you may be able to make an exception to allow http traffic through for the /.well-known/acme-challenge/ requests.
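One way to carve out that exception, as an added example that is not part of this thread and not acme.sh's or Apache's own documentation: an HTTP virtual host that redirects everything to HTTPS except requests under /.well-known/acme-challenge/. It assumes mod_rewrite is loaded, uses the gbmc.dk domain and /var/www/html/vhosts/gbmc3 webroot from the command above, and uses Apache 2.2 access-control syntax to match the server version given in the thread.

```apache
# Added example (not from the thread): HTTP vhost that redirects to HTTPS
# but leaves the ACME HTTP-01 challenge path reachable over plain HTTP.
# Assumes mod_rewrite is loaded and the paths/domains used in the thread.
<VirtualHost *:80>
    ServerName gbmc.dk
    ServerAlias www.gbmc.dk
    # Same directory passed to acme.sh with -w, so challenge files land here.
    DocumentRoot /var/www/html/vhosts/gbmc3

    # Challenge files are fetched before a certificate exists, so serve them
    # directly; no scripts, no overrides, plain text only.
    <Directory /var/www/html/vhosts/gbmc3/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        ForceType text/plain
        # Apache 2.2 syntax; on 2.4 use "Require all granted" instead.
        Order allow,deny
        Allow from all
    </Directory>

    RewriteEngine On
    # Do not redirect challenge requests (note the negated condition) ...
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # ... but send everything else to HTTPS.
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>
```

After reloading Apache, a request such as `curl -I http://gbmc.dk/.well-known/acme-challenge/test` should return 404 (or 200 once a challenge file exists) rather than a 301, while `curl -I http://gbmc.dk/` still returns the redirect. With this in place, HTTP-01 validation no longer depends on the HTTPS virtual host being correctly configured, which matters most on a first issuance or when the existing certificate is already expired.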


#9

Thanks, that’s true :slight_smile:

