Can not use new Yandex360 api to renew an ssl wildcard cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command: acme.sh --renew --dns dns_yandex360 -d '*.vadim.com.ru' -d vadim.com.ru --dnssleep 600

It produced this output: Renew: '*.vadim.com.ru'
[Mon Jun 12 22:49:33 MSK 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Mon Jun 12 22:49:34 MSK 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Jun 12 22:49:34 MSK 2023] Multi domain='DNS:*.vadim.com.ru,DNS:vadim.com.ru'
[Mon Jun 12 22:49:34 MSK 2023] Getting domain auth token for each domain
[Mon Jun 12 22:49:34 MSK 2023] Verifying: *.vadim.com.ru
[Mon Jun 12 22:49:35 MSK 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Jun 12 22:49:39 MSK 2023] *.vadim.com.ru:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.vadim.com.ru - check that a DNS record exists for this domain
[Mon Jun 12 22:49:39 MSK 2023] Please add '--debug' or '--log' to check more details.
[Mon Jun 12 22:49:39 MSK 2023] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): TrueNAS-SCALE-22.12.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I have replaced dns_yandex.sh with dns_yandex360.sh as advised here, then I got stuck at getting a new token as described [here] and advised here (API access - 360 API. api360).
There is some relevant information in this original thread: click

Does it work with any other free CA?

3 Likes

Haven't tried yet - do you mean like ZeroSSL and the like?

The old Yandex DNS would take 1 - 2 hours for their auth servers to sync. The wait time is only about 5 seconds in this log.

Maybe you need to wait a lot longer after updating the DNS?

3 Likes
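An added example, not from this thread or from acme.sh: a stdlib-only Python pre-flight check that asks one nameserver directly for the TXT record the CA will look up and tells an NXDOMAIN (the record has not reached that server, the error in the first log) apart from a stale or different value; both names in the order above, the wildcard and the bare domain, are validated at the same name _acme-challenge.vadim.com.ru, so the check looks for the expected token among all TXT strings returned. The name and token are taken from the logs in this thread, the wire-format replies at the bottom are constructed so the check runs offline, and `query_server` is the hypothetical live call to point at the zone's authoritative NS.

```python
import socket
import struct

# Constructed sample values: the challenge name and the token acme.sh printed in this thread.
NAME = "_acme-challenge.vadim.com.ru"
TOKEN = "LJlOYXERXfHm4GVUH01MKRV0rnZvaiMN0ES_3AZr81Q"
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def _skip_name(data, off):
    # Labels end with a zero byte; a 0xC0 compression pointer is two bytes and ends the name.
    while data[off] and data[off] < 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] else 1)

def parse_txt_response(data):
    # Return (rcode, [TXT strings]); TXT RDATA is a run of <len><chars> pieces joined together.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off, txts = 12, []
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 16:
            p, chunks = off, []
            while p < off + rdlen:
                chunks.append(data[p + 1:p + 1 + data[p]].decode(errors="replace"))
                p += 1 + data[p]
            txts.append("".join(chunks))
        off += rdlen
    return flags & 0xF, txts

def challenge_status(response, expected):
    # nxdomain: the record never reached this server; missing: stale/other value; present: safe to proceed.
    rcode, txts = parse_txt_response(response)
    return "nxdomain" if rcode == 3 else ("present" if expected in txts else "missing")

def query_server(name, server, timeout=3.0):
    # One UDP query straight to `server`: point it at the zone's authoritative NS, not a caching resolver.
    q = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 16, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recvfrom(4096)[0]
# Constructed wire-format replies so the checks run offline: one carrying the token, one NXDOMAIN (rcode 3).
_QSEC = encode_name(NAME) + b"\x00\x10\x00\x01"
SAMPLE_OK = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + _QSEC + b"\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x3c\x00\x2c\x2b" + TOKEN.encode()
SAMPLE_NX = b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00" + _QSEC
```

Loop `challenge_status(query_server(NAME, ns_ip), token)` against each authoritative nameserver until every one answers "present" before letting the client ask the CA to validate; that replaces a fixed `--dnssleep` guess with an actual check.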

Yes, exactly.

3 Likes

Perhaps that setting is being overlooked???
OR needs to be much bigger?

2 Likes

Tried that too - it is not about sleep time - it needs a new token with a new API (that's what they say on GitHub about it)

Sounds like you may need to switch to another DSP [until they get it all sorted out].

2 Likes

But that's not what you're showing here?

2 Likes

Well, some people got it done somehow but the instructions are rather vague, so I know it is one step left really - to add a new token and run the script. I would've switched a while ago to Cloudflare in a heartbeat but I want to keep my mail with my domain name on Yandex servers - they offer 5 mailboxes for free. That's the only thing that makes me fight with this new api bullshit.

Show what here?

I don't see a 10min lag in that log so maybe overlooked?

3 Likes

Most likely yes - the sleep arg does not work and that is where it all started in my other thread here

Getting a new token.

2 Likes

https://oauth.yandex.ru/authorize?response_type=code%20&%20client_id=237a3490a7fd42c4a44163e7d851739a

They describe 4 different types here and it is rather confusing: Step 2. Obtaining an OAuth token - Connecting to the Yandex ID API | OAuth for Yandex ID

I reran it without %20 and it worked! And then I received a "debug" token like so:
Authorization. Now I am wondering what the next step should be.

acme.sh --renew --dns dns_yandex360 -d '*.vadim.com.ru' -d vadim.com.ru --dnssleep 600
[Tue Jun 13 12:47:05 MSK 2023] Renew: '*.vadim.com.ru'
[Tue Jun 13 12:47:05 MSK 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Tue Jun 13 12:47:06 MSK 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Jun 13 12:47:06 MSK 2023] Multi domain='DNS:*.vadim.com.ru,DNS:vadim.com.ru'
[Tue Jun 13 12:47:06 MSK 2023] Getting domain auth token for each domain
[Tue Jun 13 12:47:09 MSK 2023] Getting webroot for domain='*.vadim.com.ru'
[Tue Jun 13 12:47:09 MSK 2023] Getting webroot for domain='vadim.com.ru'
[Tue Jun 13 12:47:09 MSK 2023] Adding txt value: LJlOYXERXfHm4GVUH01MKRV0rnZvaiMN0ES_3AZr81Q for domain: _acme-challenge.vadim.com.ru
[Tue Jun 13 12:47:10 MSK 2023] Error add txt for domain:_acme-challenge.vadim.com.ru
[Tue Jun 13 12:47:10 MSK 2023] Please add '--debug' or '--log' to check more details.
[Tue Jun 13 12:47:10 MSK 2023] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
I ran with a debug click and obviously it still reads the old file name dnsapi/dns_yandex.sh instead of dnsapi/dns_yandex360.sh even though I replaced it.

2 Likes

I don't see how I don't comply with that - I have one domain and one subdomain (office.vadim.com.ru) for Collabora and no www.domain, and if need be I can give up office easily and use Collabora Online.

Yeah, I don't understand this. You clearly specify dns_yandex360 but it still loads dns_yandex.sh. Maybe @Neilpang understands what's going on? Does acme.sh perhaps use the previously used and saved --dns option even though it's now specified on the command line? Doesn't the command line override saved values?

3 Likes

I think so too - and what also does not make sense is that --dnssleep does not work either