Can't get acme.sh to use myapi.sh

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
godsbeacon.com

I ran this command:
acme.sh --log --force --staging --issue -d beacon.esva.net -d godsbeacon.com -d *.godsbeacon.com --dns myapi

It produced this output:
[Sun Oct 20 16:10:01 EDT 2019] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Sun Oct 20 16:10:01 EDT 2019] Multi domain='DNS:beacon.esva.net,DNS:godsbeacon.com,DNS:*.godsbeacon.com'
[Sun Oct 20 16:10:01 EDT 2019] Getting domain auth token for each domain
[Sun Oct 20 16:10:02 EDT 2019] Getting webroot for domain='beacon.esva.net'
[Sun Oct 20 16:10:02 EDT 2019] Getting webroot for domain='godsbeacon.com'
[Sun Oct 20 16:10:02 EDT 2019] Getting webroot for domain='*.godsbeacon.com'
[Sun Oct 20 16:10:02 EDT 2019] Error, can not get domain token entry *.godsbeacon.com
[Sun Oct 20 16:10:02 EDT 2019] The supported validation types are: dns-01 , but you specified: http-01

My web server is (include version):
apache 2.4

The operating system my web server runs on is (include version):
FreeBSD 11.3-RELEASE-p3 i386

My hosting provider, if applicable, is:
I manage my own servers

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No, doing it the hard way

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


v2.8.3


It seems you may have previously issued a wildcard via http.
You may need to remove that cert first or update the conf file.

You may have to change this entry to:
Le_Webroot=''

I noticed that, about the dns-01 versus http-01 thing. I’m just now playing around with wildcards, so I’m pretty sure I haven’t gotten a wildcard cert with http-01. Also, deleting the records in .acme.sh doesn’t help. I tried it with a different domain, but that didn’t work either. So I tried it with a new domain I’ve never gotten any certificate for and that didn’t work either.

I’m sure I must be doing something wrong, but I can’t figure out what.


I don’t know what you mean by that. Do you mean explicitly set webroot blank? I tried:

acme.sh --force --staging --issue -d beacon.esva.net -d godsbeacon.com -d *.godsbeacon.com --dns myapi --webroot ''

and got the same error.

Check in ~/.acme.sh/beacon.esva.net/beacon.esva.net.conf . It may be loading pre-existing settings from there.

Edit: Oops, just saw you already tried that. Another idea: acme.sh can be a bit weird about parameter ordering. Could you move --dns myapi to the start of the command?

acme.sh --issue --dns dns_myapi -d ...

acme.sh --issue --dns myapi --force --staging -d beacon.esva.net -d godsbeacon.com -d *.godsbeacon.com

Same result.

I also tried deleting the entire .acme.sh folder. No dice.

Is this the literal value that you are using? Or is myapi standing in for something else?

The instructions for using a custom DNS API say to use the dns_ prefix for both the --dns parameter and for the filename.

When I copy your command literally, I also get the error about the unsupported validation type.

When I change it to use --dns dns_myapi (and rename ~/.acme.sh/myapi.sh to ~/.acme.sh/dns_myapi.sh), it works fine.

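A preflight check for the naming rule given in the answer above, as an added example that is not part of the thread or of acme.sh. It assumes the hook lives in `~/.acme.sh` or its `dnsapi` subdirectory and that, as in acme.sh's custom DNS API convention, the file defines `<name>_add` and `<name>_rm`; `check_dns_hook` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not acme.sh code. Verifies that a custom DNS hook follows the
# dns_ naming convention before it is passed to `acme.sh --issue --dns <name>`.
# Usage: check_dns_hook <value for --dns> [acme.sh home directory]
# Returns 0 and prints the hook path, or 1/2/3 for the failed step.
check_dns_hook() {
  hook=$1
  home=${2:-$HOME/.acme.sh}   # assumed default install location

  # 1. The --dns value itself must carry the dns_ prefix.
  case $hook in
    dns_?*) ;;
    *) echo "'$hook' lacks the dns_ prefix; try --dns dns_$hook" >&2
       return 1 ;;
  esac

  # 2. The hook file must be named after the same value.
  file=
  for candidate in "$home/$hook.sh" "$home/dnsapi/$hook.sh"; do
    if [ -f "$candidate" ]; then file=$candidate; break; fi
  done
  if [ -z "$file" ]; then
    echo "no $hook.sh under $home or $home/dnsapi" >&2
    return 2
  fi

  # 3. The file must define <hook>_add and <hook>_rm for the TXT record steps.
  for suffix in add rm; do
    if ! grep -Eq "^[[:space:]]*${hook}_${suffix}[[:space:]]*\(\)" "$file"; then
      echo "$file does not define ${hook}_${suffix}()" >&2
      return 3
    fi
  done
  echo "$file"
}
```

After sourcing the file, `check_dns_hook myapi` reports the missing prefix, which is the case that produced the http-01 error in this thread.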

That did it. Thanks!
