Certificate Renewal and issuance using ISPConfig DNS API not working

Hi there,

during the normal use of ISPConfig and automated renewal of certificates using bash shell scripts, I saw, that suddenly the certificate renewal was not working anymore.
After some searching, I found out, that there seems to be an issue in the code of the dns_ispconfig.sh file which is used to automatically add TXT records to DNS zones hosted on ISPConfig instances.
When querying a dns zone for its details, a sys_userid is returned.
This sys_userid is then used when inserting the TXT record to the DNS zone.
To add a TXT record, not the sys_userid is needed but instead the client_id has to be used.
For some occasions, both ids are identical, but they mean different things.
In my setup, now both numbers are different and because of this, the renewal process does not work anymore.
There’s an additional step needed:
–> get the client_id for a specific sys_userid

When adding this to the dns_ispconfig.sh script, the certificate renewal is working again.
Could you please investigate this issue and fix the code if I’m correct.

Here’s what I changed:

113,115c113,115
<     client_id=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
<     _debug "Client ID: '${client_id}'"
<     case "${client_id}" in
---
>     sys_userid=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
>     _debug "SYS User ID: '${sys_userid}'"
>     case "${sys_userid}" in
117c117
<         _err "Client ID is not numeric."
---
>         _err "User ID is not numeric."
120c120
<       *) _info "Retrieved Client ID." ;;
---
>       *) _info "Retrieved SYS User ID." ;;
124a125,137
>   # Need to also get client_id as it is different from sys_userid
>     curData="{\"session_id\":\"${sessionID}\",\"sys_userid\":\"${sys_userid}\"}"
>     curResult="$(_post "${curData}" "${ISPC_Api}?client_get_id")"
>     client_id=$(echo "${curResult}" | _egrep_o "response.*" | cut -d ':' -f 2 | cut -d '"' -f 2 | tr -d '{}')
>     _debug "Client ID: '${client_id}'"
>     case "${client_id}" in
>       '' | *[!0-9]*)
>       _err "Client ID is not numeric."
>       return 1
>       ;;
>       *) _info "Retrieved Client ID." ;;
>     esac
>
1 Like

Hi @TomSc, welcome to the community forum :wave:

I think you might be confused. Let’s Encrypt doesn’t maintain the ISPConfig integration you’re having trouble with. You’ll need to contact the developers of ISPConfig to have this problem addressed.

3 Likes

Thanks for the answer.
I did not know this.
To be sure: the dns_ispconfig.sh file in the dnsapi folder of the acme.sh client list not developed by Letsencrypt, but by ISPConfig?

Best regards
Thomas

2 Likes

Hi @tomsc,

It sounds like ISPConfig might be packaging another ACME client called “acme.sh”. It looks like that’s where the “dns_ispconfig.sh” file comes from: https://github.com/Neilpang/acme.sh/blob/f60dde413888aca17a8163ec6e7d16edb43f46ec/dnsapi/dns_ispconfig.sh

In this case I think the best place to open an issue for support is here, on the acme.sh Github repository.

Let’s Encrypt doesn’t directly develop any ACME client software, we only operate the server side certificate authority that the clients communicate with.

Hope that helps!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.