Diverse network vantage points failures

This renewal of a wildcard cert started to fail recently, and my attempts to figure it out have failed so far. I first installed certbot using the dnsmadeeasy plugin in April 2019, and it has worked flawlessly until now. I have it setup to renew automatically via a systemctl timer.

My domain is: easycal.ch

I ran this command: /usr/bin/certbot renew --dry-run
(I get the same 403 Forbidden errors on the normal renew command.)

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/easycal.ch.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator dns-dnsmadeeasy, Installer None

Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org

Renewing an existing certificate

Performing the following challenges:

dns-01 challenge for easycal.ch

dns-01 challenge for easycal.ch

Starting new HTTPS connection (1): api.dnsmadeeasy.com

Cleaning up challenges

Starting new HTTPS connection (1): api.dnsmadeeasy.com

Starting new HTTPS connection (1): api.dnsmadeeasy.com

Attempting to renew cert (easycal.ch) from /etc/letsencrypt/renewal/easycal.ch.conf produced an unexpected error: Error determining zone identifier: 403 Client Error: Forbidden… Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/easycal.ch/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry

** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/easycal.ch/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry

** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx-1.16.1-1.el7.x86_64 (but I’m generating the certs only and linking to them in the conf)

The operating system my web server runs on is (include version): centos-release-7-7.1908.0.el7.centos.x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

Additional info: I’ve checked with dnsmadeeasy support. They say they will support multiple requests to the api without throwing a 403 Forbidden error.

I’ve checked the version of the dnsmadeeasy plugin:
python2-certbot-dns-dnsmadeeasy-1.0.0-1.el7.noarch

yum upgrade python2-certbot-dns-dnsmadeeasy returns

base | 3.6 kB 00:00:00
epel/x86_64/metalink | 26 kB 00:00:00
epel | 5.3 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/2): epel/x86_64/updateinfo | 1.0 MB 00:00:00
(2/2): epel/x86_64/primary_db | 6.7 MB 00:00:00
No packages marked for update

Perhaps the issue is that I’m still on certbot 1?
yum upgrade/update certbot both return No packages marked for update

I’ll try to figure out how to update certbot to V2 and report back if that fixes the issue.

I’ve also received the Action required for v2 validation email

1 Like

From what I can tell by viewing other posts here, I’m using V2. The dry run attempt indicated:

Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org

And the logs also have mention of V2 in them. This is somewhat confusing, but if my assumption is correct, then I assume I’ve eliminated this as a potential cause of the issue.

I am still not clear how to update the dnsmadeeasy plugin to the latest version (if that would help). The github repository has had a number of modifications since I installed the plugin, but yum indicates there are no updates available.

I’ve also visually verified that my dnsmadeeasy credentials are correct by logging into my dnsmadeeasy control panel and comparing them with the dme.ini file contents. I have no reason to suspect this may be the cause, because it was working before as set up and I didn’t change anything.

1 Like

Can we have a look at this file?:

And probably also the nginx vhost config section that covers that domain.

1 Like

Sure. As below, with the account obscured:

[renewalparams]
authenticator = dns-dnsmadeeasy
dns_dnsmadeeasy_propagation_seconds = 60
dns_dnsmadeeasy_credentials = /etc/certbot/dme.ini
account = 57 … da1
server = https://acme-v02.api.letsencrypt.org/directory

1 Like

Regarding the nginx config, I’m maintaining that manually and simply linking to the cert. I don’t have the nginx plugin installed. The current cert hasn’t expired yet but will do so in about a week, and the site is still being served correctly.

That error does not seem to be coming from the certbot itself, but from the plugin:

Attempting to renew cert (easycal.ch) from /etc/letsencrypt/renewal/easycal.ch.conf produced an unexpected error: Error determining zone identifier: 403 Client Error: Forbidden… Skipping.

Based on the message, DNS Made Easy might be blocking you for some reason (maybe credentials or just the client info sent).

1 Like

I suspect the same, although when I asked their support team, they said that they would not block requests. I’m going to try to test access to their api next to make sure my credentials actually work. If they do, then I have only the following to go on from their api docs, which are here: https://api-docs.dnsmadeeasy.com/?version=latest

Requests made with invalid credentials or an invalid x-dnsme-requestDate value will receive an HTTP 403 – Forbidden response.

Every request sent using the API includes a request date header (set by your computers current time). An example would be:

> x-dnsme-requestDate:Tue, 01 Jan 2013 01:10:17 GMT

DNS Made Easy responds with a header that includes a Date (set by our globally synchronized clocks).

An example would be:

< Date: Tue, 01 Jan 2013 01:10:17 GMT

If the date/time of the system issuing the API calls is 30 seconds or more off from the API servers date/time this will cause this error. The system time of the server issuing the API calls should be set correctly to prevent this.

1 Like
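The quoted DNS Made Easy docs say a request is rejected with 403 when the x-dnsme-requestDate header is more than 30 seconds away from the API's own clock. The following is an added example, not code from the thread, certbot or acme.sh: it builds the request-date header the way the DME v2.0 API expects it (RFC 1123 date in GMT) and compares it against the Date header the API returns, so an operator can tell a clock-skew 403 from a bad-credential 403 before touching the DNS provider. The x-dnsme-hmac computation (HMAC-SHA1 of the request-date string keyed with the secret, hex encoded) is taken from the public API docs and acme.sh's dns_me.sh and is stated here as an assumption; the key and secret values are placeholders.

```python
import hmac
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Tolerance quoted in the DNS Made Easy API docs cited in the thread.
MAX_SKEW_SECONDS = 30


def http_date_to_datetime(value: str) -> datetime:
    """Parse an RFC 1123 HTTP date such as 'Tue, 01 Jan 2013 01:10:17 GMT'."""
    parsed = parsedate_to_datetime(value)
    if parsed.tzinfo is None:
        # A '-0000' zone parses as naive; treat it as UTC.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def dme_request_date(now: datetime) -> str:
    """Render the x-dnsme-requestDate value: an RFC 1123 date in GMT."""
    return format_datetime(now.astimezone(timezone.utc), usegmt=True)


def dme_headers(api_key: str, secret_key: str, now: datetime) -> dict:
    """Build the three authentication headers the DME v2.0 API expects.

    Assumption (from the public API docs and acme.sh dns_me.sh): the HMAC
    header is HMAC-SHA1 over the request-date string, keyed with the secret.
    """
    request_date = dme_request_date(now)
    digest = hmac.new(secret_key.encode(), request_date.encode(), hashlib.sha1).hexdigest()
    return {
        "x-dnsme-apiKey": api_key,
        "x-dnsme-requestDate": request_date,
        "x-dnsme-hmac": digest,
    }


def clock_skew_seconds(local_now: datetime, server_date_header: str) -> float:
    """Signed offset (local minus server) in seconds, from the API's Date header."""
    server_time = http_date_to_datetime(server_date_header)
    return (local_now.astimezone(timezone.utc) - server_time).total_seconds()


def skew_would_cause_403(local_now: datetime, server_date_header: str) -> bool:
    """True when the offset reaches the 30 s limit that makes DME answer 403."""
    return abs(clock_skew_seconds(local_now, server_date_header)) >= MAX_SKEW_SECONDS


if __name__ == "__main__":
    # Constructed sample: the Date header from the docs, with a local clock 45 s ahead.
    now = http_date_to_datetime("Tue, 01 Jan 2013 01:11:02 GMT")
    headers = dme_headers("PLACEHOLDER-API-KEY", "PLACEHOLDER-SECRET", now)
    print(headers["x-dnsme-requestDate"])
    print("skew:", clock_skew_seconds(now, "Tue, 01 Jan 2013 01:10:17 GMT"), "s")
    print("would get 403:", skew_would_cause_403(now, "Tue, 01 Jan 2013 01:10:17 GMT"))
```

In practice, read the Date header from any response the API sends (a 403 carries one too) and feed it to clock_skew_seconds together with datetime.now(timezone.utc); an offset near or above 30 s points at NTP rather than at the credentials in dme.ini.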

So, I’ve demonstrated that DNS Made Easy is not blocking api access for the credentials that are in /etc/certbot/dme.ini, at least from my local environment and the server that certbot is operating from for this domain.

I’m still getting the 403 Forbidden error when I attempt to renew the cert using

/usr/bin/certbot renew

I’m out of ideas for directly dealing with this issue. The docs for the DNS Made Easy api indicate:

Requests made with invalid credentials or an invalid x-dnsme-requestDate value will receive an HTTP 403 – Forbidden response.

I can’t do anything about an invalid request datetime, if that is the underlying issue. I’ve confirmed that the clock on my server is correct, and I don’t know where an invalid request datetime might be coming from if the new “diverse network vantage point” feature is hitting this api from multiple servers. The docs say they will allow a 30 second variance but it takes under 5 seconds to hit the error when I try to renew the cert.

To work around this issue, I could look at moving DNS hosting for this domain elsewhere (where a plugin exists). An opinion on this workaround option would be welcome.

Hi @dnando

perhaps check acme.sh. That supports DNS Made Easy.

1 Like

Could you elaborate a bit? Where can I find info or documentation on acme.sh?

Nevermind. I found the github repo. Reading the docs now …

@JuergenAuer Thanks very much for the suggestion to use acme.sh - It is well documented and seems to be well maintained and very simple to use.

3 Likes

If acme.sh works with the same credentials, then it looks like a Certbot- or plugin-bug.

1 Like

I haven’t gotten it to work with acme.sh :frowning_face: Here is the terminal output using --debug and below I will comment on what I’ve found:

acme.sh --issue --dns dns_me -d easycal.ch -d '*.easycal.ch' --debug
[Sun Feb 23 11:30:39 UTC 2020] Lets find script dir.
[Sun Feb 23 11:30:39 UTC 2020] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sun Feb 23 11:30:39 UTC 2020] _script='/root/.acme.sh/acme.sh'
[Sun Feb 23 11:30:39 UTC 2020] _script_home='/root/.acme.sh'
[Sun Feb 23 11:30:39 UTC 2020] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v2.8.6
[Sun Feb 23 11:30:39 UTC 2020] Running cmd: issue
[Sun Feb 23 11:30:39 UTC 2020] _main_domain='easycal.ch'
[Sun Feb 23 11:30:39 UTC 2020] _alt_domains='*.easycal.ch'
[Sun Feb 23 11:30:39 UTC 2020] Using config home:/root/.acme.sh
[Sun Feb 23 11:30:39 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Feb 23 11:30:39 UTC 2020] DOMAIN_PATH='/root/.acme.sh/easycal.ch'
[Sun Feb 23 11:30:39 UTC 2020] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sun Feb 23 11:30:39 UTC 2020] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sun Feb 23 11:30:39 UTC 2020] GET
[Sun Feb 23 11:30:39 UTC 2020] url='https://acme-v02.api.letsencrypt.org/directory'
[Sun Feb 23 11:30:39 UTC 2020] timeout=
[Sun Feb 23 11:30:39 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sun Feb 23 11:30:39 UTC 2020] ret='0'
[Sun Feb 23 11:30:40 UTC 2020] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sun Feb 23 11:30:40 UTC 2020] ACME_NEW_AUTHZ
[Sun Feb 23 11:30:40 UTC 2020] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Feb 23 11:30:40 UTC 2020] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sun Feb 23 11:30:40 UTC 2020] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sun Feb 23 11:30:40 UTC 2020] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sun Feb 23 11:30:40 UTC 2020] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Feb 23 11:30:40 UTC 2020] ACME_VERSION='2'
[Sun Feb 23 11:30:40 UTC 2020] Le_NextRenewTime
[Sun Feb 23 11:30:40 UTC 2020] _on_before_issue
[Sun Feb 23 11:30:40 UTC 2020] _chk_main_domain='easycal.ch'
[Sun Feb 23 11:30:40 UTC 2020] _chk_alt_domains='*.easycal.ch'
[Sun Feb 23 11:30:40 UTC 2020] Le_LocalAddress
[Sun Feb 23 11:30:40 UTC 2020] d='easycal.ch'
[Sun Feb 23 11:30:40 UTC 2020] Check for domain='easycal.ch'
[Sun Feb 23 11:30:40 UTC 2020] _currentRoot='dns_me'
[Sun Feb 23 11:30:40 UTC 2020] d='*.easycal.ch'
[Sun Feb 23 11:30:40 UTC 2020] Check for domain='*.easycal.ch'
[Sun Feb 23 11:30:40 UTC 2020] _currentRoot='dns_me'
[Sun Feb 23 11:30:40 UTC 2020] d
[Sun Feb 23 11:30:40 UTC 2020] _saved_account_key_hash is not changed, skip register account.
[Sun Feb 23 11:30:40 UTC 2020] Read key length:
[Sun Feb 23 11:30:40 UTC 2020] _createcsr
[Sun Feb 23 11:30:40 UTC 2020] Multi domain='DNS:easycal.ch,DNS:*.easycal.ch'
[Sun Feb 23 11:30:40 UTC 2020] Getting domain auth token for each domain
[Sun Feb 23 11:30:40 UTC 2020] d='*.easycal.ch'
[Sun Feb 23 11:30:40 UTC 2020] d
[Sun Feb 23 11:30:40 UTC 2020] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Feb 23 11:30:40 UTC 2020] payload='{"identifiers": [{"type":"dns","value":"easycal.ch"},{"type":"dns","value":"*.easycal.ch"}]}'
[Sun Feb 23 11:30:40 UTC 2020] RSA key
[Sun Feb 23 11:30:40 UTC 2020] HEAD
[Sun Feb 23 11:30:40 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Feb 23 11:30:40 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g  -I  '
[Sun Feb 23 11:30:40 UTC 2020] _ret='0'
[Sun Feb 23 11:30:40 UTC 2020] POST
[Sun Feb 23 11:30:40 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Feb 23 11:30:40 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sun Feb 23 11:30:41 UTC 2020] _ret='0'
[Sun Feb 23 11:30:41 UTC 2020] code='201'
[Sun Feb 23 11:30:41 UTC 2020] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/78826857/2420501704'
[Sun Feb 23 11:30:41 UTC 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/78826857/2420501704'
[Sun Feb 23 11:30:41 UTC 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2968848107'
[Sun Feb 23 11:30:41 UTC 2020] payload
[Sun Feb 23 11:30:41 UTC 2020] POST
[Sun Feb 23 11:30:41 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2968848107'
[Sun Feb 23 11:30:41 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sun Feb 23 11:30:42 UTC 2020] _ret='0'
[Sun Feb 23 11:30:42 UTC 2020] code='200'
[Sun Feb 23 11:30:42 UTC 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2968848109'
[Sun Feb 23 11:30:42 UTC 2020] payload
[Sun Feb 23 11:30:42 UTC 2020] POST
[Sun Feb 23 11:30:42 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2968848109'
[Sun Feb 23 11:30:42 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sun Feb 23 11:30:42 UTC 2020] _ret='0'
[Sun Feb 23 11:30:42 UTC 2020] code='200'
[Sun Feb 23 11:30:43 UTC 2020] d='easycal.ch'
[Sun Feb 23 11:30:43 UTC 2020] Getting webroot for domain='easycal.ch'
[Sun Feb 23 11:30:43 UTC 2020] _w='dns_me'
[Sun Feb 23 11:30:43 UTC 2020] _currentRoot='dns_me'
[Sun Feb 23 11:30:43 UTC 2020] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848109/2v-9sw","token":"LISg6OtUEtbQnjN-Kk-KXssm3BetFwr0ai6AMrVarW4"'
[Sun Feb 23 11:30:43 UTC 2020] token='LISg6OtUEtbQnjN-Kk-KXssm3BetFwr0ai6AMrVarW4'
[Sun Feb 23 11:30:43 UTC 2020] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848109/2v-9sw'
[Sun Feb 23 11:30:43 UTC 2020] keyauthorization='LISg6OtUEtbQnjN-Kk-KXssm3BetFwr0ai6AMrVarW4.CG1PTX3YNKHT-ZfdgWszvnmDPtWcAERSXrWH0PToRfI'
[Sun Feb 23 11:30:43 UTC 2020] dvlist='easycal.ch#LISg6OtUEtbQnjN-Kk-KXssm3BetFwr0ai6AMrVarW4.CG1PTX3YNKHT-ZfdgWszvnmDPtWcAERSXrWH0PToRfI#https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848109/2v-9sw#dns-01#dns_me'
[Sun Feb 23 11:30:43 UTC 2020] d='*.easycal.ch'
[Sun Feb 23 11:30:43 UTC 2020] Getting webroot for domain='*.easycal.ch'
[Sun Feb 23 11:30:43 UTC 2020] _w='dns_me'
[Sun Feb 23 11:30:43 UTC 2020] _currentRoot='dns_me'
[Sun Feb 23 11:30:43 UTC 2020] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848107/3MFwGQ","token":"h08xqAQyEKqNGPiGypr0Zn4Yw11niA4UjRjheA30cN8"'
[Sun Feb 23 11:30:43 UTC 2020] token='h08xqAQyEKqNGPiGypr0Zn4Yw11niA4UjRjheA30cN8'
[Sun Feb 23 11:30:43 UTC 2020] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848107/3MFwGQ'
[Sun Feb 23 11:30:43 UTC 2020] keyauthorization='h08xqAQyEKqNGPiGypr0Zn4Yw11niA4UjRjheA30cN8.CG1PTX3YNKHT-ZfdgWszvnmDPtWcAERSXrWH0PToRfI'
[Sun Feb 23 11:30:43 UTC 2020] dvlist='*.easycal.ch#h08xqAQyEKqNGPiGypr0Zn4Yw11niA4UjRjheA30cN8.CG1PTX3YNKHT-ZfdgWszvnmDPtWcAERSXrWH0PToRfI#https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848107/3MFwGQ#dns-01#dns_me'
[Sun Feb 23 11:30:43 UTC 2020] d
[Sun Feb 23 11:30:43 UTC 2020] vlist='easycal.ch#LISg6OtUEtbQnjN-Kk-KXssm3BetFwr0ai6AMrVarW4.CG1PTX3YNKHT-ZfdgWszvnmDPtWcAERSXrWH0PToRfI#https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848109/2v-9sw#dns-01#dns_me,*.easycal.ch#h08xqAQyEKqNGPiGypr0Zn4Yw11niA4UjRjheA30cN8.CG1PTX3YNKHT-ZfdgWszvnmDPtWcAERSXrWH0PToRfI#https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848107/3MFwGQ#dns-01#dns_me,'
[Sun Feb 23 11:30:43 UTC 2020] d='easycal.ch'
[Sun Feb 23 11:30:43 UTC 2020] _d_alias
[Sun Feb 23 11:30:43 UTC 2020] txtdomain='_acme-challenge.easycal.ch'
[Sun Feb 23 11:30:43 UTC 2020] txt='XT0AIvXBCjruV-ouAin8UhlHS3OlzchvQqUm5JxcCac'
[Sun Feb 23 11:30:43 UTC 2020] d_api='/root/.acme.sh/dnsapi/dns_me.sh'
[Sun Feb 23 11:30:43 UTC 2020] Found domain api file: /root/.acme.sh/dnsapi/dns_me.sh
[Sun Feb 23 11:30:43 UTC 2020] Adding txt value: XT0AIvXBCjruV-ouAin8UhlHS3OlzchvQqUm5JxcCac for domain:  _acme-challenge.easycal.ch
[Sun Feb 23 11:30:43 UTC 2020] First detect the root zone
[Sun Feb 23 11:30:43 UTC 2020] name?domainname=easycal.ch
[Sun Feb 23 11:30:43 UTC 2020] GET
[Sun Feb 23 11:30:43 UTC 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=easycal.ch'
[Sun Feb 23 11:30:43 UTC 2020] timeout=
[Sun Feb 23 11:30:43 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sun Feb 23 11:30:47 UTC 2020] ret='0'
[Sun Feb 23 11:30:47 UTC 2020] name?domainname=ch
[Sun Feb 23 11:30:47 UTC 2020] GET
[Sun Feb 23 11:30:47 UTC 2020] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=ch'
[Sun Feb 23 11:30:47 UTC 2020] timeout=
[Sun Feb 23 11:30:47 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sun Feb 23 11:30:48 UTC 2020] ret='0'
[Sun Feb 23 11:30:48 UTC 2020] invalid domain
[Sun Feb 23 11:30:48 UTC 2020] Error add txt for domain:_acme-challenge.easycal.ch
[Sun Feb 23 11:30:48 UTC 2020] _on_issue_err
[Sun Feb 23 11:30:48 UTC 2020] Please add '--debug' or '--log' to check more details.
[Sun Feb 23 11:30:48 UTC 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Sun Feb 23 11:30:48 UTC 2020] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848109/2v-9sw'
[Sun Feb 23 11:30:48 UTC 2020] payload='{}'
[Sun Feb 23 11:30:48 UTC 2020] POST
[Sun Feb 23 11:30:48 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848109/2v-9sw'
[Sun Feb 23 11:30:48 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sun Feb 23 11:30:48 UTC 2020] _ret='0'
[Sun Feb 23 11:30:48 UTC 2020] code='200'
[Sun Feb 23 11:30:48 UTC 2020] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848107/3MFwGQ'
[Sun Feb 23 11:30:48 UTC 2020] payload='{}'
[Sun Feb 23 11:30:48 UTC 2020] POST
[Sun Feb 23 11:30:48 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2968848107/3MFwGQ'
[Sun Feb 23 11:30:48 UTC 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Sun Feb 23 11:30:49 UTC 2020] _ret='0'
[Sun Feb 23 11:30:49 UTC 2020] code='200'
[Sun Feb 23 11:30:49 UTC 2020] socat doesn't exists.
[Sun Feb 23 11:30:49 UTC 2020] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2k-fips  26 Jan 2017
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
socat:
[Sun Feb 23 11:30:49 UTC 2020] pid
[Sun Feb 23 11:30:49 UTC 2020] No need to restore nginx, skip.
[Sun Feb 23 11:30:49 UTC 2020] _clearupdns
[Sun Feb 23 11:30:49 UTC 2020] dns_entries
[Sun Feb 23 11:30:49 UTC 2020] skip dns.

There are 2 calls to the DNS Made Easy api here. I’ve tried both of them independently. The first returns a 200 with an expected JSON packet. The second returns a 404, and it logically seems to be a mistake. After that 404, acme.sh throws an error.

First call is to https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=easycal.ch
It works for me independently and returns info about the domain.
The second call is to https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=ch
“ch” isn’t a domain, and when I try this api call independently it returns a 404, which one might expect. Right after this, acme.sh registers an invalid domain error and the process fails.

 [Sun Feb 23 11:30:48 UTC 2020] invalid domain
 [Sun Feb 23 11:30:48 UTC 2020] Error add txt for domain:_acme-challenge.easycal.ch

Not sure where to go from here. If it seems appropriate, I could submit a bug report to the acme.sh github.

In the context of validations and global DNS, ch is a “domain”:

nslookup -q=ns ch. 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
ch      nameserver = d.nic.ch
ch      nameserver = f.nic.ch
ch      nameserver = h.nic.ch
ch      nameserver = b.nic.ch
ch      nameserver = c.nic.ch
ch      nameserver = e.nic.ch
ch      nameserver = a.nic.ch
ch      nameserver = g.nic.ch
1 Like

“Domain” in the sense that a DNS provider would use the term with their clients. I would not be able to host “ch” with one, nor would I be able to use it as a domain for a website or obtain a Let’s Encrypt cert for “ch”. The practical point is, of course, that the DNS Made Easy api does not find “ch” on a search of the domain names in their system, and this seems to trip up the validation process, throwing an “invalid domain” error.

Running https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=google.com also returns a 404 from their api for me when I test it. So the 404 seems to mean “not hosted here”. It does not have a bearing on validity.

I was finally able to resolve this issue by using the --debug 2 flag on the acme.sh call, which pointed to an authorization issue because my server clock was enough out of sync to fail on the acme.sh call, but not on my direct calls to the api which I was testing with. After installing and enabling NTP synchronization on the server, everything now works.

2 Likes
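The debug log above shows how acme.sh finds the zone to write the TXT record into: it asks the DME API about easycal.ch, then strips a label and asks about ch, and reports "invalid domain" when nothing is found. The thread's later posts establish that a 404 from that lookup means "not hosted in this account" while the real failure was a 403 caused by clock skew, which the walk silently treated like a miss. The following is an added example, not acme.sh's or the plugin's code: it reimplements the label-stripping walk against a constructed stand-in for the lookup and reports a 403 as a credential/clock problem instead of collapsing it into "invalid domain", which is the distinction that would have shortened this diagnosis. HOSTED_ZONES and the two fake lookup functions are constructed for the example.

```python
from typing import Callable, Optional, Tuple

# Constructed stand-in for the DME "managed/name?domainname=" lookup: maps a
# name to the HTTP status the API would return. 200 means the zone is hosted in
# the account; anything else falls through to 404, "not hosted here", which the
# thread observed for both "ch" and "google.com".
HOSTED_ZONES = {"easycal.ch": 200}


def fake_lookup(domainname: str) -> int:
    """Healthy API with a correctly synchronised clock."""
    return HOSTED_ZONES.get(domainname, 404)


def fake_lookup_skewed_clock(domainname: str) -> int:
    """API seen from a host whose clock is 30 s or more off: every request is 403."""
    return 403


def find_root_zone(fqdn: str, lookup: Callable[[str], int]) -> Tuple[Optional[str], str]:
    """Walk from the full name toward the TLD, one label at a time.

    Returns (zone, outcome). A 404 means "strip one label and keep walking";
    a 403 is an authentication or clock problem and is reported as such rather
    than being treated as one more miss.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        status = lookup(candidate)
        if status == 200:
            return candidate, "found"
        if status == 403:
            return None, f"403 Forbidden for {candidate}: check API credentials and system clock"
        if status != 404:
            return None, f"unexpected HTTP {status} for {candidate}"
    return None, "invalid domain: no candidate zone is hosted in this account"


if __name__ == "__main__":
    for lookup in (fake_lookup, fake_lookup_skewed_clock):
        print(lookup.__name__, find_root_zone("_acme-challenge.easycal.ch", lookup))
```

With the healthy lookup the walk stops at easycal.ch, the zone the TXT record belongs in; with the skewed-clock lookup it stops on the first 403 and names the likely cause, which is the same conclusion the thread reached only after --debug 2 exposed the status code.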
