My domain is: isin.ru
I ran this command: nslookup -q=txt _acme-challenge.isin.ru 8.8.8.8
It produced this output:
_acme-challenge.isin.ru canonical name = f26815ed-cf8c-4476-b6ac-2d9bcc7a54f8.auth.acme-dns.io
f26815ed-cf8c-4476-b6ac-2d9bcc7a54f8.auth.acme-dns.io text =
"k7AMGUIwGP69O9N10k7a2z5uHb9WHCItbKJ1uwpR3qY"
f26815ed-cf8c-4476-b6ac-2d9bcc7a54f8.auth.acme-dns.io text =
"PjNS1l4rgR7vc_zKAxYUkQGUKCWoWkbSTtssJki2M8U"
Requesting the page https://acme-v02.api.letsencrypt.org/acme/chall-v3/426866009017/bB1A9w
gives this result:
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record "k7AMGUIwGP69O9N10k7a2z5uHb9WHCItbKJ1uwpR3qY" (and 1 more) found at _acme-challenge.isin.ru", "status": 403
}
What can I do about it?
Or can I clear all previous DNS records, challenges and orders and start from zero?
I use Posh-ACME.
These two commands should delete all existing orders and any saved acme-dns registrations. But it will leave your existing ACME account in place so you don't need to re-create that.
Get-PAOrder -List | Remove-PAOrder -Force
Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore
It's odd though because your nslookup output makes it look like you set up the CNAME record properly for the acme-dns registration that was created. Can you describe more about what commands you ran prior to the nslookup?
4 Likes
You might just check your DNS config. Especially the warnings about wrong delegation and the wrong glue records.
I would get these resolved first.
https://dnsviz.net/d/isin.ru/dnssec/
2 Likes
I started with New-PACertificate and it worked for me for some months..
Then I moved to another computer and the problems began..
your nslookup output makes it look like you set up the CNAME record properly for the acme-dns registration that was created
Yes, at first I was asked to create DNS CNAMEs.
When you register with an acme-dns type service the "registration" data is stored on your machine, and it consists of unique credentials to update the acme-dns service just for that entry, and a unique CNAME value.
To share acme-dns registrations between machines you need to copy that registration data, not register again, otherwise you would need to change the dynamically generated CNAME value to the new registration.
4 Likes
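The check the reply above implies, as an added example that is not part of this thread and not Posh-ACME's own code: read the saved acme-dns registrations out of pluginvars.json, flag entries that were saved with empty values, and confirm with a public resolver that the _acme-challenge CNAME really points at the saved registration's fulldomain. It assumes the file layout shown later in this thread ({"ACMEReg": {"<record>": [four values]}}), assumes the fourth element is the registration's fulldomain (labelled in the code), and uses the Windows DnsClient cmdlet Resolve-DnsName.

```powershell
# Added diagnostic; not from the thread or from Posh-ACME itself.
# Assumptions: pluginvars.json looks like {"ACMEReg": {"<record>": [..4 values..]}}
# and the fourth element is the registration's fulldomain, i.e. the
# <uuid>.auth.acme-dns.io name the CNAME must point at (assumed element order).

function Get-AcmeDnsRegistration {
    param([Parameter(Mandatory)][string]$PluginVarsPath)

    if (-not (Test-Path -LiteralPath $PluginVarsPath)) {
        return @()   # nothing saved yet; Posh-ACME would register fresh on the next run
    }
    $vars = Get-Content -LiteralPath $PluginVarsPath -Raw | ConvertFrom-Json
    if (-not $vars.ACMEReg) { return @() }

    $out = foreach ($prop in $vars.ACMEReg.PSObject.Properties) {
        $entry = @($prop.Value)
        # Count empty slots: a registration saved after a failed /register call
        # is an array of nulls, which is exactly what breaks the later /update call.
        $empty = 0
        foreach ($v in $entry) { if ([string]::IsNullOrEmpty($v)) { $empty++ } }
        $broken = ($entry.Count -ne 4) -or ($empty -gt 0)
        $full = $null
        if (-not $broken) { $full = $entry[3] }   # ASSUMED index 3 = fulldomain
        [pscustomobject]@{ Record = $prop.Name; FullDomain = $full; Broken = $broken }
    }
    return @($out)
}

function Test-AcmeDnsCname {
    param(
        [Parameter(Mandatory)][string]$Record,       # e.g. _acme-challenge.example.com
        [Parameter(Mandatory)][string]$FullDomain,   # e.g. <uuid>.auth.acme-dns.io
        [string]$Server = '8.8.8.8'                  # public resolver, as in the nslookup above
    )
    $actual = $null
    $note = ''
    try {
        $rec = Resolve-DnsName -Name $Record -Type CNAME -Server $Server -ErrorAction Stop |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if ($rec) { $actual = $rec.NameHost.TrimEnd('.') } else { $note = 'no CNAME at this name' }
    } catch {
        $note = "lookup failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Record   = $Record
        Expected = $FullDomain
        Actual   = $actual
        Match    = ($null -ne $actual) -and ($actual -eq $FullDomain.TrimEnd('.'))
        Note     = $note
    }
}

# Usage on a Posh-ACME machine (Get-PAAccount is the module's own cmdlet, as used in this thread):
$path = Join-Path (Get-PAAccount).Folder 'pluginvars.json'
foreach ($reg in Get-AcmeDnsRegistration -PluginVarsPath $path) {
    if ($reg.Broken) {
        Write-Warning "$($reg.Record): registration has empty values; delete pluginvars.json and re-register"
        continue
    }
    Test-AcmeDnsCname -Record $reg.Record -FullDomain $reg.FullDomain
}
```

Run it on the machine you copied the Posh-ACME folder to: a Match of False with a non-empty Actual means the CNAME in DNS still points at a registration created on the old machine, and a Broken entry means the saved registration itself is unusable and should be removed rather than reused.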
Get-PAOrder -List | Remove-PAOrder -Force
Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore
I've removed order and pluginvars.json.
Then I created new-paorder.
And now it is in pending status for some hours.
Should I do something else or just wait a little more?
What command(s) did you run after the ones that removed the old order config? The module doesn't usually wait for more than 2 minutes for anything unless you've modified the -DnsSleep parameter somewhere.
2 Likes
I did nothing. Maybe drank one coffee..
And then I tried to create a new order.
And what command(s) did you use to create the new order?
3 Likes
new-paorder without arguments.
I was asked to enter dns names.
And... that's it
Well, there's your problem. New-PAOrder doesn't do anything but create the order object (no validation, no finalization, etc). You probably wanted New-PACertificate. Or more specifically if you're using acme-dns, something like this:
New-PACertificate 'example.com','www.example.com' -Plugin AcmeDns
3 Likes
Here is the list of my actions:
Get-PAOrder "isin.ru" | Remove-PAOrder -Force
remove pluginvars.json
New-PACertificate $certsan -AcceptTOS -PfxPassSecure $pwd -Plugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'}
Error:
Submit-ChallengeValidation : Object reference not set to an instance of an object.
At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.25.0\Public\New-PACertificate.ps1:258 char:9
pluginargs.json contain nulls:
{
"ACMEReg": {
"_acme-challenge.isin.ru": [
null,
null,
null,
null
]
}
}
pluginargs.json should be deleted entirely which is what Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore should have done. What you have there with the nulls in place is what is causing the null reference error you're now seeing. If you need to hand edit the file for whatever reason, remove the entire _acme-challenge.isin.ru block.
2 Likes
pluginargs.json I deleted entirely, using shift-del in explorer )
pluginargs.json with nulls is being created by the new-paorder or new-pacertificate functions.
Should I save pluginargs.json this way before new-pacertificate?
{
"ACMEReg": {
}
}
Something is fishy with the acme-dns registration. I'm not sure why a fresh run would get you null values. It's probably worth testing just the registration by itself. Give this a try and post the output after redacting the username/password in the debug response:
$DebugPreference = 'Continue'
Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore
Publish-Challenge isin.ru (Get-PAAccount) fake AcmeDns @{ACMEServer='auth.acme-dns.io'} -Verbose
Save-Challenge AcmeDns @{ACMEServer='auth.acme-dns.io'} -Verbose
3 Likes
PS C:\Cert> $DebugPreference = 'Continue'
PS C:\Cert> Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore
PS C:\Cert> Publish-Challenge isin.ru (Get-PAAccount) fake AcmeDns @{ACMEServer='auth.acme-dns.io'} -Verbose
VERBOSE: Publishing challenge for Domain isin.ru with Token fake using Plugin AcmeDns and DnsAlias ''.
DEBUG: Loading PAAccount list from disk
DEBUG: Calling AcmeDns plugin to add _acme-challenge.isin.ru TXT with value FpbQsfRpYCwgkhm0Luesn9ZARIePA3CLDq3_FOofQJo
VERBOSE: No existing acme-dns registrations found
VERBOSE: Registering new subdomain on auth.acme-dns.io
DEBUG: POST https://auth.acme-dns.io/register {}
DEBUG: Response: "\u003chtml\u003e\u003chead\u003e\u003cmeta http-equiv="refresh" content="0; url=/block/page?m=icap_block\u0026reason=b983ebb6-7f05-4a87-bb0c-ff42c8902de1\u0026link=https%3a%2f%2fauth.acme-dns.io%2fregister\u0026ctc=%5B0%5D\u0026ltc=%5B%5D\u0026lwd=\u0026template_id=-1\u0026st =GdwHKAwMBcFxm3oMzxYqOyMwG9uQAIRpe%2b9XjKnCmJSpjVAyfgzURC1eH7sdbDTK%2fAjFbafY527PR2zBTaK7XA%3d%3d"\u003e\u003c/head\u003e\u003c/html\u003e"
DEBUG: Saving updated plugin vars
VERBOSE: Updating with FpbQsfRpYCwgkhm0Luesn9ZARIePA3CLDq3_FOofQJo
DEBUG: POST https://auth.acme-dns.io/update {"txt":"FpbQsfRpYCwgkhm0Luesn9ZARIePA3CLDq3_FOofQJo","subdomain":null}
Invoke-RestMethod : Object reference not set to an instance of an object.
At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.25.0\Plugins\AcmeDns.ps1:117 char:21
+ $response = Invoke-RestMethod @updateParams @script:UseBasic
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: ( [Invoke-RestMethod], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
PS C:\Cert> Save-Challenge AcmeDns @{ACMEServer='auth.acme-dns.io'} -Verbose
VERBOSE: Saving changes for AcmeDns plugin
DEBUG: Calling AcmeDns plugin to save
Please create the following CNAME records:
------------------------------------------
_acme-challenge.isin.ru ->
_acme-challenge.isin.ru ->
_acme-challenge.isin.ru ->
_acme-challenge.isin.ru ->
------------------------------------------
There we go. Your traffic to the acme-dns server is being intercepted and blocked by something. Searching "icap_block" makes it look like perhaps something Fortigate related. Do you have Fortigate security appliances monitoring your outbound traffic?
5 Likes
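The failure chain in the debug output above is: the /register call returns an HTML block page instead of JSON, the plugin stores four nulls, and the following /update call trips over the null subdomain. As an added example (not from this thread and not Posh-ACME's own code), here is a check that classifies a /register reply before anything is saved. It relies on the documented acme-dns registration reply (JSON with username, password, fulldomain and subdomain); the sample bodies at the end are constructed, with the block page shortened from the one above and placeholder values standing in for real credentials.

```powershell
# Added example; not from the thread or from Posh-ACME.
# Validates an acme-dns /register reply: real registrations are JSON with
# username, password, fulldomain and subdomain; an HTML body or a meta-refresh
# redirect is a proxy/content-inspection page and must not be stored.

function Test-AcmeDnsRegisterResponse {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Body,
        [string]$ContentType = ''   # value of the Content-Type header, when known
    )
    $required = 'username', 'password', 'fulldomain', 'subdomain'
    $result = [pscustomobject]@{ Ok = $false; Intercepted = $false; Missing = @(); Reason = '' }

    # An HTML document or a meta-refresh redirect is not an acme-dns reply.
    if ($Body -match '(?i)<html|<meta\s+http-equiv=["'']?refresh') {
        $result.Intercepted = $true
        $result.Reason = 'HTML body instead of JSON (proxy or content-inspection block page)'
        if ($Body -match 'icap_block') { $result.Reason += '; carries an icap_block marker' }
        return $result
    }
    if ($ContentType -and $ContentType -notmatch '^application/json') {
        $result.Reason = "unexpected Content-Type '$ContentType'"
        return $result
    }
    try {
        $obj = $Body | ConvertFrom-Json -ErrorAction Stop
    } catch {
        $result.Reason = "body is not valid JSON: $($_.Exception.Message)"
        return $result
    }
    # Empty or missing fields would be saved as nulls and break every later /update call.
    $missing = @(foreach ($f in $required) { if ([string]::IsNullOrEmpty($obj.$f)) { $f } })
    if ($missing.Count -gt 0) {
        $result.Missing = $missing
        $result.Reason = "JSON is missing or empty: $($missing -join ', ')"
        return $result
    }
    $result.Ok = $true
    $result.Reason = 'well-formed acme-dns registration'
    return $result
}

function Invoke-AcmeDnsRegisterProbe {
    # Performs one real registration against $Server and validates the reply.
    # Invoke-WebRequest is used instead of Invoke-RestMethod so the raw body and
    # headers are available even when the reply is not JSON.
    param([string]$Server = 'auth.acme-dns.io')
    try {
        $resp = Invoke-WebRequest -Uri "https://$Server/register" -Method Post -Body '{}' `
                    -ContentType 'application/json' -UseBasicParsing -ErrorAction Stop
        $ct = [string]$resp.Headers['Content-Type']
        return Test-AcmeDnsRegisterResponse -Body ([string]$resp.Content) -ContentType $ct
    } catch {
        return [pscustomobject]@{ Ok = $false; Intercepted = $false; Missing = @(); Reason = "request failed: $($_.Exception.Message)" }
    }
}

# Constructed samples, not live responses: the first mirrors the shape of the block page
# in the debug output above, the second is a normal registration with placeholder values.
$blocked = '<html><head><meta http-equiv="refresh" content="0; url=/block/page?m=icap_block&reason=REDACTED"></head></html>'
$healthy = '{"username":"PLACEHOLDER-USER","password":"PLACEHOLDER-PASS","fulldomain":"PLACEHOLDER-UUID.auth.acme-dns.io","subdomain":"PLACEHOLDER-UUID","allowfrom":[]}'

Test-AcmeDnsRegisterResponse -Body $blocked   # the intercepted case from this thread
Test-AcmeDnsRegisterResponse -Body $healthy   # a well-formed registration
```

Invoke-AcmeDnsRegisterProbe creates a real (unused) registration on the server each time it runs, so use it as a one-off preflight from the machine that will run Posh-ACME; an Intercepted result there is the same condition the debug output above exposed, only reported before anything is written to pluginvars.json.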
Wow, that's an amazing twist!
It's not a Fortigate but some other proxy inspects my traffic and maybe modifies it...
I'll try to move my posh-acme folder to a "clean" machine and reproduce the last scenario..
1 Like
rmbolger, you saved my life!
I was finally able to reissue this damn certificate!
How can I thank you for free? ;))))
3 Likes
Hah, just glad you got it sorted and glad I had enough debug logging in the plugin to find the problem.
5 Likes