How can I start acme-dns from scratch?

My domain is: isin.ru

I ran this command: nslookup -q=txt _acme-challenge.isin.ru 8.8.8.8

It produced this output:
_acme-challenge.isin.ru canonical name = f26815ed-cf8c-4476-b6ac-2d9bcc7a54f8.auth.acme-dns.io
f26815ed-cf8c-4476-b6ac-2d9bcc7a54f8.auth.acme-dns.io text =
"k7AMGUIwGP69O9N10k7a2z5uHb9WHCItbKJ1uwpR3qY"
f26815ed-cf8c-4476-b6ac-2d9bcc7a54f8.auth.acme-dns.io text =
"PjNS1l4rgR7vc_zKAxYUkQGUKCWoWkbSTtssJki2M8U"

Requesting the page https://acme-v02.api.letsencrypt.org/acme/chall-v3/426866009017/bB1A9w
gives this result:
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record "k7AMGUIwGP69O9N10k7a2z5uHb9WHCItbKJ1uwpR3qY" (and 1 more) found at _acme-challenge.isin.ru", "status": 403
}

What can I do with it?
or
Can I clear all previous dns records, challenges, orders and start from zero?

I use Posh-acme

These two commands should delete all existing orders and any saved acme-dns registrations. But they will leave your existing ACME account in place, so you don't need to re-create that.

Get-PAOrder -List | Remove-PAOrder -Force
Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore

It's odd though, because your nslookup output makes it look like you set up the CNAME record properly for the acme-dns registration that was created. Can you describe more about what commands you ran prior to the nslookup?

4 Likes

You might just check your DNS config, especially the warnings about wrong delegation and the wrong glue records.

I would get these resolved first.

https://dnsviz.net/d/isin.ru/dnssec/

2 Likes

I started with new-pacertificate and it worked for me for some months.
Then I moved to another computer and problems began.

your nslookup output makes it look like you setup the CNAME record properly for the acme-dns registration that was created
Yes, at first I was asked to create DNS CNAMEs.

When you register with an acme-dns type service the "registration" data is stored on your machine, and it consists of unique credentials to update the acme-dns service just for that entry, and a unique CNAME value.

To share acme-dns registrations between machines you need to copy that registration data, not register again; otherwise you would need to change the dynamically generated CNAME value to the new registration.

4 Likes

Get-PAOrder -List | Remove-PAOrder -Force
Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore

I've removed the order and pluginvars.json.
Then I created a new-paorder.
And now it is in pending status for some hours.
Should I do something else or just wait a little more?

What command(s) did you run after the ones that removed the old order config? The module doesn't usually wait for more than 2 minutes for anything unless you've modified the -DnsSleep parameter somewhere.

2 Likes

I did nothing. Maybe drank one coffee.
And then I tried to create a new order.

And what command(s) did you use to create the new order?

3 Likes

new-paorder without arguments.
I was asked to enter DNS names.
And... that's it.

Well, there's your problem. New-PAOrder doesn't do anything but create the order object (no validation, no finalization, etc). You probably wanted New-PACertificate. Or more specifically, if you're using acme-dns, something like this:

New-PACertificate 'example.com','www.example.com' -Plugin AcmeDns
3 Likes

Here is the list of my actions:

Get-PAOrder "isin.ru" | Remove-PAOrder -Force
remove pluginvars.json
New-PACertificate $certsan -AcceptTOS -PfxPassSecure $pwd -Plugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'}
Error:
Submit-ChallengeValidation : Object reference not set to an instance of an object.
At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.25.0\Public\New-PACertificate.ps1:258 char:9

+         Submit-ChallengeValidation

pluginargs.json contains nulls:
{
    "ACMEReg": {
        "_acme-challenge.isin.ru": [
            null,
            null,
            null,
            null
        ]
    }
}

pluginargs.json should be deleted entirely, which is what Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore should have done. What you have there with the nulls in place is what is causing the null reference error you're now seeing. If you need to hand edit the file for whatever reason, remove the entire _acme-challenge.isin.ru block.

2 Likes

pluginargs.json I deleted entirely, using shift-del in explorer )
pluginargs.json with nulls is being created by the new-paorder or new-pacertificate functions.
Should I save pluginargs.json this way before new-pacertificate?
{
    "ACMEReg": {
    }
}

Something is fishy with the acme-dns registration. I'm not sure why a fresh run would get you null values. It's probably worth testing just the registration by itself. Give this a try and post the output after redacting the username/password in the debug response:

$DebugPreference = 'Continue'
Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore
Publish-Challenge isin.ru (Get-PAAccount) fake AcmeDns @{ACMEServer='auth.acme-dns.io'} -Verbose
Save-Challenge AcmeDns @{ACMEServer='auth.acme-dns.io'} -Verbose
3 Likes

PS C:\Cert> $DebugPreference = 'Continue'
PS C:\Cert> Remove-Item (Join-Path (Get-PAAccount).Folder 'pluginvars.json') -EA Ignore
PS C:\Cert> Publish-Challenge isin.ru (Get-PAAccount) fake AcmeDns @{ACMEServer='auth.acme-dns.io'} -Verbose
VERBOSE: Publishing challenge for Domain isin.ru with Token fake using Plugin AcmeDns and DnsAlias ''.
DEBUG: Loading PAAccount list from disk
DEBUG: Calling AcmeDns plugin to add _acme-challenge.isin.ru TXT with value FpbQsfRpYCwgkhm0Luesn9ZARIePA3CLDq3_FOofQJo
VERBOSE: No existing acme-dns registrations found
VERBOSE: Registering new subdomain on auth.acme-dns.io
DEBUG: POST https://auth.acme-dns.io/register {}
DEBUG: Response: "\u003chtml\u003e\u003chead\u003e\u003cmeta http-equiv="refresh" content="0; url=/block/page?m=icap_block\u0026reason=b983ebb6-7f05-4a87-bb0c-ff42c8902de1\u0026link=https%3a%2f%2fauth.acme-dns.io%2fregister\u0026ctc=%5B0%5D\u0026ltc=%5B%5D\u0026lwd=\u0026template_id=-1\u0026st=GdwHKAwMBcFxm3oMzxYqOyMwG9uQAIRpe%2b9XjKnCmJSpjVAyfgzURC1eH7sdbDTK%2fAjFbafY527PR2zBTaK7XA%3d%3d"\u003e\u003c/head\u003e\u003c/html\u003e"
DEBUG: Saving updated plugin vars
VERBOSE: Updating with FpbQsfRpYCwgkhm0Luesn9ZARIePA3CLDq3_FOofQJo
DEBUG: POST https://auth.acme-dns.io/update {"txt":"FpbQsfRpYCwgkhm0Luesn9ZARIePA3CLDq3_FOofQJo","subdomain":null}
Invoke-RestMethod : Object reference not set to an instance of an object.
At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.25.0\Plugins\AcmeDns.ps1:117 char:21
+     $response = Invoke-RestMethod @updateParams @script:UseBasic
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-RestMethod], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

PS C:\Cert> Save-Challenge AcmeDns @{ACMEServer='auth.acme-dns.io'} -Verbose
VERBOSE: Saving changes for AcmeDns plugin
DEBUG: Calling AcmeDns plugin to save

Please create the following CNAME records:
------------------------------------------
_acme-challenge.isin.ru ->
_acme-challenge.isin.ru ->
_acme-challenge.isin.ru ->
_acme-challenge.isin.ru ->
------------------------------------------

There we go. Your traffic to the acme-dns server is being intercepted and blocked by something. Searching "icap_block" makes it look like perhaps something Fortigate related. Do you have Fortigate security appliances monitoring your outbound traffic?

5 Likes
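An added example, not code from Posh-ACME or from anyone in this thread, that ties together the two points made above: an acme-dns registration is a small JSON object (username, password, fulldomain, subdomain) whose fulldomain is the CNAME target, and a proxy that swaps the /register response for an HTML block page leaves that object full of nulls, which is what the later /update call then trips over. The function below checks a response body before it would be saved; the sample inputs are constructed, with placeholder credentials, and the fulldomain is the one the nslookup output in this thread resolved to.

```powershell
# Added example, not Posh-ACME code: check an acme-dns /register response
# before trusting it as a registration. Field names follow the acme-dns API
# (username, password, fulldomain, subdomain, allowfrom).
function Test-AcmeDnsRegistration {
    param(
        [Parameter(Mandatory)][string]$Body,   # raw HTTP response body
        [string]$ContentType = ''              # Content-Type header, if known
    )
    # An inspecting proxy that blocks the request may return an HTML block
    # page with status 200; acme-dns always answers /register with JSON.
    if ($ContentType -and $ContentType -notmatch '^application/json') {
        return [pscustomobject]@{ Ok = $false; Reason = "Non-JSON Content-Type: $ContentType" }
    }
    if ($Body.TrimStart() -match '^<') {
        return [pscustomobject]@{ Ok = $false; Reason = 'Body is HTML, probably a proxy block page' }
    }
    try {
        $reg = $Body | ConvertFrom-Json -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Ok = $false; Reason = "Body is not valid JSON: $($_.Exception.Message)" }
    }
    # Every field must be present and non-empty, or a later /update call goes
    # out with "subdomain":null, which is the failure in the debug log above.
    foreach ($f in 'username','password','fulldomain','subdomain') {
        if ([string]::IsNullOrWhiteSpace($reg.$f)) {
            return [pscustomobject]@{ Ok = $false; Reason = "Registration field '$f' is missing or null" }
        }
    }
    [pscustomobject]@{ Ok = $true; Reason = 'Registration looks valid'; Registration = $reg }
}

# Constructed sample of a healthy registration (username/password are placeholders;
# fulldomain is the value the nslookup output in this thread resolved to).
$good = '{"username":"PLACEHOLDER-USER","password":"PLACEHOLDER-PASS",' +
        '"fulldomain":"f26815ed-cf8c-4476-b6ac-2d9bcc7a54f8.auth.acme-dns.io",' +
        '"subdomain":"f26815ed-cf8c-4476-b6ac-2d9bcc7a54f8","allowfrom":[]}'
# Constructed sample of an HTML block page like the one in the debug log.
$blocked = '<html><head><meta http-equiv="refresh" content="0; url=/block/page?m=icap_block"></head></html>'

$r = Test-AcmeDnsRegistration -Body $good
if ($r.Ok) {
    # This is the CNAME the DNS operator must create for this registration.
    "CNAME: _acme-challenge.isin.ru -> $($r.Registration.fulldomain)"
}
(Test-AcmeDnsRegistration -Body $blocked).Reason
(Test-AcmeDnsRegistration -Body $good -ContentType 'text/html').Reason
```

The same field check can be run over an existing pluginvars.json: any registration entry with null fields is one that should be removed and re-registered from a network path that is not being intercepted.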

Wow, that's an amazing twist!
It's not a Fortigate but some other proxy inspects my traffic and maybe modifies it...
I'll try to move my posh-acme folder to a "clean" machine and reproduce the last scenario.

1 Like

rmbolger, you saved my life!
I was finally able to reissue this damn certificate!
How can I thank you for free? ;))))

3 Likes

Hah, just glad you got it sorted and glad I had enough debug logging in the plugin to find the problem.

5 Likes