Is there a way to force domain verification in acme.sh?
I’ve looked at all the options and if there’s one to do this, I don’t see it or haven’t yet tried it. I’ve tried a lot of options already. I also don’t see anything obvious in the .conf files.
While I have successfully installed certs and renewals, I am having some intermittent or unobvious problem with dns_nsupdate-local on one domain, possibly related to file or bind permissions. So I need to repeatedly run acme.sh and have it make and delete the DNS entries to debug this. But right now it won’t do the domain verification - which I understand is cached somewhere? by LE?
and it reports
…
[Tue May 21 12:08:01 EDT 2019] domain.ca is already verified, skip dns-01.
[Tue May 21 12:08:02 EDT 2019] *.domain.ca is already verified, skip dns-01.
All tips appreciated. Also, is there a better place to ask about acme.sh or is this forum appropriate?
I think your best bet is to use the staging environment and a fresh ACME account each time you attempt issuance. Using the staging env is important to avoid using up your production rate limit debugging. Using a new ACME account each time will prevent any valid authorizations from being reused.
I think you can use ACME_DIRECTORY=https://acme-staging.api.letsencrypt.org/directory acme.sh to set the server to the staging API explicitly.
I'm not sure how you can make acme.sh use a new account each attempt. If I remember correctly it stores some local state in a hidden folder (Maybe ~/.acme.sh?).
Agreed! As shown in my acme.sh options above I am using --test (same as --staging)
I already rate-limited myself for a week when I accidentally invoked the real server too many times.
BUT even deleting this file completely seemed to not reenable domain (re)verification for the same domain, which suggests LE caching of the domain name.
Anyway: I requested an additional cert for a previously unused subdomain e.g. x.domain. That then showed me a clear acme.sh error message that there was no read permission for acme.sh user on the bind session.key needed for the dns_nsupdate-local authenticator which I am using.
So it seems this issue will arise by default for anyone running acme.sh as an ordinary, unprivileged user - which is why some people want to use acme.sh. It is easily enough worked around, but likely to be encountered.
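The two points raised in the thread, re-running dns-01 against staging with a fresh ACME account so no cached authorization is reused, and the unprivileged acme.sh user not being able to read BIND's update key, can be combined into one debugging script. The script below is an added example written for this page; it is not code from acme.sh or from any poster. It assumes the hook in question corresponds to acme.sh's built-in `dns_nsupdate` hook (which reads `NSUPDATE_SERVER` and `NSUPDATE_KEY` from the environment), and the key path `/run/named/session.key`, the name server `ns1.example.com` and the zone `example.com` are placeholders, not values from the thread. A throw-away `--config-home` directory gives acme.sh no stored account, so it registers a new one on staging and the server has no valid authorization to skip to.

```shell
#!/bin/sh
# Added example (not acme.sh's own code): one staging issuance attempt per run,
# with a brand-new ACME account, after checking that the TSIG/update key the
# dns_nsupdate hook needs is readable by the current (unprivileged) user.
# All three defaults below are assumptions; override them in the environment.
NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.example.com}"   # assumed BIND master
NSUPDATE_KEY="${NSUPDATE_KEY:-/run/named/session.key}"   # assumed key path
ZONE_DOMAIN="${ZONE_DOMAIN:-example.com}"                # placeholder zone

# Return 1 (with owner/mode shown) when the key is missing or not readable by
# this user; that is the condition behind the "no read permission" error.
check_nsupdate_key() {
    key="$1"
    if [ ! -e "$key" ]; then
        echo "nsupdate key not found: $key" >&2
        return 1
    fi
    if [ ! -r "$key" ]; then
        echo "nsupdate key not readable by $(id -un): $(ls -l "$key")" >&2
        return 1
    fi
    return 0
}

# A fresh config home holds no account key, so acme.sh registers a new ACME
# account and the CA has no cached authorization to reuse for this domain.
fresh_config_home() {
    mktemp -d "${TMPDIR:-/tmp}/acme-debug.XXXXXX"
}

# Argument list for one staging attempt, one argument per line.
acme_issue_args() {
    home="$1"
    domain="$2"
    printf '%s\n' --issue --staging --config-home "$home" \
        --dns dns_nsupdate -d "$domain" -d "*.$domain" --debug 2
}

# Check the key first, then run acme.sh if it is installed; otherwise print
# the command that would have been run so the script is still useful dry.
run_attempt() {
    check_nsupdate_key "$NSUPDATE_KEY" || return 1
    home="$(fresh_config_home)"
    export NSUPDATE_SERVER NSUPDATE_KEY
    echo "using fresh config home $home (new ACME account)"
    if command -v acme.sh >/dev/null 2>&1; then
        # shellcheck disable=SC2046
        acme.sh $(acme_issue_args "$home" "$ZONE_DOMAIN")
    else
        echo "acme.sh not on PATH; would run: acme.sh $(acme_issue_args "$home" "$ZONE_DOMAIN" | tr '\n' ' ')"
    fi
}

# Invoke as: sh acme-debug.sh run   (with no argument it only defines functions)
if [ "${1:-}" = run ]; then
    run_attempt
fi
```

Each run leaves its own `acme-debug.*` directory (and its own staging account) behind; delete them once the hook works, and then issue normally with your real config home. When the key check fails, the fix is on the BIND side (a group-readable key file, or a dedicated TSIG key generated with `tsig-keygen` and granted update rights in the zone's `update-policy`), not in acme.sh.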
Thank you for making all of these very clear. I did read about them before but there are many LE aspects to try to remember, as well as acme.sh, bind dynamic updates…