Invalid domain, error add txt for domain when issuing cert

My domain is: nas.harrydowe.uk, drive.harrydowe.uk

I ran this command:

 ./acme.sh --issue --home . -d "drive.harrydowe.uk" --dns "$CERT_DNS" --debug

It produced this output:

[Mon Mar 29 16:21:40 BST 2021] Lets find script dir.
[Mon Mar 29 16:21:40 BST 2021] _SCRIPT_='./acme.sh'
[Mon Mar 29 16:21:40 BST 2021] _script='/usr/local/share/acme.sh/acme.sh'
[Mon Mar 29 16:21:40 BST 2021] _script_home='/usr/local/share/acme.sh'
[Mon Mar 29 16:21:40 BST 2021] Using config home:.
https://github.com/acmesh-official/acme.sh
v2.8.9
[Mon Mar 29 16:21:40 BST 2021] Running cmd: issue
[Mon Mar 29 16:21:40 BST 2021] _main_domain='drive.harrydowe.uk'
[Mon Mar 29 16:21:40 BST 2021] _alt_domains='no'
[Mon Mar 29 16:21:40 BST 2021] Using config home:.
[Mon Mar 29 16:21:40 BST 2021] default_acme_server
[Mon Mar 29 16:21:40 BST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 29 16:21:40 BST 2021] DOMAIN_PATH='./drive.harrydowe.uk'
[Mon Mar 29 16:21:41 BST 2021] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Mon Mar 29 16:21:41 BST 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Mon Mar 29 16:21:41 BST 2021] GET
[Mon Mar 29 16:21:41 BST 2021] url='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 29 16:21:41 BST 2021] timeout=
[Mon Mar 29 16:21:42 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g '
[Mon Mar 29 16:21:44 BST 2021] ret='0'
[Mon Mar 29 16:21:44 BST 2021] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Mon Mar 29 16:21:44 BST 2021] ACME_NEW_AUTHZ
[Mon Mar 29 16:21:44 BST 2021] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Mon Mar 29 16:21:44 BST 2021] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mon Mar 29 16:21:44 BST 2021] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Mon Mar 29 16:21:44 BST 2021] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Mon Mar 29 16:21:44 BST 2021] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Mar 29 16:21:44 BST 2021] ACME_VERSION='2'
[Mon Mar 29 16:21:44 BST 2021] Le_NextRenewTime
[Mon Mar 29 16:21:48 BST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Mar 29 16:21:48 BST 2021] _on_before_issue
[Mon Mar 29 16:21:48 BST 2021] _chk_main_domain='drive.harrydowe.uk'
[Mon Mar 29 16:21:48 BST 2021] _chk_alt_domains
[Mon Mar 29 16:21:48 BST 2021] Le_LocalAddress
[Mon Mar 29 16:21:48 BST 2021] d='drive.harrydowe.uk'
[Mon Mar 29 16:21:48 BST 2021] Check for domain='drive.harrydowe.uk'
[Mon Mar 29 16:21:48 BST 2021] _currentRoot='dns_cf'
[Mon Mar 29 16:21:48 BST 2021] d
[Mon Mar 29 16:21:48 BST 2021] _saved_account_key_hash is not changed, skip register account.
[Mon Mar 29 16:21:48 BST 2021] Read key length:
[Mon Mar 29 16:21:48 BST 2021] _createcsr
[Mon Mar 29 16:21:48 BST 2021] Single domain='drive.harrydowe.uk'
[Mon Mar 29 16:21:49 BST 2021] Getting domain auth token for each domain
[Mon Mar 29 16:21:49 BST 2021] d
[Mon Mar 29 16:21:49 BST 2021] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Mon Mar 29 16:21:49 BST 2021] payload='{"identifiers": [{"type":"dns","value":"drive.harrydowe.uk"}]}'
[Mon Mar 29 16:21:49 BST 2021] RSA key
[Mon Mar 29 16:21:49 BST 2021] HEAD
[Mon Mar 29 16:21:49 BST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Mar 29 16:21:50 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g  -I  '
[Mon Mar 29 16:21:51 BST 2021] _ret='0'
[Mon Mar 29 16:21:51 BST 2021] POST
[Mon Mar 29 16:21:51 BST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Mon Mar 29 16:21:51 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g '
[Mon Mar 29 16:21:52 BST 2021] _ret='0'
[Mon Mar 29 16:21:52 BST 2021] code='201'
[Mon Mar 29 16:21:52 BST 2021] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/117250520/8742171458'
[Mon Mar 29 16:21:52 BST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/117250520/8742171458'
[Mon Mar 29 16:21:52 BST 2021] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/11931955317'
[Mon Mar 29 16:21:52 BST 2021] payload
[Mon Mar 29 16:21:52 BST 2021] POST
[Mon Mar 29 16:21:52 BST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/11931955317'
[Mon Mar 29 16:21:52 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g '
[Mon Mar 29 16:21:53 BST 2021] _ret='0'
[Mon Mar 29 16:21:53 BST 2021] code='200'
[Mon Mar 29 16:21:54 BST 2021] d='drive.harrydowe.uk'
[Mon Mar 29 16:21:54 BST 2021] Getting webroot for domain='drive.harrydowe.uk'
[Mon Mar 29 16:21:54 BST 2021] _w='dns_cf'
[Mon Mar 29 16:21:54 BST 2021] _currentRoot='dns_cf'
[Mon Mar 29 16:21:55 BST 2021] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11931955317/vHSaPw","token":"qLhPJe7976cxaCM8lSrN2j08RUpbYWfiuaEeO_DpHQQ"'
[Mon Mar 29 16:21:55 BST 2021] token='qLhPJe7976cxaCM8lSrN2j08RUpbYWfiuaEeO_DpHQQ'
[Mon Mar 29 16:21:55 BST 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/11931955317/vHSaPw'
[Mon Mar 29 16:21:55 BST 2021] keyauthorization='qLhPJe7976cxaCM8lSrN2j08RUpbYWfiuaEeO_DpHQQ.Ik0EZ1U0Hctqj-dQkM2npRp_nWIaSMbxAwSzFTBevso'
[Mon Mar 29 16:21:55 BST 2021] dvlist='drive.harrydowe.uk#qLhPJe7976cxaCM8lSrN2j08RUpbYWfiuaEeO_DpHQQ.Ik0EZ1U0Hctqj-dQkM2npRp_nWIaSMbxAwSzFTBevso#https://acme-v02.api.letsencrypt.org/acme/chall-v3/11931955317/vHSaPw#dns-01#dns_cf'
[Mon Mar 29 16:21:55 BST 2021] d
[Mon Mar 29 16:21:55 BST 2021] vlist='drive.harrydowe.uk#qLhPJe7976cxaCM8lSrN2j08RUpbYWfiuaEeO_DpHQQ.Ik0EZ1U0Hctqj-dQkM2npRp_nWIaSMbxAwSzFTBevso#https://acme-v02.api.letsencrypt.org/acme/chall-v3/11931955317/vHSaPw#dns-01#dns_cf,'
[Mon Mar 29 16:21:55 BST 2021] d='drive.harrydowe.uk'
[Mon Mar 29 16:21:55 BST 2021] _d_alias
[Mon Mar 29 16:21:55 BST 2021] txtdomain='_acme-challenge.drive.harrydowe.uk'
[Mon Mar 29 16:21:55 BST 2021] txt='7UhPDjsy6mjIfKRwqsvy9gh6eg5pjGsWL6v4c0W4JG0'
[Mon Mar 29 16:21:55 BST 2021] d_api='/usr/local/share/acme.sh/dnsapi/dns_cf.sh'
[Mon Mar 29 16:21:55 BST 2021] Found domain api file: /usr/local/share/acme.sh/dnsapi/dns_cf.sh
[Mon Mar 29 16:21:55 BST 2021] Adding txt value: 7UhPDjsy6mjIfKRwqsvy9gh6eg5pjGsWL6v4c0W4JG0 for domain:  _acme-challenge.drive.harrydowe.uk
[Mon Mar 29 16:21:57 BST 2021] First detect the root zone
[Mon Mar 29 16:21:57 BST 2021] h='_acme-challenge.drive.harrydowe.uk'
[Mon Mar 29 16:21:57 BST 2021] zones?name=_acme-challenge.drive.harrydowe.uk
[Mon Mar 29 16:21:57 BST 2021] GET
[Mon Mar 29 16:21:57 BST 2021] url='https://api.cloudflare.com/client/v4/zones?name=_acme-challenge.drive.harrydowe.uk'
[Mon Mar 29 16:21:57 BST 2021] timeout=
[Mon Mar 29 16:21:57 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g '
[Mon Mar 29 16:21:59 BST 2021] ret='0'
[Mon Mar 29 16:21:59 BST 2021] h='drive.harrydowe.uk'
[Mon Mar 29 16:21:59 BST 2021] zones?name=drive.harrydowe.uk
[Mon Mar 29 16:21:59 BST 2021] GET
[Mon Mar 29 16:21:59 BST 2021] url='https://api.cloudflare.com/client/v4/zones?name=drive.harrydowe.uk'
[Mon Mar 29 16:21:59 BST 2021] timeout=
[Mon Mar 29 16:21:59 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g '
[Mon Mar 29 16:22:00 BST 2021] ret='0'
[Mon Mar 29 16:22:00 BST 2021] h='harrydowe.uk'
[Mon Mar 29 16:22:00 BST 2021] zones?name=harrydowe.uk
[Mon Mar 29 16:22:00 BST 2021] GET
[Mon Mar 29 16:22:00 BST 2021] url='https://api.cloudflare.com/client/v4/zones?name=harrydowe.uk'
[Mon Mar 29 16:22:00 BST 2021] timeout=
[Mon Mar 29 16:22:00 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g '
[Mon Mar 29 16:22:03 BST 2021] ret='0'
[Mon Mar 29 16:22:03 BST 2021] h='uk'
[Mon Mar 29 16:22:03 BST 2021] zones?name=uk
[Mon Mar 29 16:22:03 BST 2021] GET
[Mon Mar 29 16:22:03 BST 2021] url='https://api.cloudflare.com/client/v4/zones?name=uk'
[Mon Mar 29 16:22:03 BST 2021] timeout=
[Mon Mar 29 16:22:03 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g '
[Mon Mar 29 16:22:04 BST 2021] ret='0'
[Mon Mar 29 16:22:04 BST 2021] h
[Mon Mar 29 16:22:04 BST 2021] invalid domain
[Mon Mar 29 16:22:04 BST 2021] Error add txt for domain:_acme-challenge.drive.harrydowe.uk
[Mon Mar 29 16:22:04 BST 2021] _on_issue_err
[Mon Mar 29 16:22:04 BST 2021] Please add '--debug' or '--log' to check more details.
[Mon Mar 29 16:22:04 BST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Mon Mar 29 16:22:04 BST 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/11931955317/vHSaPw'
[Mon Mar 29 16:22:04 BST 2021] payload='{}'
[Mon Mar 29 16:22:05 BST 2021] POST
[Mon Mar 29 16:22:05 BST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/11931955317/vHSaPw'
[Mon Mar 29 16:22:05 BST 2021] _CURL='curl --silent --dump-header ./http.header  -L  -g '
[Mon Mar 29 16:22:06 BST 2021] _ret='0'
[Mon Mar 29 16:22:06 BST 2021] code='200'
[Mon Mar 29 16:22:06 BST 2021] socat doesn't exist.
[Mon Mar 29 16:22:06 BST 2021] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2u-fips  20 Dec 2019
apache:
apache doesn't exist.
nginx:
nginx version: nginx/1.16.1
TLS SNI support enabled
socat:
[Mon Mar 29 16:22:06 BST 2021] pid
[Mon Mar 29 16:22:06 BST 2021] No need to restore nginx, skip.
[Mon Mar 29 16:22:06 BST 2021] _clearupdns
[Mon Mar 29 16:22:06 BST 2021] dns_entries
[Mon Mar 29 16:22:06 BST 2021] skip dns

My web server is (include version): nginx version: nginx/1.16.1 (I think, it's Synology DSM)

The operating system my web server runs on is (include version): Synology DSM

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

./acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.9

I've been following the Synology NAS guide to create a certificate. I had success creating nas.harrydowe.uk, then later I learned it's possible to configure a different DNS for each app on my NAS, so I tried to create drive.harrydowe.uk; however, it errors with:

invalid domain
Error add txt for domain:_acme-challenge.drive.harrydowe.uk

I also tried to create a single certificate with multiple domains with -d nas.harrydowe.uk -d drive.harrydowe.uk, which appeared to complete successfully but didn't appear to deploy properly in the subsequent deploy step in the guide. I still got an invalid certificate error from Cloudflare when accessing drive.harrydowe.uk. I can inspect the certificate by accessing it via 192.168.1.25:5001; of course I get an invalid cert, but I don't see any mention of drive.harrydowe.uk in the cert.

./acme.sh --insecure --deploy --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm

I'm using Cloudflare for the DNS.
In the logs it tries to create the TXT record and then gets the zones. I'm not sure it's successfully completing that. I've also tried creating a wildcard domain, but the same error happens.

Any input on this is greatly appreciated.


Welcome to the Let's Encrypt Community, Harry :slightly_smiling_face:

Let me take a look...

Please run this command and show the output:

./acme.sh --issue --home . -d 'drive.harrydowe.uk' --dns dns_cf --debug 2

Hi @griffin, the --debug 2 revealed the error:

[Mon Mar 29 20:20:53 BST 2021] response='{"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6111,"message":"Invalid format for Authorization header"}]}],"messages":[],"result":null}'

This is the request it makes to create the TXT record. I don't know how, but it looks like the API token is bad; using a new one fixed it for me. Thanks for the --debug 2 trick!

After figuring out some reverse proxy stuff and some other config, I got it working in the end. Cheers!

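The thread's outcome, as an added example that is not part of acme.sh or of the original posts: the script below emulates the dns_cf root-zone walk visible in the --debug log (one zones?name= query per suffix, from _acme-challenge.drive.harrydowe.uk down to uk) and shows why a Cloudflare authentication failure is reported as "invalid domain" unless the API response's success flag and error chain are inspected. The Cloudflare payloads are constructed from the response quoted above; ZONE_ID_PLACEHOLDER and the fake query function are assumptions, and no network calls are made. The header check at the end only catches local copy-and-paste defects in the Bearer token that acme.sh's dns_cf hook builds from CF_Token; it does not validate the token with Cloudflare.

```python
"""Added diagnostic (not acme.sh code): emulate the dns_cf root-zone walk and
surface the real Cloudflare error instead of a generic "invalid domain"."""
import re

# Constructed sample payloads modelled on the response quoted in the thread.
# No network access is made; ZONE_ID_PLACEHOLDER is an assumed value, not a real id.
AUTH_ERROR_RESPONSE = {
    "success": False,
    "errors": [{"code": 6003, "message": "Invalid request headers",
                "error_chain": [{"code": 6111,
                                 "message": "Invalid format for Authorization header"}]}],
    "messages": [], "result": None,
}
SAMPLE_ZONES = [{"name": "harrydowe.uk", "id": "ZONE_ID_PLACEHOLDER"}]


def zone_candidates(fqdn):
    """Suffixes acme.sh tries, longest first:
    _acme-challenge.drive.harrydowe.uk, drive.harrydowe.uk, harrydowe.uk, uk."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def flatten_errors(response):
    """Return [(code, message), ...] including nested error_chain entries."""
    out = []

    def walk(errs):
        for err in errs:
            out.append((err["code"], err["message"]))
            walk(err.get("error_chain", []))

    walk(response.get("errors", []))
    return out


def make_fake_zones_api(token_ok, zones):
    """Stand-in for GET https://api.cloudflare.com/client/v4/zones?name=<h>
    (constructed; a bad token yields the auth error seen in the thread)."""
    def query(name):
        if not token_ok:
            return AUTH_ERROR_RESPONSE
        return {"success": True, "errors": [],
                "result": [z for z in zones if z["name"] == name]}
    return query


def find_root_zone(fqdn, query):
    """Walk the suffixes like dns_cf does, but stop on an API error instead of
    treating every non-matching response as "no zone matched"."""
    tried = []
    for cand in zone_candidates(fqdn):
        tried.append(cand)
        resp = query(cand)
        if not resp.get("success"):
            # With a bad token every suffix fails the same way, so the walk would
            # otherwise run out of labels and report "invalid domain".
            return {"status": "api_error", "errors": flatten_errors(resp), "tried": tried}
        for zone in resp["result"]:
            if zone["name"] == cand:
                return {"status": "ok", "zone": cand, "zone_id": zone["id"], "tried": tried}
    # Only this case is genuinely "invalid domain": no suffix is a zone in the account.
    return {"status": "not_found", "tried": tried}


_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def check_bearer_header(value):
    """Local sanity check on an 'Authorization: Bearer <token>' header value.
    Catches common copy/paste defects (trailing newline, stray characters);
    it does not verify the token against Cloudflare."""
    problems = []
    if value != value.strip():
        problems.append("leading/trailing whitespace or newline")
    if not value.startswith("Bearer "):
        problems.append("missing 'Bearer ' prefix")
    token = value[len("Bearer "):] if value.startswith("Bearer ") else value
    if not _TOKEN_RE.match(token.strip()):
        problems.append("token contains characters outside [A-Za-z0-9_-]")
    return problems


if __name__ == "__main__":
    name = "_acme-challenge.drive.harrydowe.uk"
    print(find_root_zone(name, make_fake_zones_api(True, SAMPLE_ZONES)))
    print(find_root_zone(name, make_fake_zones_api(False, SAMPLE_ZONES)))
    print(check_bearer_header("Bearer abc\n"))
```

With the sample zone present the walk returns status "ok" after three queries; with a bad token it stops at the first query and reports codes 6003 and 6111, rather than walking all the way down to "uk" and giving up with "invalid domain" as the log above shows.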

Excellent! :partying_face:

Glad it all worked out! :smiley:
