Renewal using DNS-01


#1

My certificate expires 2017-01-10.

So I asked a renewal, but it fails. My certificate was issued using DNS-01.

I wonder if I had to ask a “re-issue” and replace the txt record every time that I renew the cert.

Thanks in advance!


#2

A renew is essentially the same as a re-issue, yes. You would get a new token to place in your DNS to prove ownership. If you did it the first time with a script / client that automates the process though - it should do the same on a renew.


#3

If you need a method to use, you can review:

You don’t really have to use a separate DNS server - you can use the same one that hosts your DNS if you wish - I just prefer to separate these things :slight_smile:


#4

Do I need a new token because of the DNS-01 method? Or do I need one in TLS-01 too?


#5

Hi @serverco,

I understood something different since your very answer :slight_smile:

Please could you help to understand?

Thanks in advance!


#6

I’m not sure I understand what your specific question is.


#7

Ok:

I have a certificate that expires in 20 days.

Certificates were generated by DNS-01. So according to your answer in:

since you will typically renew after about 60 days then you won’t (currently) need to perform a challenge on your first renewal.

I thought that I was able to renew the certificate with no need of a new challenge, I mean: change txt record in dns configuration.

But I’ve tried using acme.sh and failed, and now if I’ve understood well, you say that yes, I must generate a new challenge. If my certificate has not expired, I don’t understand why the txt record is expired too.

Am I missing something?

Thanks in advance


#8

The existing txt record expires relatively quickly (in terms of its validity for proof of ownership), typically within a few days.

If you use the same account key though, it should keep the authorization of your domain for a period of (currently) 60 days. i.e. if you have already validated your domain with that account key within the last 60 days you do not need to revalidate to obtain a new certificate.

If the cert expires in 20 days, then it is 70 days old, i.e. 70 days since you last validated your domain, hence over 60 days, and the authorisation period will have expired.

If you change the account key, you would need to revalidate again (even if the cert is still valid).

Does that explain things a little better ?


#9

:slight_smile: I think I’ve got it

I had a cronjob of acme.sh that checks on a daily basis to make the renewal, but I don’t know why it doesn’t do it at 60 days… :confused:

So “authorization of a domain” expires before the certificate, doesn’t it?

I haven’t found that in the official documentation…


#10

Without any information from your logs, I don’t either.

correct

There is a post at Upcoming API changes where it discusses the time period dropping from 10 months down to 90 days … I can’t see the post at the moment where it is announced it changed to 60 days.


#11

[quote=“serverco, post:10, topic:24202, full:true”]
Without any information from your logs, I don’t either.
[/quote]

Below my logs:

acme.sh  --debug 2 --renew  --dns -d example.com
[mié dic 14 19:50:12 ART 2016] _is_idn_d='example.com'
[mié dic 14 19:50:12 ART 2016] _idn_temp
[mié dic 14 19:50:12 ART 2016] Lets find script dir.
[mié dic 14 19:50:12 ART 2016] _SCRIPT_='/root/.acme.sh/acme.sh'
[mié dic 14 19:50:12 ART 2016] _script='/root/.acme.sh/acme.sh'
[mié dic 14 19:50:12 ART 2016] _script_home='/root/.acme.sh'
[mié dic 14 19:50:12 ART 2016] 6:ACCOUNT_EMAIL='jdoe@example.com'
[mié dic 14 19:50:12 ART 2016] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.6.5
[mié dic 14 19:50:12 ART 2016] DOMAIN_PATH='/root/.acme.sh/example.com'
[mié dic 14 19:50:12 ART 2016] Renew: 'example.com'
[mié dic 14 19:50:12 ART 2016] Using api: https://acme-v01.api.letsencrypt.org
[mié dic 14 19:50:12 ART 2016] Le_NextRenewTime='1481389849'
[mié dic 14 19:50:12 ART 2016] 1:Le_Domain='example.com'
[mié dic 14 19:50:13 ART 2016] 2:Le_Alt='soporte.example.com,mail.example.com'
[mié dic 14 19:50:13 ART 2016] 3:Le_Webroot='dns'
[mié dic 14 19:50:13 ART 2016] 4:Le_PreHook=''
[mié dic 14 19:50:13 ART 2016] 5:Le_PostHook=''
[mié dic 14 19:50:13 ART 2016] 6:Le_RenewHook=''
[mié dic 14 19:50:13 ART 2016] 8:Le_API='https://acme-v01.api.letsencrypt.org'
[mié dic 14 19:50:13 ART 2016] _on_before_issue
[mié dic 14 19:50:13 ART 2016] 'dns' does not contain 'no'
[mié dic 14 19:50:13 ART 2016] Le_LocalAddress
[mié dic 14 19:50:13 ART 2016] Check for domain='example.com'
[mié dic 14 19:50:13 ART 2016] _currentRoot='dns'
[mié dic 14 19:50:13 ART 2016] Check for domain='soporte.example.com'
[mié dic 14 19:50:13 ART 2016] _currentRoot='dns'
[mié dic 14 19:50:13 ART 2016] Check for domain='mail.example.com'
[mié dic 14 19:50:13 ART 2016] _currentRoot='dns'
[mié dic 14 19:50:13 ART 2016] 'dns' does not contain 'apache'
[mié dic 14 19:50:13 ART 2016] _saved_account_key_hash='DzEOJIg8ZoYcxkpV/6rGsvu9UeL3Jgy1GbhzgObc/Ys='
[mié dic 14 19:50:13 ART 2016] _saved_account_key_hash is not changed, skip register account.
[mié dic 14 19:50:13 ART 2016] Read key length:
[mié dic 14 19:50:13 ART 2016] _createcsr
[mié dic 14 19:50:13 ART 2016] domain='example.com'
[mié dic 14 19:50:13 ART 2016] domainlist='soporte.example.com,mail.example.com'
[mié dic 14 19:50:13 ART 2016] csrkey='/root/.acme.sh/example.com/example.com.key'
[mié dic 14 19:50:13 ART 2016] csr='/root/.acme.sh/example.com/example.com.csr'
[mié dic 14 19:50:13 ART 2016] csrconf='/root/.acme.sh/example.com/example.com.csr.conf'
[mié dic 14 19:50:13 ART 2016] _is_idn_d='soporte.example.com,mail.example.com'
[mié dic 14 19:50:13 ART 2016] _idn_temp
[mié dic 14 19:50:13 ART 2016] domainlist='soporte.example.com,mail.example.com'
[mié dic 14 19:50:13 ART 2016] Multi domain='DNS:soporte.example.com,DNS:mail.example.com'
[mié dic 14 19:50:14 ART 2016] _is_idn_d='example.com'
[mié dic 14 19:50:14 ART 2016] _idn_temp
[mié dic 14 19:50:14 ART 2016] _csr_cn='example.com'
[mié dic 14 19:50:14 ART 2016] 9:Le_Keylength=''
[mié dic 14 19:50:14 ART 2016] Getting domain auth token for each domain
[mié dic 14 19:50:14 ART 2016] ok, let's start to verify
[mié dic 14 19:50:14 ART 2016] Verifying:example.com
[mié dic 14 19:50:14 ART 2016] d='example.com'
[mié dic 14 19:50:14 ART 2016] keyauthorization='cS-HBtSsXrU9tS7cMpkRBlWNmWDGtGAM7Q8WYC2n-54.68gtoz4zHdSiMd2o_wh_smFmRIJS5pAkBDJcyNJqaOc'
[mié dic 14 19:50:14 ART 2016] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/hSiLzgMimkIhD1kDhcqezzQV99TcioGjqgExN7_9eQQ/419030464'
[mié dic 14 19:50:14 ART 2016] _currentRoot='dns'
[mié dic 14 19:50:14 ART 2016] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hSiLzgMimkIhD1kDhcqezzQV99TcioGjqgExN7_9eQQ/419030464'
[mié dic 14 19:50:14 ART 2016] payload='{"resource": "challenge", "keyAuthorization": "cS-HBtSsXrU9tS7cMpkRBlWNmWDGtGAM7Q8WYC2n-54.68gtoz4zHdSiMd2o_wh_smFmRIJS5pAkBDJcyNJqaOc"}'
[mié dic 14 19:50:14 ART 2016] RSA key
[mié dic 14 19:50:20 ART 2016] Get nonce.
[mié dic 14 19:50:20 ART 2016] GET
[mié dic 14 19:50:20 ART 2016] url='https://acme-v01.api.letsencrypt.org/directory'
[mié dic 14 19:50:20 ART 2016] timeout
[mié dic 14 19:50:20 ART 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.3qtKYMXTKz '
[mié dic 14 19:50:20 ART 2016] ret='0'
[mié dic 14 19:50:20 ART 2016] _headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: 6yRssJC2S0cpxkWEEF386jzSVu-b_mex19-o6RSn3AQ
Replay-Nonce: ZiACRFwwBf6FLPPawgeWYV7tDo08r1xoCsiINdbCE2w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 14 Dec 2016 22:50:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 14 Dec 2016 22:50:20 GMT
Connection: keep-alive

'
[mié dic 14 19:50:20 ART 2016] _CACHED_NONCE='ZiACRFwwBf6FLPPawgeWYV7tDo08r1xoCsiINdbCE2w'
[mié dic 14 19:50:20 ART 2016] nonce='ZiACRFwwBf6FLPPawgeWYV7tDo08r1xoCsiINdbCE2w'
[mié dic 14 19:50:21 ART 2016] POST
[mié dic 14 19:50:21 ART 2016] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hSiLzgMimkIhD1kDhcqezzQV99TcioGjqgExN7_9eQQ/419030464'
[mié dic 14 19:50:21 ART 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.SZXInbowvc '
[mié dic 14 19:50:22 ART 2016] _ret='0'
[mié dic 14 19:50:22 ART 2016] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: Response does not complete challenge",
  "status": 400
}'
[mié dic 14 19:50:22 ART 2016] responseHeaders='HTTP/1.1 100 Continue
Expires: Wed, 14 Dec 2016 22:50:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 139
Boulder-Request-Id: aQT7-JMpw5lNwc_LmYuy-bbxBAMPzRlu2iIzz6TyXIc
Boulder-Requester: 4942834
Replay-Nonce: VSTqdPYkaeZidpNv-Je0f7YhQ019ZRUPHtRwbshQiF8
Expires: Wed, 14 Dec 2016 22:50:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 14 Dec 2016 22:50:22 GMT
Connection: close

'
[mié dic 14 19:50:22 ART 2016] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: Response does not complete challenge","status": 400}'
[mié dic 14 19:50:22 ART 2016] code='400'
[mié dic 14 19:50:22 ART 2016] example.com:Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: Response does not complete challenge","status": 400}
[mié dic 14 19:50:22 ART 2016] Skip for removelevel:
[mié dic 14 19:50:22 ART 2016] pid
[mié dic 14 19:50:22 ART 2016] _clearupdns
[mié dic 14 19:50:22 ART 2016] Dns not added, skip.
[mié dic 14 19:50:22 ART 2016] _on_issue_err
[mié dic 14 19:50:22 ART 2016] Please check log file for more details: /root/.acme.sh/acme.sh.log
[mié dic 14 19:50:22 ART 2016] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.1t  3 May 2016
apache:
apache doesn't exists.
nc:
OpenBSD netcat (Debian patchlevel 1.105-7)
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
	  [-P proxy_username] [-p source_port] [-q seconds] [-s source]
	  [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
	  [-x proxy_address[:port]] [destination] [port]
	Command Summary:
		-4		Use IPv4
		-6		Use IPv6
		-b		Allow broadcast
		-C		Send CRLF as line-ending
		-D		Enable the debug socket option
		-d		Detach from stdin
		-h		This help text
		-I length	TCP receive buffer length
		-i secs		Delay interval for lines sent, ports scanned
		-j		Use jumbo frame
		-k		Keep inbound sockets open for multiple connects
		-l		Listen mode, for inbound connects
		-n		Suppress name/port resolutions
		-O length	TCP send buffer length
		-P proxyuser	Username for proxy authentication
		-p port		Specify local port for remote connects
        	-q secs		quit after EOF on stdin and delay of secs
		-r		Randomize remote ports
		-S		Enable the TCP MD5 signature option
		-s addr		Local source address
		-T toskeyword	Set IP Type of Service
		-t		Answer TELNET negotiation
		-U		Use UNIX domain socket
		-u		UDP mode
		-V rtable	Specify alternate routing table
		-v		Verbose
		-w secs		Timeout for connects and final net reads
		-X proto	Proxy protocol: "4", "5" (SOCKS) or "connect"
		-x addr[:port]	Specify proxy address and port
		-Z		DCCP mode
		-z		Zero-I/O mode [used for scanning]
	Port numbers can be individual or ranges: lo-hi [inclusive]

Thanks in advance!


#12

I assume you have changed the logs to show “example.com” rather than your real domain name …

I’d suggest opening an issue on the acme client site - https://github.com/Neilpang/acme.sh or @Neilpang (the author) may be able to help


#13

According to an already closed issue, acme.sh does make use of the authz reuse feature… According to the issue, when it does, it shows something like:

[Tue Sep 20 19:09:38 CST 2016] Getting token for domain='test.mydomain.com'
[Tue Sep 20 19:09:41 CST 2016] test.mydomain.com is already verified, skip.

But @sebelk’s log shows:

[mié dic 14 19:50:14 ART 2016] Getting domain auth token for each domain
[mié dic 14 19:50:14 ART 2016] ok, let’s start to verify
[mié dic 14 19:50:14 ART 2016] Verifying:example.com

To me this suggests:

a) @sebelk’s acme.sh is outdated, or
b) The authz is already invalid.

Edit: 2.6.5 is the newest version :stuck_out_tongue:


#14

v2.6.5 … you beat me to it :slight_smile:


#15

@serverco Thanks for AT me here, but I was too busy recently.

@Osiris

Hi @sebelk
Is this your post: https://github.com/Neilpang/acme.sh/issues/468

You are using dns manual mode.

It’s required by the acme protocol to add a different txt record to your domain each time you renew the cert.

Please use dns api mode instead.
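The two points made above (post #8: an authorization made with the same account key can be reused for about 60 days, so a 90-day cert with 20 days left is past that window; post #15: a fresh challenge token means a fresh TXT record) can be checked with a small script. This is an added example, not code from the thread or from acme.sh; the 60- and 90-day figures are taken as stated in the thread, and the key authorization string is a constructed sample.

```python
import base64
import hashlib

# Figures as stated in the thread (2016): authorizations reusable for 60 days,
# certificates valid for 90 days. Parameters here, not current policy.
AUTHZ_LIFETIME_DAYS = 60
CERT_LIFETIME_DAYS = 90


def dns01_txt_value(key_authorization: str) -> str:
    """Value the CA expects in the _acme-challenge TXT record for DNS-01:
    base64url(SHA-256(keyAuthorization)) with '=' padding stripped.
    keyAuthorization is '<token>.<account key thumbprint>' (the log's
    keyauthorization='...' line), so a new token always means a new record."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_record_name(domain: str) -> str:
    """Owner name of the TXT record the CA queries (trailing dot = absolute)."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def record_matches(published_value: str, key_authorization: str) -> bool:
    """True if the TXT value currently in DNS satisfies this challenge.
    A record left over from the previous renewal fails this check, which
    is what 'Response does not complete challenge' reports in the log."""
    return published_value == dns01_txt_value(key_authorization)


def days_since_validation(days_until_expiry: int) -> int:
    """Post #8's arithmetic: a cert with N days left was issued (and its
    domains validated) CERT_LIFETIME_DAYS - N days ago."""
    return CERT_LIFETIME_DAYS - days_until_expiry


def authz_reusable(days_since: int) -> bool:
    """Can the cached authorization (same account key) still be reused?"""
    return days_since <= AUTHZ_LIFETIME_DAYS


if __name__ == "__main__":
    # Constructed sample, not the key authorization from the thread's log.
    sample = "token-from-new-challenge.account-key-thumbprint"
    print(challenge_record_name("example.com"), "TXT", dns01_txt_value(sample))
    since = days_since_validation(20)  # thread: cert expires in 20 days
    print(f"validated {since} days ago, authz reusable: {authz_reusable(since)}")
```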


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.