SSL Cert renewal suddenly fails for a domain, where it worked perfectly for 3+ years

Hello Friends:

For 3+ years, I've successfully been using the below script to issue and renew my LetsEncrypt SSL Certificates atop NameCheap for the domain and sub-domains shown (nyceyes.com). However, during my latest renewal attempt, the script suddenly fails for the sub-domains: cpanel, webdisk, and webmail:

acme.sh --force --issue --webroot ~/public_html \
    -d nyceyes.com \
    -d www.nyceyes.com \
    -d autodiscover.nyceyes.com \
    -d cpcalendars.nyceyes.com \
    -d cpcontacts.nyceyes.com \
    -d mail.nyceyes.com \
    -d cpanel.nyceyes.com \   <--- Suddenly fails.
    -d webdisk.nyceyes.com \  <--- Suddenly fails.
    -d webmail.nyceyes.com    <--- Suddenly fails.

sleep 5
acme.sh --deploy --deploy-hook cpanel_uapi --domain nyceyes.com

Using cpanel.nyceyes.com to illustrate the problem (but it's the same result for all three subdomains), here's the console error output:

[Fri Dec 20 09:41:39 EST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Dec 20 09:41:40 EST 2024] Creating domain key
[Fri Dec 20 09:41:41 EST 2024] The domain key is here: /home/nycemyqd/.acme.sh/nyceyes.com_ecc/nyceyes.com.key
[Fri Dec 20 09:41:42 EST 2024] Multi domain='DNS:nyceyes.com,DNS:www.nyceyes.com,DNS:autodiscover.nyceyes.com,DNS:cpcalendars.nyceyes.com,DNS:cpcontacts.nyceyes.com,DNS:mail.nyceyes.com,DNS:cpanel.nyceyes.com,DNS:webdisk.nyceyes.com,DNS:webmail.nyceyes.com'
[Fri Dec 20 09:41:56 EST 2024] Getting webroot for domain='nyceyes.com'
[Fri Dec 20 09:41:56 EST 2024] Getting webroot for domain='www.nyceyes.com'
[Fri Dec 20 09:41:56 EST 2024] Getting webroot for domain='autodiscover.nyceyes.com'
[Fri Dec 20 09:41:57 EST 2024] Getting webroot for domain='cpcalendars.nyceyes.com'
[Fri Dec 20 09:41:57 EST 2024] Getting webroot for domain='cpcontacts.nyceyes.com'
[Fri Dec 20 09:41:57 EST 2024] Getting webroot for domain='mail.nyceyes.com'
[Fri Dec 20 09:41:57 EST 2024] Getting webroot for domain='cpanel.nyceyes.com'
[Fri Dec 20 09:41:58 EST 2024] Getting webroot for domain='webdisk.nyceyes.com'
[Fri Dec 20 09:41:58 EST 2024] Getting webroot for domain='webmail.nyceyes.com'
[Fri Dec 20 09:42:00 EST 2024] nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 09:42:00 EST 2024] www.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 09:42:00 EST 2024] autodiscover.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 09:42:00 EST 2024] cpcalendars.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 09:42:00 EST 2024] cpcontacts.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 09:42:00 EST 2024] mail.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 09:42:00 EST 2024] Verifying: cpanel.nyceyes.com
[Fri Dec 20 09:42:03 EST 2024] Pending. The CA is processing your order, please wait. (1/30)
[Fri Dec 20 09:42:07 EST 2024] cpanel.nyceyes.com: Invalid status. Verification error details: 162.0.229.138: Invalid response from https://cpanel.nyceyes.com/.well-known/acme-challenge/s1028aGVuESjYGk6ZoA334mV17FXoEThmTuV9h-conw:
[Fri Dec 20 09:42:08 EST 2024] Please check log file for more details: /home/nycemyqd/.acme.sh/acme.sh.log
[Fri Dec 20 09:42:08 EST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3

And from the acme.sh.log file, the corresponding error output is this (for cpanel.nyceyes.com):

[ ... snip ... ]
[Fri Dec 20 17:58:05 EST 2024] OK, let's start verification
[Fri Dec 20 17:58:05 EST 2024] nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 17:58:05 EST 2024] www.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 17:58:05 EST 2024] autodiscover.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 17:58:06 EST 2024] cpcalendars.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 17:58:06 EST 2024] cpcontacts.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 17:58:06 EST 2024] mail.nyceyes.com is already verified, skipping http-01.
[Fri Dec 20 17:58:06 EST 2024] Verifying: cpanel.nyceyes.com
[Fri Dec 20 17:58:06 EST 2024] d='cpanel.nyceyes.com'
[Fri Dec 20 17:58:06 EST 2024] keyauthorization='MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY'
[Fri Dec 20 17:58:06 EST 2024] uri='https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g'
[Fri Dec 20 17:58:06 EST 2024] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447975330875'
[Fri Dec 20 17:58:06 EST 2024] _currentRoot='/home/nycemyqd/public_html'
[Fri Dec 20 17:58:06 EST 2024] wellknown_path='/home/nycemyqd/public_html/.well-known/acme-challenge'
[Fri Dec 20 17:58:06 EST 2024] Writing token: MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c to /home/nycemyqd/public_html/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c
[Fri Dec 20 17:58:06 EST 2024] Trigger domain validation.
[Fri Dec 20 17:58:06 EST 2024] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g'
[Fri Dec 20 17:58:06 EST 2024] _t_key_authz='MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY'
[Fri Dec 20 17:58:06 EST 2024] _t_vtype='http-01'
[Fri Dec 20 17:58:06 EST 2024] =======Sending Signed Request=======
[Fri Dec 20 17:58:06 EST 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g'
[Fri Dec 20 17:58:06 EST 2024] payload='{}'
[Fri Dec 20 17:58:06 EST 2024] Use cached jwk for file: /home/nycemyqd/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
[Fri Dec 20 17:58:06 EST 2024] Use _CACHED_NONCE='LPSR-4-s9aUG3vqaO4pxv6NE2UmLoUqag9rNyDC232J2lqxqtnQ'
[Fri Dec 20 17:58:06 EST 2024] nonce='LPSR-4-s9aUG3vqaO4pxv6NE2UmLoUqag9rNyDC232J2lqxqtnQ'
[Fri Dec 20 17:58:06 EST 2024] POST
[Fri Dec 20 17:58:06 EST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g'
[Fri Dec 20 17:58:06 EST 2024] body='{"protected": "eyJub25jZSI6ICJMUFNSLTQtczlhVUczdnFhTzRweHY2TkUyVW1Mb1VxYWc5ck55REMyMzJKMmxxeHF0blEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzEyMzgxNjY4MzYvNDQ3OTc1MzMwODc1L0lWc0QwZyIsICJhbGciOiAiRVMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzODE2NjgzNiJ9", "payload": "e30", "signature": "jaUj6juFtqZTKZfArrU_XD905TlBM3FMSkEEKHk7fvBOv-MThoXNTChCxl1XLssaWpCy6ordrZ0uZorD7zZmJw"}'
[Fri Dec 20 17:58:06 EST 2024] _postContentType='application/jose+json'
[Fri Dec 20 17:58:06 EST 2024] Http already initialized.
[Fri Dec 20 17:58:06 EST 2024] _CURL='curl --silent --dump-header /home/nycemyqd/.acme.sh/http.header  -L  -g '
[Fri Dec 20 17:58:07 EST 2024] _ret='0'
[Fri Dec 20 17:58:07 EST 2024] responseHeaders='HTTP/2 200 
server: nginx
date: Fri, 20 Dec 2024 22:58:07 GMT
content-type: application/json
content-length: 195
boulder-requester: 1238166836
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447975330875>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g
replay-nonce: LPSR-4-s-c6PgzlFFyYRHznnD8ipBv78JD2aFsvCQSgXnenJYbM
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Fri Dec 20 17:58:07 EST 2024] code='200'
[Fri Dec 20 17:58:07 EST 2024] original='{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g",
  "status": "pending",
  "token": "MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c"
}'
[Fri Dec 20 17:58:07 EST 2024] response='{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g","status":"pending","token":"MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c"}'
[Fri Dec 20 17:58:07 EST 2024] Trigger validation code: 200
[Fri Dec 20 17:58:07 EST 2024] Let's check the authz status
[Fri Dec 20 17:58:07 EST 2024] original='{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g","status":"pending","token":"MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c"}'
[Fri Dec 20 17:58:07 EST 2024] response='{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g","status":"pending","token":"MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c"}'
[Fri Dec 20 17:58:07 EST 2024] status='pending'
[Fri Dec 20 17:58:07 EST 2024] Pending. The CA is processing your order, please wait. (1/30)
[Fri Dec 20 17:58:07 EST 2024] Sleep 2 seconds before verifying again
[Fri Dec 20 17:58:10 EST 2024] Checking
[Fri Dec 20 17:58:10 EST 2024] =======Sending Signed Request=======
[Fri Dec 20 17:58:10 EST 2024] url='https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447975330875'
[Fri Dec 20 17:58:10 EST 2024] payload
[Fri Dec 20 17:58:10 EST 2024] Use cached jwk for file: /home/nycemyqd/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
[Fri Dec 20 17:58:10 EST 2024] Use _CACHED_NONCE='LPSR-4-s-c6PgzlFFyYRHznnD8ipBv78JD2aFsvCQSgXnenJYbM'
[Fri Dec 20 17:58:10 EST 2024] nonce='LPSR-4-s-c6PgzlFFyYRHznnD8ipBv78JD2aFsvCQSgXnenJYbM'
[Fri Dec 20 17:58:10 EST 2024] POST
[Fri Dec 20 17:58:10 EST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447975330875'
[Fri Dec 20 17:58:10 EST 2024] body='{"protected": "eyJub25jZSI6ICJMUFNSLTQtcy1jNlBnemxGRnlZUkh6bm5EOGlwQnY3OEpEMmFGc3ZDUVNnWG5lbkpZYk0iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzEyMzgxNjY4MzYvNDQ3OTc1MzMwODc1IiwgImFsZyI6ICJFUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjM4MTY2ODM2In0", "payload": "", "signature": "SV199HQsKDQNFDP8iQAtEmpvygj1vU4IsTF4B29X2Ss645rz7poNF_A6hHwF905IM9kanMltXLv8mMVQ5tEKyw"}'
[Fri Dec 20 17:58:10 EST 2024] _postContentType='application/jose+json'
[Fri Dec 20 17:58:10 EST 2024] Http already initialized.
[Fri Dec 20 17:58:10 EST 2024] _CURL='curl --silent --dump-header /home/nycemyqd/.acme.sh/http.header  -L  -g '
[Fri Dec 20 17:58:11 EST 2024] _ret='0'
[Fri Dec 20 17:58:11 EST 2024] responseHeaders='HTTP/2 200 
server: nginx
date: Fri, 20 Dec 2024 22:58:11 GMT
content-type: application/json
content-length: 1575
boulder-requester: 1238166836
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: LPSR-4-s0jBwWYNaPHPs1whBVbg7bZwaNX1s4ewZkP_DCv-Ekas
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Fri Dec 20 17:58:11 EST 2024] code='200'
[Fri Dec 20 17:58:11 EST 2024] original='{
  "identifier": {
    "type": "dns",
    "value": "cpanel.nyceyes.com"
  },
  "status": "invalid",
  "expires": "2024-12-27T22:57:52Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g",
      "status": "invalid",
      "validated": "2024-12-20T22:58:07Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "162.0.229.138: Invalid response from https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c: \"\\n\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\" dir=\\\"ltr\\\"\u003e\\n\u003chead\u003e\\n    \u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset=utf-8\\\" /\u003e\\n   \"",
        "status": 403
      },
      "token": "MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c",
      "validationRecord": [
        {
          "url": "http://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c",
          "hostname": "cpanel.nyceyes.com",
          "port": "80",
          "addressesResolved": [
            "162.0.229.138"
          ],
          "addressUsed": "162.0.229.138"
        },
        {
          "url": "https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c",
          "hostname": "cpanel.nyceyes.com",
          "port": "443",
          "addressesResolved": [
            "162.0.229.138"
          ],
          "addressUsed": "162.0.229.138"
        }
      ]
    }
  ]
}'
[Fri Dec 20 17:58:11 EST 2024] response='{"identifier":{"type":"dns","value":"cpanel.nyceyes.com"},"status":"invalid","expires":"2024-12-27T22:57:52Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g","status":"invalid","validated":"2024-12-20T22:58:07Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"162.0.229.138: Invalid response from https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c: \"\\n\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\" dir=\\\"ltr\\\"\u003e\\n\u003chead\u003e\\n    \u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset=utf-8\\\" /\u003e\\n   \"","status": 403},"token":"MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","validationRecord":[{"url":"http://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","hostname":"cpanel.nyceyes.com","port":"80","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"},{"url":"https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","hostname":"cpanel.nyceyes.com","port":"443","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"}]}]}'
[Fri Dec 20 17:58:11 EST 2024] original='{"identifier":{"type":"dns","value":"cpanel.nyceyes.com"},"status":"invalid","expires":"2024-12-27T22:57:52Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g","status":"invalid","validated":"2024-12-20T22:58:07Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"162.0.229.138: Invalid response from https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c: \"\\n\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\" dir=\\\"ltr\\\"\u003e\\n\u003chead\u003e\\n    \u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset=utf-8\\\" /\u003e\\n   \"","status": 403},"token":"MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","validationRecord":[{"url":"http://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","hostname":"cpanel.nyceyes.com","port":"80","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"},{"url":"https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","hostname":"cpanel.nyceyes.com","port":"443","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"}]}]}'
[Fri Dec 20 17:58:11 EST 2024] response='{"identifier":{"type":"dns","value":"cpanel.nyceyes.com"},"status":"invalid","expires":"2024-12-27T22:57:52Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g","status":"invalid","validated":"2024-12-20T22:58:07Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"162.0.229.138: Invalid response from https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c: \"\\n\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\" dir=\\\"ltr\\\"\u003e\\n\u003chead\u003e\\n    \u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset=utf-8\\\" /\u003e\\n   \"","status": 403},"token":"MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","validationRecord":[{"url":"http://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","hostname":"cpanel.nyceyes.com","port":"80","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"},{"url":"https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c","hostname":"cpanel.nyceyes.com","port":"443","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"}]}]}'
[Fri Dec 20 17:58:11 EST 2024] status='invalid
invalid'
[Fri Dec 20 17:58:11 EST 2024] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"162.0.229.138: Invalid response from https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c: '
[Fri Dec 20 17:58:11 EST 2024] errordetail='162.0.229.138: Invalid response from https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c: '
[Fri Dec 20 17:58:11 EST 2024] cpanel.nyceyes.com: Invalid status. Verification error details: 162.0.229.138: Invalid response from https://cpanel.nyceyes.com/.well-known/acme-challenge/MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c: 
[Fri Dec 20 17:58:11 EST 2024] pid
[Fri Dec 20 17:58:11 EST 2024] No need to restore nginx config, skipping.
[Fri Dec 20 17:58:11 EST 2024] _clearupdns
[Fri Dec 20 17:58:11 EST 2024] dns_entries
[Fri Dec 20 17:58:11 EST 2024] Skipping dns.
[Fri Dec 20 17:58:11 EST 2024] _on_issue_err
[Fri Dec 20 17:58:11 EST 2024] Please check log file for more details: /home/nycemyqd/.acme.sh/acme.sh.log
[Fri Dec 20 17:58:11 EST 2024] _chk_vlist='nyceyes.com#verified_ok##http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750415,www.nyceyes.com#verified_ok##http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750445,autodiscover.nyceyes.com#verified_ok##http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750365,cpcalendars.nyceyes.com#verified_ok##http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750385,cpcontacts.nyceyes.com#verified_ok##http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447338449845,mail.nyceyes.com#verified_ok##http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447338449855,cpanel.nyceyes.com#MPG7H6mE-1PmV_uwEh_58lBWngl7xhDtsXyDzWl891c.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY#https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330875/IVsD0g#http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447975330875,webdisk.nyceyes.com#mNtdO2Re1FIBqIs3nfKv1HJopkh2xaHdFpeYDoIUpoM.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY#https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330885/AuskYQ#http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447975330885,webmail.nyceyes.com#djgqcEqujWotSAEwm70T6UYcYrJkhkYBpOpMGz3_qLY.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY#https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447975330895/R-rkuA#http-01#/home/nycemyqd/public_html#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447975330895,'
[ ... snip ... ]

For good measure, I tried creating sub-directories (beneath ~/public_html/) for each subdomain, then tried this script variant, but it fails also:

acme.sh --force --issue \
    -d nyceyes.com \
    -d www.nyceyes.com \
    -d autodiscover.nyceyes.com \
    -d cpcalendars.nyceyes.com \
    -d cpcontacts.nyceyes.com \
    -d mail.nyceyes.com \
    -d cpanel.nyceyes.com \
    -d webdisk.nyceyes.com \
    -d webmail.nyceyes.com \
    -w ~/public_html \
    -w ~/public_html \
    -w ~/public_html \
    -w ~/public_html \
    -w ~/public_html \
    -w ~/public_html \
    -w ~/public_html/cpanel \
    -w ~/public_html/webdisk \
    -w ~/public_html/webmail

sleep 5
acme.sh --deploy --deploy-hook cpanel_uapi --domain nyceyes.com

Although not shown in the acme.sh.log snippet above, I've seen a combination of 403 errors alone, as well as 401 & 403 in pairs. Just FYI.

I feel like something changed on NameCheap's backend, like the webroot directories for those sub-domains or something, but I don't know. And except for upgrading the acme.sh script, I didn't change anything on the NameCheap platform. I simply went in to renew my SSL Certs as usual.

Finally, nyceyes.com is the main NameCheap account domain; and SSL Cert renewals for other domains and their sub-domains succeeded without issue.

Any ideas? Thank you in advance.


Something is intercepting the incoming HTTP(s) requests for those 3 names and redirecting to a cPanel login screen. Your working names are handled directly by your LiteSpeed server. I don't know what is doing that. But, it is the reason the renewal fails as Let's Encrypt is not getting the proper response for the HTTP Challenge.

You should consult with your hosting or cPanel support group.

See:

# Sample HTTP Challenge format gets redirected by LiteSpeed
curl -I http://nyceyes.com/.well-known/acme-challenge/TEst404
HTTP/1.1 301 Moved Permanently
server: LiteSpeed
location: https://nyceyes.com/.well-known/acme-challenge/TEst404
x-turbo-charged-by: LiteSpeed

# Following that gets expected 404 (for this test)
curl -I https://nyceyes.com/.well-known/acme-challenge/TEst404
HTTP/2 404
server: LiteSpeed
x-turbo-charged-by: LiteSpeed

Compare that to:

# Also redirected but no Server or x-turbo-charged-by header
curl -I http://cpanel.nyceyes.com/.well-known/acme-challenge/TEst404
HTTP/1.1 301 Moved
location: https://cpanel.nyceyes.com/.well-known/acme-challenge/TEst404

# Following the redirect gets a cPanel login screen
curl -I https://cpanel.nyceyes.com/.well-known/acme-challenge/TEst404
HTTP/2 200
set-cookie: cprelogin=no; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=444; secure
(and many other cookies)
content-length: 43896
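
The comparison in the reply above, as an added example that is not part of the original thread: a shell function that classifies the header chain `curl -sIL` prints for a challenge token that does not exist. The function names, the verdict labels and the two embedded header samples (constructed from the headers quoted in the reply) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example. A host whose webroot is reachable answers a made-up token
# with 404 from the site's own web server; anything else means the CA would
# not be served the token file that acme.sh writes into the webroot.

classify_probe() {
  # stdin: response headers of every hop, as printed by `curl -sIL <url>`
  awk '
    BEGIN { status = "-"; server = "-" }
    { sub(/\r$/, "") }                    # curl prints CRLF line endings
    /^HTTP\// {                           # a status line starts a new hop
      hops++; status = $2; server = "-"; cplogin = 0
      next
    }
    {
      line = tolower($0)                  # header names are case-insensitive
      if (line ~ /^server:/) { server = $0; sub(/^[^:]*:[ \t]*/, "", server) }
      if (line ~ /^set-cookie:/ && line ~ /cprelogin/) cplogin = 1
    }
    END {
      code = status + 0                   # only the final hop is judged
      if (hops == 0)                      verdict = "no-response"
      else if (code == 404)               verdict = "origin-404"
      else if (cplogin)                   verdict = "cpanel-login"
      else if (code == 200)               verdict = "catch-all-200"
      else if (code == 401 || code == 403) verdict = "blocked"
      else                                verdict = "other"
      printf "%s status=%s server=%s hops=%d\n", verdict, status, server, hops
    }'
}

# Constructed sample: the nyceyes.com chain quoted in the reply (301 -> 404).
sample_main_site() {
  printf '%s\r\n' \
    'HTTP/1.1 301 Moved Permanently' \
    'server: LiteSpeed' \
    'location: https://nyceyes.com/.well-known/acme-challenge/TEst404' \
    'x-turbo-charged-by: LiteSpeed' \
    '' \
    'HTTP/2 404' \
    'server: LiteSpeed' \
    'x-turbo-charged-by: LiteSpeed' \
    ''
}

# Constructed sample: the cpanel.nyceyes.com chain quoted in the reply
# (301 without a Server header, then 200 with the cPanel pre-login cookie).
sample_cpanel_host() {
  printf '%s\r\n' \
    'HTTP/1.1 301 Moved' \
    'location: https://cpanel.nyceyes.com/.well-known/acme-challenge/TEst404' \
    '' \
    'HTTP/2 200' \
    'set-cookie: cprelogin=no; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=444; secure' \
    'content-length: 43896' \
    ''
}

# Live use (needs network, so it is not called here):
#   probe_host cpanel.nyceyes.com
probe_host() {
  curl -sIL --max-time 15 "http://$1/.well-known/acme-challenge/TEst404" | classify_probe
}

sample_main_site   | classify_probe
sample_cpanel_host | classify_probe
```

Running `probe_host` over every `-d` name before a renewal shows which names will fail http-01 without spending a validation attempt at the CA.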

Hi @MikeMcQ Thank you for poring through the output and replying. I just forwarded the link to your reply to a ticket I have open with NameCheap. Let's see what they say. Again, thank you.


Hi @MikeMcQ In anticipation of NameCheap's response, is there an alternative mode for authenticating domains like these three, which don't have an accessible document root? For instance, running a variation of the acme.sh syntax to get a code that you manually add as, say, a TXT DNS record; and then you continue to authenticate that entry? Or something similar. If yes, can you point me to that procedure? I don't want to bother you with having to explain that. Thank you.

Yes, there is a manual way to get a cert using a DNS Challenge. But, the manual process is then repeated every 60 days (or so). We don't recommend that for a number of reasons. Getting automated cert renewal working is far better.

You could try using the DNS Challenge with the NameCheap DNS plugin. I don't remember exactly which kind of NameCheap accounts allow use of their API for this. But, maybe yours will work: acme.sh/dnsapi/dns_namecheap.sh at master · acmesh-official/acme.sh · GitHub

You have almost a month before your prior cert expires, so you have time to sort a permanent solution. If the NameCheap DNS API is not available to you, consider switching to a different DNS provider. I think you just update your NameCheap DNS servers; you don't have to move your registrar services.


Thank you again.

Yes, you're right about the every 60-day hassle; and, correct, I do have until 01/19/25.

Along those lines, the NameCheap API is available for domains using their BasicDNS and PremiumDNS platform; but not their (cPanel) Web Hosting DNS platform. The latter is a separate farm that isn't exposed to their API. And when you sign up for their web hosting service, as I had, your main domain (nyceyes.com in my case) is automatically placed onto their Web Hosting DNS platform (sigh - so no API access).

Now, to your point, I can have them migrate me to BasicDNS (free) or PremiumDNS (not free); or I can point the NS servers for that domain to another provider that provides API access.

Do you recommend any? Cloudflare?

Thank you! :smiling_face:


Cloudflare is a good choice.


Hello Friends:

I finally got around to migrating nyceyes.com (still hosted atop NameCheap) to use CloudFlare's DNS service.

When attempting to issue an SSL Certificate with the command below, I receive the companion error shown (i.e., invalid domain).

I can't be sure why, but one possibility is my lack of understanding about:

  • Whether to use an API Token or API Key.

  • Whether to use them from the Account, User, or Domain Level (I suspect Domain level).

  • Not knowing the exact names for the Environment Variable to export them under. (The ones below may be incorrect - I tried several combinations).


Additional Notes:

  • Both the Account API Token as well as the User API Token for nyceyes.com have these permissions: Zone:Read, DNS:Edit.

  • The User API Token for nyceyes.com also whitelists two IP-Addresses: My NameCheap host IP (where acme.sh is run), and My ISP IP-Address.

  • Finally, way below is /home/jdoe/.acme.sh/acme.sh.log

If someone can narrow me down to the correct acme.sh syntax, the environment variable names, the specific API Token/Keys to use, and the permissions to grant API Tokens, I'd greatly appreciate it. Thank you! :hugs:

Script and Error below it:

##############################################################################################
. "/home/jdoe/.acme.sh/acme.sh.env"
export PATH=/home/jdoe/.acme.sh/:${PATH}
##############################################################################################


##############################################################################################
# DNS CHALLENGE for CLOUDFLARE (i.e., '--dns dns_cf') hosted domain & sub-domains: nyceyes.com
##############################################################################################
export CF_API_TOKEN="vvvvvvv"               # USER API TOKEN: SSL@nyceyes.com
export CF_API_TOKEN="wwwwwww"               # GLOBAL API KEY
export CF_ACCOUNT_EMAIL="jdoe@example.com"  # Optional, if using email authentication.
export CF_ZONE_ID="xxxxxxx"                 # API Zone ID for: nyceyes.com
export CF_Token="yyyyyyy"                   # ACCOUNT API TOKEN: SSL@nyceyes.com
export CF_Account_ID="zzzzzzz"              # Optional but recommended for specific scenarios.
##############################################################################################
acme.sh --issue --dns dns_cf -d nyceyes.com -d *.nyceyes.com

[Sun Dec 29 02:23:23 EST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Dec 29 02:23:23 EST 2024] Multi domain='DNS:nyceyes.com,DNS:*.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] Getting webroot for domain='nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] Getting webroot for domain='*.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] Adding TXT value: ryo-R7JoQfz_S8nVDGE0A-DUavNu_siRVlBsmlgzRnc for domain: _acme-challenge.nyceyes.com
[Sun Dec 29 02:23:30 EST 2024] invalid domain
[Sun Dec 29 02:23:30 EST 2024] Error adding TXT record to domain: _acme-challenge.nyceyes.com
[Sun Dec 29 02:23:30 EST 2024] Please check log file for more details: /home/jdoe/.acme.sh/acme.sh.log
[Sun Dec 29 02:23:30 EST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
##############################################################################################

/home/jdoe/.acme.sh/acme.sh.log contents:

[ ... snip ... ]
[Sun Dec 29 02:23:25 EST 2024] code='200'
[Sun Dec 29 02:23:25 EST 2024] original='{
  "identifier": {
    "type": "dns",
    "value": "nyceyes.com"
  },
  "status": "valid",
  "expires": "2025-01-18T16:01:43Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447330750415/I6C6WQ",
      "status": "valid",
      "validated": "2024-12-19T16:01:42Z",
      "token": "v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js",
      "validationRecord": [
        {
          "url": "http://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js",
          "hostname": "nyceyes.com",
          "port": "80",
          "addressesResolved": [
            "162.0.229.138"
          ],
          "addressUsed": "162.0.229.138"
        },
        {
          "url": "https://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js",
          "hostname": "nyceyes.com",
          "port": "443",
          "addressesResolved": [
            "162.0.229.138"
          ],
          "addressUsed": "162.0.229.138"
        }
      ]
    }
  ]
}'
[Sun Dec 29 02:23:25 EST 2024] response='{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"valid","expires":"2025-01-18T16:01:43Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447330750415/I6C6WQ","status":"valid","validated":"2024-12-19T16:01:42Z","token":"v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","validationRecord":[{"url":"http://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"80","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"},{"url":"https://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"443","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"}]}]}'
[Sun Dec 29 02:23:25 EST 2024] response='{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"valid","expires":"2025-01-18T16:01:43Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447330750415/I6C6WQ","status":"valid","validated":"2024-12-19T16:01:42Z","token":"v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","validationRecord":[{"url":"http://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"80","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"},{"url":"https://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"443","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"}]}]}'
[Sun Dec 29 02:23:25 EST 2024] _d='nyceyes.com'
[Sun Dec 29 02:23:25 EST 2024] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945'
[Sun Dec 29 02:23:25 EST 2024] =======Sending Signed Request=======
[Sun Dec 29 02:23:25 EST 2024] url='https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945'
[Sun Dec 29 02:23:25 EST 2024] payload
[Sun Dec 29 02:23:25 EST 2024] Use cached jwk for file: /home/jdoe/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
[Sun Dec 29 02:23:25 EST 2024] Use _CACHED_NONCE='LPSR-4-sNDNx-CMxNiaJ5eoj2uC4LXsBvCDbalbkez41lmdHWE8'
[Sun Dec 29 02:23:25 EST 2024] nonce='LPSR-4-sNDNx-CMxNiaJ5eoj2uC4LXsBvCDbalbkez41lmdHWE8'
[Sun Dec 29 02:23:25 EST 2024] POST
[Sun Dec 29 02:23:25 EST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945'
[Sun Dec 29 02:23:25 EST 2024] body='{"protected": "eyJub25jZSI6ICJMUFNSLTQtc05ETngtQ014TmlhSjVlb2oydUM0TFhzQnZDRGJhbGJrZXo0MWxtZEhXRTgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzEyMzgxNjY4MzYvNDUyMjI0NDYwOTQ1IiwgImFsZyI6ICJFUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjM4MTY2ODM2In0", "payload": "", "signature": "4qEypE10tmQXyAoDJTsk_8YoYxUwzYESpnPB6nM8W3DTX5zGanDeNwkJk8yCnNwIT2qKkFu5pBSSkslz_RifwQ"}'
[Sun Dec 29 02:23:25 EST 2024] _postContentType='application/jose+json'
[Sun Dec 29 02:23:25 EST 2024] Http already initialized.
[Sun Dec 29 02:23:25 EST 2024] _CURL='curl --silent --dump-header /home/jdoe/.acme.sh/http.header  -L  -g '
[Sun Dec 29 02:23:25 EST 2024] _ret='0'
[Sun Dec 29 02:23:25 EST 2024] responseHeaders='HTTP/2 200 
server: nginx
date: Sun, 29 Dec 2024 07:23:25 GMT
content-type: application/json
content-length: 393
boulder-requester: 1238166836
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 1QDIi77bQUikNEGVBjD5eOq2buiUZSIWPxzI6uuKj3n3Oa4JhFg
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Sun Dec 29 02:23:25 EST 2024] code='200'
[Sun Dec 29 02:23:25 EST 2024] original='{
  "identifier": {
    "type": "dns",
    "value": "nyceyes.com"
  },
  "status": "pending",
  "expires": "2025-01-05T07:23:24Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA",
      "status": "pending",
      "token": "W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"
    }
  ],
  "wildcard": true
}'
[Sun Dec 29 02:23:25 EST 2024] response='{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"pending","expires":"2025-01-05T07:23:24Z","challenges":[{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA","status":"pending","token":"W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"}],"wildcard": true}'
[Sun Dec 29 02:23:25 EST 2024] response='{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"pending","expires":"2025-01-05T07:23:24Z","challenges":[{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA","status":"pending","token":"W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"}],"wildcard": true}'
[Sun Dec 29 02:23:26 EST 2024] _d='*.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] _authorizations_map='*.nyceyes.com,{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"pending","expires":"2025-01-05T07:23:24Z","challenges":[{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA","status":"pending","token":"W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"}],"wildcard": true}#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945
nyceyes.com,{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"valid","expires":"2025-01-18T16:01:43Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447330750415/I6C6WQ","status":"valid","validated":"2024-12-19T16:01:42Z","token":"v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","validationRecord":[{"url":"http://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"80","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"},{"url":"https://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"443","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"}]}]}#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750415
'
[Sun Dec 29 02:23:26 EST 2024] d='nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] Getting webroot for domain='nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] _w='dns_cf'
[Sun Dec 29 02:23:26 EST 2024] _currentRoot='dns_cf'
[Sun Dec 29 02:23:26 EST 2024] _is_idn_d='nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] _idn_temp
[Sun Dec 29 02:23:26 EST 2024] _candidates='nyceyes.com,{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"valid","expires":"2025-01-18T16:01:43Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447330750415/I6C6WQ","status":"valid","validated":"2024-12-19T16:01:42Z","token":"v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","validationRecord":[{"url":"http://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"80","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"},{"url":"https://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"443","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"}]}]}#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750415'
[Sun Dec 29 02:23:26 EST 2024] response='{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"valid","expires":"2025-01-18T16:01:43Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/447330750415/I6C6WQ","status":"valid","validated":"2024-12-19T16:01:42Z","token":"v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","validationRecord":[{"url":"http://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"80","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"},{"url":"https://nyceyes.com/.well-known/acme-challenge/v5DyzlutI3r3ic41ZSDYzwnqUA5r_bBuTVwCJLxn7js","hostname":"nyceyes.com","port":"443","addressesResolved":["162.0.229.138"],"addressUsed":"162.0.229.138"}]}]}#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750415'
[Sun Dec 29 02:23:26 EST 2024] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750415'
[Sun Dec 29 02:23:26 EST 2024] nyceyes.com is already valid.
[Sun Dec 29 02:23:26 EST 2024] keyauthorization='verified_ok'
[Sun Dec 29 02:23:26 EST 2024] entry
[Sun Dec 29 02:23:26 EST 2024] dvlist='nyceyes.com#verified_ok##dns-01#dns_cf#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750415'
[Sun Dec 29 02:23:26 EST 2024] d='*.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] Getting webroot for domain='*.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] _w='dns_cf'
[Sun Dec 29 02:23:26 EST 2024] _currentRoot='dns_cf'
[Sun Dec 29 02:23:26 EST 2024] _is_idn_d='*.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] _idn_temp
[Sun Dec 29 02:23:26 EST 2024] _candidates='*.nyceyes.com,{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"pending","expires":"2025-01-05T07:23:24Z","challenges":[{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA","status":"pending","token":"W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"}],"wildcard": true}#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945'
[Sun Dec 29 02:23:26 EST 2024] response='{"identifier":{"type":"dns","value":"nyceyes.com"},"status":"pending","expires":"2025-01-05T07:23:24Z","challenges":[{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA","status":"pending","token":"W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"}],"wildcard": true}#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945'
[Sun Dec 29 02:23:26 EST 2024] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945'
[Sun Dec 29 02:23:26 EST 2024] entry='"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA","status":"pending","token":"W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"'
[Sun Dec 29 02:23:26 EST 2024] token='W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs'
[Sun Dec 29 02:23:26 EST 2024] uri='https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA'
[Sun Dec 29 02:23:26 EST 2024] keyauthorization='W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY'
[Sun Dec 29 02:23:26 EST 2024] dvlist='*.nyceyes.com#W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY#https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA#dns-01#dns_cf#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945'
[Sun Dec 29 02:23:26 EST 2024] d
[Sun Dec 29 02:23:26 EST 2024] vlist='nyceyes.com#verified_ok##dns-01#dns_cf#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750415,*.nyceyes.com#W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY#https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA#dns-01#dns_cf#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945,'
[Sun Dec 29 02:23:26 EST 2024] d='nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] nyceyes.com has already been verified, skipping dns-01.
[Sun Dec 29 02:23:26 EST 2024] d='*.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] _d_alias
[Sun Dec 29 02:23:26 EST 2024] txtdomain='_acme-challenge.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] txt='ryo-R7JoQfz_S8nVDGE0A-DUavNu_siRVlBsmlgzRnc'
[Sun Dec 29 02:23:26 EST 2024] d_api='/home/jdoe/.acme.sh/dnsapi/dns_cf.sh'
[Sun Dec 29 02:23:26 EST 2024] dns_entry='nyceyes.com,_acme-challenge.nyceyes.com,,dns_cf,ryo-R7JoQfz_S8nVDGE0A-DUavNu_siRVlBsmlgzRnc,/home/jdoe/.acme.sh/dnsapi/dns_cf.sh'
[Sun Dec 29 02:23:26 EST 2024] Found domain API file: /home/jdoe/.acme.sh/dnsapi/dns_cf.sh
[Sun Dec 29 02:23:26 EST 2024] Adding TXT value: ryo-R7JoQfz_S8nVDGE0A-DUavNu_siRVlBsmlgzRnc for domain: _acme-challenge.nyceyes.com
[Sun Dec 29 02:23:26 EST 2024] First detect the root zone
[Sun Dec 29 02:23:26 EST 2024] h='_acme-challenge.nyceyes.com'
[Sun Dec 29 02:23:26 EST 2024] zones?name=_acme-challenge.nyceyes.com&account.id=0bc871b0bb2706fb50a2a64217a53d81
[Sun Dec 29 02:23:26 EST 2024] GET
[Sun Dec 29 02:23:26 EST 2024] url='https://api.cloudflare.com/client/v4/zones?name=_acme-challenge.nyceyes.com&account.id=0bc871b0bb2706fb50a2a64217a53d81'
[Sun Dec 29 02:23:26 EST 2024] timeout=
[Sun Dec 29 02:23:26 EST 2024] Http already initialized.
[Sun Dec 29 02:23:26 EST 2024] _CURL='curl --silent --dump-header /home/jdoe/.acme.sh/http.header  -L  -g '
[Sun Dec 29 02:23:27 EST 2024] ret='0'
[Sun Dec 29 02:23:27 EST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Cannot use the access token from location: 162.0.229.136"}],"messages":[],"result":null}'
[Sun Dec 29 02:23:27 EST 2024] h='nyceyes.com'
[Sun Dec 29 02:23:27 EST 2024] zones?name=nyceyes.com&account.id=0bc871b0bb2706fb50a2a64217a53d81
[Sun Dec 29 02:23:27 EST 2024] GET
[Sun Dec 29 02:23:27 EST 2024] url='https://api.cloudflare.com/client/v4/zones?name=nyceyes.com&account.id=0bc871b0bb2706fb50a2a64217a53d81'
[Sun Dec 29 02:23:27 EST 2024] timeout=
[Sun Dec 29 02:23:27 EST 2024] Http already initialized.
[Sun Dec 29 02:23:27 EST 2024] _CURL='curl --silent --dump-header /home/jdoe/.acme.sh/http.header  -L  -g '
[Sun Dec 29 02:23:28 EST 2024] ret='0'
[Sun Dec 29 02:23:28 EST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Cannot use the access token from location: 162.0.229.136"}],"messages":[],"result":null}'
[Sun Dec 29 02:23:28 EST 2024] h='com'
[Sun Dec 29 02:23:28 EST 2024] zones?name=com&account.id=0bc871b0bb2706fb50a2a64217a53d81
[Sun Dec 29 02:23:28 EST 2024] GET
[Sun Dec 29 02:23:28 EST 2024] url='https://api.cloudflare.com/client/v4/zones?name=com&account.id=0bc871b0bb2706fb50a2a64217a53d81'
[Sun Dec 29 02:23:28 EST 2024] timeout=
[Sun Dec 29 02:23:28 EST 2024] Http already initialized.
[Sun Dec 29 02:23:28 EST 2024] _CURL='curl --silent --dump-header /home/jdoe/.acme.sh/http.header  -L  -g '
[Sun Dec 29 02:23:30 EST 2024] ret='0'
[Sun Dec 29 02:23:30 EST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Cannot use the access token from location: 162.0.229.136"}],"messages":[],"result":null}'
[Sun Dec 29 02:23:30 EST 2024] h
[Sun Dec 29 02:23:30 EST 2024] invalid domain
[Sun Dec 29 02:23:30 EST 2024] Error adding TXT record to domain: _acme-challenge.nyceyes.com
[Sun Dec 29 02:23:30 EST 2024] _on_issue_err
[Sun Dec 29 02:23:30 EST 2024] Please check log file for more details: /home/jdoe/.acme.sh/acme.sh.log
[Sun Dec 29 02:23:30 EST 2024] _chk_vlist='nyceyes.com#verified_ok##dns-01#dns_cf#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/447330750415,*.nyceyes.com#W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY#https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA#dns-01#dns_cf#https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945,'
[Sun Dec 29 02:23:30 EST 2024] start to deactivate authz
[Sun Dec 29 02:23:30 EST 2024] Trigger domain validation.
[Sun Dec 29 02:23:30 EST 2024] _t_url
[Sun Dec 29 02:23:30 EST 2024] _t_key_authz='verified_ok'
[Sun Dec 29 02:23:30 EST 2024] _t_vtype
[Sun Dec 29 02:23:30 EST 2024] =======Sending Signed Request=======
[Sun Dec 29 02:23:30 EST 2024] url
[Sun Dec 29 02:23:30 EST 2024] payload='{}'
[Sun Dec 29 02:23:30 EST 2024] Use cached jwk for file: /home/jdoe/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
[Sun Dec 29 02:23:30 EST 2024] Use _CACHED_NONCE='1QDIi77bQUikNEGVBjD5eOq2buiUZSIWPxzI6uuKj3n3Oa4JhFg'
[Sun Dec 29 02:23:30 EST 2024] nonce='1QDIi77bQUikNEGVBjD5eOq2buiUZSIWPxzI6uuKj3n3Oa4JhFg'
[Sun Dec 29 02:23:30 EST 2024] POST
[Sun Dec 29 02:23:30 EST 2024] _post_url
[Sun Dec 29 02:23:30 EST 2024] body='{"protected": "eyJub25jZSI6ICIxUURJaTc3YlFVaWtORUdWQmpENWVPcTJidWlVWlNJV1B4ekk2dXVLajNuM09hNEpoRmciLCAidXJsIjogIiIsICJhbGciOiAiRVMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzODE2NjgzNiJ9", "payload": "e30", "signature": "jbKiICtNrwfZNuEmzq-9wwzF_SpZ99ed5kOr2JXyWEkYYNYdyyGZ4icYmxmgdV-ZIzatWBsLXcnvpnXgge9lcA"}'
[Sun Dec 29 02:23:30 EST 2024] _postContentType='application/jose+json'
[Sun Dec 29 02:23:30 EST 2024] Http already initialized.
[Sun Dec 29 02:23:30 EST 2024] _CURL='curl --silent --dump-header /home/jdoe/.acme.sh/http.header  -L  -g '
[Sun Dec 29 02:23:30 EST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sun Dec 29 02:23:30 EST 2024] _ret='3'
[Sun Dec 29 02:23:30 EST 2024] responseHeaders
[Sun Dec 29 02:23:30 EST 2024] code
[Sun Dec 29 02:23:30 EST 2024] original
[Sun Dec 29 02:23:30 EST 2024] response
[Sun Dec 29 02:23:30 EST 2024] Trigger domain validation.
[Sun Dec 29 02:23:30 EST 2024] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA'
[Sun Dec 29 02:23:30 EST 2024] _t_key_authz='W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs.iEYEwuULpSOke_xzyB4v3hkYeDxd7aMAO-jY6Nyr1MY'
[Sun Dec 29 02:23:30 EST 2024] _t_vtype
[Sun Dec 29 02:23:30 EST 2024] =======Sending Signed Request=======
[Sun Dec 29 02:23:30 EST 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA'
[Sun Dec 29 02:23:30 EST 2024] payload='{}'
[Sun Dec 29 02:23:30 EST 2024] Use cached jwk for file: /home/jdoe/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
[Sun Dec 29 02:23:30 EST 2024] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Dec 29 02:23:30 EST 2024] HEAD
[Sun Dec 29 02:23:30 EST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Dec 29 02:23:30 EST 2024] body
[Sun Dec 29 02:23:30 EST 2024] _postContentType='application/jose+json'
[Sun Dec 29 02:23:30 EST 2024] Http already initialized.
[Sun Dec 29 02:23:30 EST 2024] _CURL='curl --silent --dump-header /home/jdoe/.acme.sh/http.header  -L  -g  -I  '
[Sun Dec 29 02:23:30 EST 2024] _ret='0'
[Sun Dec 29 02:23:30 EST 2024] _headers='HTTP/2 200 
server: nginx
date: Sun, 29 Dec 2024 07:23:30 GMT
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: WVWTDxmJrDskp8QkAFrtWgnx_QPIeW_tU_87-Lg7Fb0uX4vX3QQ
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Sun Dec 29 02:23:30 EST 2024] nonce='WVWTDxmJrDskp8QkAFrtWgnx_QPIeW_tU_87-Lg7Fb0uX4vX3QQ'
[Sun Dec 29 02:23:30 EST 2024] POST
[Sun Dec 29 02:23:30 EST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA'
[Sun Dec 29 02:23:30 EST 2024] body='{"protected": "eyJub25jZSI6ICJXVldURHhtSnJEc2twOFFrQUZydFdnbnhfUVBJZVdfdFVfODctTGc3RmIwdVg0dlgzUVEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzEyMzgxNjY4MzYvNDUyMjI0NDYwOTQ1L2V2SFV6QSIsICJhbGciOiAiRVMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzODE2NjgzNiJ9", "payload": "e30", "signature": "U5WVx_0f5TOgP1ig8bf0fxFZDwoXLvpvy3ErkBezycrN5E8n_g46bdYsX_hMXM3StRnaS0dQ6YjOcA1zwd0dtQ"}'
[Sun Dec 29 02:23:30 EST 2024] _postContentType='application/jose+json'
[Sun Dec 29 02:23:30 EST 2024] Http already initialized.
[Sun Dec 29 02:23:30 EST 2024] _CURL='curl --silent --dump-header /home/jdoe/.acme.sh/http.header  -L  -g '
[Sun Dec 29 02:23:31 EST 2024] _ret='0'
[Sun Dec 29 02:23:31 EST 2024] responseHeaders='HTTP/2 200 
server: nginx
date: Sun, 29 Dec 2024 07:23:31 GMT
content-type: application/json
content-length: 194
boulder-requester: 1238166836
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-v02.api.letsencrypt.org/acme/authz/1238166836/452224460945>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA
replay-nonce: WVWTDxmJqmWrk9YRJAwyWEu4dmYHze-zJc-Hjo7xaV6i3KXakME
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Sun Dec 29 02:23:31 EST 2024] code='200'
[Sun Dec 29 02:23:31 EST 2024] original='{
  "type": "dns-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA",
  "status": "pending",
  "token": "W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"
}'
[Sun Dec 29 02:23:31 EST 2024] response='{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1238166836/452224460945/evHUzA","status":"pending","token":"W8Z5MiA9v_KadhALM7-Ka-wKouVi9owN9eknFt9vIDs"}'
[Sun Dec 29 02:23:31 EST 2024] pid
[Sun Dec 29 02:23:31 EST 2024] No need to restore nginx config, skipping.
[Sun Dec 29 02:23:31 EST 2024] _clearupdns
[Sun Dec 29 02:23:31 EST 2024] dns_entries
[Sun Dec 29 02:23:31 EST 2024] Skipping dns.

I'll have to look more also. The problem is that I tried all combinations above and failed. I got the syntax and environment variables via ChatGPT (LoL) so I'll have to research more.

While it doesn't make much sense to set two variables with the same name after each other (the second will overwrite the first), the CF_API_TOKEN variable is not even being used in the acme.sh Cloudflare DNS script (acme.sh/dnsapi/dns_cf.sh at f981c782bb38015f4778913e9c3db26b57dde4e8 · acmesh-official/acme.sh · GitHub). Neither is CF_ACCOUNT_EMAIL. So I'm not sure where you got those variables from?

Also, please note that the variables are CaSe SeNsItIvE! Thus, the CF_ZONE_ID you're using is NOT the same as the CF_Zone_ID used by acme.sh!

1 Like

I deleted my earlier post with that 3rd party blog. Here is the official acme.sh doc for the Cloudflare DNS Challenge

The link to this is found in the source for dns_cf.sh linked by Osiris

4 Likes

Good morning. :smiling_face: I'll revisit this with fresh eyes and mind this morning. It was late.

@Osiris Thank you. Yeah, the duplicates were for quick testing of multiple values on my end, but only one was uncommented. I forgot to remove one copy while focused on proper wording and formatting of the OP. I'll remove one dup soon (replying from a phone now). Indeed, variables are case sensitive (... among various internet sources I consulted, uppercase and multicased variables were output by ChatGPT :smiling_face: in their examples. That's why I included asking about environment variables in the OP, as I noticed discrepancies across sources. I should have just searched the script).

@MikeMcQ Thank you for finding and sharing that. :smiling_face: I'll read through it this morning.

3 Likes

Hi again! :smiling_face:

I was very close yet so very far.

My OP only needed to use the new environment variable: CF_Zone_ID. Thank you @MikeMcQ for the reference document, which provided that.

The final script is below for future visitors.

Now, the reason why no environment variable and key/token combination could ever work at all — each returning an invalid domain error — was due to my CloudFlare IP address whitelist. You see, the NameCheap Host IP — where I run the acme.sh script — was included in the list, but it seems that acme.sh verifies that nyceyes.com resolves to said Host IP address as part of its checks. However, it no longer can because nyceyes.com — now under Cloudflare DNS control — responds with Cloudflare’s IP address for it, which differs from said Host IP. This mismatch, then, is what the vague invalid domain error was referring to. Once I set the IP address whitelist to any, it finally succeeded.

acme.sh hopefully has an option to handle this scenario, such as --challenge-alias or --domain-alias (though I’m unsure about those necessarily). I’ll need to research further, as I prefer maintaining a locked-down whitelist (and I'm open to suggestions).

So, "Our national nightmare is finally over". :smile: (LoL - You had to be there once upon a time).

Thank you everyone for your ongoing help.

Corrected script:

#! /usr/bin/env bash
#
##############################################################################################
. "/path/to/.acme.sh/acme.sh.env"
export PATH=/path/to/.acme.sh/:${PATH}
##############################################################################################

##############################################################################################
# DNS CHALLENGE for CLOUDFLARE (i.e., '--dns dns_cf') hosted domain & sub-domains: example.com
# SEE: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#1-cloudflare-option
##############################################################################################
export CF_Token="XXXX"   # USER API TOKEN (to access the API in general)
export CF_Zone_ID="YYYY" # API ZONE ID (for domain: example.com)
# ============================================================================================
acme.sh --issue --dns dns_cf -d example.com -d '*.example.com' && \
acme.sh --deploy --deploy-hook cpanel_uapi --domain example.com
# ============================================================================================

1 Like
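An added example (not from the thread and not part of acme.sh): in the debug log above, acme.sh prints only `invalid domain` after Cloudflare answered each zone lookup with error 9109, so this script pulls the Cloudflare API error and the source address it names out of a debug log and checks that address against a token's IP allowlist. The function names, the sample log lines and the allowlist values are constructed for illustration; 162.0.229.138 is simply the address the log records nyceyes.com resolving to, since the poster's actual allowlist is not shown.

```shell
#!/bin/sh
# Constructed sample: lines in the shape of the acme.sh --debug output above.
sample_log() {
cat <<'EOF'
[Sun Dec 29 02:23:26 EST 2024] url='https://api.cloudflare.com/client/v4/zones?name=nyceyes.com&account.id=ACCOUNT_ID'
[Sun Dec 29 02:23:27 EST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Cannot use the access token from location: 162.0.229.136"}],"messages":[],"result":null}'
[Sun Dec 29 02:23:30 EST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Cannot use the access token from location: 162.0.229.136"}],"messages":[],"result":null}'
[Sun Dec 29 02:23:30 EST 2024] invalid domain
EOF
}

# Print "code message" for the first error of every failed Cloudflare API response.
cf_api_errors() {
  grep '"success":false' "$1" |
    sed -n 's/.*"errors":\[{"code":\([0-9]*\),"message":"\([^"]*\)".*/\1 \2/p' |
    sort -u
}

# Print each source address Cloudflare refused the token from (error 9109).
cf_rejected_ips() {
  sed -n 's/.*"code":9109,"message":"Cannot use the access token from location: \([0-9.]*\)".*/\1/p' "$1" |
    sort -u
}

# Dotted-quad IPv4 to integer; runs in a subshell so IFS changes stay local.
ip4_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Succeeds when IPv4 address $1 falls inside $2 (a single address or a CIDR block).
ip_in_cidr() (
  net=${2%/*}
  bits=32
  case $2 in */*) bits=${2#*/} ;; esac
  [ "$bits" -eq 0 ] && exit 0
  mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
)

# diagnose LOG ALLOWLIST_ENTRY...
# Prints "<address> yes|no" per rejected address; returns 1 if any is not covered.
diagnose() {
  _log=$1
  shift
  _status=0
  for _ip in $(cf_rejected_ips "$_log"); do
    _covered=no
    for _entry in "$@"; do
      if ip_in_cidr "$_ip" "$_entry"; then _covered=yes; fi
    done
    echo "$_ip $_covered"
    [ "$_covered" = yes ] || _status=1
  done
  return $_status
}

# Demo on the constructed sample with a stand-in allowlist entry.
demo_log=$(mktemp)
sample_log > "$demo_log"
cf_api_errors "$demo_log"
diagnose "$demo_log" 162.0.229.138 ||
  echo "token allowlist does not cover the address Cloudflare saw the request from"
rm -f "$demo_log"
```

Run against a real `acme.sh --debug 2` log, `diagnose` takes the token's "Client IP Address Filtering" entries as arguments, which keeps a locked-down allowlist workable when the host's outbound address differs from the address its sites are served on.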
