SSL with Wordops

Hi. I'm trying to get a certificate for my website using the Cloudflare API with no success.

My domain is: casanovarj.com.br

I ran this command:

export cf_Key=" ** my key ** "
export cf_Mail="my @ email"
sudo -E wo site update casanovarj.com.br -le --dns=dns_CF

It produced this output:

Issuing SSL cert with acme.sh [KO]
Please make sure your properly set your DNS API credentials for acme.sh
If you are using sudo, use "sudo -E wo"

My web server is (include version):

Linux server 4.9.0-15-amd64 #1 SMP Debian 4.9.258-1 (2021-03-08) x86_64

The operating system my web server runs on is (include version): Debian

Linux server 4.9.0-15-amd64 #1 SMP Debian 4.9.258-1 (2021-03-08) x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): -bash: certbot: command not found

Checking the file /var/log/wo/wordops.log:

2021-06-09 10:41:50,507 (DEBUG) wo.core.logging : Writing content in /var/lib/wo/cert.csv
2021-06-09 10:41:50,507 (DEBUG) wo.core.logging : Changing permission of /var/lib/wo/cert.csv>
2021-06-09 10:41:50,507 (INFO) wo : Validation mode : DNS mode with dns_CF
2021-06-09 10:41:50,508 (INFO) wo : Issuing SSL cert with acme.sh
2021-06-09 10:41:50,508 (DEBUG) wo.core.logging : Running command: /etc/letsencrypt/acme.sh ->
2021-06-09 10:41:52,599 (DEBUG) wo.core.logging : Command Output: [Wed Jun 9 10:41:50 -03 20>
[Wed Jun 9 10:41:51 -03 2021] Multi domain='DNS:casanovarj.com.br,DNS:www.casanovarj.com.br'
[Wed Jun 9 10:41:51 -03 2021] Getting domain auth token for each domain
[Wed Jun 9 10:41:52 -03 2021] Getting webroot for domain='casanovarj.com.br'
[Wed Jun 9 10:41:52 -03 2021] Getting webroot for domain='www.casanovarj.com.br'
[Wed Jun 9 10:41:52 -03 2021] You need to add the txt record manually.
[Wed Jun 9 10:41:52 -03 2021] Add the following TXT record:
[Wed Jun 9 10:41:52 -03 2021] Domain: '_acme-challenge.casanovarj.com.br'
[Wed Jun 9 10:41:52 -03 2021] TXT value: 'KXuAH2PDor3ix1ag6UxoLiV-d1t1pv61EU0rGLZPTF4'
[Wed Jun 9 10:41:52 -03 2021] Please be aware that you prepend _acme-challenge. before your domain
[Wed Jun 9 10:41:52 -03 2021] so the resulting subdomain will be: _acme-challenge.casanovarj.com.br
[Wed Jun 9 10:41:52 -03 2021] You need to add the txt record manually.
[Wed Jun 9 10:41:52 -03 2021] Add the following TXT record:
[Wed Jun 9 10:41:52 -03 2021] Domain: '_acme-challenge.www.casanovarj.com.br'
[Wed Jun 9 10:41:52 -03 2021] TXT value: 'QsCw8wJnMTUoS8-aJWb8qLYMZMpdw05A_4dc-M4evtA'
[Wed Jun 9 10:41:52 -03 2021] Please be aware that you prepend _acme-challenge. before your domain
[Wed Jun 9 10:41:52 -03 2021] so the resulting subdomain will be: _acme-challenge.www.casanovarj.com.br
,
Command Error: [Wed Jun 9 10:41:52 -03 2021] Can not find dns api hook for: dns_CF
[Wed Jun 9 10:41:52 -03 2021] Can not find dns api hook for: dns_CF
[Wed Jun 9 10:41:52 -03 2021] Please add the TXT records to the domains, and re-run with --renew.

Checking the file /etc/letsencrypt/config/acme.sh.log

[Wed Jun 9 10:42:11 -03 2021] ok, let's start to verify
[Wed Jun 9 10:42:11 -03 2021] Verifying: casanovarj.com.br
[Wed Jun 9 10:42:11 -03 2021] d='casanovarj.com.br'
[Wed Jun 9 10:42:11 -03 2021] keyauthorization='GcaVKGlrgx_8QGgj2G5YFCA-tM10T2Jf7Iaj4zu8ERs.aeuUXq80ryno>
[Wed Jun 9 10:42:11 -03 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/13837640598/1zh4Pg'
[Wed Jun 9 10:42:11 -03 2021] _currentRoot='/var/www/html'
[Wed Jun 9 10:42:11 -03 2021] wellknown_path='/var/www/html/.well-known/acme-challenge'
[Wed Jun 9 10:42:11 -03 2021] writing token:GcaVKGlrgx_8QGgj2G5YFCA-tM10T2Jf7Iaj4zu8ERs to /var/www/html>
[Wed Jun 9 10:42:11 -03 2021] Changing owner/group of .well-known to www-data:www-data
[Wed Jun 9 10:42:11 -03 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/13837640598/1zh4Pg'
[Wed Jun 9 10:42:11 -03 2021] payload='{}'
[Wed Jun 9 10:42:11 -03 2021] POST
[Wed Jun 9 10:42:11 -03 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/13837640598/>
[Wed Jun 9 10:42:11 -03 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L>
[Wed Jun 9 10:42:11 -03 2021] _ret='0'
[Wed Jun 9 10:42:11 -03 2021] code='200'
[Wed Jun 9 10:42:11 -03 2021] trigger validation code: 200
[Wed Jun 9 10:42:11 -03 2021] sleep 2 secs to verify
[Wed Jun 9 10:42:13 -03 2021] checking
[Wed Jun 9 10:42:13 -03 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/13837640598/1zh4Pg'
[Wed Jun 9 10:42:13 -03 2021] payload
[Wed Jun 9 10:42:13 -03 2021] POST
[Wed Jun 9 10:42:13 -03 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/13837640598/>
[Wed Jun 9 10:42:13 -03 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/config/http.header -L>
[Wed Jun 9 10:42:13 -03 2021] _ret='0'
[Wed Jun 9 10:42:13 -03 2021] code='200'
[Wed Jun 9 10:42:13 -03 2021] casanovarj.com.br:Verify error:Invalid response from http://casanovarj.com>
[Wed Jun 9 10:42:13 -03 2021] pid
[Wed Jun 9 10:42:13 -03 2021] No need to restore nginx, skip.

1 Like

Hi @rafaeldaviddelcastil, and welcome to the LE community forum :slight_smile:

The error seems pretty clear:

Did this command/process previously work?
If so, what has changed?

1 Like

Hi Thanks for replying.
Sorry for my ignorance but where should I enter this data?
Can you give me a step by step or a link explaining how to do it?
I am so grateful!

If it is in Cloudflare, I included two records :slight_smile:

But the error persists

> [Mon Jun 14 16:57:20 -03 2021] Multi domain='DNS:casanovarj.com.br,DNS:www.casanovarj.com.br'
> [Mon Jun 14 16:57:20 -03 2021] Getting domain auth token for each domain
> [Mon Jun 14 16:57:22 -03 2021] Getting webroot for domain='casanovarj.com.br'
> [Mon Jun 14 16:57:22 -03 2021] Getting webroot for domain='www.casanovarj.com.br'
> [Mon Jun 14 16:57:22 -03 2021] You need to add the txt record manually.
> [Mon Jun 14 16:57:22 -03 2021] Add the following TXT record:
> [Mon Jun 14 16:57:22 -03 2021] Domain: '_acme-challenge.casanovarj.com.br'
> [Mon Jun 14 16:57:22 -03 2021] TXT value: '3LEu29xsvVesB0RpnSqOjrgvOmGQwrsNU8Xv9WyTKaw'
> [Mon Jun 14 16:57:22 -03 2021] Please be aware that you prepend _acme-challenge. before your domain
> [Mon Jun 14 16:57:22 -03 2021] so the resulting subdomain will be: _acme-challenge.casanovarj.com.br
> [Mon Jun 14 16:57:22 -03 2021] **You need to add the txt record manually.**
> [Mon Jun 14 16:57:22 -03 2021] Add the following TXT record:
> [Mon Jun 14 16:57:22 -03 2021] Domain: '_acme-challenge.www.casanovarj.com.br'
> [Mon Jun 14 16:57:22 -03 2021] TXT value: 'nz-Wam54CbiAN6J_-7GRgbCZfyj9W8RG5a0LVpv7bm0'
> [Mon Jun 14 16:57:22 -03 2021] Please be aware that you prepend _acme-challenge. before your domain
> [Mon Jun 14 16:57:22 -03 2021] so the resulting subdomain will be: _acme-challenge.www.casanovarj.com.br
> ,
> Command Error: [Mon Jun 14 16:57:22 -03 2021] **Can not find dns api hook for: dns_CF**
> [Mon Jun 14 16:57:22 -03 2021] Can not find dns api hook for: dns_CF
> [Mon Jun 14 16:57:22 -03 2021] Please add the TXT records to the domains, and re-run with --renew.
2 Likes

At your zones' authoritative DNS:

nslookup -q=ns casanovarj.com.br
casanovarj.com.br       nameserver = chris.ns.cloudflare.com
casanovarj.com.br       nameserver = nadia.ns.cloudflare.com

[CloudFlare DNS]

1 Like

But I did it, as shown above. Error persists.

The picture shows entries:
vd7...
UgE...
and the logs show:
3LE...
nz-...

They don't match.

Try this simple test:

  1. add a test TXT record
  2. query that TXT record against your authoritative DNS servers (chris.ns.cloudflare.com, nadia.ns.cloudflare.com) until the entry exists or is updated as expected.

Did it sync? How long did it take to sync?
[try the test a few times to get worst case syncing scenario]

1 Like

Hello! I entered the TXT record and it appeared within seconds. I have several TXT records, but with nslookup only those with NAME = casanovarj.com.br appear.

set q=txt
casanovarj.com.br
Server: 209.126.15.52
Address: 209.126.15.52#53

Non-authoritative answer:
casanovarj.com.br text = "v=spf1 a mx include:websitewelcome.com ~all"

Authoritative answers can be found from:

casanovarj.com.br
Server: 209.126.15.52
Address: 209.126.15.52#53

Non-authoritative answer:
casanovarj.com.br text = "teste"
casanovarj.com.br text = "v=spf1 a mx include:websitewelcome.com ~all"

To show the wordops.log codes I needed to put NAME as casanovarj.com.br (and not _acme-challenge.casanovarj.com.br). I did it for testing:

casanovarj.com.br
Server: 209.126.15.52
Address: 209.126.15.52#53

Non-authoritative answer:
casanovarj.com.br text = "vd71agaw6plxYcuDLjvFuy8MV7T5Xp8PXVdsWqnF8Ms"
casanovarj.com.br text = "teste"
casanovarj.com.br text = "v=spf1 a mx include:websitewelcome.com ~all"
casanovarj.com.br text = "UgEIe1Iz_wKamK1ck3fB-JbCi9Rv8YfS-zE2mELlmRk"

Authoritative answers can be found from:

As a final piece of information, the values do not match because when I used the command wo update site.tld -le the wordops.log returned these new values. What I mean is that with each new error the log gives me new data to add manually.

That is not a CloudFlare DNS server and should not be used to validate your entries.

1 Like
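As an added illustration of the check rgm describes above (this is not code from the thread, from WordOps or from acme.sh), the script below parses the "Add the following TXT record" lines that acme.sh writes into wordops.log, works out which record name and token acme.sh expects for each domain, and compares that with the TXT answers returned by the zone's authoritative nameservers. The sample log and the DNS answers are constructed here from values quoted in this thread; in real use the answers dict would be filled from the output of dig @chris.ns.cloudflare.com TXT _acme-challenge.casanovarj.com.br +short (with the surrounding quotes stripped), not from a recursive resolver on the VPS. It also picks out the "Can not find dns api hook" line: acme.sh loads a DNS hook from dnsapi/<name>.sh, and the Cloudflare hook file is dns_cf.sh, so on a case-sensitive filesystem dns_CF is never found and acme.sh falls back to manual mode.

```python
import re
from typing import Dict, List, Optional, Set

# acme.sh prints, per domain, a "Domain: '...'" line followed by a "TXT value: '...'" line.
DOMAIN_RE = re.compile(r"Domain: '([^']+)'")
VALUE_RE = re.compile(r"TXT value: '([^']+)'")
HOOK_RE = re.compile(r"Can not find dns api hook for: (\S+)")

# Constructed sample: the relevant lines from the second run quoted in this thread.
SAMPLE_LOG = """\
[Mon Jun 14 16:57:22 -03 2021] Add the following TXT record:
[Mon Jun 14 16:57:22 -03 2021] Domain: '_acme-challenge.casanovarj.com.br'
[Mon Jun 14 16:57:22 -03 2021] TXT value: '3LEu29xsvVesB0RpnSqOjrgvOmGQwrsNU8Xv9WyTKaw'
[Mon Jun 14 16:57:22 -03 2021] Add the following TXT record:
[Mon Jun 14 16:57:22 -03 2021] Domain: '_acme-challenge.www.casanovarj.com.br'
[Mon Jun 14 16:57:22 -03 2021] TXT value: 'nz-Wam54CbiAN6J_-7GRgbCZfyj9W8RG5a0LVpv7bm0'
Command Error: [Mon Jun 14 16:57:22 -03 2021] Can not find dns api hook for: dns_CF
"""

# Constructed sample modelled on the nslookup output in the thread: the tokens were
# published at the zone apex (and from an earlier run), nothing under _acme-challenge.
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "casanovarj.com.br": {
        "vd71agaw6plxYcuDLjvFuy8MV7T5Xp8PXVdsWqnF8Ms",
        "teste",
        "v=spf1 a mx include:websitewelcome.com ~all",
        "UgEIe1Iz_wKamK1ck3fB-JbCi9Rv8YfS-zE2mELlmRk",
    },
}


def challenge_name(domain: str) -> str:
    """Name acme.sh will query: '_acme-challenge.' prepended to the domain."""
    return f"_acme-challenge.{domain}"


def parse_expected_records(log_text: str) -> Dict[str, str]:
    """Map each challenge name in the log to the token acme.sh expects there."""
    expected: Dict[str, str] = {}
    pending: Optional[str] = None
    for line in log_text.splitlines():
        m = DOMAIN_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = VALUE_RE.search(line)
        if m and pending:
            expected[pending] = m.group(1)
            pending = None
    return expected


def missing_hook(log_text: str) -> Optional[str]:
    """Hook name acme.sh reported as not found, if any."""
    m = HOOK_RE.search(log_text)
    return m.group(1) if m else None


def suggested_hook(hook: str) -> str:
    """acme.sh hook files are lower-case (dnsapi/dns_cf.sh), so the name must be too."""
    return hook.lower()


def check_records(expected: Dict[str, str], answers: Dict[str, Set[str]]) -> List[str]:
    """Compare expected tokens with authoritative TXT answers; empty list means all good."""
    findings: List[str] = []
    for name, token in expected.items():
        have = answers.get(name, set())
        if token in have:
            continue
        # Explain the mismatch: token at the wrong name, a stale token, or nothing at all.
        elsewhere = sorted(n for n, vals in answers.items() if token in vals)
        if elsewhere:
            findings.append(f"{name}: token published at {', '.join(elsewhere)} instead of {name}")
        elif have:
            findings.append(f"{name}: has {sorted(have)} but not the current token {token!r}")
        else:
            findings.append(f"{name}: no TXT record at all")
    return findings


if __name__ == "__main__":
    hook = missing_hook(SAMPLE_LOG)
    if hook:
        print(f"acme.sh could not load hook {hook!r}; try {suggested_hook(hook)!r}")
    for finding in check_records(parse_expected_records(SAMPLE_LOG), SAMPLE_ANSWERS):
        print(finding)
```

Two points the output makes visible: the tokens change on every acme.sh run, so a record copied from an earlier wordops.log can never validate the current one, and a token placed at casanovarj.com.br itself is not seen by a query for _acme-challenge.casanovarj.com.br.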

Sorry, unfortunately, I'm unfamiliar with the ACME client you are using.

1 Like

The website casanovarj.com.br is working even with a certificate, but on a shared server.
I want to create and transfer the website to a VPS (in this case, to server 209.126.15.52).
I need the certificate for it to work and do the migration.

1 Like

If you can be down (for HTTPS) for a small amount of time, you can change the IP in DNS and just get a new certificate on the new server.
[if that fails, you can quickly change the IP back]

1 Like

Is there another alternative? This site belongs to a client, and I would not like to take it offline.
If the answer is no, do I still need to put the TXT records manually? As I said, when I enter '_acme-challenge.casanovarj.com.br' only '_acme-challenge' is left. It seems I don't know how to do it.
Thank you in advance for your patience.

1 Like

Yes, you could also copy the existing cert files from the old server to the new cert.
I would just copy the few required cert files and use them within a temp folder.
Then add in the ACME client after that (and before the cert expires).

2 Likes