Two DNS challenges

I am doing a DNS renewal on my wildcard domain. For a couple of retries this is going to generate 2 different keys for
_acme-challenge.mycompany.com

Of these 2 keys it generates, it seems to accept none. However, if I keep rerunning the tool with the exact same parameters, it will finally generate 1 single key, and that will be accepted for the domain renewal.

I want to automate this from cron, so an inconsistency like this is unacceptable. Any ideas what to do with this?

/root/.acme.sh/acme.sh --renew -d mycompany.com -d '*.mycompany.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Two challenges

[Wed Jun 16 09:49:06 CEST 2021] Renew: 'mycompany.com'
[Wed Jun 16 09:49:10 CEST 2021] Multi domain='DNS:mycompany.com,DNS:*.mycompany.com'
[Wed Jun 16 09:49:10 CEST 2021] Getting domain auth token for each domain
[Wed Jun 16 09:49:16 CEST 2021] Getting webroot for domain='mycompany.com'
[Wed Jun 16 09:49:17 CEST 2021] Getting webroot for domain='*.mycompany.com'
[Wed Jun 16 09:49:18 CEST 2021] Add the following TXT record:
[Wed Jun 16 09:49:18 CEST 2021] Domain: '_acme-challenge.mycompany.com'
[Wed Jun 16 09:49:18 CEST 2021] TXT value: 'CHG1'
[Wed Jun 16 09:49:18 CEST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Wed Jun 16 09:49:18 CEST 2021] so the resulting subdomain will be: _acme-challenge.mycompany.com
[Wed Jun 16 09:49:18 CEST 2021] Add the following TXT record:
[Wed Jun 16 09:49:18 CEST 2021] Domain: '_acme-challenge.mycompany.com'
[Wed Jun 16 09:49:18 CEST 2021] TXT value: 'CHG2'
[Wed Jun 16 09:49:19 CEST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Wed Jun 16 09:49:19 CEST 2021] so the resulting subdomain will be: _acme-challenge.mycompany.com
[Wed Jun 16 09:49:19 CEST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Wed Jun 16 09:49:19 CEST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Wed Jun 16 09:49:19 CEST 2021] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

A couple of reruns later...

[Wed Jun 16 10:30:28 CEST 2021] Renew: 'mycompany.com'
[Wed Jun 16 10:30:32 CEST 2021] Multi domain='DNS:mycompany.com,DNS:*.mycompany.com'
[Wed Jun 16 10:30:32 CEST 2021] Getting domain auth token for each domain
[Wed Jun 16 10:30:38 CEST 2021] Getting webroot for domain='mycompany.com'
[Wed Jun 16 10:30:39 CEST 2021] Getting webroot for domain='*.mycompany.com'
[Wed Jun 16 10:30:40 CEST 2021] Add the following TXT record:
[Wed Jun 16 10:30:40 CEST 2021] Domain: '_acme-challenge.mycompany.com'
[Wed Jun 16 10:30:40 CEST 2021] TXT value: 'CHG3'
[Wed Jun 16 10:30:40 CEST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Wed Jun 16 10:30:40 CEST 2021] so the resulting subdomain will be: _acme-challenge.mycompany.com
[Wed Jun 16 10:30:40 CEST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Wed Jun 16 10:30:40 CEST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Wed Jun 16 10:30:40 CEST 2021] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

How do you intend to automate manual mode? If your DNS host has a suitable API, why not automate it with certbot?

But to answer the question, the command you gave (seeking a cert for both the apex domain and the wildcard subdomain) requires two authorizations, one for each. Both will require DNS TXT records for _acme-challenge.mycompany.com, so that ordinarily means you'll need to set up two TXT records for the issuance/renewal to succeed. Once complete, an authorization is valid for some time (I believe 30 days). So if you successfully authorize one but not the other, the next run will only require one authorization to be completed (whichever one wasn't completed the last time).

2 Likes

Trust me, you don't. I just renewed it successfully; the point is I had to run it a couple of times to throw out a single key, and then it worked. I want to understand why.

How do I want to automate the manual mode?

1. First I redirect the stdout of this command to a tempfile and grep out the auth key
2. I have written another shell script which, when it is called with this key, first deletes the old TXT key for _acme-challenge.$DOMAIN, then adds the new one with the new key using nsupdate
3. It reruns acme.sh with the exact same parameters (THIS IS WHERE THE PROBLEM IS)
4. After a successful renewal it concatenates the created key and cer into a pem used by postfix, dovecot, nginx
5. Reloads all the services

And as I said, it would work perfectly if this command returned a single auth key on the first run.
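An added worked example (editor's code, not the poster's script and not part of acme.sh) of what steps 1 and 2 of the procedure above look like when they publish every TXT value acme.sh prints rather than a single grepped-out one: the two log lines for the same _acme-challenge name are turned into one nsupdate batch that wipes the stale TXT RRset once and then adds both values. The sample acme.sh output is constructed from the log format shown in this thread; the nameserver name and TSIG key path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): feed acme.sh's manual
# DNS-mode output into one nsupdate batch that publishes EVERY TXT value it
# asks for, instead of grepping out a single one.  Nameserver and TSIG key
# path in the usage comment at the bottom are placeholders.

# Constructed sample of acme.sh --dns manual-mode output for an apex + wildcard
# order: two TXT values for the same _acme-challenge name.
sample_acme_output() {
  cat <<'EOF'
[Wed Jun 16 09:49:18 CEST 2021] Add the following TXT record:
[Wed Jun 16 09:49:18 CEST 2021] Domain: '_acme-challenge.mycompany.com'
[Wed Jun 16 09:49:18 CEST 2021] TXT value: 'CHG1'
[Wed Jun 16 09:49:18 CEST 2021] Add the following TXT record:
[Wed Jun 16 09:49:18 CEST 2021] Domain: '_acme-challenge.mycompany.com'
[Wed Jun 16 09:49:18 CEST 2021] TXT value: 'CHG2'
[Wed Jun 16 09:49:19 CEST 2021] Please add the TXT records to the domains, and re-run with --renew.
EOF
}

# stdin: acme.sh output.  stdout: one "<record name> <txt value>" pair per line,
# in the order acme.sh printed them.  The Domain: line precedes its TXT value:
# line in the log, so remembering the last name seen is enough.
extract_challenges() {
  awk -v q="'" '
    /\] Domain: /    { name = $0; sub(".*Domain: " q, "", name); sub(q ".*", "", name) }
    /\] TXT value: / { val = $0;  sub(".*TXT value: " q, "", val); sub(q ".*", "", val); print name, val }
  '
}

# stdin: acme.sh output.  stdout: an nsupdate batch.  Each record name gets one
# "update delete ... TXT" (removing stale values from the previous run) and then
# an "update add" for every value, so both authorizations can be validated in
# the same run.  Args: nameserver, zone, optional TTL (default 60).
build_nsupdate_batch() {
  server="$1"; zone="$2"; ttl="${3:-60}"
  printf 'server %s\nzone %s.\n' "$server" "$zone"
  extract_challenges | awk -v ttl="$ttl" '
    !seen[$1]++ { printf "update delete %s. TXT\n", $1 }
                { printf "update add %s. %d IN TXT \"%s\"\n", $1, ttl, $2 }
    END         { print "send" }
  '
}

# Real use: run acme.sh once and keep its output, publish everything it asked
# for, confirm the authoritative server answers with both values, then re-run
# acme.sh with the same arguments.  (Paths and names below are placeholders.)
#   /root/.acme.sh/acme.sh --renew -d mycompany.com -d '*.mycompany.com' --dns \
#       --yes-I-know-dns-manual-mode-enough-go-ahead-please > /tmp/acme.out 2>&1 || true
#   build_nsupdate_batch ns1.mycompany.com mycompany.com < /tmp/acme.out \
#       | nsupdate -k /etc/bind/acme-tsig.key
#   dig +short TXT _acme-challenge.mycompany.com @ns1.mycompany.com   # expect CHG1 and CHG2
#   /root/.acme.sh/acme.sh --renew ...   # same arguments as the first run
```

The delete-then-add ordering matters: deleting the whole TXT RRset once per name clears whatever the previous run left behind, and adding every value afterwards means the CA can find a matching record for each of the two authorizations in a single validation pass.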

Trust me, you do. The reason you're able to make it succeed with just one is exactly what I wrote in my earlier message: you've already created one successful authorization, so you only need to authorize the other. To do it "right", you'd create two correct TXT records the first time, and there wouldn't need to be a second or subsequent time.

acme.sh supports nsupdate directly:

It would work even more perfectly if you were using your tools in the way they were intended to be used.

The correct way to do this is:

  • Configure the correct credentials in named
  • Set environment variables for the key file and server for acme.sh
  • acme.sh --issue --dns dns_nsupdate -d mycompany.com -d "*.mycompany.com" --reloadcmd /path/to/script.sh.
  • The only thing that needs to be in your script is cat fullchain.cer mycompany.com.key > blob.pem followed by reloading the relevant services
  • And then run a daily acme.sh --cron.

acme.sh will update the DNS records for you; there's no need to do it with an external script.

3 Likes
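An added example of the --reloadcmd script from the procedure above (editor's code, not the poster's and not shipped with acme.sh). It assumes, as I understand acme.sh's behaviour, that the reload command is run from the certificate directory, so fullchain.cer and mycompany.com.key are relative names; the output pem path, the service names, the script's own file name and the NSUPDATE_SERVER / NSUPDATE_KEY values in the usage comment are my own choices. Compared with a bare cat, it writes the pem atomically with owner-only permissions and refuses to install a file that is missing either the chain or the key.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): a --reloadcmd script for
# the dns_nsupdate flow.  Assumes acme.sh runs it inside the certificate
# directory (fullchain.cer and mycompany.com.key are relative names).  The pem
# path, service list and script name are placeholders.
set -eu

# Concatenate chain + key into one pem, atomically and owner-only readable, so a
# daemon reading it never sees a half-written file and the private key never sits
# world-readable.  Returns 1 (leaving nothing behind) if either part is missing.
build_pem() {
  fullchain="$1"; key="$2"; out="$3"
  tmp="$out.tmp.$$"
  ( umask 077; cat "$fullchain" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }
  if ! grep -q 'BEGIN CERTIFICATE' "$tmp" || ! grep -q 'PRIVATE KEY' "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$out"
}

# Reload only the services that are actually running on this host.
reload_services() {
  for svc in "$@"; do
    if systemctl is-active --quiet "$svc"; then
      systemctl reload "$svc"
    fi
  done
}

# Entry point, run only when this file is executed under its installed name so
# the functions above can also be sourced.  Wiring it into acme.sh (placeholder
# values; NSUPDATE_SERVER and NSUPDATE_KEY are the variables acme.sh's
# dns_nsupdate hook reads, as I understand it):
#   export NSUPDATE_SERVER=ns1.mycompany.com NSUPDATE_KEY=/etc/bind/acme-tsig.key
#   acme.sh --issue --dns dns_nsupdate -d mycompany.com -d '*.mycompany.com' \
#           --reloadcmd /usr/local/sbin/acme-reload.sh
if [ "${0##*/}" = "acme-reload.sh" ]; then
  build_pem fullchain.cer mycompany.com.key /etc/ssl/private/mycompany.com.pem
  reload_services postfix dovecot nginx
fi
```

Because the pem is written to a temporary file next to the target and then renamed, a service that reloads at the same moment sees either the old file or the new one, never a truncated one, and the private key is never briefly readable by other local users.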

Just to expand on this for @feraldruid22. Let's Encrypt currently caches successful authorizations on your account for 30 days. So even though the first order as a whole failed, one of the two authorizations succeeded. On the second order, Let's Encrypt only asked to validate the second authorization which then succeeded causing the whole order to succeed.

@danb35 is wise. Let your client do its job and handle the DNS record publishing for you.

2 Likes
