Wildcard cert will not renew --dnssleep arg won't work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command: acme.sh --issue --dns dns_yandex -d '*.vadim.com.ru' --dnssleep 3600

It produced this output:
Using CA: https://acme-v02.api.letsencrypt.org/directory
Single domain='*.vadim.com.ru'
Getting domain auth token for each domain
Getting webroot for domain='*.vadim.com.ru'
Adding txt value: rNzHfj_1vd7BX1OEH0ZQivu1zoqAH2ax6PlJiG7Psb4 for domain: _acme-challenge.vadim.com.ru
Error add txt for domain:_acme-challenge.vadim.com.ru
Please add '--debug' or '--log' to check more details.
See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

My web server is (include version): nginx version: nginx/1.18.0

The operating system my web server runs on is (include version): TrueNAS-SCALE-22.12.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

It worked fine last time - no clue why --dnssleep 3600 won't start the countdown.

First, you should add -d vadim.com.ru to the command so you have both your root and the wildcard name in your cert. Your current cert is set up this way.

Also, try adding --debug 2 to get more info.

What do you mean by this? Are you saying the script doesn't pause for one hour to wait for the Yandex auth servers to sync? Yandex can be very slow. Does this problem repeat? Have you tried 5400 (1h30m)?

3 Likes

Correct! The script doesn't pause for one hour to wait for the Yandex auth servers to sync. As a matter of fact it doesn't pause even for a second. And yes, the problem repeats. I tried different numbers - immediate error. acme.sh --issue --dns dns_yandex -d '*.vadim.com.ru' -d vadim.com.ru --dnssleep 5400 gives the same error. Debug output is here.

Seeing that API call to https://pddimp.yandex.ru/api2/admin/dns/list?domain=vadim.com.ru returns an html page instead of (presumably?) json, it seems like there's something wrong with the API or the acme.sh Yandex plugin.

3 Likes

I agree with @Nekit; the fact that Yandex returns a <title>404</title> suggests their API has changed.

4 Likes
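A quick way to confirm the diagnosis in the two replies above (an HTML 404 page where the plugin expects JSON) before running acme.sh again. This is an added example, not acme.sh's or the dns_yandex plugin's own code: the endpoint URL is the one from the debug output, and the header name and token in the last lines are placeholders you must replace with whatever your provider actually requires.

```python
import json
import urllib.error
import urllib.request
from html.parser import HTMLParser

class _TitleParser(HTMLParser):
    """Collect the text inside the <title> element of an HTML error page."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title = False, ""
    def handle_starttag(self, tag, attrs):
        self.in_title = self.in_title or tag == "title"
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def classify_dns_api_response(status, body):
    """Return ("json", parsed), ("html", title) or ("unknown", snippet).
    A DNS plugin reaches its --dnssleep wait only after the add call
    succeeds, so an HTML page where JSON is expected means it never will."""
    try:
        return "json", json.loads(body)
    except ValueError:
        pass
    if "<html" in body.lower() or "<title" in body.lower():
        parser = _TitleParser()
        parser.feed(body)
        return "html", (parser.title.strip() or f"HTTP {status}")
    return "unknown", body[:80]

def preflight(url, headers):
    """Fetch with caller-supplied auth headers; a 404/5xx body is inspected too."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_dns_api_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_dns_api_response(err.code, err.read().decode("utf-8", "replace"))

if __name__ == "__main__":
    # Endpoint from the debug output; header name and token are placeholders (assumption).
    print(preflight("https://pddimp.yandex.ru/api2/admin/dns/list?domain=vadim.com.ru",
                    {"PddToken": "<your-token>"}))
```

If the result is ("html", "404") the provider API is unreachable or gone and no --dnssleep value will help; switching the --dns plugin to a provider whose API works is the fix.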

So what might the solution be in this case?

Interestingly their API page still suggests the hostname and path used by the plugin: Add a DNS record - API. Yandex.Mail for Domain API

Ask Yandex why their API isn't working any longer. Might be just temporary. Or not and they've changed their API. Or have shut down their API entirely. Might be any of those.

5 Likes

Apparently it got shut down: Mail for Domain API (Yandex Technologies)

Attention. Mail for Domain is no longer supported. The service's API will stop working on April 1, 2023. From March 24 the availability of the service will be limited.

1 Like

@Osiris I will - since the API page is still there, my guess would be some temporary glitch, as usual with these folks. I will submit the request and keep you posted! Thanks for your help.

2 Likes

Hm, interesting, so they haven't updated their .com domain with that information...

3 Likes

It says that they discontinued the API support for mail only because they used to provide up to 5 mail accounts at that domain free.

Domain control API was part of this whole Mail For Domain product, which got discontinued. Also they put this big scary note on every page of their docs :person_shrugging:

1 Like

Except for the .com domain :wink:

3 Likes

But the mail still works though


I've sent them a request anyway - we'll see what happens, but quite obviously I should change the DNS provider, and most likely it will be Cloudflare, which is also recommended by TrueNAS.

I completely get why they might have forgotten about it; I presume the English-speaking crowd was a fraction of a fraction of a percent of the users of this service :smile:

1 Like

Most likely yes

Meant to reply to @Osiris but must have fat-fingered my post somehow :sweat_smile:

@Volkodav, yeah, I got a slightly wrong impression from that note: the service is not discontinued, but rather "unsupported". Checked one of my domains, and sending does still seem to work.

But the API part seems accurate, as evident by the error you're experiencing.

1 Like

It does - so I will wait and see what they come back with; in the meanwhile I am registering with Cloudflare.

1 Like

Well, I'd love to keep my e-mail accounts with them, but since they are officially discontinued yet still working, that tells me it can stop at any point in time really. I just logged in to Yandex 360 and they are all there.

I believe the warning said everything was transferred to Yandex 360 ("for businesses"?), so that might explain that, right?

3 Likes