Report bugs to DNS.Services dns api #4152
Evidently, my renewal has not been working (domain my.domain.com is a sanitized placeholder). It started trying to renew 4 weeks ago. Here's what is recorded via my logging: the DNS TXT record looks to be written successfully (and the certificate was originally created successfully at the end of March), but then it fails; the order status request returns [Mon 27 Jun 2022 08:20:57 AM MDT] ===Starting cron=== I will add --debug and see if anything else is added that could provide more detail.
Here's the result with --debug & --dnssleep added: log full command line: domain sanitized to EDIT. Note that I fixed the --dnssleep option to specify a time, but it didn't make any difference; renew still fails.
OK, this is apparently not a DNS API issue. I changed the --server option to letsencrypt and issued a new cert, and it works fine... something must be up with ZeroSSL.
Hi @yajrendrag I would suggest running the
I see, apologies for my misunderstanding of the purpose of this thread, and thanks for your reply/suggestions.
No problem at all @yajrendrag - the from
Hope you get it fixed, or that the --dnssleep fixes the problem, as it seems (from the above logs) that it is a DNS propagation issue and not a ZeroSSL issue as such, as
Hi @frenzeldk I've not come across multiple TLDs in one cert via I'll get back to you (I need to buy another domain to test it out). If you are in a rush and happen to be running your own Linux box to host your service (and SSL offloading), then you can install and use HAProxy; it is capable of handling multiple TLDs in individual .pem files (with the full chain in them). PM me for info/help on that if you are in dire need now. Otherwise, dns_dnsservices only supports one domain.
@bbruun thanks for looking into it! I have taken care of my immediate needs by using manual DNS validation. And thanks for your offer of help; luckily I'm pretty well versed in the workings of nginx (which is my reverse proxy provider of choice) :)
@frenzeldk I've had some issues with the pull commit actions that need to pass on Solaris (#4287), but it seems to have been fixed now. The update will handle multiple zones in the API correctly, so it will be merged to the Dev branch tonight and have to re-pass the pull commit actions again, and then have Nielpang merge Dev into Master before you can get it the correct way. But it is coming. Pull request #4293
@frenzeldk the fix has been merged into master, so you can update acme.sh now and use --dns dns_dnsservices with multiple TLDs without problems.
@bbruun I didn't have the need to try it out before now, but it worked like a charm! Thank you very much :)
@bbruun it seems like the _acme-challenge.domainX.com TXT records are not removed on some of my domains. Although the acme.sh script says the records are removed, they still exist on some of my domains (2 out of 3 tested).
[Thu Feb 16 18:32:03 CET 2023] Removing txt: [challenge_was_here] for domain: _acme-challenge.domainY.com
[Thu Feb 16 18:33:43 CET 2023] Removing txt: [challenge_was_here] for domain: _acme-challenge.domainX.com
Calling the script like: I've just tried on 3 of my domains; on two of them the TXT records are not removed, and I have to do this manually.
@hehoe20 I'm sorry for the long wait. I've been moved to another section at work, so my workload had increased for a period, but I'm back. I've been using the script extensively since I made it and I do not have any leftover _acme-challenge records lingering, both for acme.sh and my cert-manager-webhook-dns-services operator for k8s. There is an API limit on the DNS Services API, so if you have been running a few tests or tried to create a few domains too fast after each other, then the DNS Services API will not work, as it has a max number of API requests per 5 min (IIRC), and the error isn't caught by the acme.sh script, but the curl if you run the acme.sh script with
@hehoe20, please submit a support ticket with domain and approx. timestamps for when you ran the script, if possible, and we can try to check the logs.
@bbruun I've just run a renew of all my certs (7 domains). The renewCerts.sh contains:

```sh
#!/bin/sh
# Run acme.sh in cron mode with the install and config dirs on the mounted drive
/mnt/drive/acme.sh/acme.sh --cron --home "/mnt/drive/acme.sh" --config-home "/mnt/drive/acme.sh/data"
# Reload nginx so it picks up the renewed certificates
/opt/etc/init.d/S80nginx reload
```

```
user@gateway:/tmp/mnt/drive/acme.sh# ./renewCerts.sh
[Thu Apr 27 20:32:36 CEST 2023] ===Starting cron===
[Thu Apr 27 20:32:36 CEST 2023] Renew: 'dhcgurus.com'
[Thu Apr 27 20:32:36 CEST 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Apr 27 20:32:39 CEST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Apr 27 20:32:39 CEST 2023] Multi domain='DNS:dhcgurus.com,DNS:*.dhcgurus.com'
[Thu Apr 27 20:32:39 CEST 2023] Getting domain auth token for each domain
[Thu Apr 27 20:32:45 CEST 2023] Getting webroot for domain='dhcgurus.com'
[Thu Apr 27 20:32:45 CEST 2023] Getting webroot for domain='*.dhcgurus.com'
[Thu Apr 27 20:32:46 CEST 2023] Adding txt value: Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:32:46 CEST 2023] Using dns.services to create ACME DNS challenge
[Thu Apr 27 20:32:47 CEST 2023] Record "_acme-challenge.dhcgurus.com TXT Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A" has been created
[Thu Apr 27 20:32:47 CEST 2023] The txt record is added: Success.
[Thu Apr 27 20:32:48 CEST 2023] Adding txt value: dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:32:48 CEST 2023] Using dns.services to create ACME DNS challenge
[Thu Apr 27 20:32:50 CEST 2023] Record "_acme-challenge.dhcgurus.com TXT dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s" has been created
[Thu Apr 27 20:32:50 CEST 2023] The txt record is added: Success.
[Thu Apr 27 20:32:50 CEST 2023] Sleep 60 seconds for the txt records to take effect
[Thu Apr 27 20:33:52 CEST 2023] Verifying: dhcgurus.com
[Thu Apr 27 20:33:54 CEST 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Apr 27 20:33:58 CEST 2023] Pending, The CA is processing your order, please just wait. (2/30)
[Thu Apr 27 20:34:02 CEST 2023] Pending, The CA is processing your order, please just wait. (3/30)
[Thu Apr 27 20:34:07 CEST 2023] Success
[Thu Apr 27 20:34:07 CEST 2023] Verifying: *.dhcgurus.com
[Thu Apr 27 20:34:08 CEST 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Apr 27 20:34:12 CEST 2023] Success
[Thu Apr 27 20:34:13 CEST 2023] Removing DNS records.
[Thu Apr 27 20:34:13 CEST 2023] Removing txt: Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:34:13 CEST 2023] Using dns.services to remove DNS record _acme-challenge.dhcgurus.com TXT Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A
[Thu Apr 27 20:34:16 CEST 2023] Removed: Success
[Thu Apr 27 20:34:16 CEST 2023] Removing txt: dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:34:16 CEST 2023] Using dns.services to remove DNS record _acme-challenge.dhcgurus.com TXT dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s
[Thu Apr 27 20:34:20 CEST 2023] Removed: Success
[Thu Apr 27 20:34:20 CEST 2023] Verify finished, start to sign.
[Thu Apr 27 20:34:21 CEST 2023] Lets finalize the order.
[Thu Apr 27 20:34:21 CEST 2023] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/966756326/178755585807'
[Thu Apr 27 20:34:22 CEST 2023] Downloading cert.
[Thu Apr 27 20:34:22 CEST 2023] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03b8ef0b6f6f719d561cd3e9a539bc9d31e1'
[Thu Apr 27 20:34:24 CEST 2023] Cert success.
```
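The run above shows the two things the thread keeps circling back to: every `Adding txt value` line should be paired with a later `Removing txt` plus `Removed: Success`, and each create/remove is a separate call to the provider's API that counts against its per-5-minute limits. The following audit script is an added example for this thread, not code from acme.sh or from the dns_dnsservices plugin. It pairs add/remove lines in an acme.sh log, reports challenge names whose removal was never confirmed, and counts dns.services operations per run. The sample log is constructed to follow the line format acme.sh printed above; the second zone (`_acme-challenge.example.net`) and its failure line are invented to show an unconfirmed removal.

```python
"""Audit an acme.sh DNS-01 run: find challenge TXT records whose removal was
never confirmed, and count dns.services API operations in the run.

Added example; not part of acme.sh or the dns_dnsservices plugin.
"""
import re

# Line shapes acme.sh prints; the leading "[<date>] " is skipped by re.search.
# "\s*" tolerates the missing space seen in "Removing txt: [...]for domain:".
ADD_RE = re.compile(r"Adding txt value: (\S+) for domain: (\S+)")
REMOVING_RE = re.compile(r"Removing txt: (\S+)\s*for domain: (\S+)")
REMOVED_OK = "Removed: Success"
DNS_SERVICES_CALL = "Using dns.services to "

# Constructed sample: dhcgurus.com lines mirror the posted run; example.net
# and its error line are invented to show an unconfirmed removal.
SAMPLE_LOG = """\
[Thu Apr 27 20:32:46 CEST 2023] Adding txt value: Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:32:46 CEST 2023] Using dns.services to create ACME DNS challenge
[Thu Apr 27 20:32:48 CEST 2023] Adding txt value: dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:32:48 CEST 2023] Using dns.services to create ACME DNS challenge
[Thu Apr 27 20:34:13 CEST 2023] Removing txt: Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:34:13 CEST 2023] Using dns.services to remove DNS record _acme-challenge.dhcgurus.com TXT Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A
[Thu Apr 27 20:34:16 CEST 2023] Removed: Success
[Thu Apr 27 20:34:16 CEST 2023] Removing txt: dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:34:16 CEST 2023] Using dns.services to remove DNS record _acme-challenge.dhcgurus.com TXT dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s
[Thu Apr 27 20:34:20 CEST 2023] Removed: Success
[Thu Apr 27 20:40:01 CEST 2023] Adding txt value: b3JkZXItZXhhbXBsZS1ub3QtcmVtb3ZlZA for domain: _acme-challenge.example.net
[Thu Apr 27 20:40:01 CEST 2023] Using dns.services to create ACME DNS challenge
[Thu Apr 27 20:41:30 CEST 2023] Removing txt: b3JkZXItZXhhbXBsZS1ub3QtcmVtb3ZlZA for domain: _acme-challenge.example.net
[Thu Apr 27 20:41:30 CEST 2023] Using dns.services to remove DNS record _acme-challenge.example.net TXT b3JkZXItZXhhbXBsZS1ub3QtcmVtb3ZlZA
[Thu Apr 27 20:41:33 CEST 2023] Error removing txt for domain:_acme-challenge.example.net
"""


def lingering_challenges(log_text):
    """Return {challenge_name: [txt values]} for records that were added but
    never followed by 'Removed: Success'. A 'Removing txt' line on its own is
    only an attempt; the success line that follows it is what counts."""
    pending = {}       # (name, value) -> True while removal is unconfirmed
    in_flight = None   # (name, value) named by the most recent 'Removing txt'
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m:
            value, name = m.groups()
            pending[(name, value)] = True
            in_flight = None
            continue
        m = REMOVING_RE.search(line)
        if m:
            value, name = m.groups()
            in_flight = (name, value)
            continue
        if REMOVED_OK in line and in_flight is not None:
            pending.pop(in_flight, None)
            in_flight = None
    result = {}
    for name, value in pending:
        result.setdefault(name, []).append(value)
    return result


def dns_services_calls(log_text):
    """Count dns.services create/remove operations in one run; multiply by the
    number of certificates renewed back to back to compare against the
    provider's per-5-minute request limits."""
    return sum(1 for line in log_text.splitlines() if DNS_SERVICES_CALL in line)


if __name__ == "__main__":
    print("dns.services operations in this run:", dns_services_calls(SAMPLE_LOG))
    for name, values in lingering_challenges(SAMPLE_LOG).items():
        for value in values:
            print("unconfirmed removal:", name, "TXT", value)
```

Feed it a real run with `python3 audit.py < acme.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. A missing success line is only one signal: the earlier report in this thread shows `Removed: Success` printed while records remained at the provider, so the authoritative check is still `dig +short TXT _acme-challenge.<zone>` against the zone's own nameservers after each run.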
Hi @hehoe20 There is an API limit on the dns.services API that the script cannot accommodate, as each certificate you renew is a new run. For the next renewal I would recommend you add It is unfortunately not something I can do anything about, except to suggest that you take your time renewing the certificates, or spread out the renewal of multiple certificates by ~5-10 min per certificate, e.g. by a cronjob.
Hi @bbruun I'm aware of that, but I still think it's weird, because this was the first run, and the dhcgurus.com domain is the first request. And @sorenjacobjensen mentioned that the limitation is 25 LOGIN requests per 5 minutes, and all other requests are 1000 per 5 minutes.
Hi @hehoe20 When I renew 2 certs I hit the API limit; you state you've renewed 7, so that is the most likely cause.
@bbruun you're right, and thank you! And yes, I renewed 7 domains, but the first domain that is renewed is dhcgurus.com (the other 6 are renewed afterwards), and no other requests have been made. So I think the TXT records should at least have been removed for that domain.
This is a bug report issue for the DNS.Services dns api implementation.
If you experience problems with the plugin, then report your bugs here.