Token doesn't seem to be sent?!

[dmiljk]

Hi,

I would appreciate if someone could help me figure out what is wrong in my case as certbot is unable to create the appropriate TXT records.

When I try creating a new certificate with certbot and certbot-dns-ispconfig-ddns plugin I get an error:

Encountered exception during recovery: certbot.errors.PluginError: 401 Client Error: Unauthorized for url: https://web1.domain.com:8080/ddns/update.php?action=delete&type=TXT&record=_acme-challenge.mail.domain.com&data=hCc66w9ka7qaAFo1k51t-z85TBOWEuI2mmZCvzkeR9A
401 Client Error: Unauthorized for url: https://web1.domain.com:8080/ddns/update.php?action=add&type=TXT&record=_acme-challenge.mail.domain.com&data=hCc66w9ka7qaAFo1k51t-z85TBOWEuI2mmZCvzkeR9A

Looking in apache log I see that the following was logged:

POST /ddns/update.php?action=add&type=TXT&record=_acme-challenge.mail.domain.com&data=hCc66w9ka7qaAFo1k51t-z85TBOWEuI2mmZCvzkeR9A HTTP/1.1"

When I manualy execute:

curl "https://web1.domain.com:8080/ddns/update.php?action=add&type=TXT&record=_acme-challenge.mail.domain.com&data=hCc66w9ka7qaAFo1k51t-z85TBOWEuI2mmZCvzkeR9A&token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

the text record is created confirming that I have no problem with access or permissions for the particular zone file or with the token used. Based on the record from the apache log it looks to me as if token is not transmited during the certificate creation attempt.

I have tried calling certbot with credentials files passed as an argument or with credentials on the command line, but it made no difference:

certbot certonly
--non-interactive
--agree-tos
--email webmaster@domain.com
--preferred-challenges dns
--authenticator dns-ispconfig-ddns
--dns-ispconfig-ddns-endpoint https://web1.domain.com:8080
--dns-ispconfig-ddns-token xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--dns-ispconfig-ddns-propagation-seconds 180
-d 'mail.domain.com'
-d 'mx1.domain.com'
-d 'mx2.domain.com'

Anyone have an idea what I might be doing wrong?!
Thank you.

PS. I've masked the domain and token for security reasons.

[mhofer117]

The plugin uses basic auth to pass the token.
It's possible that your server is not forwarding the authorization header to the ddns script.

You can verify this with curl:
curl -v -u anonymous:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "https://web1.domain.com:8080/ddns/update.php?action=add&type=TXT&record=_acme-challenge.mail.domain.com&data=hCc66w9ka7qaAFo1k51t-z85TBOWEuI2mmZCvzkeR9A"

The advantage of using the authorzation header (with basic auth) is that the token will not appear in the logs/url.
The password from basic auth should be available on the server in PHP with $_SERVER['PHP_AUTH_PW'], unless it is stripped by apache or some other component / or some php configuration.

[dmiljk]

Thank you very much, Marcel!

You were right, apperently the token wasn't passed. The command you suggested resulted in "Missing or invalid token." response.

I've googled around and I finally got the command to work after creating an .htaccess file in ddns folder containing the following:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.)
RewriteRule . - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Please note that I'm running Apache 2.4.52 with PHP 8.1 on Ubuntu 22.04 and ISPConfig 3.2.11p1. I would say everything is running on pretty much default settings and that I haven't done anything, at least to my knowledge, that would disable that kind of authentication.

Regards

[mhofer117]

Thanks a lot for your investigation and feedback.

This seems to be related to PHP in CGI mode (maybe with some security settings).

I have published a new version of the ispconfig-ddns-module which includes your fix: https://github.com/mhofer117/ispconfig-ddns-module/releases/tag/v1.4.2