Page 2 of 2
Results 21 to 39 of 39

Thread: Any new letsencrypt's wildcard plugin?

  1. #21
    Join Date
    Jan 2013
    Posts
    45
    Still got an error for wildcard:

    "Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
    Requesting new certificate order...
    Processing authorization for xxx.com...
    Challenge is valid.
    Processing authorization for xxx.com...
    DNS challenge test fail for _acme-challenge.xxx.com IN TXT "xxxxxxxxxxxxxxxxxxxxxxxxxx", retrying...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    Retry failed, trying again in 15s...
    DNS validation failed. Exiting..."

    and still no problem (created successfully) when getting a cert for a non-wildcard domain

    Thanks

  2. #22
    Join Date
    Jan 2013
    Posts
    45
    I think it is a problem with letsencrypt's verification TXT records. If letsencrypt's plugin adds a "named" service reload and restart, will it help?
    Last edited by darkbear; 05-14-2018 at 02:27 AM.

  3. #23
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    7,248
    Are you using local nameservers?
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  4. #24
    Join Date
    Jan 2013
    Posts
    45
    Yes, and I tried a newly registered domain and got the same problem.
    Thanks

  5. #25
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    7,248
    Could you create a ticket at tickets.directadmin.com? Access to the server would help to investigate it. Are you sure this feature is enabled on your server? https://www.directadmin.com/features.php?id=2118
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  6. #26
    Join Date
    Aug 2015
    Posts
    314
    I don't want to disturb this thread, but could you explain a bit more about the TXT record? See #17 in this thread.
    Is it generated once and stays the same, or is a new key generated at every automatic renewal? If it stays the same, we could let it "stay" in external DNS.
    Kind regards, Fred

    Alentejo Webdesign
    Webdesign with Passion is what we do
    Web development, Hosting, Speed Optimizing & More......

  7. #27
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    7,248
    It's removed immediately after generation of the cert, it will not be the same on the next renewal time.
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  8. #28
    Join Date
    Sep 2008
    Location
    London UK
    Posts
    1,654
    Creating DNS entries on the fly, does the TTL have to be so low?

  9. #29
    Join Date
    Jan 2013
    Posts
    45
    Yes, dns_ttl=1

    I have created a ticket, thanks
    Last edited by darkbear; 05-14-2018 at 07:52 PM.

  10. #30
    Join Date
    Jan 2013
    Posts
    45
    Quote Originally Posted by Peter Laws
    Creating DNS entries on the fly, does the TTL have to be so low?
    You'd better set the TTL to 1

  11. #31
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    It won't work with the multiserver function yet, will it?

    Some wild dances with DNS_SERVER="8.8.8.8" and other public DNS from https://public-dns.info/. Probably you could add more than one DNS server into the script?

    And temporarily commented out

    Code:
    echo "action=dns&do=delete&domain=${single_domain}&type=TXT&name=_acme-challenge" >> ${TASK_QUEUE}
    for multiserver to catch the records.

    And attempt #4 or #5 succeeded... a wildcard cert was installed for 2 domains.

  12. #32
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    7,248
    Quote Originally Posted by zEitEr
    It won't work with the multiserver function yet, will it?
    It should have no problems with DA multi-server.

    Quote Originally Posted by zEitEr
    Some wild dances with DNS_SERVER="8.8.8.8" and other public DNS from https://public-dns.info/. Probably you could add more than one DNS server into the script?
    Did you experience issues with it? We could change it or add others, if you had problems with it.

    Quote Originally Posted by zEitEr
    And temporarily commented out

    Code:
    echo "action=dns&do=delete&domain=${single_domain}&type=TXT&name=_acme-challenge" >> ${TASK_QUEUE}
    for multiserver to catch the records.
    This should not be needed, because the record is only removed when the status of the Let's Encrypt challenge is "valid". Meaning verification is done already.
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  13. #33
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    #VERSION=1.1.2

    OK, here is what I did:

    Code:
    echo 'action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge' >> /usr/local/directadmin/data/task.queue
    echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
    /usr/local/directadmin/dataskq d1000

    then check (locally)

    Code:
    cat /var/named/domain.com.db | grep TXT
    and there is no _acme-challenge record.

    The commands are executed in reverse order:

    Code:
    dataskq: command: action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes
    File /var/named/domain.com.db.temp appears ok to named-checkzone
    Doing an immediate reload of named
    dataskq: command: action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge
    and the local and remote name servers do not contain the TXT record even before the challenge tests begin...

    What am I missing?

    The single command works fine:

    Code:
    echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
    /usr/local/directadmin/dataskq d1000
    without delete.

    As far as I see, you add an ACME record, reload named and remove the ACME record without reloading named. ACME records exist in a running named until it reloads/restarts... but... if it restarts for another reason...

    Quote Originally Posted by smtalk
    Did you experience issues with it? We could change it or add others, if you had problems with it.

    Google caches for too long... I had to switch DNS to avoid it. So I guess you might want to add several DNS servers for testing.

    ~~~ added ~~~

    As for MS to work: should remote DA servers be updated with the pre-release version?
    Last edited by zEitEr; 05-15-2018 at 03:14 PM.

  14. #34
    Join Date
    May 2014
    Posts
    95
    Quote Originally Posted by smtalk
    Did you experience issues with it? We could change it or add others, if you had problems with it.
    I think it's better to have two DNS servers active in letsencrypt.sh by default. If 8.8.8.8 didn't work for hours or days, letsencrypt.sh doesn't work either. Another fallback DNS server (not 8.8.4.4) is then handy.

    Indeed, 8.8.8.8 has little or no interference. But everything is possible.
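    The pre-check the last few posts are circling around (poll for the _acme-challenge TXT record before asking the CA, with more than one DNS server and a fallback when one is down or stale) as an added example. This is not code from DirectAdmin's letsencrypt.sh; it derives the expected TXT value the way RFC 8555 section 8.4 specifies (base64url of SHA-256 over the key authorization, whose JWK thumbprint follows RFC 7638), and the default of 20 attempts 15 seconds apart mirrors the log in post #21. The server addresses, token, JWK members and the FakeDns responses are constructed; the dnspython back end assumes that package is installed and is never called by the demo.

```python
"""dns-01 pre-check example (added; not DirectAdmin's letsencrypt.sh):
derive the expected _acme-challenge TXT value and poll a list of DNS
servers with retries and fallback before asking the CA to validate.
All server addresses, tokens and FakeDns answers below are constructed."""
import base64
import hashlib
import json
import time
from typing import Callable, Dict, List, Optional

# A resolver takes (dns_server, record_name) and returns the TXT strings it saw.
Resolver = Callable[[str, str], List[str]]


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def dns01_txt_value(token: str, jwk_required: Dict[str, str]) -> str:
    """TXT value for dns-01: base64url(SHA-256(token + '.' + thumbprint)).
    jwk_required holds only the JWK's required members; the RFC 7638
    thumbprint hashes them with sorted keys and no whitespace."""
    canonical = json.dumps(jwk_required, sort_keys=True, separators=(",", ":"))
    thumbprint = b64url(hashlib.sha256(canonical.encode()).digest())
    key_authz = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authz.encode()).digest())


def wait_for_txt(name: str, expected: str, servers: List[str], resolve: Resolver,
                 attempts: int = 20, delay: float = 15.0,
                 sleep: Callable[[float], None] = time.sleep) -> Optional[str]:
    """Poll every server each round; return the first one that serves `expected`,
    or None once `attempts` rounds are exhausted. An unreachable server (OSError)
    or one still serving stale data does not block the others, which is the
    fallback the thread asks for instead of a single hard-coded DNS_SERVER."""
    for attempt in range(1, attempts + 1):
        for server in servers:
            try:
                answers = resolve(server, name)
            except OSError:
                continue  # unreachable or timed out: try the next server
            if expected in answers:
                return server
        if attempt < attempts:
            sleep(delay)
    return None


def dnspython_resolver(server: str, name: str) -> List[str]:
    """Real back end; assumes the dnspython package is installed (imported
    lazily so the constructed demo below runs without it)."""
    import dns.exception
    import dns.resolver
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [server]
    try:
        answer = r.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    except dns.exception.Timeout as exc:
        raise OSError(f"{server} timed out") from exc
    return [b"".join(rd.strings).decode() for rd in answer]


class FakeDns:
    """Constructed test double: per-server list of answers, the last one
    repeats; an Exception entry is raised to model an unreachable server."""

    def __init__(self, script: Dict[str, List[object]]):
        self.script = script
        self.calls: Dict[str, int] = {}

    def __call__(self, server: str, name: str) -> List[str]:
        i = self.calls.get(server, 0)
        self.calls[server] = i + 1
        steps = self.script[server]
        answer = steps[min(i, len(steps) - 1)]
        if isinstance(answer, Exception):
            raise answer
        return list(answer)


def demo() -> Optional[str]:
    """Constructed scenario: one resolver is down, one keeps a stale answer,
    one sees the new record on its third query."""
    txt = dns01_txt_value("constructed-token",
                          {"crv": "P-256", "kty": "EC", "x": "cx", "y": "cy"})
    fake = FakeDns({
        "198.51.100.1": [OSError("unreachable")],
        "198.51.100.2": [[], [], [txt]],
        "198.51.100.3": [["old-value"]],
    })
    return wait_for_txt("_acme-challenge.example.com", txt,
                        ["198.51.100.1", "198.51.100.2", "198.51.100.3"],
                        fake, attempts=5, delay=0, sleep=lambda _: None)


if __name__ == "__main__":
    print("record seen by:", demo())
```

    Two caveats go with the server list. Prefer the zone's own authoritative nameservers over a public recursive resolver: if 8.8.8.8 was asked for the name before the record existed, it caches that negative answer for the zone's SOA negative TTL (RFC 2308), not for the TXT record's ttl=1, which is the "caches for too long" behaviour reported in post #33. And, as post #32 says, the record should only be removed once the authorization status is "valid"; the pre-check above only tells you when it is safe to ask the CA to start.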

  15. #35
    Join Date
    Jan 2013
    Posts
    45
    Why not 1.1.1.1?

  16. #36
    Join Date
    Sep 2014
    Posts
    38
    What if you use an external DNS provider? Does that influence the TXT validation in any way?

  17. #37
    Yes, it cannot currently be done with external DNS, since DA cannot control it.
    There are some 3rd party modules we're looking into, where DA could then control the external DNS system (assuming it's a larger DNS provider that's included in the module).

    John

  18. #38
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    7,248
    Quote Originally Posted by zEitEr
    OK, here is what I did:

    Code:
    echo 'action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge' >> /usr/local/directadmin/data/task.queue
    echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
    /usr/local/directadmin/dataskq d1000

    then check (locally)

    Code:
    cat /var/named/domain.com.db | grep TXT
    and there is no _acme-challenge record.
    Fixed in 1.1.4, thank you for the report!
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  19. #39
    Join Date
    May 2018
    Posts
    1
    Quote Originally Posted by smtalk
    Fixed in 1.1.4, thank you for the report!
    So happy this will finally become available.

    Any idea when this update will be released in production? What is the approximate timeframe?
    I know I could install the pre-release, but I have no prior experience with that, so if I can avoid it... but if this would take another several months to be released, I would give it a try.
    (I saw sometimes updates are frequent, sometimes not so...)

