Any new letsencrypt wildcard plugin?

Still got an error for wildcard:

"Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
Requesting new certificate order...
Processing authorization for xxx.com...
Challenge is valid.
Processing authorization for xxx.com...
DNS challenge test fail for _acme-challenge.xxx.com IN TXT "xxxxxxxxxxxxxxxxxxxxxxxxxx", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
DNS validation failed. Exiting..."

and still no problem (created successfully) when getting a non-wildcard cert

Thanks
 
I think it is a problem with letsencrypt's verification TXT records. If letsencrypt's plugin adds a "named" service reload and restart, will it help?
 
Yes, and I tried a new domain I had just registered and got the same problem.
Thanks
 
I don't want to disturb this thread, but could you explain a bit more about the TXT record? See #17 in this thread.
Is it generated once and stays the same, or does it generate a new key at every automatic renewal? If it stays the same, we could let it "stay" in external DNS.
 
It's removed immediately after generation of the cert; it will not be the same at the next renewal.
 
Yes, dns_ttl=1

I created a ticket, thanks
 
It won't work with the multiserver function yet, will it?

Some wild dances with DNS_SERVER="8.8.8.8" and other public DNS servers from https://public-dns.info/. Probably you could add more than one DNS server to the script?

And temporarily commented out

Code:
echo "action=dns&do=delete&domain=${single_domain}&type=TXT&name=_acme-challenge" >> ${TASK_QUEUE}

for multiserver to catch the records.

And attempt #4 or #5 succeeded... a wildcard cert installed for 2 domains.
 
It won't work with the multiserver function yet, will it?

It should have no problems with DA multi-server.

Some wild dances with DNS_SERVER="8.8.8.8" and other public DNS servers from https://public-dns.info/. Probably you could add more than one DNS server to the script?

Did you experience issues with it? We could change it or add others, if you had problems with it.

And temporarily commented out

Code:
echo "action=dns&do=delete&domain=${single_domain}&type=TXT&name=_acme-challenge" >> ${TASK_QUEUE}

for multiserver to catch the records.

This should not be needed, because the record is only removed when the status of the Let's Encrypt challenge is "valid", meaning verification is already done.
 
#VERSION=1.1.2

OK, here is what I did:

Code:
echo 'action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge' >> /usr/local/directadmin/data/task.queue
echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d1000


then check (locally)

Code:
cat /var/named/domain.com.db | grep TXT

and there is no _acme-challenge record.

The commands are executed in a reverse order:

Code:
dataskq: command: action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes
File /var/named/domain.com.db.temp appears ok to named-checkzone
Doing an immediate reload of named
dataskq: command: action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge

and the local and remote name servers do not contain the TXT record even before the challenge tests begin...

What am I missing?


The single command works fine:

Code:
echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d1000

without delete.


As far as I see, you add an ACME record, reload named and remove the ACME record without reloading named. The ACME record exists in a running named until it reloads/restarts... but... if it restarts for another reason...


Did you experience issues with it? We could change it or add others, if you had problems with it.


Google caches for too long... I had to switch DNS servers to avoid it. So I guess you might want to add several DNS servers for testing.


~~~ added ~~~

As for MS to work: should remote DA servers be updated with the pre-release version?
 
Did you experience issues with it? We could change it or add others, if you had problems with it.

I think it's better to have two DNS servers active in letsencrypt.sh by default. If 8.8.8.8 doesn't work for hours or days, letsencrypt.sh doesn't work either. Another fallback DNS server (not 8.8.4.4) is then handy ;).

Indeed, 8.8.8.8 has little or no interference. But everything is possible :cool:
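The posts above describe two failure modes of the DNS-01 pre-check: a single resolver (8.8.8.8) serving a stale cached answer for too long, and the script retrying every 15 seconds until it gives up. The following is an added example, not code from letsencrypt.sh or DirectAdmin, of a pre-check that polls several public resolvers and only reports success once every one of them returns the expected TXT value. It assumes `dig` is installed for the real lookup; the resolver 1.1.1.1, the domain `example.com`, the token/thumbprint string and the function names are all constructed for illustration. It also goes slightly beyond the thread by deriving the TXT value itself from the ACME key authorization as RFC 8555 section 8.4 specifies.

```python
import base64
import hashlib
import subprocess
import time
from typing import Callable, Dict, List, Sequence

# Resolvers to poll. 8.8.8.8 is the one the thread's script uses; the second
# entry is an assumed fallback so that a single resolver holding a stale cached
# answer cannot stall the whole check on its own.
DEFAULT_RESOLVERS: Sequence[str] = ("8.8.8.8", "1.1.1.1")

Lookup = Callable[[str, str], List[str]]


def expected_txt(key_authorization: str) -> str:
    """dns-01 TXT value per RFC 8555 section 8.4:
    base64url(SHA-256(keyAuthorization)) with the '=' padding stripped."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def parse_dig_short(output: str) -> List[str]:
    """Turn `dig +short ... TXT` output into plain TXT strings.
    Each line is one RR; a record split into several quoted chunks
    ("abc" "def") is re-joined, as resolvers present it to clients."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith('"') and line.endswith('"'):
            records.append("".join(part.strip('"') for part in line.split('" "')))
    return records


def dig_lookup(server: str, name: str, timeout: int = 5) -> List[str]:
    """Ask one resolver for the TXT records of `name` via dig.
    Any failure (dig missing, timeout, SERVFAIL) yields [] so the caller
    simply retries instead of crashing."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1",
           "@" + server, name, "TXT"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return parse_dig_short(proc.stdout)


def wait_for_txt(name: str, expected: str, lookup: Lookup = dig_lookup,
                 resolvers: Sequence[str] = DEFAULT_RESOLVERS,
                 retries: int = 20, delay: float = 15.0,
                 sleep: Callable[[float], None] = time.sleep) -> Dict[str, int]:
    """Poll every resolver until each one has returned `expected` for `name`.
    Returns {resolver: attempt on which it first answered correctly}.
    Raises TimeoutError naming the resolvers that never caught up, which is
    the "Retry failed ... DNS validation failed" case from the thread."""
    seen: Dict[str, int] = {}
    for attempt in range(1, retries + 1):
        for server in resolvers:
            if server not in seen and expected in lookup(server, name):
                seen[server] = attempt
        if len(seen) == len(resolvers):
            return seen
        if attempt < retries:
            sleep(delay)
    missing = [s for s in resolvers if s not in seen]
    raise TimeoutError("%s not visible as TXT for %s on: %s"
                       % (expected, name, ", ".join(missing)))


def make_stale_cache_lookup(answers: Dict[str, List[str]],
                            stale_for: Dict[str, int]) -> Lookup:
    """Constructed stand-in for dig_lookup used for the offline demo:
    each resolver returns an empty (cached negative) answer for its first
    stale_for[server] queries, then the authoritative TXT strings."""
    calls: Dict[str, int] = {}

    def lookup(server: str, name: str) -> List[str]:
        calls[server] = calls.get(server, 0) + 1
        if calls[server] <= stale_for.get(server, 0):
            return []
        return answers.get(name, [])

    return lookup


if __name__ == "__main__":
    # Constructed scenario: 8.8.8.8 keeps serving a stale empty answer for the
    # first three polls, while the fallback resolver sees the record at once.
    name = "_acme-challenge.example.com"
    value = expected_txt("constructed-token.constructed-thumbprint")
    demo = make_stale_cache_lookup({name: [value]}, {"8.8.8.8": 3})
    print(wait_for_txt(name, value, demo, retries=5, delay=0,
                       sleep=lambda _: None))
```

Requiring all resolvers rather than any is the conservative choice: Let's Encrypt validates from its own vantage points, so a record that only one public resolver has picked up is no guarantee that the CA's query will succeed. The returned dictionary also tells you which resolver was slow, which is the information the thread's "switch DNS servers" workaround was missing.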
 
What if you use an external DNS provider? Does that influence the TXT validation in any way?
 
Yes, it cannot currently be done with external DNS since DA cannot control it.
There are some 3rd party modules we're looking into, where DA could then control the external DNS system (assuming it's a larger DNS provider that's included in the module)

John
 
OK, here is what I did:

Code:
echo 'action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge' >> /usr/local/directadmin/data/task.queue
echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d1000


then check (locally)

Code:
cat /var/named/domain.com.db | grep TXT

and there is no _acme-challenge record.

Fixed in 1.1.4, thank you for the report!
 
Fixed in 1.1.4, thank you for the report!
So happy this finally will become available :)

Any idea when this update will be released in production? What is the approximate timeframe?
I know I could install the pre-release but have no prior experience with that, so if I can avoid it... but if this would take another several months to be released I would give it a try.
(I saw sometimes updates are frequent, sometimes not so...)
 
converting comodo wildcard to LE

So I have a domain with an expanding amount of subdomains:
www.maindomain.com
client1.maindomain.com
client2.maindomain.com
etc...

Right now I'm using a Comodo wildcard certificate. I'm no expert but also not a noob. But I'm very much struggling with this one as it's on a live domain and I can't have it fail (too long).

  1. First I want to prepare the LE wildcard, but I'm not sure if I can while the comodo SSL is still in place.
  2. I've read this post about the new feature, but it doesn't make sense to me. It keeps saying Must select more than zero entries. |LETSENCRYPT_WC_OPTIONS|
  3. The domain/dns are on a different server than the DA/hosting so I assume that won't work anyway because the local DA can't change the remote DNS, right?

Do you think my safest bet would be to just keep the Comodo?
 