LetsEncrypt Issue

I don't have external DNS and sometimes also have an issue that the first time when the certificate renews it gives an acme challenge issue stating the challenge code does not match or is incorrect or something like that.
If I do nothing or if I renew manually, the second attempt there is no problem anymore. However, this does not happen always.
So it might already be enough to just retry it when you get an acme_challenge error.
 
@glio
Are you sure it's not only a matter of deleting the _acme-challenge record? Because I had the same problem in some previous versions.

@crenet
This thread was initiated by my ISP and virtually marked as solved by me because some versions ago DA actually started to work with LE wildcard on external DNS. Read some pages back on this thread.
The old version < 1.1.25 is the only one that worked for my server (before 1.1.35), but... it does not work now.
Also _acme-challenge will be added and deleted by letsencrypt's plugin, so nothing you can do about it
 
I don't have external DNS and sometimes also have an issue that the first time when the certificate renews it gives an acme challenge issue stating the challenge code does not match or is incorrect or something like that.
If I do nothing or if I renew manually, the second attempt there is no problem anymore. However, this does not happen always.
So it might already be enough to just retry it when you get an acme_challenge error.
You mean they add the "test"/"pre-check" record and then get the error?
If yes, then I think your problem is just like mine; I needed to add some records to get it to work:
_acme-challenge-test.xxxx.net. 1 TXT "pre-check"
_acme-challenge-test.xxxx.net. 1 TXT pre-check

Also after adding them, you need to reload and restart the named service
 
The link was fine and somehow it stopped working.

This is what we can read in the Plesk doc about Let's Encrypt certificates. DA urgently needs to add this feature in DirectAdmin for users that are using external DNS services. I think this is a basic feature for anyone who wants to optimize DNS.
I just cannot believe that DA is not able to do it.
To the forum administrator: this is not a promotion link, this is just proof that it's possible to allow DA users to add LE wildcard certificates into DirectAdmin; you must use this feature as soon as possible.
Thank you so much
So this means there is nothing we can do now, until DA adds LE wildcard external DNS services support, right?
 
You mean they add the "test"/"pre-check" record and then get the error?
No, I mean I get that error without adding that record. I never add records myself.

Wildcard DNS with external nameservers is not possible. However, if you check all options (www, ftp, mail etc.) instead of using wildcard then it will work.
 
No, I mean I get that error without adding that record. I never add records myself.

Wildcard DNS with external nameservers is not possible. However, if you check all options (www, ftp, mail etc.) instead of using wildcard then it will work.
so you need to add it yourself to get it to work.
No, 1.1.25 worked for that, but I think LE changed something, and it does not work anymore now
 
It's a bit of a mess.
First, I confirm what @Richard G said above:
if I renew manually, the second attempt there is no problem anymore
Just tested now on an error renewing manually. The second time it works.

This is what happens in the first attempt
Challenge status: invalid. Challenge error: "type": "dns-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Incorrect TXT record \"_AymKPwxxxxxxxxxxxxxxxxxxxxxxxx\" found at _acme-challenge.xxxxxx.xxx", "status": 403 . Exiting...
(the xxx are just to hide sensitive info)

Second: DA+LE with external DNS are OK for me. Apparently not for other people here on the forum.


Third (new for me): I've noticed that the wildcard function seems to work NOT 100% as a real *.domain.tld. It works more like checking manually all the fields under the section "Let's Encrypt Certificate Entries" (where you can see a limited number of names: ftp, mail, www, etc.). I'm saying this because only such names get 100% a proper certificate. Any other name gets a certificate with the wrong common name: instead of the domain name it contains the server name.

For example, if I add to the DNS "incoming" CNAME "mail",
incoming.domain.tld gets a certificate but the common name contains the server name instead of the domain (and any client, email or browser, gets warned of forgery). On the contrary, mail.domain.tld gets the proper common name. Maybe it's a normal behaviour? I don't know. I've "solved" it simply by not inventing new names, simply using those already listed in the section "Let's Encrypt Certificate Entries".
 
To be able to renew the wildcard certificate automatically for external DNS, we need to make sure of this:

1) the external DNS server has an API that can be called from DA. I think open source DNS server software like BIG-IP DNS has this (eg. Linode DNS has their own API).
2) I modified the letsencrypt_pre.sh and I focus only on the update API, writing a script to update the external DNS from the given $DNSENTRY and $domain. The value $domain is supported by letsencrypt_pre.sh. So it can detect which domain can be renewed automatically.
3) Create DNS records _acme-challenge = 0 and _acme-challenge-test = 0 for every new domain at the external DNS before we invoke the renewing script.
4) increase the wait time in letsencrypt.sh (DIG_SECONDS) (maximum 24 hours) for the domain to propagate properly. We need to make sure that the letsencrypt server can ping _acme-challenge or it will fail. The majority of problems shown in the forum are this number 4 problem.
5) That's it, the external DNS wildcard can be used anytime, and the renew process is automatic.


EDIT: Scratch the above. See my solution here: https://forum.directadmin.com/threads/letsencrypt-issue.59017/post-316694
 
but I think LE was change something,
Yes, as I explained before, somewhere here in this thread or somewhere else on this forum, LE has changed their validation. Normal validation (so if you select the things you want SSL for) still works via http validation. Wildcard SSL now needs DNS validation, hence the issues with running external nameservers and SSL wildcard generation via DA.

Nice catch and explanation @maxi32!
 
Sorry to rattle things up, but am I correct in assuming when you let LetsEncrypt create a wildcard for a particular domain, you would have to run your own nameserver(s) where the script or DA creates a test record for LetsEncrypt to check before validating your request? If so: I run my nameserver as master and have two GoDaddy nameservers to handle the load. So my nameserver is not listed in the zone files for my domains although my own server is the master. And creating a wildcard for any domain doesn't work, probably because syncing the zone file with the GoDaddy servers and having them update their records takes longer than the script waits. GoDaddy is fast, but perhaps not as fast as required by the script or LetsEncrypt. Perhaps the kind people at DA could do a DNS check themselves before starting the actual process of requesting the certificate with LetsEncrypt? Or have the admin set a value to wait between DNS-record inserts and starting the request?
 
Sorry to rattle things up, but am I correct in assuming when you let LetsEncrypt create a wildcard for a particular domain, you would have to run your own nameserver(s) where the script or DA creates a test record for LetsEncrypt to check before validating your request?
Correct, if you want to use wildcards a DNS check will take place instead of an http check like it was in the beginning. Since external DNS cannot automatically be adjusted by DirectAdmin, you will have to run your own nameservers on your server.
Or create some system with a delay (found it somewhere on the forums) with AXFR so external DNS can be adjusted in time, before Letsencrypt validates the check.
It's spoken of somewhere on the forum, but for this your external DNS must allow you to automatically create changes to begin with.

So my nameserver is not listed in the zone files for my domains
I don't understand this part. Why should it not be listed in the zonefiles for your domains if it's the master nameserver? Unless you did not put this as primary nameserver yourself?

Or have the admin set a value to wait between DNS-record inserts and starting the request?
There is an option for a delay, it's spoken of on the forums.

Have a look at this thread, especially post #12.
 
I don't understand this part. Why should it not be listed in the zonefiles for your domains if it's the master nameserver? Unless you did not put this as primary nameserver yourself?

My nameserver is the master for all my domains, but is not listed in the SOA because GoDaddy doesn't allow listing their servers as 'Custom Servers' anymore. They only allow setting their 'Standard Servers' which does not include my own.
So I have two options: run my server along with another in another subnet or use GoDaddy's servers while not listing my own. This works quite well, although the AXFR's aren't being requested fast enough. I'll take a look at the delay-option in the link you provided. Thanks!
 
They only allow setting their 'Standard Servers' which does not include my own.
Ah oke, so if I understand correctly GoDaddy is your registrar and does not allow you to put their nameservers up as secondary nameservers, because you can't put your own as primary nameservers. Is that correct? Sorry if I sometimes am a bit slow, just curious about how this is working with LE wildcards then and I'm not native English.

Seems to me if your nameserver is not listed as primary nameserver at your registrar, for letsencrypt you are using kind of external nameservers. I hope the delay-option will fix that for you. I've read it would work for some people.
 
You're right, I register all my domains with GoDaddy. Their web-based GUI is awfully slow but I only spend time there creating or deleting domains; the rest is done on my DA server.

In the past, I could tell GD to use 'other' name servers, like for example (drumroll) their own! 😇 I just had to enter the hostnames and IP-addresses and GD would pick that up just fine. So I used Godaddy's two nameserver pdns13 and pdns14 (.domaincontrol.com) for every tld out there (.com, .net, .info, .nl, .de, .to, etc). Those servers are licensed, certified, accredited, etc, etc. I would also add my own nameserver in the list so that all my domains had 3 name servers. Then I would tell pdns13/14 to be slaves and all was well.

Since about a year ago, GD doesn't allow you to manually enter their own hostnames or IP-addresses. You can either 'use their servers' or 'enter your own'. Because I have only one server (or better still, I have one subnet and since The Internets likes name servers to reside on different branches), I couldn't use my own. So to work my way around that, I called them up and asked the kind lady to move all my domains to the pdns13/14 pair so I could enter those in my zone template. That way I could just create a new user with a domain, website, mail, etc; all on those two servers. To have DA dictate the contents of the zone files on GD's servers, I had to set my own server as Master. But since I cannot add my own server to the NS list when using 'Our Servers', I simply let GD run my DNS with my own server being the Master, without my server being listed as NS. That worked well for a while, until...

GD went in another direction of assigning my newly registered domains to random servers and there is no way Support will change them to the 13/14 pair. So now I'm usually on 1/2, 3/4, 7/8 and 13/14. Because of that, whenever adding a new domain I now have to check my domain list at GD to see what server pair I'm on and change the zone file on my own server before telling GD they are slave for the newly added domain. A bit of a fuss, but it works well. I just set the name servers to pdns.domaincontrol.com and fill in the numbers at a later time. Thankfully their two transfer servers remain the same. -for now-

Hope you liked the read, friend from the south of the country 😉
 
Sliding back on topic, I have now found a bit of a workaround (I've posted this in another thread as well): make the LE Wildcard request 10 to 5 seconds before the top-of-the-minute. That way, DA will (hopefully) Send Notifies and the LE script has more time to do its magic. If you make a wildcard request at --:05, DA will wait 55 seconds before the task queue is run, essentially wasting those 55 seconds. By timing correctly (and thanks to the fast AXFR-servers at GoDaddy), my wildcard requests are being generated successfully about 80% of the time without any changes to scripts.
 
Thank you for the extended explanation on how that worked there. Pity you can't do that anymore.
The only thing I don't know is why you're only at GD for registering domains, unless it was for that nameserver option. I always use several registrars depending on the domain name requested.
Still.... if you know that for like 1€ a month you could have a vps with an ipv4 ip (ionos in Germany vps S), put directslave on there and you have your own slave DNS which works directly with DA for a price which is cheaper than an extra ip on most servers/vps. :)

I like your solution too though, just a pity GD kind of threw sand in the food.
Yep, I could appreciate it, friend from elsewhere in the country. ;)
 
Hello guys, let me share with you how I managed to solve this problem using letsencrypt requesting a wildcard on external DNS. It works perfectly. I hope this post will help somebody here. You don't need to edit any other things (no need to manually add records in the external DNS like _acme-challenge-test or _acme-challenge, no need to increase DIG_SECONDS like I said before, you don't even have to touch letsencrypt.sh), just one piece of script and it will manage everything. I'm using Linode to manage my DNS externally but I think this guide is likely the same for other DNS providers like GoDaddy, DigitalOcean, etc. You can even use various DNS providers to renew these wildcard certs. In this case you need to check in your script which registrar the domain that you are trying to request wildcard certs for is in; if it belongs to GoDaddy then call the GoDaddy API, else call the DigitalOcean API, etc. But in my case I only use Linode so only 1 API is needed:

1) First step, I need to be able to use the API in my server in order to be able to add and delete domains. Here is the link for Linode on how to install linode-cli on my server: https://www.linode.com/docs/platform/api/linode-cli/ . I followed the instructions there on how to install the API until I was able to fire up linode-cli -h in my server terminal and do add, delete operations for testing in the terminal. For GoDaddy I think it would be here. https://developer.godaddy.com/. The important requirement is that your external DNS must have an API to do basic domain operations like add, delete.

2) Then as pointed by @smtalk we can use taskq_dns_post.sh in /usr/local/directadmin/scripts/custom/taskq_dns_post.sh

3) For this taskq_dns_post.sh, I have the following content (for add, delete and update operations (just in case), you can see the API documentation):

Code:
#!/bin/sh
# taskq_dns_post.sh
# Author - Arafat Ali : github.com/arafatx | gitlab.com/arafatx
# [email protected]
# DA wildcard request for linode external DNS: DirectAdmin runs this hook after
# every local DNS change, so each add/delete/update is mirrored to the Linode
# zone and the _acme-challenge TXT records Let's Encrypt looks up really exist
# on the nameservers that serve the domain.
LPYENV="/home/admin/maxipy/bin/./linode-cli"
MYEMAIL="[email protected]"
MYHOSTNAME=$(/bin/hostname)
WARNING_STATUS="OK"
MAIL_BIN="/usr/local/bin/mail"
REPORT_FILE="/tmp/taskq-dns-post-report.log"
cat /dev/null > "$REPORT_FILE"
# DEFINED VARIABLES PASSED FOR taskq_dns_post.sh (exported by DirectAdmin):
ACTION=$action
DOMAIN=$domain
DO_ACTION=$do
TYPE=$type
NAME=$name
VALUE=$(echo "$value" | tr -d '"')   # DA passes TXT values quoted; the API wants them bare
NAMED_RELOAD=$named_reload
TTL=$ttl
DNS_USER_TTL_SEC="5"  # Decrease this value to the lowest possible for best propagation. You can see what the lowest TTL value can be in your DNS from your external DNS record manager.

# get Domain ID
getLinodeDomainID()
{
        "$LPYENV" domains list --domain "$DOMAIN" --pretty --json |
                fgrep '"id":' |
                sed -r 's/[^0-9]//g'
}

# get existing DNS record name (only the two ACME names are of interest here)
getDNSRecordNameACME()
{
        LinodeDomainID=$(getLinodeDomainID "$DOMAIN")

        if [ -n "$LinodeDomainID" ]; then
                if [ "$NAME" = "_acme-challenge" ]; then
                        "$LPYENV" domains records-list --page 2 "$LinodeDomainID" --pretty --json | grep "\"name\": \"$NAME\"" | grep -o '_acme[^"]challenge'
                elif [ "$NAME" = "_acme-challenge-test" ]; then
                        "$LPYENV" domains records-list --page 2 "$LinodeDomainID" --pretty --json | grep "\"name\": \"$NAME\"" | grep -o '_acme[^"]challenge-test'
                fi
        fi
}


# get existing DNS record ID (the "id" line precedes the "name" line in the JSON listing)
getDNSRecordID()
{
        LinodeDomainID=$(getLinodeDomainID "$DOMAIN")

        if [ -n "$LinodeDomainID" ]; then
                "$LPYENV" domains records-list --page 2 "$LinodeDomainID" --pretty --json | grep "\"name\": \"$NAME\"" -B 1 | head -n 1 | sed -r 's/[^0-9]//g'
        fi
}

# Sync the records. Whenever DA adds a record in local DNS, it passes the DO_ACTION value, so we can use it to sync to external DNS:
# (plain "=" is used in the tests below because /bin/sh may be dash, which rejects "==")

if [ "$DO_ACTION" = "add" ]; then
        #addDNSRecord
        echo  "[taskq_dns_post | info]: Operation: $DO_ACTION, ACTION: $ACTION" | tee -a "$REPORT_FILE"
        LinodeDomainID=$(getLinodeDomainID "$DOMAIN")
        DNSRecordName=$(getDNSRecordNameACME "$DOMAIN")

        if [ -z "$DNSRecordName" ]; then # If record empty then add new
                echo "[taskq_dns_post | info]: OK, existing record name not found. adding new record ... " | tee -a "$REPORT_FILE"
                "$LPYENV" domains records-create "$LinodeDomainID" --pretty --json \
                        --name "$NAME" \
                        --target "$VALUE" \
                        --type "$TYPE" \
                        --ttl_sec "$DNS_USER_TTL_SEC"
                echo "[taskq_dns_post | info]: OK, DNS record entry $NAME for $DOMAIN has been added with TTL_SEC = \"$DNS_USER_TTL_SEC\"." | tee -a "$REPORT_FILE"
        #sleep 60m
        else
                WARNING_STATUS="WARNING"
                echo "[taskq_dns_post | info]: Warning, unable to add new record for \"$NAME\" because existing record name \"$DNSRecordName\" is found." | tee -a "$REPORT_FILE"
        fi
elif [ "$DO_ACTION" = "delete" ]; then
        #deleteDNSRecord
        echo  "[taskq_dns_post | info]: Operation: $DO_ACTION, ACTION: $ACTION" | tee -a "$REPORT_FILE"
        LinodeDomainID=$(getLinodeDomainID "$DOMAIN")
        DNSRecordID=$(getDNSRecordID "$DOMAIN")

        if [ -n "$DNSRecordID" ]; then # If ID exists (not empty) then we can do the delete operation
                echo "[taskq_dns_post | info]: OK, DNSRecordID found "
                "$LPYENV" domains records-delete "$LinodeDomainID" "$DNSRecordID"
                echo "[taskq_dns_post | info]: OK, DNS record entry $NAME for $DOMAIN has been deleted." | tee -a "$REPORT_FILE"
        else
                echo "[taskq_dns_post | info]: Warning, unable to delete existing record for $DOMAIN because DNSRecordID returns empty value." | tee -a "$REPORT_FILE"
        fi

elif [ "$DO_ACTION" = "update" ]; then
        #updateDNSRecord
        echo  "[taskq_dns_post | info]: Operation: $DO_ACTION, ACTION: $ACTION" | tee -a "$REPORT_FILE"
        LinodeDomainID=$(getLinodeDomainID "$DOMAIN")
        DNSRecordID=$(getDNSRecordID "$DOMAIN")

        if [ -n "$DNSRecordID" ]; then # If record ID exists, then we can do the update operation
                echo "[taskq_dns_post | info]: OK, DNSRecordID found "
                "$LPYENV" domains records-update "$LinodeDomainID" "$DNSRecordID" --pretty --json \
                        --name "$NAME" \
                        --target "$VALUE" \
                        --ttl_sec "$DNS_USER_TTL_SEC"
                echo "[taskq_dns_post | info]: OK, DNS record for $DOMAIN with entry name \"$NAME\" has been updated to \"$VALUE\" with TTL_SEC = \"$DNS_USER_TTL_SEC\""  | tee -a "$REPORT_FILE"
        else
                echo "[taskq_dns_post | info]: Warning, unable to update existing record for $DOMAIN because DNSRecordID returns empty value." | tee -a "$REPORT_FILE"
        fi
else
        echo "[taskq_dns_post | info]: Warning, unknown action: $DO_ACTION" | tee -a "$REPORT_FILE"
fi

echo "=====================================================================" | tee -a "$REPORT_FILE"

"$MAIL_BIN"  -s "[letsencrypt | $DOMAIN | $WARNING_STATUS]: Post Script has executed $DO_ACTION operation @ $MYHOSTNAME" "$MYEMAIL" < "$REPORT_FILE"

4) Make sure to chmod +x taskq_dns_post.sh

5) Then you can test requesting a wildcard certificate

How does it work? With this script, every time letsencrypt tries to add or delete a domain, it will also do the same operation on the external domain in the Linode external DNS. So both records are matching. The time to request this wildcard certificate took less than 1 minute on my Linode external DNS. You will also get an email about the delete/add operations that are happening on the external DNS. You can change the email in this script. You see this script basically has the same structure and you just need to know how to call it using the API on other registrars. Also the renewing process is working perfectly like it used to. In case the record does not propagate in time for some unknown reason, you can uncomment this value #sleep 60m and let the script wait for a few minutes before verification; example 15 minutes sleep: sleep 15m. But for Linode DNS I don't have this propagation issue so I comment this out (maybe because I put the lowest TTL here: DNS_USER_TTL_SEC="5"). When you use this sleep function, keep in mind that letsencrypt actually executes taskq_dns_post.sh more than 1 time until the validation succeeds, where the basic operation is to delete and to add the record instead of using the update method (https://forum.directadmin.com/threads/question-on-taskq_dns_post-sh.61615/). So if you put sleep 15m, and if taskq_dns_post.sh is called 3 times for the add operation until it succeeds, then you are going to wait 15 minutes X 3 ~ 45 minutes for the script to finish executing in one request!


Here is the screenshot for requesting these wildcard certs when my domain is on external DNS:

[Screenshot: requestwildcertsonexternaldns.PNG]
 
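Every fix discussed in this thread for the "Incorrect TXT record ... found" failure is a guess at how long the external nameservers need: DIG_SECONDS in step 4 of the list further up, the delay option mentioned in the replies, the commented-out sleep 60m in the script above. The script below is an added example, not code from the thread, from the script author or from DirectAdmin. Instead of sleeping, it asks each authoritative nameserver of the zone directly for the TXT record and only reports success once all of them serve the expected value, so the ACME validation (or DirectAdmin's own _acme-challenge-test "pre-check") is started only when it can pass. It assumes dig is installed; the LOOKUP_TXT hook, the acme_txt_wait.sh filename and the nameserver names and token in the comments are my own constructed assumptions, and the DirectAdmin variables it maps to ($domain, $name, $value) are the ones taskq_dns_post.sh already reads.

```shell
#!/bin/sh
# acme_txt_wait.sh (added example, not part of the thread or of DirectAdmin):
# poll every authoritative nameserver of a zone for a TXT record and return
# only when all of them serve the expected value. Meant to replace a fixed
# sleep / DIG_SECONDS wait before the ACME DNS-01 validation is started.
# Assumes `dig` (bind-utils / dnsutils) is installed.

# lookup_txt NAME SERVER: print the TXT strings SERVER returns for NAME,
# one per line, quotes removed. Asks the server directly, no recursion,
# so a cached answer from a resolver cannot mislead the check.
lookup_txt() {
    dig +short +norecurse "@$2" "$1" TXT 2>/dev/null | tr -d '"'
}

# authoritative_ns ZONE: print the NS hostnames delegated for ZONE.
authoritative_ns() {
    dig +short "$1" NS
}

# txt_propagated NAME EXPECTED NS...: succeed only when every listed server
# returns EXPECTED for NAME. An empty server list fails on purpose: if the
# NS lookup returned nothing we must not treat the record as propagated.
# LOOKUP_TXT may name another function (assumption: used to stub dig in tests).
txt_propagated() {
    local name expected ns got
    name=$1; expected=$2; shift 2
    [ "$#" -gt 0 ] || return 1
    for ns in "$@"; do
        got=$("${LOOKUP_TXT:-lookup_txt}" "$name" "$ns") || got=""
        # exact whole-line match (-x -F): a stale token from an earlier
        # attempt, or a longer string containing the token, is not "present"
        echo "$got" | grep -qxF -- "$expected" || return 1
    done
    return 0
}

# wait_for_txt NAME EXPECTED TIMEOUT INTERVAL NS...: poll until propagated,
# or give up (return 1) once TIMEOUT seconds have passed.
wait_for_txt() {
    local name expected timeout interval waited
    name=$1; expected=$2; timeout=$3; interval=$4; shift 4
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if txt_propagated "$name" "$expected" "$@"; then
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 1
}

# Command-line use: acme_txt_wait.sh ZONE NAME EXPECTED [TIMEOUT] [INTERVAL]
#   e.g. acme_txt_wait.sh example.com _acme-challenge.example.com "$VALUE" 300 10
# From taskq_dns_post.sh, ZONE is $domain, NAME is $name and EXPECTED is
# $value with its quotes stripped (constructed example values).
if [ "$#" -ge 3 ]; then
    zone=$1; name=$2; expected=$3; timeout=${4:-300}; interval=${5:-10}
    # word-splitting of the NS list into positional parameters is intended
    set -- $(authoritative_ns "$zone")
    if wait_for_txt "$name" "$expected" "$timeout" "$interval" "$@"; then
        echo "$name is served by all $# authoritative servers; safe to validate"
    else
        echo "timed out after ${timeout}s waiting for $name; not safe to validate yet" >&2
        exit 1
    fi
fi
```

Because the poll talks to each authoritative server rather than to a recursive resolver, it is not fooled by a cached answer, and the exact-line match means the stale token behind the "Incorrect TXT record" error quoted earlier in the thread is reported as not yet propagated rather than as success. Keep the timeout short, since the thread notes that taskq_dns_post.sh is invoked more than once per request.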
domain works perfectly.
letsencrypt updated...

and I got this error for all my domains in this server

2020/11/18 21:15:19 [INFO] [dersalilacxxxxx.com, www.dersalilacxxxxx.com] acme: Obtaining SAN certificate
2020/11/18 21:15:25 [INFO] [dersalilacxxxxxx.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8696482974
2020/11/18 21:15:25 [INFO] [www.dersalilacxxxxx.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8696482975
2020/11/18 21:15:25 [INFO] [dersalilacxxxxx.com] acme: Could not find solver for: tls-alpn-01
2020/11/18 21:15:25 [INFO] [dersalilacxxxxx.com] acme: use http-01 solver
2020/11/18 21:15:25 [INFO] [www.dersalilacxxxxx.com] acme: Could not find solver for: tls-alpn-01
2020/11/18 21:15:25 [INFO] [www.dersalilacxxxxxx.com] acme: use http-01 solver
2020/11/18 21:15:25 [INFO] [dersalilacdxxxxx.com] acme: Trying to solve HTTP-01
2020/11/18 21:15:30 [INFO] [www.dersalilacxxxxx.com] acme: Trying to solve HTTP-01
2020/11/18 21:16:21 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8696482974
2020/11/18 21:16:22 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8696482974
2020/11/18 21:16:22 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8696482975
2020/11/18 21:16:22 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8696482975
2020/11/18 21:16:22 Could not obtain certificates:
error: one or more domains had a problem:
[dersalilacxxxxx.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for dersalilacdxxxxx.com - the domain's nameservers may be malfunctioning, url:
[www.dersalilacxxxxx.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for www.dersalilacxxxxx.com - the domain's nameservers may be malfunctioning, url:
Certificate generation failed.
 