Any new letsencrypt's wildcard plugin?

darkbear

Verified User
Joined
Jan 31, 2013
Messages
45
Still got an error for wildcard:

"Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
Requesting new certificate order...
Processing authorization for xxx.com...
Challenge is valid.
Processing authorization for xxx.com...
DNS challenge test fail for _acme-challenge.xxx.com IN TXT "xxxxxxxxxxxxxxxxxxxxxxxxxx", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
DNS validation failed. Exiting..."

and still without problem (created successfully) when getting a cert for a non-wildcard

Thanks
 

darkbear

Verified User
Joined
Jan 31, 2013
Messages
45
I think it is a problem with letsencrypt's verification TXT records. If letsencrypt's plugin adds a "named" service reload and restart, will it help?
 

darkbear

Verified User
Joined
Jan 31, 2013
Messages
45
Yes, and I tried a newly registered domain and got the same problem.
Thanks
 

Awd

Verified User
Joined
Aug 9, 2015
Messages
316
I don't want to disturb this thread, but could you explain a bit more about the TXT record? See #17 in this thread.
Is it generated once and kept the same, or is a new key generated at every automatic renewal? If it stays the same, we could let it "stay" in external DNS.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,328
Location
LT, EU
It's removed immediately after generation of the cert, it will not be the same on the next renewal time.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
It won't work with the multiserver function yet, will it?

Some wild dances with DNS_SERVER="8.8.8.8" and other public DNS from https://public-dns.info/. Probably you could add more than one DNS into the script?

And temporarily commented out

Code:
echo "action=dns&do=delete&domain=${single_domain}&type=TXT&name=_acme-challenge" >> ${TASK_QUEUE}
for multiserver to catch the records.

And an attempt #4 or #5 succeeded.... a wildcard cert installed for 2 domains.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,328
Location
LT, EU
It won't work with the multiserver function yet, will it?
It should have no problems with DA multi-server.

Some wild dances with DNS_SERVER="8.8.8.8" and other public DNS from https://public-dns.info/. Probably you could add more than one DNS into the script?
Did you experience issues with it? We could change it or add others, if you had problems with it.

And temporarily commented out

Code:
echo "action=dns&do=delete&domain=${single_domain}&type=TXT&name=_acme-challenge" >> ${TASK_QUEUE}
for multiserver to catch the records.
This should not be needed, because the record is only removed when the status of the Let's Encrypt challenge is "valid", meaning verification is done already.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
#VERSION=1.1.2

OK, here is what I did:

Code:
echo 'action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge' >> /usr/local/directadmin/data/task.queue
echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d1000

then check (locally)

Code:
cat /var/named/domain.com.db | grep TXT
and there is no _acme-challenge record.

The commands are executed in a reverse order:

Code:
dataskq: command: action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes
File /var/named/domain.com.db.temp appears ok to named-checkzone
Doing an immediate reload of named
dataskq: command: action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge
and the local and remote name servers do not contain the TXT record even before the challenge tests begin...

What do I miss?


The single command works fine:

Code:
echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d1000
without delete.


As far as I can see, you add an ACME record, reload named, and remove the ACME record without reloading named. ACME records exist in a running named until it reloads/restarts.... but .... if it restarts for another reason...


Did you experience issues with it? We could change it or add others, if you had problems with it.


Google caches for too long... I had to switch DNS to avoid it. So I guess you might want to add several DNS servers for testing.


~~~ added ~~~

As for MS to work: should remote DA servers be updated with the pre-release version?
 

dave097

Verified User
Joined
May 8, 2014
Messages
113
Did you experience issues with it? We could change it or add others, if you had problems with it.
I think it's better to have two DNS servers active in letsencrypt.sh by default. If 8.8.8.8 doesn't work for hours or days, letsencrypt.sh doesn't work either. Another fallback DNS server (not 8.8.4.4) is then handy ;).

Indeed, 8.8.8.8 has little or no interference. But everything is possible :cool:
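The two points raised above, that the _acme-challenge value is different on every renewal (smtalk's reply to Awd) and that the script should not depend on a single public resolver (zEitEr's and dave097's posts), can be shown together. The following is an added example and not code from DirectAdmin's letsencrypt.sh or from anyone in this thread: it derives the dns-01 TXT value from the ACME token and the account key thumbprint exactly as RFC 8555 section 8.4 and RFC 7638 define it, and it polls several resolvers with the same retry cadence the log above shows before the challenge would be submitted. The resolver addresses, the token, the JWK and the `make_fake_resolver` stand-in are constructed for the demonstration; in a real deployment `query` would wrap dig or a DNS library.

```python
# Added example, not code from DirectAdmin's letsencrypt.sh or from any poster in
# this thread.  It shows (1) how the dns-01 TXT value is derived from the ACME
# token and the account key thumbprint, which is why the record is different on
# every renewal, and (2) a propagation check that polls several resolvers with
# retry/backoff before the challenge is submitted, so one slow or broken public
# resolver does not decide the outcome.  Server addresses, tokens and the JWK
# below are constructed sample data.
import base64
import hashlib
import json
import time
from typing import Callable, Dict, Iterable, List, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialized with keys sorted and no whitespace.  Optional members such as
    'alg' or 'use' are ignored, so they cannot change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<domain> must hold
    base64url(SHA-256(token + '.' + thumbprint)).  The CA mints a fresh token for
    each authorization, so the published value changes on every renewal."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# A resolver callable takes (server, name) and returns the TXT strings it sees,
# already unquoted.  In production this would wrap dig or dnspython; here it is
# injected so the polling logic can be exercised offline.
Resolver = Callable[[str, str], List[str]]


def wait_for_txt(name: str, expected: str, servers: Iterable[str], query: Resolver,
                 quorum: int = 1, attempts: int = 20, delay: float = 15.0,
                 sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, Dict[str, bool]]:
    """Poll every resolver until at least `quorum` of them return `expected` for
    `name`.  Returns (ready, {server: seen}) so a caller can log which resolver
    still serves a stale answer instead of only a single pass/fail."""
    seen = {s: False for s in servers}
    for attempt in range(1, attempts + 1):
        for server in seen:
            if seen[server]:
                continue
            try:
                seen[server] = expected in query(server, name)
            except OSError:
                pass  # resolver unreachable this round; keep polling the others
        if sum(seen.values()) >= quorum:
            return True, seen
        if attempt < attempts:
            sleep(delay)
    return False, seen


def make_fake_resolver(script: Dict[str, List[List[str]]]) -> Resolver:
    """Constructed stand-in for DNS: script[server] lists the TXT answers that
    server returns on successive queries; the last entry repeats forever."""
    calls = {server: 0 for server in script}

    def query(server: str, name: str) -> List[str]:
        answers = script[server]
        idx = min(calls[server], len(answers) - 1)
        calls[server] += 1
        return answers[idx]

    return query


if __name__ == "__main__":
    # Constructed account key (placeholder modulus) and token, not real ACME data.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus", "alg": "RS256"}
    value = dns01_txt_value("sample-token", jwk_thumbprint(account_jwk))
    # One resolver keeps returning its stale cache, the other picks up the new
    # record on the second query: the thread's "8.8.8.8 caches too long" case.
    fake = make_fake_resolver({"8.8.8.8": [[]], "1.1.1.1": [[], [value]]})
    ready, seen = wait_for_txt("_acme-challenge.example.com", value,
                               ["8.8.8.8", "1.1.1.1"], fake, delay=0, sleep=lambda _: None)
    print("proceed with challenge:", ready, seen)
```

With `quorum=1` the check behaves like the fallback dave097 asks for: one stale resolver no longer blocks the run as long as another one already sees the record. Raising `quorum` to the number of resolvers makes the check conservative instead, which is the right setting when the servers being polled are the zone's own authoritative name servers rather than public caches.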
 

webunity

Verified User
Joined
Sep 23, 2014
Messages
41
What if you use an external DNS provider? Does that influence the TXT validation in any way?
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,919
Yes, it cannot currently be done with external DNS since DA cannot control it.
There are some 3rd-party modules we're looking into, where DA could then control the external DNS system (assuming it's a larger DNS provider that's included in the module).

John
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,328
Location
LT, EU
OK, here is what I did:

Code:
echo 'action=dns&do=delete&domain=domain.com&type=TXT&name=_acme-challenge' >> /usr/local/directadmin/data/task.queue
echo 'action=dns&do=add&domain=domain.com&type=TXT&name=_acme-challenge&value="AAaaaCCCmeee-Cccchhallenge"&ttl=5&named_reload=yes' >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d1000

then check (locally)

Code:
cat /var/named/domain.com.db | grep TXT
and there is no _acme-challenge record.
Fixed in 1.1.4, thank you for the report!
 

goashawk

New member
Joined
May 28, 2018
Messages
1
Fixed in 1.1.4, thank you for the report!
So happy this finally will become available :)

Any idea when this update will be released in production? What is the approximate timeframe?
I know I could install the pre-release but have no prior experience with that, so if I can avoid it... but if this would take another several months to be released I would give it a try.
(I saw sometimes updates are frequent, sometimes not so...)
 

deeoo

New member
Joined
Jan 11, 2019
Messages
1
converting comodo wildcard to LE

So I have a domain with an expanding amount of subdomains:
www.maindomain.com
client1.maindomain.com
client2.maindomain.com
etc...

Right now I'm using a Comodo wildcard certificate. I'm no expert but also not a noob. But I'm very much struggling with this one as it's on a live domain and I can't have it fail (too long).

  1. First I want to prepare the LE wildcard, but I'm not sure if I can while the comodo SSL is still in place.
  2. I've read this post about the new feature, but it doesn't make sense to me. It keeps saying Must select more than zero entries. |LETSENCRYPT_WC_OPTIONS|
  3. The domain/dns are on a different server than the DA/hosting so I assume that won't work anyway because the local DA can't change the remote DNS, right?

Do you think my safest bet would be to just keep the Comodo?
 