Acme.sh: cloudflare invalid domain

Created on 11 Apr 2017 · 9 Comments · Source: acmesh-official/acme.sh

# acme.sh --renew -d stethoscope-sandbox.methods.co.uk --debug 2 | tee ~/ac.log
[Tue Apr 11 12:40:59 BST 2017] Lets find script dir.
[Tue Apr 11 12:40:59 BST 2017] _SCRIPT_='/root/.acme.sh/acme.sh'
[Tue Apr 11 12:40:59 BST 2017] _script='/root/.acme.sh/acme.sh'
[Tue Apr 11 12:40:59 BST 2017] _script_home='/root/.acme.sh'
[Tue Apr 11 12:40:59 BST 2017] 6:ACCOUNT_EMAIL='XX'
[Tue Apr 11 12:40:59 BST 2017] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.6.5
[Tue Apr 11 12:40:59 BST 2017] DOMAIN_PATH='/etc/ssl/private//stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] Renew: 'stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] Using api: https://acme-v01.api.letsencrypt.org
[Tue Apr 11 12:40:59 BST 2017] Le_NextRenewTime='1490054442'
[Tue Apr 11 12:40:59 BST 2017] 1:Le_Domain='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] 2:Le_Alt='no'
[Tue Apr 11 12:40:59 BST 2017] 3:Le_Webroot='dns_cf'
[Tue Apr 11 12:40:59 BST 2017] 4:Le_PreHook=''
[Tue Apr 11 12:40:59 BST 2017] 5:Le_PostHook=''
[Tue Apr 11 12:40:59 BST 2017] 6:Le_RenewHook=''
[Tue Apr 11 12:40:59 BST 2017] 7:Le_API='https://acme-v01.api.letsencrypt.org'
[Tue Apr 11 12:40:59 BST 2017] _on_before_issue
[Tue Apr 11 12:40:59 BST 2017] 'dns_cf' does not contain 'no'
[Tue Apr 11 12:40:59 BST 2017] Le_LocalAddress
[Tue Apr 11 12:40:59 BST 2017] Check for domain='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] _currentRoot='dns_cf'
[Tue Apr 11 12:40:59 BST 2017] 'dns_cf' does not contain 'apache'
[Tue Apr 11 12:40:59 BST 2017] _saved_account_key_hash='XXX'
[Tue Apr 11 12:40:59 BST 2017] _saved_account_key_hash is not changed, skip register account.
[Tue Apr 11 12:40:59 BST 2017] Read key length:
[Tue Apr 11 12:40:59 BST 2017] _createcsr
[Tue Apr 11 12:40:59 BST 2017] domain='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] domainlist
[Tue Apr 11 12:40:59 BST 2017] csrkey='/etc/ssl/private//stethoscope-sandbox.methods.co.uk/stethoscope-sandbox.methods.co.uk.key'
[Tue Apr 11 12:40:59 BST 2017] csr='/etc/ssl/private//stethoscope-sandbox.methods.co.uk/stethoscope-sandbox.methods.co.uk.csr'
[Tue Apr 11 12:40:59 BST 2017] csrconf='/etc/ssl/private//stethoscope-sandbox.methods.co.uk/stethoscope-sandbox.methods.co.uk.csr.conf'
[Tue Apr 11 12:40:59 BST 2017] Single domain='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] _is_idn_d='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] _idn_temp
[Tue Apr 11 12:40:59 BST 2017] _csr_cn='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] 8:Le_Keylength=''
[Tue Apr 11 12:40:59 BST 2017] Getting domain auth token for each domain
[Tue Apr 11 12:40:59 BST 2017] Getting webroot for domain='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] _w='dns_cf'
[Tue Apr 11 12:40:59 BST 2017] _currentRoot='dns_cf'
[Tue Apr 11 12:40:59 BST 2017] Getting new-authz for domain='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] Try new-authz for the 0 time.
[Tue Apr 11 12:40:59 BST 2017] _is_idn_d='stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:40:59 BST 2017] _idn_temp
[Tue Apr 11 12:40:59 BST 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Apr 11 12:40:59 BST 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "stethoscope-sandbox.methods.co.uk"}}'
[Tue Apr 11 12:40:59 BST 2017] RSA key
[Tue Apr 11 12:40:59 BST 2017] Get nonce.
[Tue Apr 11 12:40:59 BST 2017] GET
[Tue Apr 11 12:40:59 BST 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Apr 11 12:40:59 BST 2017] timeout
[Tue Apr 11 12:40:59 BST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.0vsxH17Yfg '
[Tue Apr 11 12:41:00 BST 2017] ret='0'
[Tue Apr 11 12:41:00 BST 2017] _headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: XXX
Replay-Nonce: XXX
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 11 Apr 2017 11:41:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 11 Apr 2017 11:41:00 GMT
Connection: keep-alive
'
[Tue Apr 11 12:41:00 BST 2017] _CACHED_NONCE='XXX'
[Tue Apr 11 12:41:00 BST 2017] nonce='XXX'
[Tue Apr 11 12:41:00 BST 2017] POST
[Tue Apr 11 12:41:00 BST 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Apr 11 12:41:00 BST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": XXX"}}, "protected": "XXX", "payload": "XXX", "signature": "XXX"}'
[Tue Apr 11 12:41:00 BST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.lwIFD3NtmW '
[Tue Apr 11 12:41:01 BST 2017] _ret='0'
[Tue Apr 11 12:41:01 BST 2017] original='{
  "identifier": {
    "type": "dns",
    "value": "stethoscope-sandbox.methods.co.uk"
  },
  "status": "pending",
  "expires": "2017-04-18T11:41:01.138926965Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600464",
      "token": "XXX"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600465",
      "token": "XXX"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600466",
      "token": "XXX"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}'
[Tue Apr 11 12:41:01 BST 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 11 Apr 2017 11:41:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 1021
Boulder-Request-Id: XXX
Boulder-Requester: 6455430
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/XXX
Replay-Nonce: XXX
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 11 Apr 2017 11:41:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 11 Apr 2017 11:41:01 GMT
Connection: keep-alive
'
[Tue Apr 11 12:41:01 BST 2017] response='{"identifier":{"type":"dns","value":"stethoscope-sandbox.methods.co.uk"},"status":"pending","expires":"2017-04-18T11:41:01.138926965Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600464","token":"XXX"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600465","token":"XXX"},{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600466","token":"XXX"}],"combinations":[[1],[0],[2]]}'
[Tue Apr 11 12:41:01 BST 2017] code='201'
[Tue Apr 11 12:41:01 BST 2017] The new-authz request is ok.
[Tue Apr 11 12:41:01 BST 2017] entry='"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600466","token":"XXX"'
[Tue Apr 11 12:41:01 BST 2017] token='XXX'
[Tue Apr 11 12:41:01 BST 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600466'
[Tue Apr 11 12:41:01 BST 2017] keyauthorization='XXX.XXX'
[Tue Apr 11 12:41:01 BST 2017] dvlist='stethoscope-sandbox.methods.co.uk#XXX.XXX#https://acme-v01.api.letsencrypt.org/acme/challenge/XXX/1002600466#dns-01#dns_cf'
[Tue Apr 11 12:41:01 BST 2017] txtdomain='_acme-challenge.stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:41:01 BST 2017] txt='XXX'
[Tue Apr 11 12:41:01 BST 2017] d_api='/root/.acme.sh/dnsapi/dns_cf.sh'
[Tue Apr 11 12:41:01 BST 2017] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Tue Apr 11 12:41:01 BST 2017] 31:CF_Key='XXX'
[Tue Apr 11 12:41:01 BST 2017] 33:CF_Email='XXX'
[Tue Apr 11 12:41:01 BST 2017] First detect the root zone
[Tue Apr 11 12:41:01 BST 2017] zones?name=stethoscope-sandbox.methods.co.uk
[Tue Apr 11 12:41:01 BST 2017] GET
[Tue Apr 11 12:41:01 BST 2017] url='https://api.cloudflare.com/client/v4/zones?name=stethoscope-sandbox.methods.co.uk'
[Tue Apr 11 12:41:01 BST 2017] timeout
[Tue Apr 11 12:41:01 BST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.dDngL1jw2s '
[Tue Apr 11 12:41:01 BST 2017] ret='0'
[Tue Apr 11 12:41:01 BST 2017] response='{"success":false,"errors":[{"code":9103,"message":"Unknown X-Auth-Key or X-Auth-Email"}],"messages":[],"result":null}'
[Tue Apr 11 12:41:01 BST 2017] zones?name=methods.co.uk
[Tue Apr 11 12:41:01 BST 2017] GET
[Tue Apr 11 12:41:01 BST 2017] url='https://api.cloudflare.com/client/v4/zones?name=methods.co.uk'
[Tue Apr 11 12:41:01 BST 2017] timeout
[Tue Apr 11 12:41:01 BST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.Pyv2E0ZsXJ '
[Tue Apr 11 12:41:02 BST 2017] ret='0'
[Tue Apr 11 12:41:02 BST 2017] response='{"success":false,"errors":[{"code":9103,"message":"Unknown X-Auth-Key or X-Auth-Email"}],"messages":[],"result":null}'
[Tue Apr 11 12:41:02 BST 2017] zones?name=co.uk
[Tue Apr 11 12:41:02 BST 2017] GET
[Tue Apr 11 12:41:02 BST 2017] url='https://api.cloudflare.com/client/v4/zones?name=co.uk'
[Tue Apr 11 12:41:02 BST 2017] timeout
[Tue Apr 11 12:41:02 BST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.Imv31SeYUY '
[Tue Apr 11 12:41:02 BST 2017] ret='0'
[Tue Apr 11 12:41:02 BST 2017] response='{"success":false,"errors":[{"code":9103,"message":"Unknown X-Auth-Key or X-Auth-Email"}],"messages":[],"result":null}'
[Tue Apr 11 12:41:02 BST 2017] zones?name=uk
[Tue Apr 11 12:41:02 BST 2017] GET
[Tue Apr 11 12:41:02 BST 2017] url='https://api.cloudflare.com/client/v4/zones?name=uk'
[Tue Apr 11 12:41:02 BST 2017] timeout
[Tue Apr 11 12:41:02 BST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.foyM39CrdM '
[Tue Apr 11 12:41:02 BST 2017] ret='0'
[Tue Apr 11 12:41:02 BST 2017] response='{"success":false,"errors":[{"code":9103,"message":"Unknown X-Auth-Key or X-Auth-Email"}],"messages":[],"result":null}'
[Tue Apr 11 12:41:02 BST 2017] invalid domain
[Tue Apr 11 12:41:02 BST 2017] Error add txt for domain:_acme-challenge.stethoscope-sandbox.methods.co.uk
[Tue Apr 11 12:41:02 BST 2017] pid
[Tue Apr 11 12:41:02 BST 2017] _clearupdns
[Tue Apr 11 12:41:02 BST 2017] Dns not added, skip.
[Tue Apr 11 12:41:02 BST 2017] _on_issue_err
[Tue Apr 11 12:41:02 BST 2017] Please add '--debug' or '--log' to check more details.
[Tue Apr 11 12:41:02 BST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Tue Apr 11 12:41:02 BST 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2g  1 Mar 2016
apache:
apache doesn't exists.
nc:
OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
      [-P proxy_username] [-p source_port] [-q seconds] [-s source]
      [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
      [-x proxy_address[:port]] [destination] [port]
    Command Summary:
        -4      Use IPv4
        -6      Use IPv6
        -b      Allow broadcast
        -C      Send CRLF as line-ending
        -D      Enable the debug socket option
        -d      Detach from stdin
        -h      This help text
        -I length   TCP receive buffer length
        -i secs     Delay interval for lines sent, ports scanned
        -j      Use jumbo frame
        -k      Keep inbound sockets open for multiple connects
        -l      Listen mode, for inbound connects
        -n      Suppress name/port resolutions
        -O length   TCP send buffer length
        -P proxyuser    Username for proxy authentication
        -p port     Specify local port for remote connects
            -q secs     quit after EOF on stdin and delay of secs
        -r      Randomize remote ports
        -S      Enable the TCP MD5 signature option
        -s addr     Local source address
        -T toskeyword   Set IP Type of Service
        -t      Answer TELNET negotiation
        -U      Use UNIX domain socket
        -u      UDP mode
        -V rtable   Specify alternate routing table
        -v      Verbose
        -w secs     Timeout for connects and final net reads
        -X proto    Proxy protocol: "4", "5" (SOCKS) or "connect"
        -x addr[:port]  Specify proxy address and port
        -Z      DCCP mode
        -z      Zero-I/O mode [used for scanning]
    Port numbers can be individual or ranges: lo-hi [inclusive]

All 9 comments

Your api key seems changed:

response='{"success":false,"errors":[{"code":9103,"message":"Unknown X-Auth-Key or X-Auth-Email"}],"messages":[],"result":null}'
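
An added example (not part of the thread and not acme.sh code): the log above ends in "invalid domain" even though every Cloudflare zone lookup failed with code 9103. This sketch reads a `--debug 2` log on stdin and reports whether zone detection failed on authentication or on a genuinely missing zone; the function names and the shape of the success-case response are assumptions.

```shell
#!/bin/sh
# Classify why dns_cf zone detection failed, using only the Cloudflare
# response='...' lines of an acme.sh debug log read from stdin.
# Prints: auth_error | api_error | zone_found | zone_not_found | no_cf_response
classify_cf_failure() {
  awk '
    # Cloudflare API bodies carry a "success" field; ACME responses do not.
    /response=/ && /"success":false/ {
      failed++
      if ($0 ~ /"code":9103/) auth++     # code 9103 as quoted in the issue
    }
    /response=/ && /"success":true/ {
      if ($0 ~ /"result":\[\]/) empty++  # credentials accepted, no zone matched
      else found++
    }
    END {
      if (auth > 0)        print "auth_error"
      else if (failed > 0) print "api_error"
      else if (found > 0)  print "zone_found"
      else if (empty > 0)  print "zone_not_found"
      else                 print "no_cf_response"
    }
  '
}

# Sample built from the 9103 response and final message shown in the issue.
sample_auth_log() {
  cat <<'EOF'
[Tue Apr 11 12:41:01 BST 2017] response='{"success":false,"errors":[{"code":9103,"message":"Unknown X-Auth-Key or X-Auth-Email"}],"messages":[],"result":null}'
[Tue Apr 11 12:41:02 BST 2017] invalid domain
EOF
}

# Constructed sample (response shape assumed): valid credentials, no such zone.
sample_nozone_log() {
  cat <<'EOF'
[constructed] response='{"result":[],"success":true,"errors":[],"messages":[]}'
[constructed] invalid domain
EOF
}

echo "auth sample:    $(sample_auth_log | classify_cf_failure)"
echo "no-zone sample: $(sample_nozone_log | classify_cf_failure)"
```

Run it against a real log with `classify_cf_failure < ~/ac.log`. Logs at this debug level record `CF_Key` and `CF_Email`, so redact them before sharing, as the reporter did.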

I did export them just before running renew.
Shouldn't that update the acme.sh config file where it saves the keys?

@FernandoMiguel
Yes, that's a known issue, which I'm thinking to fix.
For now, please edit the account.conf with the new api key.

I've just manually updated the account.conf and now it works :(

keep this issue open, I will fix soon.

Thanks.

@FernandoMiguel

I just made a fix https://github.com/Neilpang/acme.sh/pull/785

You can change CF_Key and CF_Email from env variable now.

Please try with the latest v2.6.9 version.

If there is no problem, I will fix it for all the other dns apis.

Thanks.

I've already manually fixed the account.conf and reissued the certs.
Can't test again for that one.
I'll keep an eye on the rest of the fleet and let you know if we have any more problems.

helpful! thanks!

CF changing my Global Key caused the same issue; updating the account.conf works, thanks!
