Acme.sh: DNS mode: use dns over https to poll the dns status, instead of a fixed sleep time

Created on 8 Jan 2019  ·  30 Comments  ·  Source: acmesh-official/acme.sh

In dns mode, we need to wait for the txt record to take effect.

Currently, we have a sleep time. It looks silly.

We will use dns over https to poll the dns status.

There are 2 alternatives we can use:

  1. https://developers.google.com/speed/public-dns/docs/dns-over-https
  2. https://developers.cloudflare.com/1.1.1.1/dns-over-https/

All 30 comments

DoT/DoH is just a way to talk to the DNS resolver over a TLS protocol or an HTTPS encrypted socket.

I don't think that can in any way change how you connect to a DNS zone waiting for it to tell you it has updated

@FernandoMiguel
To check if the TXT record has already taken effect we can use nslookup or dig, which uses normal dns over udp.

what I mean is to use dns over https there.

ok, so you are improving security.
I agree.

but the sleep is still required

@FernandoMiguel

It's not only about security. With polling the dns status, we don't need to sleep a long time, we can continue as soon as the txt record is available.

ok, maybe I'm missing something here, and gonna trust your kb on it :)

I don't see how we can do polling, but if we can, great.

do keep in mind some ppl might not want to use either google or cloudflare DNS servers (cause paranoia)

and that cloudflare enforces DNSSEC and it can fail for some domains

the following addresses privacy/security concerns re DNS for individuals/sysadmins that i worked up for some mentees and modified for this topic. i am not exactly sure what direction acme.sh is going, but some readers that see the topic might benefit from these observations.

1.1.1.1/1.0.0.1/[2606:4700:4700::1111]/[2606:4700:4700::1001] (cloudflare nameserving IP's) do not insist on DNSSEC to answer a query, but they will fail if the object site has faulty DNSSEC configured. the security DNSSEC is supposed to offer is the very reason such a site produces a failure from cloudflare and other nameserver services. cloudflare's main benefit is their globally-extensive anycast N/W of POP's and assurances they will always add hardware to keep their port 53 service faster than most others. promises are great, but they have suffered outages and some have stretched for more than a day. a major dislocation also was caused by an upgrade for cisco routers that mis-directed their IP's because they were incorrectly fixed in the BGP tables. of course, this was not cloudflare's fault; but the outages are and one would hope cloudflare has fixed whatever previously was wrong (our experience is that they have). aside from speed, cloudflare does not record queries except for short-term logs only utilized for internal system analysis/integrity purposes. NOTE: cloudflare acquired the right to use the memorable IPv4 addr's from the RIR APNIC in exchange for providing them the traffic data, strictly for research purposes, until 2023. the data is not maintained on-line and there is no reason to believe that this huge amount of data could be externally accessed or that it even has any commercial value in the form received by APNIC.

none of the well-known privately-operated DNS alternatives such as google or cisco or even your own ISP will give any privacy assurances. the known case of google harvesting your search terms is a mere step away from them also knowing every site you visit or email you send when you hand over all your DNS look-ups. cisco, itself, may not have a major motive to record your activities; but it is clear that what they harvest is of great interest to numerous "big data" brokers and cisco is free to sell to the highest bidder. do they? cisco is not saying.

so, what can be done?! there is the 9.9.9.9 public DNS N/W (Global Cyber Alliance; AKA 'quad9'; https://www.quad9.net/faq/) run by a non-profit IT-industry amalgam that promises DNS look-ups that maintain your anonymity and provide free access to the IBM (a partner in the org) 'X-Force' threat database (a compilation of many databases). this is the oldest such database in existence and the one most subjected to independent research. here one would be opting for privacy/safety/security (bad-actor sites/addresses are filtered; the IP doing a look-up is not recorded) rather than blinding speed.

and what about speed? we have some of our servers in a DC where google, cloudflare, and quad9 maintain POP's. cached RTT responses are splendid — in order, supra — 1-3 ms, 0.4-1 ms, and 1-5 ms. non-cached responses are 25-80 ms, 10-60 ms, and 20-70 ms. for a remote POP example, in another DC we find all three POP's to be one hop away from the DC at incremental costs of 10-12 ms for cached and 0-10 ms for non-cached.

RECAP: if anonymity is a concern, both 1.1.1.1 and 9.9.9.9 offer this. if the security of a well-documented threat-abatement service is the primary goal, 9.9.9.9 offers a very deep and wide database compiled from over a dozen highly-respected sources that make updates in real-time or no less than several times per day. cloudflare's threat-mitigating offering seems to originate internally and about which not much is known. as far as speed is concerned, individual users should opt for safety in 9.9.9.9 since a speed delta of a few ms is totally beyond recognition. even most server needs can be satisfactorily filled with 9.9.9.9 and especially when operating local caching nameservers and/or mailservers with rDNS milters or even as a custom secondary dnsbl/dnswl check. results can even be fed into a dynamic ipset system to extend control to the firewall.

IMPORTANT: utilizing either 1.1.1.1 or 9.9.9.9 provides nameserver anonymity and some degree of security without any change to nameserving access using the usual UDP on port 53. closer to home (i.e., your ISP), it should also be considered that utilizing the time-/resource-wise much more expensive DNS over TLS (DoT) [or DNS over HTTPS (DoH)] will mask what you are asking about. however, immediately turning around and going to such-and-such an IP is a dead give-away of what you are doing even when that subsequent action is using a secure protocol. so, DoT offers little in the way of privacy protection at the ISP level since your traffic flow is completely transparent. thus, using 1.1.1.1 or 9.9.9.9 eliminates a remote privacy concern, but not the local one. servers have even less benefit — if any benefit actually exists — in using DoT since traffic flows are inherently much less serial in nature and ISP-level intrusion should be a threat eliminated by appropriate siting decisions.

@vonp :O

cloudflare enforces DNSSEC and it can fail for some domains

I can't speak to other ACME servers but if your domain has a broken DNSSEC configuration it will fail domain validation with Let's Encrypt, who also run a DNSSEC enforcing recursive resolver. Finding that out before expending rate limit quota to attempt a validation is a plus and not a minus :-)

Neither of these resolvers supports non-cached requests, which means you will run into the same problem as without this feature.

Furthermore, privacy in this instance is not that important. When the SSL certificate is issued it will be publicly available on https://crt.sh. I know privacy is important, but the hostname will be available later on.

@FernandoMiguel @vonp @raunsbaekdk

Guys, I just finished doh support. Would you please give it a try and let me know your feedback.

Upgrade to the doh branch:

acme.sh --upgrade -b doh

Just issue a cert with any dns api you have; you don't need to specify --dnssleep anymore.

acme.sh --issue -d mydomain.com --dns dns_cf --test

@FernandoMiguel @vonp @raunsbaekdk
I just tested a dozen dns apis, all worked well.

I'll give it a try in a few hours, with AWS and Cloudflare

$ acme.sh --issue --dns dns_cf -d doh.imperialus.house \
> --keylength ec-256 \
> --staging
[Sat 16 Feb 2019 10:46:34 GMT] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Sat 16 Feb 2019 10:46:36 GMT] Creating domain key
[Sat 16 Feb 2019 10:46:36 GMT] Single domain='doh.imperialus.house'
[Sat 16 Feb 2019 10:46:36 GMT] Getting domain auth token for each domain
[Sat 16 Feb 2019 10:46:36 GMT] Getting webroot for domain='doh.imperialus.house'
[Sat 16 Feb 2019 10:46:36 GMT] Getting new-authz for domain='doh.imperialus.house'
[Sat 16 Feb 2019 10:46:37 GMT] The new-authz request is ok.
[Sat 16 Feb 2019 10:46:38 GMT] Adding record
[Sat 16 Feb 2019 10:46:38 GMT] Added, OK
[Sat 16 Feb 2019 10:46:38 GMT] Let's check each dns records now. Sleep 20 seconds first.
[Sat 16 Feb 2019 10:46:59 GMT] Checking doh.imperialus.house for _acme-challenge.doh.imperialus.house
[Sat 16 Feb 2019 10:47:00 GMT] Domain doh.imperialus.house '_acme-challenge.doh.imperialus.house' success.
[Sat 16 Feb 2019 10:47:00 GMT] All success, let's return
[Sat 16 Feb 2019 10:47:00 GMT] Verifying: doh.imperialus.house
[Sat 16 Feb 2019 10:47:03 GMT] Success
[Sat 16 Feb 2019 10:47:03 GMT] Removing DNS records.
[Sat 16 Feb 2019 10:47:05 GMT] Verify finished, start to sign.
tr: Illegal byte sequence
[Sat 16 Feb 2019 10:47:06 GMT] Cert success.

Seems to be setting the default 20 seconds sleep?

Also got this: tr: Illegal byte sequence

FYI

$ acme.sh --upgrade -b doh
[Sat 16 Feb 2019 10:42:46 GMT] Unknown parameter : -b

:~$ acme.sh --upgrade
[Sat 16 Feb 2019 10:42:54 GMT] Installing from online archive.
[Sat 16 Feb 2019 10:42:54 GMT] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat 16 Feb 2019 10:42:55 GMT] Extracting master.tar.gz
[Sat 16 Feb 2019 10:42:55 GMT] It is recommended to install socat first.
[Sat 16 Feb 2019 10:42:55 GMT] We use socat for standalone server if you use standalone mode.
[Sat 16 Feb 2019 10:42:55 GMT] If you don't use standalone mode, just ignore this warning.
[Sat 16 Feb 2019 10:42:55 GMT] Installing to /Users/fernando/.acme.sh
[Sat 16 Feb 2019 10:42:55 GMT] Installed to /Users/fernando/.acme.sh/acme.sh
[Sat 16 Feb 2019 10:42:55 GMT] Good, bash is found, so change the shebang to use bash as preferred.
[Sat 16 Feb 2019 10:42:56 GMT] OK
[Sat 16 Feb 2019 10:42:56 GMT] Install success!
[Sat 16 Feb 2019 10:42:56 GMT] Upgrade success!

:~$ acme.sh --upgrade -b doh
[Sat 16 Feb 2019 10:42:59 GMT] Installing from online archive.
[Sat 16 Feb 2019 10:42:59 GMT] Downloading https://github.com/Neilpang/acme.sh/archive/doh.tar.gz
[Sat 16 Feb 2019 10:43:00 GMT] Extracting doh.tar.gz
[Sat 16 Feb 2019 10:43:00 GMT] It is recommended to install socat first.
[Sat 16 Feb 2019 10:43:00 GMT] We use socat for standalone server if you use standalone mode.
[Sat 16 Feb 2019 10:43:00 GMT] If you don't use standalone mode, just ignore this warning.
[Sat 16 Feb 2019 10:43:00 GMT] Installing to /Users/fernando/.acme.sh
[Sat 16 Feb 2019 10:43:00 GMT] Installed to /Users/fernando/.acme.sh/acme.sh
[Sat 16 Feb 2019 10:43:00 GMT] Good, bash is found, so change the shebang to use bash as preferred.
[Sat 16 Feb 2019 10:43:01 GMT] OK
[Sat 16 Feb 2019 10:43:01 GMT] Install success!
[Sat 16 Feb 2019 10:43:01 GMT] Upgrade success!

:~$ acme.sh --version
https://github.com/Neilpang/acme.sh
v2.8.1

@FernandoMiguel
Can you try with --debug 2, so that we can tell which line caused the tr error?

Thanks.

acme.sh --issue --dns dns_cf -d doh5.imperialus.house \
--keylength ec-256 \
--staging \
--debug 2
[Sat 16 Feb 2019 12:29:49 GMT] Lets find script dir.
[Sat 16 Feb 2019 12:29:49 GMT] _SCRIPT_='/Users/fernando/.acme.sh/acme.sh'
[Sat 16 Feb 2019 12:29:49 GMT] _script='/Users/fernando/.acme.sh/acme.sh'
[Sat 16 Feb 2019 12:29:49 GMT] _script_home='/Users/fernando/.acme.sh'
[Sat 16 Feb 2019 12:29:49 GMT] Using config home:/Users/fernando/.acme.sh
[Sat 16 Feb 2019 12:29:49 GMT] LE_WORKING_DIR='/Users/fernando/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.8.1
[Sat 16 Feb 2019 12:29:49 GMT] _main_domain='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:49 GMT] _alt_domains='no'
[Sat 16 Feb 2019 12:29:49 GMT] Using config home:/Users/fernando/.acme.sh
[Sat 16 Feb 2019 12:29:49 GMT] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Sat 16 Feb 2019 12:29:49 GMT] ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
[Sat 16 Feb 2019 12:29:49 GMT] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
[Sat 16 Feb 2019 12:29:49 GMT] DOMAIN_PATH='/Users/fernando/.acme.sh/doh6.imperialus.house_ecc'
[Sat 16 Feb 2019 12:29:49 GMT] 'dns_cf' does not contain 'dns'
[Sat 16 Feb 2019 12:29:49 GMT] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Sat 16 Feb 2019 12:29:49 GMT] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Sat 16 Feb 2019 12:29:49 GMT] GET
[Sat 16 Feb 2019 12:29:49 GMT] url='https://acme-staging.api.letsencrypt.org/directory'
[Sat 16 Feb 2019 12:29:49 GMT] timeout=
[Sat 16 Feb 2019 12:29:49 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.di7JewSn  -g '
[Sat 16 Feb 2019 12:29:49 GMT] ret='0'
[Sat 16 Feb 2019 12:29:49 GMT] response='{
  "AZaghX7Mblo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}'
[Sat 16 Feb 2019 12:29:50 GMT] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
[Sat 16 Feb 2019 12:29:50 GMT] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Sat 16 Feb 2019 12:29:50 GMT] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Sat 16 Feb 2019 12:29:50 GMT] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Sat 16 Feb 2019 12:29:50 GMT] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
[Sat 16 Feb 2019 12:29:50 GMT] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sat 16 Feb 2019 12:29:50 GMT] ACME_NEW_NONCE
[Sat 16 Feb 2019 12:29:50 GMT] ACME_VERSION
[Sat 16 Feb 2019 12:29:50 GMT] _on_before_issue
[Sat 16 Feb 2019 12:29:50 GMT] _chk_main_domain='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] _chk_alt_domains
[Sat 16 Feb 2019 12:29:50 GMT] 'dns_cf' does not contain 'no'
[Sat 16 Feb 2019 12:29:50 GMT] Le_LocalAddress
[Sat 16 Feb 2019 12:29:50 GMT] d='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] Check for domain='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] _currentRoot='dns_cf'
[Sat 16 Feb 2019 12:29:50 GMT] d
[Sat 16 Feb 2019 12:29:50 GMT] 'dns_cf' does not contain 'apache'
[Sat 16 Feb 2019 12:29:50 GMT] _saved_account_key_hash='REDACTED'
[Sat 16 Feb 2019 12:29:50 GMT] _saved_account_key_hash is not changed, skip register account.
[Sat 16 Feb 2019 12:29:50 GMT] Read key length:
[Sat 16 Feb 2019 12:29:50 GMT] Creating domain key
[Sat 16 Feb 2019 12:29:50 GMT] Using config home:/Users/fernando/.acme.sh
[Sat 16 Feb 2019 12:29:50 GMT] ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
[Sat 16 Feb 2019 12:29:50 GMT] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
[Sat 16 Feb 2019 12:29:50 GMT] _createkey for file:/Users/fernando/.acme.sh/doh6.imperialus.house_ecc/doh6.imperialus.house.key
[Sat 16 Feb 2019 12:29:50 GMT] Use length 256
[Sat 16 Feb 2019 12:29:50 GMT] Using ec name: prime256v1
[Sat 16 Feb 2019 12:29:50 GMT] The domain key is here: /Users/fernando/.acme.sh/doh6.imperialus.house_ecc/doh6.imperialus.house.key
[Sat 16 Feb 2019 12:29:50 GMT] _createcsr
[Sat 16 Feb 2019 12:29:50 GMT] domain='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] domainlist
[Sat 16 Feb 2019 12:29:50 GMT] csrkey='/Users/fernando/.acme.sh/doh6.imperialus.house_ecc/doh6.imperialus.house.key'
[Sat 16 Feb 2019 12:29:50 GMT] csr='/Users/fernando/.acme.sh/doh6.imperialus.house_ecc/doh6.imperialus.house.csr'
[Sat 16 Feb 2019 12:29:50 GMT] csrconf='/Users/fernando/.acme.sh/doh6.imperialus.house_ecc/doh6.imperialus.house.csr.conf'
[Sat 16 Feb 2019 12:29:50 GMT] Single domain='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] _is_idn_d='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] _idn_temp
[Sat 16 Feb 2019 12:29:50 GMT] _csr_cn='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] Getting domain auth token for each domain
[Sat 16 Feb 2019 12:29:50 GMT] d='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] Getting webroot for domain='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] _w='dns_cf'
[Sat 16 Feb 2019 12:29:50 GMT] _currentRoot='dns_cf'
[Sat 16 Feb 2019 12:29:50 GMT] Getting new-authz for domain='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Sat 16 Feb 2019 12:29:50 GMT] Try new-authz for the 0 time.
[Sat 16 Feb 2019 12:29:50 GMT] _is_idn_d='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:50 GMT] _idn_temp
[Sat 16 Feb 2019 12:29:50 GMT] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Sat 16 Feb 2019 12:29:50 GMT] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "doh6.imperialus.house"}}'
[Sat 16 Feb 2019 12:29:50 GMT] RSA key
[Sat 16 Feb 2019 12:29:50 GMT] Get nonce with GET. ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
[Sat 16 Feb 2019 12:29:50 GMT] GET
[Sat 16 Feb 2019 12:29:50 GMT] url='https://acme-staging.api.letsencrypt.org/directory'
[Sat 16 Feb 2019 12:29:50 GMT] timeout=
[Sat 16 Feb 2019 12:29:50 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.SQudkQ8w  -g '
[Sat 16 Feb 2019 12:29:50 GMT] ret='0'
[Sat 16 Feb 2019 12:29:50 GMT] _headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 704
Replay-Nonce: REDACTED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 16 Feb 2019 12:29:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 16 Feb 2019 12:29:50 GMT
Connection: keep-alive
'
[Sat 16 Feb 2019 12:29:50 GMT] _CACHED_NONCE='REDACTED'
[Sat 16 Feb 2019 12:29:50 GMT] nonce='REDACTED'
[Sat 16 Feb 2019 12:29:50 GMT] POST
[Sat 16 Feb 2019 12:29:50 GMT] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Sat 16 Feb 2019 12:29:50 GMT] body='{"protected": "REDACTED", "payload": "REDACTED", "signature": "REDACTED"}'
[Sat 16 Feb 2019 12:29:50 GMT] _postContentType='application/jose+json'
[Sat 16 Feb 2019 12:29:50 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.i7EzLRwj  -g '
[Sat 16 Feb 2019 12:29:51 GMT] _ret='0'
[Sat 16 Feb 2019 12:29:51 GMT] original='{
  "identifier": {
    "type": "dns",
    "value": "doh6.imperialus.house"
  },
  "status": "pending",
  "expires": "2019-02-23T12:29:51Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302579",
      "token": "REDACTED"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302580",
      "token": "REDACTED"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581",
      "token": "REDACTED"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      2
    ],
    [
      1
    ]
  ]
}'
[Sat 16 Feb 2019 12:29:51 GMT] responseHeaders='HTTP/1.1 100 Continue
Expires: Sat, 16 Feb 2019 12:29:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 1009
Boulder-Requester: 5032425
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/REDACTED
Replay-Nonce: REDACTED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 16 Feb 2019 12:29:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 16 Feb 2019 12:29:51 GMT
Connection: keep-alive
'
[Sat 16 Feb 2019 12:29:51 GMT] response='{"identifier":{"type":"dns","value":"doh6.imperialus.house"},"status":"pending","expires":"2019-02-23T12:29:51Z","challenges":[{"type":"tls-alpn-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302579","token":"REDACTED"},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302580","token":"REDACTED"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581","token":"REDACTED"}],"combinations":[[0],[2],[1]]}'
[Sat 16 Feb 2019 12:29:51 GMT] code='201'
[Sat 16 Feb 2019 12:29:51 GMT] The new-authz request is ok.
[Sat 16 Feb 2019 12:29:51 GMT] entry='"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581","token":"REDACTED"'
[Sat 16 Feb 2019 12:29:51 GMT] token='REDACTED'
[Sat 16 Feb 2019 12:29:51 GMT] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581'
[Sat 16 Feb 2019 12:29:51 GMT] keyauthorization='REDACTED.REDACTED'
[Sat 16 Feb 2019 12:29:51 GMT] dvlist='doh6.imperialus.house#REDACTED.REDACTED#https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581#dns-01#dns_cf'
[Sat 16 Feb 2019 12:29:51 GMT] d
[Sat 16 Feb 2019 12:29:51 GMT] vlist='doh6.imperialus.house#REDACTED.REDACTED#https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581#dns-01#dns_cf,'
[Sat 16 Feb 2019 12:29:52 GMT] d='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:52 GMT] _d_alias
[Sat 16 Feb 2019 12:29:52 GMT] txtdomain='_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:52 GMT] txt='REDACTED'
[Sat 16 Feb 2019 12:29:52 GMT] d_api='/Users/fernando/.acme.sh/dnsapi/dns_cf.sh'
[Sat 16 Feb 2019 12:29:52 GMT] doh6.imperialus.house,_acme-challenge.doh6.imperialus.house,,dns_cf,REDACTED,/Users/fernando/.acme.sh/dnsapi/dns_cf.sh

[Sat 16 Feb 2019 12:29:52 GMT] Found domain api file: /Users/fernando/.acme.sh/dnsapi/dns_cf.sh
[Sat 16 Feb 2019 12:29:52 GMT] First detect the root zone
[Sat 16 Feb 2019 12:29:52 GMT] h='doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:52 GMT] zones?name=doh6.imperialus.house
[Sat 16 Feb 2019 12:29:52 GMT] GET
[Sat 16 Feb 2019 12:29:52 GMT] url='https://api.cloudflare.com/client/v4/zones?name=doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:52 GMT] timeout=
[Sat 16 Feb 2019 12:29:52 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.ARtCKetv  -g '
[Sat 16 Feb 2019 12:29:52 GMT] ret='0'
[Sat 16 Feb 2019 12:29:52 GMT] response='{"result":[],"result_info":{"page":1,"per_page":20,"total_pages":0,"count":0,"total_count":0},"success":true,"errors":[],"messages":[]}'
[Sat 16 Feb 2019 12:29:52 GMT] h='imperialus.house'
[Sat 16 Feb 2019 12:29:52 GMT] zones?name=imperialus.house
[Sat 16 Feb 2019 12:29:52 GMT] GET
[Sat 16 Feb 2019 12:29:52 GMT] url='https://api.cloudflare.com/client/v4/zones?name=imperialus.house'
[Sat 16 Feb 2019 12:29:52 GMT] timeout=
[Sat 16 Feb 2019 12:29:52 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.WsasYxcZ  -g '
[Sat 16 Feb 2019 12:29:52 GMT] ret='0'
[Sat 16 Feb 2019 12:29:52 GMT] response='{"result":[{"id":"REDACTED","name":"imperialus.house","status":"active","paused":false,"type":"full","development_mode":0,"name_servers":["REDACTED.ns.cloudflare.com","REDACTED.ns.cloudflare.com"],"original_name_servers":["REDACTED.com","ns2.REDACTED.com","ns3.REDACTED.com"],"original_registrar":null,"original_dnshost":"REDACTED","modified_on":"2019-02-16T12:28:52.752397Z","created_on":"2016-02-15T21:20:15.215047Z","activated_on":"2016-02-16T11:02:45.277001Z","meta":{"step":4,"wildcard_proxiable":false,"custom_certificate_quota":0,"page_rule_quota":3,"phishing_detected":false,"multiple_railguns_allowed":false},"owner":{"id":"REDACTED","type":"user","email":"REDACTED"},"account":{"id":"REDACTED","name":"REDACTED"},"permissions":["#access:edit","#access:read","#analytics:read","#app:edit","#auditlogs:read","#billing:edit","#billing:read","#cache_purge:edit","#dns_records:edit","#dns_records:read","#lb:edit","#lb:read","#legal:edit","#legal:read","#logs:edit","#logs:read","#member:edit","#member:read","#organization:edit","#organization:read","#ssl:edit","#ssl:read","#stream:edit","#stream:read","#subscription:edit","#subscription:read","#waf:edit","#waf:read","#webhooks:edit","#webhooks:read","#worker:edit","#worker:read","#zone:edit","#zone:read","#zone_settings:edit","#zone_settings:read"],"plan":{"id":"REDACTED","name":"Free Website","price":0,"currency":"USD","frequency":"","is_subscribed":true,"can_subscribe":false,"legacy_id":"free","legacy_discount":false,"externally_managed":false}}],"result_info":{"page":1,"per_page":20,"total_pages":1,"count":1,"total_count":1},"success":true,"errors":[],"messages":[]}'
[Sat 16 Feb 2019 12:29:52 GMT] _domain_id='REDACTED'
[Sat 16 Feb 2019 12:29:52 GMT] _sub_domain='_acme-challenge.doh6'
[Sat 16 Feb 2019 12:29:52 GMT] _domain='imperialus.house'
[Sat 16 Feb 2019 12:29:52 GMT] Getting txt records
[Sat 16 Feb 2019 12:29:52 GMT] zones/REDACTED/dns_records?type=TXT&name=_acme-challenge.doh6.imperialus.house
[Sat 16 Feb 2019 12:29:52 GMT] GET
[Sat 16 Feb 2019 12:29:52 GMT] url='https://api.cloudflare.com/client/v4/zones/REDACTED/dns_records?type=TXT&name=_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:29:52 GMT] timeout=
[Sat 16 Feb 2019 12:29:52 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.xQ1R6L2L  -g '
[Sat 16 Feb 2019 12:29:53 GMT] ret='0'
[Sat 16 Feb 2019 12:29:53 GMT] response='{"result":[],"result_info":{"page":1,"per_page":20,"total_pages":0,"count":0,"total_count":0},"success":true,"errors":[],"messages":[]}'
[Sat 16 Feb 2019 12:29:53 GMT] Adding record
[Sat 16 Feb 2019 12:29:53 GMT] zones/REDACTED/dns_records
[Sat 16 Feb 2019 12:29:53 GMT] data='{"type":"TXT","name":"_acme-challenge.doh6.imperialus.house","content":"REDACTED","ttl":120}'
[Sat 16 Feb 2019 12:29:53 GMT] POST
[Sat 16 Feb 2019 12:29:53 GMT] _post_url='https://api.cloudflare.com/client/v4/zones/REDACTED/dns_records'
[Sat 16 Feb 2019 12:29:53 GMT] body='{"type":"TXT","name":"_acme-challenge.doh6.imperialus.house","content":"REDACTED","ttl":120}'
[Sat 16 Feb 2019 12:29:53 GMT] _postContentType
[Sat 16 Feb 2019 12:29:53 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.151C2l4Z  -g '
[Sat 16 Feb 2019 12:29:53 GMT] _ret='0'
[Sat 16 Feb 2019 12:29:53 GMT] response='{"result":{"id":"REDACTED","type":"TXT","name":"_acme-challenge.doh6.imperialus.house","content":"REDACTED","proxiable":false,"proxied":false,"ttl":120,"locked":false,"zone_id":"REDACTED","zone_name":"imperialus.house","modified_on":"2019-02-16T12:29:53.450656Z","created_on":"2019-02-16T12:29:53.450656Z","meta":{"auto_added":false,"managed_by_apps":false,"managed_by_argo_tunnel":false}},"success":true,"errors":[],"messages":[]}'
[Sat 16 Feb 2019 12:29:53 GMT] Added, OK
[Sat 16 Feb 2019 12:29:53 GMT] Let's check each dns records now. Sleep 20 seconds first.
[Sat 16 Feb 2019 12:30:13 GMT] d='doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:13 GMT] txtdomain='_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:13 GMT] aliasDomain='_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:13 GMT] txt='REDACTED'
[Sat 16 Feb 2019 12:30:13 GMT] d_api='/Users/fernando/.acme.sh/dnsapi/dns_cf.sh'
[Sat 16 Feb 2019 12:30:13 GMT] Checking doh6.imperialus.house for _acme-challenge.doh6.imperialus.house
[Sat 16 Feb 2019 12:30:13 GMT] _c_txtdomain='_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:13 GMT] _c_aliasdomain='_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:13 GMT] _c_txt='REDACTED'
[Sat 16 Feb 2019 12:30:13 GMT] _ns_ep='https://cloudflare-dns.com/dns-query'
[Sat 16 Feb 2019 12:30:13 GMT] _ns_domain='_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:13 GMT] _ns_type='TXT'
[Sat 16 Feb 2019 12:30:13 GMT] GET
[Sat 16 Feb 2019 12:30:13 GMT] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.doh6.imperialus.house&type=TXT'
[Sat 16 Feb 2019 12:30:13 GMT] timeout=
[Sat 16 Feb 2019 12:30:13 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.Juwrwlf6  -g '
[Sat 16 Feb 2019 12:30:13 GMT] ret='0'
[Sat 16 Feb 2019 12:30:13 GMT] response='{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "_acme-challenge.doh6.imperialus.house.", "type": 16}],"Answer":[{"name": "_acme-challenge.doh6.imperialus.house.", "type": 16, "TTL": 120, "data": "\"REDACTED\""}]}'
[Sat 16 Feb 2019 12:30:13 GMT] _answers='"Answer":[
"name": "_acme-challenge.doh6.imperialus.house.", "type": 16, "TTL": 120, "data": "\"REDACTED\""
]'
[Sat 16 Feb 2019 12:30:13 GMT] Domain doh6.imperialus.house '_acme-challenge.doh6.imperialus.house' success.
[Sat 16 Feb 2019 12:30:13 GMT] All success, let's return
[Sat 16 Feb 2019 12:30:13 GMT] ok, let's start to verify
[Sat 16 Feb 2019 12:30:13 GMT] Verifying: doh6.imperialus.house
[Sat 16 Feb 2019 12:30:13 GMT] d='doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:13 GMT] keyauthorization='REDACTED.REDACTED'
[Sat 16 Feb 2019 12:30:13 GMT] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581'
[Sat 16 Feb 2019 12:30:13 GMT] _currentRoot='dns_cf'
[Sat 16 Feb 2019 12:30:13 GMT] Trigger domain validation.
[Sat 16 Feb 2019 12:30:13 GMT] _t_url='https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581'
[Sat 16 Feb 2019 12:30:13 GMT] _t_key_authz='REDACTED.REDACTED'
[Sat 16 Feb 2019 12:30:13 GMT] _t_vtype='dns-01'
[Sat 16 Feb 2019 12:30:13 GMT] url='https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581'
[Sat 16 Feb 2019 12:30:13 GMT] payload='{"resource": "challenge", "type": "dns-01", "keyAuthorization": "REDACTED.REDACTED"}'
[Sat 16 Feb 2019 12:30:13 GMT] Use cached jwk for file: /Users/fernando/.acme.sh/ca/acme-staging.api.letsencrypt.org/account.key
[Sat 16 Feb 2019 12:30:13 GMT] Use _CACHED_NONCE='REDACTED'
[Sat 16 Feb 2019 12:30:13 GMT] nonce='REDACTED'
[Sat 16 Feb 2019 12:30:14 GMT] POST
[Sat 16 Feb 2019 12:30:14 GMT] _post_url='https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581'
[Sat 16 Feb 2019 12:30:14 GMT] body='{"protected": "REDACTED", "payload": "REDACTED", "signature": "REDACTED"}'
[Sat 16 Feb 2019 12:30:14 GMT] _postContentType='application/jose+json'
[Sat 16 Feb 2019 12:30:14 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.sd23GEVh  -g '
[Sat 16 Feb 2019 12:30:14 GMT] _ret='0'
[Sat 16 Feb 2019 12:30:14 GMT] original='{
  "type": "dns-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581",
  "token": "REDACTED",
  "keyAuthorization": "REDACTED.REDACTED"
}'
[Sat 16 Feb 2019 12:30:14 GMT] responseHeaders='HTTP/1.1 100 Continue
Expires: Sat, 16 Feb 2019 12:30:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Requester: 5032425
Link: <https://acme-staging.api.letsencrypt.org/acme/authz/REDACTED>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581
Replay-Nonce: REDACTED
Expires: Sat, 16 Feb 2019 12:30:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 16 Feb 2019 12:30:14 GMT
Connection: keep-alive
'
[Sat 16 Feb 2019 12:30:14 GMT] response='{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581","token":"REDACTED","keyAuthorization":"REDACTED.REDACTED"}'
[Sat 16 Feb 2019 12:30:14 GMT] code='202'
[Sat 16 Feb 2019 12:30:14 GMT] sleep 2 secs to verify
[Sat 16 Feb 2019 12:30:16 GMT] checking
[Sat 16 Feb 2019 12:30:16 GMT] GET
[Sat 16 Feb 2019 12:30:16 GMT] url='https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581'
[Sat 16 Feb 2019 12:30:16 GMT] timeout=
[Sat 16 Feb 2019 12:30:16 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.em0A2HPo  -g '
[Sat 16 Feb 2019 12:30:17 GMT] ret='0'
[Sat 16 Feb 2019 12:30:17 GMT] original='{
  "type": "dns-01",
  "status": "valid",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581",
  "token": "REDACTED",
  "validationRecord": [
    {
      "hostname": "doh6.imperialus.house"
    }
  ]
}'
[Sat 16 Feb 2019 12:30:17 GMT] response='{"type":"dns-01","status":"valid","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/REDACTED/247302581","token":"REDACTED","validationRecord":[{"hostname":"doh6.imperialus.house"}]}'
[Sat 16 Feb 2019 12:30:17 GMT] Success
[Sat 16 Feb 2019 12:30:17 GMT] pid
[Sat 16 Feb 2019 12:30:17 GMT] Skip for removelevel:
[Sat 16 Feb 2019 12:30:17 GMT] pid
[Sat 16 Feb 2019 12:30:17 GMT] No need to restore nginx, skip.
[Sat 16 Feb 2019 12:30:17 GMT] _clearupdns
[Sat 16 Feb 2019 12:30:17 GMT] dns_entries='doh6.imperialus.house,_acme-challenge.doh6.imperialus.house,,dns_cf,REDACTED,/Users/fernando/.acme.sh/dnsapi/dns_cf.sh
'
[Sat 16 Feb 2019 12:30:17 GMT] Removing DNS records.
[Sat 16 Feb 2019 12:30:17 GMT] d='doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:17 GMT] txtdomain='_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:17 GMT] aliasDomain='_acme-challenge.doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:17 GMT] txt='REDACTED'
[Sat 16 Feb 2019 12:30:17 GMT] d_api='/Users/fernando/.acme.sh/dnsapi/dns_cf.sh'
[Sat 16 Feb 2019 12:30:17 GMT] First detect the root zone
[Sat 16 Feb 2019 12:30:17 GMT] h='doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:17 GMT] zones?name=doh6.imperialus.house
[Sat 16 Feb 2019 12:30:17 GMT] GET
[Sat 16 Feb 2019 12:30:17 GMT] url='https://api.cloudflare.com/client/v4/zones?name=doh6.imperialus.house'
[Sat 16 Feb 2019 12:30:17 GMT] timeout=
[Sat 16 Feb 2019 12:30:17 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.T8LS0Tth  -g '
[Sat 16 Feb 2019 12:30:17 GMT] ret='0'
[Sat 16 Feb 2019 12:30:17 GMT] response='{"result":[],"result_info":{"page":1,"per_page":20,"total_pages":0,"count":0,"total_count":0},"success":true,"errors":[],"messages":[]}'
[Sat 16 Feb 2019 12:30:17 GMT] h='imperialus.house'
[Sat 16 Feb 2019 12:30:17 GMT] zones?name=imperialus.house
[Sat 16 Feb 2019 12:30:17 GMT] GET
[Sat 16 Feb 2019 12:30:17 GMT] url='https://api.cloudflare.com/client/v4/zones?name=imperialus.house'
[Sat 16 Feb 2019 12:30:17 GMT] timeout=
[Sat 16 Feb 2019 12:30:17 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.fe4qzcH6  -g '
[Sat 16 Feb 2019 12:30:18 GMT] ret='0'
[Sat 16 Feb 2019 12:30:18 GMT] response='{"result":[{"id":"REDACTED","name":"imperialus.house","status":"active","paused":false,"type":"full","development_mode":0,"name_servers":["REDACTED.ns.cloudflare.com","REDACTED.ns.cloudflare.com"],"original_name_servers":["REDACTED.com","ns2.REDACTED.com","ns3.REDACTED.com"],"original_registrar":null,"original_dnshost":"REDACTED","modified_on":"2019-02-16T12:29:53.450656Z","created_on":"2016-02-15T21:20:15.215047Z","activated_on":"2016-02-16T11:02:45.277001Z","meta":{"step":4,"wildcard_proxiable":false,"custom_certificate_quota":0,"page_rule_quota":3,"phishing_detected":false,"multiple_railguns_allowed":false},"owner":{"id":"REDACTED","type":"user","email":"REDACTED"},"account":{"id":"REDACTED","name":"REDACTED"},"permissions":["#access:edit","#access:read","#analytics:read","#app:edit","#auditlogs:read","#billing:edit","#billing:read","#cache_purge:edit","#dns_records:edit","#dns_records:read","#lb:edit","#lb:read","#legal:edit","#legal:read","#logs:edit","#logs:read","#member:edit","#member:read","#organization:edit","#organization:read","#ssl:edit","#ssl:read","#stream:edit","#stream:read","#subscription:edit","#subscription:read","#waf:edit","#waf:read","#webhooks:edit","#webhooks:read","#worker:edit","#worker:read","#zone:edit","#zone:read","#zone_settings:edit","#zone_settings:read"],"plan":{"id":"REDACTED","name":"Free Website","price":0,"currency":"USD","frequency":"","is_subscribed":true,"can_subscribe":false,"legacy_id":"free","legacy_discount":false,"externally_managed":false}}],"result_info":{"page":1,"per_page":20,"total_pages":1,"count":1,"total_count":1},"success":true,"errors":[],"messages":[]}'
[Sat 16 Feb 2019 12:30:18 GMT] _domain_id='REDACTED'
[Sat 16 Feb 2019 12:30:18 GMT] _sub_domain='_acme-challenge.doh6'
[Sat 16 Feb 2019 12:30:18 GMT] _domain='imperialus.house'
[Sat 16 Feb 2019 12:30:18 GMT] Getting txt records
[Sat 16 Feb 2019 12:30:18 GMT] zones/REDACTED/dns_records?type=TXT&name=_acme-challenge.doh6.imperialus.house&content=REDACTED
[Sat 16 Feb 2019 12:30:18 GMT] GET
[Sat 16 Feb 2019 12:30:18 GMT] url='https://api.cloudflare.com/client/v4/zones/REDACTED/dns_records?type=TXT&name=_acme-challenge.doh6.imperialus.house&content=REDACTED'
[Sat 16 Feb 2019 12:30:18 GMT] timeout=
[Sat 16 Feb 2019 12:30:18 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.ftmSZiaO  -g '
[Sat 16 Feb 2019 12:30:18 GMT] ret='0'
[Sat 16 Feb 2019 12:30:18 GMT] response='{"result":[{"id":"REDACTED","type":"TXT","name":"_acme-challenge.doh6.imperialus.house","content":"REDACTED","proxiable":false,"proxied":false,"ttl":120,"locked":false,"zone_id":"REDACTED","zone_name":"imperialus.house","modified_on":"2019-02-16T12:29:53.450656Z","created_on":"2019-02-16T12:29:53.450656Z","meta":{"auto_added":false,"managed_by_apps":false,"managed_by_argo_tunnel":false}}],"result_info":{"page":1,"per_page":20,"total_pages":1,"count":1,"total_count":1},"success":true,"errors":[],"messages":[]}'
[Sat 16 Feb 2019 12:30:18 GMT] count='1'
[Sat 16 Feb 2019 12:30:18 GMT] record_id='REDACTED'
[Sat 16 Feb 2019 12:30:18 GMT] zones/REDACTED/dns_records/REDACTED
[Sat 16 Feb 2019 12:30:18 GMT] data
[Sat 16 Feb 2019 12:30:18 GMT] DELETE
[Sat 16 Feb 2019 12:30:18 GMT] _post_url='https://api.cloudflare.com/client/v4/zones/REDACTED/dns_records/REDACTED'
[Sat 16 Feb 2019 12:30:18 GMT] body
[Sat 16 Feb 2019 12:30:18 GMT] _postContentType
[Sat 16 Feb 2019 12:30:18 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.8ZSfjFT8  -g '
[Sat 16 Feb 2019 12:30:19 GMT] _ret='0'
[Sat 16 Feb 2019 12:30:19 GMT] response='{"result":{"id":"REDACTED"},"success":true,"errors":[],"messages":[]}'
[Sat 16 Feb 2019 12:30:19 GMT] Verify finished, start to sign.
[Sat 16 Feb 2019 12:30:19 GMT] i='2'
[Sat 16 Feb 2019 12:30:19 GMT] j='7'
[Sat 16 Feb 2019 12:30:19 GMT] url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Sat 16 Feb 2019 12:30:19 GMT] payload='{"resource": "new-cert", "csr": "REDACTED"}'
[Sat 16 Feb 2019 12:30:19 GMT] Use cached jwk for file: /Users/fernando/.acme.sh/ca/acme-staging.api.letsencrypt.org/account.key
[Sat 16 Feb 2019 12:30:19 GMT] Use _CACHED_NONCE='REDACTED'
[Sat 16 Feb 2019 12:30:19 GMT] nonce='REDACTED'
[Sat 16 Feb 2019 12:30:19 GMT] POST
[Sat 16 Feb 2019 12:30:19 GMT] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Sat 16 Feb 2019 12:30:19 GMT] body='{"protected": "REDACTED", "payload": "REDACTED", "signature": "REDACTED"}'
[Sat 16 Feb 2019 12:30:19 GMT] _postContentType='application/jose+json'
[Sat 16 Feb 2019 12:30:19 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.SL2mvnoo  -g '
[Sat 16 Feb 2019 12:30:20 GMT] _ret='0'
[Sat 16 Feb 2019 12:30:20 GMT] original='REDACTED'
[Sat 16 Feb 2019 12:30:20 GMT] responseHeaders='HTTP/1.1 100 Continue
Expires: Sat, 16 Feb 2019 12:30:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/pkix-cert
Content-Length: 1147
Boulder-Requester: 5032425
Link: <https://acme-staging.api.letsencrypt.org/acme/issuer-cert>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/cert/REDACTED
Replay-Nonce: REDACTED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 16 Feb 2019 12:30:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 16 Feb 2019 12:30:20 GMT
Connection: keep-alive
'
[Sat 16 Feb 2019 12:30:20 GMT] response='...'
[Sat 16 Feb 2019 12:30:20 GMT] code='201'
tr: Illegal byte sequence
[Sat 16 Feb 2019 12:30:20 GMT] Le_LinkCert='https://acme-staging.api.letsencrypt.org/acme/cert/REDACTED'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:d6:b5:10:b9:83:df:1e:1f:fc:73:d7:6c:02:5d:65:b8:ec
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Fake LE Intermediate X1
        Validity
            Not Before: Feb 16 11:30:19 2019 GMT
            Not After : May 17 11:30:19 2019 GMT
        Subject: CN = doh6.imperialus.house
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:58:11:d1:19:ff:97:dc:dd:cd:06:91:27:5a:33:
                    1b:4b:73:2a:cb:e9:2c:44:20:7f:11:f8:e9:e2:c7:
                    b2:16:e0:b2:6e:b9:bf:1a:13:37:b2:85:8d:e7:61:
                    6a:a8:66:17:5f:8f:a3:22:b0:26:ea:d3:46:27:1b:
                    60:8e:2d:30:e7
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                A5:8A:D7:72:5E:3A:B8:D1:5E:F1:3B:9A:C5:A3:A9:C5:32:D0:1E:26
            X509v3 Authority Key Identifier:
                keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A

            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:doh6.imperialus.house
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 16:E8:69:C1:D1:95:EA:D7:C3:F8:97:1A:E3:F0:76:01:
                                F7:8C:E1:B6:9D:31:A8:52:18:B6:83:7F:31:A8:15:08
                    Timestamp : Feb 16 12:30:19.944 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:2C:EE:EF:49:A1:BC:31:FF:A3:A1:C7:29:
                                2F:3B:55:1B:EE:A0:33:AD:BE:4C:9D:C1:76:BC:BD:A8:
                                A4:2C:36:49:02:20:16:C2:47:A3:C4:A2:62:34:E1:E7:
                                A7:3D:3C:FB:6E:0F:63:BC:22:2E:F7:5B:86:BD:62:84:
                                89:73:66:27:14:65
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 28:76:1A:18:90:27:FB:EF:3C:D0:D6:1A:01:8D:76:B0:
                                50:57:29:C7:A7:41:1B:CC:BD:F6:04:F4:5D:42:61:53
                    Timestamp : Feb 16 12:30:19.945 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:6B:4E:66:2F:D8:CE:86:54:D8:97:7C:60:
                                97:C5:40:FD:6E:AE:1A:A4:98:3B:62:73:BC:CD:C5:2D:
                                11:A5:B1:30:02:21:00:F1:5E:C7:3C:41:7E:58:6A:46:
                                68:A2:A0:41:46:68:8C:3D:FF:48:0B:65:97:46:4C:7E:
                                0F:50:66:FD:3B:4F:7E
    Signature Algorithm: sha256WithRSAEncryption
         cc:b4:24:3c:46:e1:a5:1e:02:81:ff:47:90:73:9a:aa:80:cf:
         6c:e4:1b:fe:fb:20:e8:22:94:dd:93:bf:d0:fc:a9:78:4c:07:
         26:b8:ea:00:ae:11:fe:80:90:64:93:51:4f:88:cf:6f:73:7e:
         41:45:fd:81:c4:42:8c:e6:4a:d3:39:2a:50:9d:f7:ef:b1:11:
         86:9f:b3:9b:26:bd:72:98:0c:75:8e:49:57:cb:45:a6:fd:8d:
         c6:e1:48:13:e3:28:87:f0:da:be:0d:a1:f8:6a:9f:6c:61:a0:
         e0:d9:48:54:a8:1f:e8:1e:a1:b2:8a:8d:57:b6:4d:a7:2e:70:
         ca:f8:76:72:6f:94:72:e4:28:ce:ee:81:32:2c:62:72:43:d5:
         1f:e3:6c:e6:29:16:73:0d:be:83:20:e0:bf:e3:a2:ec:76:c8:
         a0:a7:02:33:2f:99:a0:dd:60:96:20:d6:5e:5e:0f:4e:b7:f1:
         3f:5b:d5:37:5a:89:3b:11:b7:ad:5b:5e:9c:11:86:4e:eb:7a:
         8c:d2:e5:11:58:f4:88:ca:15:97:bc:4c:a9:b2:49:85:82:65:
         73:df:0a:c6:d1:df:de:f2:21:cd:c8:c7:75:29:97:3c:7a:c5:
         46:ec:7e:63:5d:eb:48:fc:2d:b6:57:d0:3d:5f:af:34:d2:54:
         e1:89:0a:01
[Sat 16 Feb 2019 12:30:20 GMT] Cert success.
-----BEGIN CERTIFICATE-----
MIIEdzCCA1+gAwIBAgITAPrWtRC5g98eH/xz12wCXWW47DANBgkqhkiG9w0BAQsF
hYJlc98KxtHf3vIhzcjHdSmXPHrFRux+Y13rSPwttlfQPV+vNNJU4YkKAQ==
-----END CERTIFICATE-----
[Sat 16 Feb 2019 12:30:20 GMT] Your cert is in  /Users/fernando/.acme.sh/doh6.imperialus.house_ecc/doh6.imperialus.house.cer
[Sat 16 Feb 2019 12:30:20 GMT] Your cert key is in  /Users/fernando/.acme.sh/doh6.imperialus.house_ecc/doh6.imperialus.house.key
[Sat 16 Feb 2019 12:30:20 GMT] Le_LinkIssuer='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
[Sat 16 Feb 2019 12:30:20 GMT] _link_issuer_retry='0'
[Sat 16 Feb 2019 12:30:20 GMT] GET
[Sat 16 Feb 2019 12:30:20 GMT] url='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
[Sat 16 Feb 2019 12:30:20 GMT] timeout=
[Sat 16 Feb 2019 12:30:20 GMT] _CURL='curl -L --silent --dump-header /Users/fernando/.acme.sh/http.header  --trace-ascii /var/folders/d6/REDACTED/T/tmp.oJZQZhcj  -g '
[Sat 16 Feb 2019 12:30:20 GMT] ret='0'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8b:e1:2a:0e:59:44:ed:3c:54:64:31:f0:97:61:4f:e5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Fake LE Root X1
        Validity
            Not Before: May 23 22:07:59 2016 GMT
            Not After : May 23 22:07:59 2036 GMT
        Subject: CN = Fake LE Intermediate X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ed:58:ac:92:0e:7e:eb:59:97:39:82:08:f3:dd:
                    90:74:f2:33:b8:c6:d8:b7:bb:32:0d:7c:3e:6c:43:
                    b2:e3:ee:1c:de:b5:44:fe:c1:0a:1b:fa:25:d2:66:
                    48:67:bf:1f:88:bd:d6:d7:17:9f:f2:b7:c6:96:3e:
                    95:0a:9c:fc:a6:a0:bc:6c:62:22:39:81:00:4b:c4:
                    d0:f3:21:e7:34:38:86:9f:95:6a:80:af:6f:66:ec:
                    9f:3e:34:db:40:a4:43:7c:9d:91:67:7f:76:e1:7a:
                    16:56:ec:0c:66:4b:59:b4:66:74:ac:74:7c:34:17:
                    0f:9b:82:2c:4f:83:63:10:f6:4f:68:79:f1:5e:a9:
                    af:bb:2a:a7:65:cf:96:db:ad:46:15:da:fa:25:c6:
                    10:c5:b6:72:38:32:1f:01:89:60:8d:c4:31:f5:1e:
                    2c:ea:f8:62:82:70:7b:22:9c:36:56:ba:b0:aa:75:
                    ea:ff:69:f2:41:9d:0b:3e:48:14:8b:e8:c5:40:a4:
                    7b:7e:77:7e:73:8c:10:fd:d9:f3:b6:25:ee:7a:76:
                    13:1f:cc:28:0e:29:77:89:df:8d:16:85:6d:d3:8c:
                    3d:73:a8:b6:57:79:a0:b2:50:d4:67:7c:e9:96:65:
                    5f:27:12:1b:47:38:56:d4:09:4e:eb:fc:a9:23:31:
                    93:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
            Authority Information Access:
                OCSP - URI:http://ocsp.stg-root-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.stg-root-x1.letsencrypt.org/

            X509v3 Authority Key Identifier:
                keyid:C1:26:74:A4:8A:44:A0:E6:FA:20:28:D8:5C:23:9A:45:88:18:79:E0

    Signature Algorithm: sha256WithRSAEncryption
         05:84:ae:e0:89:7e:7c:8d:0c:61:4e:36:39:39:84:8f:ed:47:
         a9:0e:43:bf:20:1e:c8:20:3a:b0:6b:99:77:08:c5:50:67:95:
         3a:fd:cd:9c:bc:9f:a1:fb:94:3a:31:1b:63:98:ab:14:20:ed:
         9e:ff:b4:72:4b:a4:51:93:7d:97:3e:10:d9:88:d6:19:4a:56:
         e1:34:ee:de:27:93:b1:a0:bd:00:5b:c2:4a:03:47:27:25:92:
         56:d5:af:07:95:c3:c6:ca:9a:c2:5d:4a:cc:7c:f3:c2:bd:77:
         d9:b1:76:ae:d1:ad:6b:34:aa:56:a2:bd:13:4e:ec:18:73:02:
         7f:ec:e9:0d:05:43:55:51:ad:a9:93:c7:c1:7d:ca:a9:4b:5e:
         7c:4e:b6:d5:bf:11:23:a5:42:97:8a:03:df:43:a5:7f:ca:63:
         bb:31:b8:24:a0:45:44:57:25:cc:b4:63:a3:f8:7b:22:49:1f:
         8d:9f:30:0d:ae:df:68:e8:d5:5f:1e:a7:f9:e5:10:db:d7:08:
         30:2c:eb:f3:fa:cd:58:74:bd:a5:81:86:40:a2:62:63:6c:66:
         54:2f:61:d7:61:fd:f5:7c:9f:cd:61:3d:bd:be:73:28:fd:cc:
         54:6e:a7:79:7d:61:49:da:3b:3c:40:1b:f5:fa:91:84:79:2a:
         56:ca:94:bc:99:48:46:6b:d7:bd:52:93:c0:d0:8f:dd:e0:a3:
         44:20:88:3d:30:2f:8d:5f:b8:9e:2e:fc:ea:25:f0:c0:56:0d:
         cf:c9:77:3e:63:cb:0b:24:17:58:6a:21:9c:9f:22:06:6f:b9:
         9e:4e:ce:db:29:da:3d:55:b4:53:65:be:a6:dd:b0:49:5b:af:
         74:33:39:cc:6b:f6:7f:d9:6d:35:65:22:61:91:c9:d6:69:8e:
         f7:b8:d2:63:fe:98:7d:d3:94:1f:ae:a2:46:d4:2d:0e:41:c1:
         45:d9:0d:06:c3:1b:0f:e1:26:d9:38:01:95:db:47:35:22:41:
         7c:1d:e9:9b:d1:5b:96:03:9c:27:41:52:59:c5:03:58:9e:ef:
         3b:4f:8d:4d:79:60:ad:1a:1f:45:3e:a9:57:2c:33:c5:5a:3a:
         74:d0:f4:5b:36:25:4d:67:94:56:c3:b8:d3:12:6a:86:05:10:
         44:44:7d:60:b3:8b:c4:9d:0e:e8:2f:22:d3:11:71:00:c2:8e:
         b5:27:68:74:c0:77:44:8c:2d:ed:11:50:d2:ec:ad:9f:96:79:
         32:a9:18:86:53:08:dc:9d:6d:3d:14:e9:d6:71:2d:f5:fc:86:
         b2:90:4e:3b:4e:60:8b:5e:3c:41:ab:29:fb:73:7e:b2:fa:8a:
         a2:6a:10:82:53:68:03:15
[Sat 16 Feb 2019 12:30:20 GMT] The intermediate CA cert is in  /Users/fernando/.acme.sh/doh6.imperialus.house_ecc/ca.cer
[Sat 16 Feb 2019 12:30:20 GMT] And the full chain certs is there:  /Users/fernando/.acme.sh/doh6.imperialus.house_ecc/fullchain.cer
[Sat 16 Feb 2019 12:30:20 GMT] _on_issue_success
[Sat 16 Feb 2019 12:30:20 GMT] '' does not contain 'dns'

@FernandoMiguel

I cannot find the tr error in your log, can you?

Connection: keep-alive
'
[Sat 16 Feb 2019 12:30:20 GMT] response='...'
[Sat 16 Feb 2019 12:30:20 GMT] code='201'
tr: Illegal byte sequence
[Sat 16 Feb 2019 12:30:20 GMT] Le_LinkCert='https://acme-staging.api.letsencrypt.org/acme/cert/REDACTED'

that's all i see

@FernandoMiguel which OS are you using?

Latest macOS, bash v5

@FernandoMiguel

please try the following code:

source  ./acme.sh

response='...'

 echo "$response" | _dbase64 | tr -d '\0'

I assume you mean
source ~/.acme.sh/acme.sh.env

$  echo "$response" | _dbase64 | tr -d '\0'
tr: Illegal byte sequence
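The `tr: Illegal byte sequence` seen above is what BSD tr on macOS prints when its input contains bytes that are not valid in the current UTF-8 locale; the base64-decoded certificate response is raw DER, so such bytes are expected there. The following is an added example, not the change the maintainer made for the "please try again" below (the page does not show that change); it demonstrates the usual workaround, running tr under `LC_ALL=C` so it treats its input as plain bytes, on a constructed six-byte sample. The function names are this example's own.

```shell
#!/bin/sh
# Added example: strip NUL bytes from binary (DER) data with tr in a way that
# works on both macOS (BSD tr) and Linux (GNU tr). BSD tr in a UTF-8 locale
# rejects bytes that are not valid UTF-8 with "tr: Illegal byte sequence";
# LC_ALL=C makes it operate on raw bytes instead.

# Strip NUL bytes from the file named in $1, locale independent.
_strip_nul() { LC_ALL=C tr -d '\0' < "$1"; }

# Constructed sample written to $1: six bytes 0x30 0x82 0x00 0x00 0xff 0x00.
# 0x82 and 0xff are not valid UTF-8 on their own, which is what trips BSD tr;
# the two 0x00 bytes are what tr should remove.
_make_sample() { printf '\060\202\000\000\377\000' > "$1"; }

# Run the sample through _strip_nul and print the surviving byte count.
# Three bytes remain (0x30 0x82 0xff).
_strip_demo() {
  _f=$(mktemp)
  _make_sample "$_f"
  _strip_nul "$_f" | wc -c | tr -d ' '
  rm -f "$_f"
}

# Stand-alone run prints the count.
[ "${1:-}" = "demo" ] && _strip_demo
```

Running `sh script.sh demo` prints `3`; without `LC_ALL=C` the same pipeline fails on macOS in a UTF-8 locale and succeeds on Linux, which is why the error showed up only on the Mac.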

this comment applies solely to cloudflare ('CF').

i must be missing something re acme.sh's desire to move to DoH.

CF currently operates their anycast service at 1.1.1.1. this is a fully-anonymized (https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/) recursive nameserving end-point offering query servicing of all standard and newer protocols (TCP, UDP, TLS and HTTPS). DoH is a 'newer' protocol using HTTPS. this can be enabled at the O/S level by enabling a service provided by CF or several third-party providers. CF also has app support through a proprietary end-point (https://cloudflare-dns.com/dns-query) allowing devs to independently use DoH instead of the resident O/S service.

since DoH for a single query is much slower than a regular UDP request, moving to DoH really comes down to one's level of paranoia. as i pointed out in my re-posted modified tut on this subject, supra; DoH is only private in transit past your router. should your router get hacked, even that is not safe from parties beyond your ISP. and, of course, your ISP always knows what you are doing since the DNS request is immediately followed by a connection request.

fixed-base DC-sited servers can pick-and-choose their ISP quite freely, but most home/business sites are limited to only a single broadband provider. mobile users have a choice, but there is little likelihood that any of the choices are going to respect anyone's privacy more than the next. in fact, we have already received a report (citation is not possible due to confidentiality in distribution) that a major mobile ISP has completed testing (deployment status is, as yet, unknown) of matching DoH/connection requests which circumvents any privacy value of DoH — at least for single-site queries — through that ISP.

however, DoH does have a very stellar feature and this may be of value to acme.sh (and, most certainly, to letsencrypt itself) in that multiple queries can be included in just one nameserver request. CF also supports both dns-json and dns-message (wireformat) so that app integration should be a snap if one wants to go the DoH route.

so, what we would really like to know is what is the point of acme.sh moving to DoH. the confirmation of the CF addition of the token sub-domain back to acme.sh means that CF's fully recursive anycast servers anywhere in the world will ultimately respond. our own raw connection base-line metrics only represent 1-hop (RTT <=1ms) and 2-hop (RTT <10ms) nameserving. given these params, our experience of the worst-case latency between CF's addition-confirmation and nameserver (1.1.1.1) response for the two scenarios is < 50/80 ms. google and oracle will almost universally be in the triple digits even for 1-hop service.

then, for acme.sh to insist upon a positive DNS response is actually a duplication of what letsencrypt is going to do. thus, it seems this acme.sh step is not even necessary and there is no case supporting the insertion of double-digit seconds of wait-state before requesting a DNS response. if streamlining the token-setting proc is not an issue for acme.sh and it is not going to abandon this superfluous step, are multiple sub-domains going to be bundled into a single DoH request or is the current one-at-a-time proc going to be used with all the excessive DoH O/H?

speaking of bundling, we also do not see any movement re utilizing the bind9 file format for multiple sub-domain additions in a single request to CF. is this on the horizon or …
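The comment above describes the dns-json answer format Cloudflare's endpoint serves and asks what polling for the record buys over a fixed wait. As an added example, not acme.sh's own code, here is the polling loop the thread is about, written in the POSIX sh style acme.sh uses: it asks a DoH JSON resolver for the `_acme-challenge` TXT record on a short interval and returns as soon as the expected token is visible, instead of sleeping for a fixed 20 seconds. It also stops early on SERVFAIL, which is what a validating resolver such as 1.1.1.1 returns for a zone whose DNSSEC is broken, the case raised earlier in the thread. The JSON fields (`Status`, `Answer[].type`, `Answer[].data`) and the `https://cloudflare-dns.com/dns-query` endpoint with `accept: application/dns-json` are Cloudflare's documented format; everything else (function names, the fake resolver and its constructed responses) is this example's own.

```shell
#!/bin/sh
# Added example (not acme.sh code): poll a DoH JSON resolver for the
# _acme-challenge TXT record instead of sleeping a fixed time.
# Response shape is the application/dns-json format served by Cloudflare
# (https://cloudflare-dns.com/dns-query); Google's https://dns.google/resolve
# uses the same field names. Function names are this example's own.

# Collapse a response to one line and drop spaces around colons so that
# pretty-printed and compact JSON both match the same fixed strings.
_doh_norm() { printf '%s' "$1" | tr -d '\n' | sed 's/ *: */:/g'; }

# DNS RCODE from the response: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN.
_doh_status() { _doh_norm "$1" | sed -n 's/.*"Status":\([0-9][0-9]*\).*/\1/p'; }

# True when an Answer carries TXT data equal to the expected token ($2).
# TXT data is JSON-encoded with its own inner quotes: "data":"\"<token>\""
_doh_has_txt() { _doh_norm "$1" | grep -F -q "\"data\":\"\\\"$2\\\"\""; }

# Real resolver (needs network): Cloudflare's JSON endpoint.
_doh_query_cf() {
  curl -sS -H 'accept: application/dns-json' \
    "https://cloudflare-dns.com/dns-query?name=$1&type=TXT"
}

# Poll until the token is visible, the resolver answers SERVFAIL, or tries run out.
# $1 name  $2 expected token  $3 max tries  $4 seconds between tries  $5 query function
# Returns 0 found, 1 timed out, 2 SERVFAIL. On a validating resolver SERVFAIL
# usually means broken DNSSEC, and the CA's own lookup will fail the same way,
# so waiting longer only burns time.
_poll_txt() {
  _name="$1"; _want="$2"; _tries="$3"; _interval="$4"; _query="$5"
  _i=1
  while [ "$_i" -le "$_tries" ]; do
    _resp=$("$_query" "$_name") || _resp=''        # transient fetch error: retry
    case "$(_doh_status "$_resp")" in
      0) _doh_has_txt "$_resp" "$_want" && return 0 ;;  # NOERROR but old/empty data: retry
      2) echo "SERVFAIL for $_name (DNSSEC failure?), not waiting further" >&2; return 2 ;;
      *) ;;                                           # NXDOMAIN / no answer yet: retry
    esac
    _i=$((_i + 1))
    [ "$_i" -le "$_tries" ] && sleep "$_interval"
  done
  return 1
}

# Constructed offline stand-in for _doh_query_cf: answers NXDOMAIN twice (record
# not propagated yet), then the TXT record. State lives in a file because the
# poller calls the query function inside a command substitution (a subshell).
_FAKE_STATE=$(mktemp); trap 'rm -f "$_FAKE_STATE"' EXIT
_fake_query() {
  _n=$(cat "$_FAKE_STATE" 2>/dev/null || echo 0); _n=$((${_n:-0} + 1))
  printf '%s' "$_n" > "$_FAKE_STATE"
  if [ "$_n" -lt 3 ]; then
    printf '%s' '{"Status":3,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"_acme-challenge.example.com.","type":16}]}'
  else
    printf '%s' '{"Status": 0, "AD": false, "Question": [{"name": "_acme-challenge.example.com.", "type": 16}], "Answer": [{"name": "_acme-challenge.example.com.", "type": 16, "TTL": 120, "data": "\"constructed-token-123\""}]}'
  fi
}

# Constructed SERVFAIL response, as a validating resolver returns for broken DNSSEC.
_fake_servfail() {
  printf '%s' '{"Status":2,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"'"$1"'.","type":16}]}'
}

# Stand-alone demo: reset the fake, poll with a zero-second interval and print
# how many lookups it took (3 with the fake above).
_poll_demo() {
  printf '0' > "$_FAKE_STATE"
  _poll_txt _acme-challenge.example.com constructed-token-123 5 0 _fake_query || return $?
  cat "$_FAKE_STATE"
}

[ "${1:-}" = "demo" ] && _poll_demo
```

Against a real zone you would pass `_doh_query_cf` as the query function and an interval of a few seconds; the return code tells the caller whether to proceed to the ACME challenge, keep waiting, or give up because the resolver cannot validate the zone at all. Checking only the resolver's answer does not prove the CA will see the same thing (different vantage point, different cache), so the poll is a cheap pre-check that saves the fixed sleep in the common case, not a replacement for the CA's validation.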

@FernandoMiguel
Please try again.

no more weird errors

$ acme.sh --issue --dns dns_cf -d doh7.imperialus.house --keylength ec-256 --staging --force
[Sun 17 Feb 2019 08:59:49 GMT] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Sun 17 Feb 2019 08:59:50 GMT] Single domain='doh7.imperialus.house'
[Sun 17 Feb 2019 08:59:50 GMT] Getting domain auth token for each domain
[Sun 17 Feb 2019 08:59:50 GMT] Getting webroot for domain='doh7.imperialus.house'
[Sun 17 Feb 2019 08:59:50 GMT] Getting new-authz for domain='doh7.imperialus.house'
[Sun 17 Feb 2019 08:59:51 GMT] The new-authz request is ok.
[Sun 17 Feb 2019 08:59:51 GMT] Found domain api file: /Users/fernando/.acme.sh/dnsapi/dns_cf.sh
[Sun 17 Feb 2019 08:59:52 GMT] Adding record
[Sun 17 Feb 2019 08:59:53 GMT] Added, OK
[Sun 17 Feb 2019 08:59:53 GMT] Let's check each dns records now. Sleep 20 seconds first.
[Sun 17 Feb 2019 09:00:14 GMT] Checking doh7.imperialus.house for _acme-challenge.doh7.imperialus.house
[Sun 17 Feb 2019 09:00:14 GMT] Domain doh7.imperialus.house '_acme-challenge.doh7.imperialus.house' success.
[Sun 17 Feb 2019 09:00:14 GMT] All success, let's return
[Sun 17 Feb 2019 09:00:14 GMT] Verifying: doh7.imperialus.house
[Sun 17 Feb 2019 09:00:17 GMT] Success
[Sun 17 Feb 2019 09:00:17 GMT] Removing DNS records.
[Sun 17 Feb 2019 09:00:19 GMT] Verify finished, start to sign.
[Sun 17 Feb 2019 09:00:20 GMT] Cert success.
-----BEGIN CERTIFICATE-----

back to the point of this thread:
wasn't the whole idea of using DoH not having to sleep, but instead using smart polling?
I still see a silly 20 sec sleep there

let me try with AWS Route53, which needs 60 sec

bash-5.0$ ./.acme.sh/acme.sh --issue --dns dns_aws     -d dohtest1.REDACTED.com
[Sun 17 Feb 2019 09:18:32 GMT] Creating domain key
[Sun 17 Feb 2019 09:18:32 GMT] The domain key is here: /Users/fernando/.acme.sh/dohtest1.REDACTED.com/dohtest1.REDACTED.com.key
[Sun 17 Feb 2019 09:18:32 GMT] Single domain='dohtest1.REDACTED.com'
[Sun 17 Feb 2019 09:18:32 GMT] Getting domain auth token for each domain
[Sun 17 Feb 2019 09:18:32 GMT] Getting webroot for domain='dohtest1.REDACTED.com'
[Sun 17 Feb 2019 09:18:32 GMT] Getting new-authz for domain='dohtest1.REDACTED.com'
[Sun 17 Feb 2019 09:18:34 GMT] The new-authz request is ok.
[Sun 17 Feb 2019 09:18:34 GMT] Found domain api file: /Users/fernando/.acme.sh/dnsapi/dns_aws.sh
[Sun 17 Feb 2019 09:18:34 GMT] Geting existing records for _acme-challenge.dohtest1.REDACTED.com
[Sun 17 Feb 2019 09:18:36 GMT] TXT record updated successfully.
[Sun 17 Feb 2019 09:18:36 GMT] Let's check each dns records now. Sleep 20 seconds first.
[Sun 17 Feb 2019 09:18:57 GMT] Checking dohtest1.REDACTED.com for _acme-challenge.dohtest1.REDACTED.com
[Sun 17 Feb 2019 09:18:57 GMT] Domain dohtest1.REDACTED.com '_acme-challenge.dohtest1.REDACTED.com' success.
[Sun 17 Feb 2019 09:18:57 GMT] All success, let's return
[Sun 17 Feb 2019 09:18:57 GMT] Verifying: dohtest1.REDACTED.com
[Sun 17 Feb 2019 09:19:00 GMT] Success
[Sun 17 Feb 2019 09:19:00 GMT] Removing DNS records.
[Sun 17 Feb 2019 09:19:01 GMT] Getting existing records for _acme-challenge.dohtest1.REDACTED.com
[Sun 17 Feb 2019 09:19:03 GMT] TXT record deleted successfully.
[Sun 17 Feb 2019 09:19:03 GMT] Verify finished, start to sign.
[Sun 17 Feb 2019 09:19:04 GMT] Cert success.
-----BEGIN CERTIFICATE-----

I'm happy... you just made my certs on aws take 2/3 less time :D

that should have been a staging lol... DOH

@FernandoMiguel
Yes, it's all for saving time.
In my test, 20 seconds is a good minimum waiting time for most of the APIs.

👍

Do these changes allow fallback to non-DoH? I wholly support the addition of DoH, even as default, but does acme.sh still allow fallback to standard DNS?

I am having the same issues as described here.
