Acme.sh: the supported validation types are: http-01 , but you specified: dns-01

Created on 17 Jan 2020  ·  20 Comments  ·  Source: acmesh-official/acme.sh

Hello,

I know about the error with supported dns-01 - specified dns-01, but I get the vice-versa error now.

[Fri Jan 17 09:00:39 CET 2020] Error, can not get domain token entry **.org
[Fri Jan 17 09:00:39 CET 2020] The supported validation types are: http-01 , but you specified: dns-01

It is a wildcard certificate for 2 domains. This is a scripted environment; other requests are OK. But why did I get http-01 for a wildcard?

Thank you, Pavel

All 20 comments

A note: I got the "the supported validation types are: http-01 , but you specified: dns-01" error, when requesting a certificate (with --signcsr) for 4 domains (example.com, *.example.com, otherdomain.com, www.otherdomain.com).

example.com got dns-01 challenges, but otherdomain.com apparently received only http-01 challenges.

Maybe this is coming from Let's Encrypt, when dns-01 is not supported for a domain? (But I'm unsure why this should happen.)

I worked around this by getting two separate certificates: example.com, *.example.com with dns-01 validation, and otherdomain.com, www.otherdomain.com with http-01 validation.

Maybe this is related to this thread from the Let's Encrypt forum: https://community.letsencrypt.org/t/undocumented-challenge-hangs-for-dns-01-on-the-apex-domain-w-valid-http-01/106214/8

Same here with a renew:

# acme.sh --renew-all
[Di 21. Jan 21:59:58 CET 2020] Renew: 'dom1.de'
[Di 21. Jan 21:59:59 CET 2020] Multi domain='dom1.de,dom2.de,DNS:*.dom1.de,DNS:*.dom2.de'
[Di 21. Jan 21:59:59 CET 2020] Getting domain auth token for each domain
[Di 21. Jan 22:00:03 CET 2020] Getting webroot for domain='dom1.de'
[Di 21. Jan 22:00:03 CET 2020] Getting webroot for domain='dom2.de'
[Di 21. Jan 22:00:03 CET 2020] Error, can not get domain token entry dom2.de
[Di 21. Jan 22:00:03 CET 2020] The supported validation types are: http-01 , but you specified: dns-01
[Di 21. Jan 22:00:03 CET 2020] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Di 21. Jan 22:00:04 CET 2020] Error renew dom1.de.

Worked before for months; nothing was changed.

OK, the next domains have this error. It is trouble for us. Any idea?

Please paste your full command line, and the output with --debug 2.


[root@ ~]# /root/.acme.sh/acme.sh -r -d domain.cz --force --debug 2
[Wed Jan 22 22:41:51 CET 2020] Lets find script dir.
[Wed Jan 22 22:41:51 CET 2020] _SCRIPT_='/root/.acme.sh/acme.sh'
[Wed Jan 22 22:41:51 CET 2020] _script='/root/.acme.sh/acme.sh'
[Wed Jan 22 22:41:51 CET 2020] _script_home='/root/.acme.sh'
[Wed Jan 22 22:41:51 CET 2020] Using default home:/root/.acme.sh
[Wed Jan 22 22:41:51 CET 2020] Using config home:/root/.acme.sh
[Wed Jan 22 22:41:51 CET 2020] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.8.1
[Wed Jan 22 22:41:51 CET 2020] Using config home:/root/.acme.sh
[Wed Jan 22 22:41:51 CET 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jan 22 22:41:51 CET 2020] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Wed Jan 22 22:41:51 CET 2020] DOMAIN_PATH='/root/.acme.sh/domain.cz'
[Wed Jan 22 22:41:51 CET 2020] Renew: 'domain.cz'
[Wed Jan 22 22:41:51 CET 2020] Le_API
[Wed Jan 22 22:41:51 CET 2020] _main_domain='domain.cz'
[Wed Jan 22 22:41:51 CET 2020] _alt_domains='.domain.cz'
[Wed Jan 22 22:41:51 CET 2020] 'dns_giga' does not contain 'dns'
[Wed Jan 22 22:41:51 CET 2020] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed Jan 22 22:41:51 CET 2020] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Jan 22 22:41:51 CET 2020] GET
[Wed Jan 22 22:41:51 CET 2020] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jan 22 22:41:51 CET 2020] timeout=
[Wed Jan 22 22:41:51 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.caoXm2GacG -g '
[Wed Jan 22 22:41:52 CET 2020] ret='0'
[Wed Jan 22 22:41:52 CET 2020] response='{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"oaSsWm45GiM": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Wed Jan 22 22:41:52 CET 2020] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Jan 22 22:41:52 CET 2020] ACME_NEW_AUTHZ
[Wed Jan 22 22:41:52 CET 2020] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jan 22 22:41:52 CET 2020] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Jan 22 22:41:52 CET 2020] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Jan 22 22:41:52 CET 2020] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Jan 22 22:41:52 CET 2020] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jan 22 22:41:52 CET 2020] ACME_VERSION='2'
[Wed Jan 22 22:41:52 CET 2020] Le_NextRenewTime='1584782674'
[Wed Jan 22 22:41:52 CET 2020] _on_before_issue
[Wed Jan 22 22:41:52 CET 2020] _chk_main_domain='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _chk_alt_domains='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] 'dns_giga' does not contain 'no'
[Wed Jan 22 22:41:52 CET 2020] Le_LocalAddress
[Wed Jan 22 22:41:52 CET 2020] d='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] Check for domain='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _currentRoot='dns_giga'
[Wed Jan 22 22:41:52 CET 2020] d='.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] Check for domain='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _currentRoot='dns_giga'
[Wed Jan 22 22:41:52 CET 2020] d
[Wed Jan 22 22:41:52 CET 2020] 'dns_giga' does not contain 'apache'
[Wed Jan 22 22:41:52 CET 2020] _saved_account_key_hash='***+zOmRo0oM='
[Wed Jan 22 22:41:52 CET 2020] _saved_account_key_hash is not changed, skip register account.
[Wed Jan 22 22:41:52 CET 2020] Read key length:
[Wed Jan 22 22:41:52 CET 2020] _createcsr
[Wed Jan 22 22:41:52 CET 2020] domain='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] domainlist='.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] csrkey='/root/.acme.sh/domain.cz/domain.cz.key'
[Wed Jan 22 22:41:52 CET 2020] csr='/root/.acme.sh/domain.cz/domain.cz.csr'
[Wed Jan 22 22:41:52 CET 2020] csrconf='/root/.acme.sh/domain.cz/domain.cz.csr.conf'
[Wed Jan 22 22:41:52 CET 2020] _is_idn_d='
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _idn_temp
[Wed Jan 22 22:41:52 CET 2020] domainlist='.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] Multi domain='DNS:domain.cz,DNS:
.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _is_idn_d='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] _idn_temp
[Wed Jan 22 22:41:52 CET 2020] _csr_cn='domain.cz'
[Wed Jan 22 22:41:52 CET 2020] Getting domain auth token for each domain
[Wed Jan 22 22:41:52 CET 2020] d='.domain.cz'
[Wed Jan 22 22:41:52 CET 2020] d
[Wed Jan 22 22:41:52 CET 2020] _identifiers='{"type":"dns","value":"domain.cz"},{"type":"dns","value":"
.domain.cz"}'
[Wed Jan 22 22:41:52 CET 2020] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jan 22 22:41:52 CET 2020] payload='{"identifiers": [{"type":"dns","value":"domain.cz"},{"type":"dns","value":".domain.cz"}]}'
[Wed Jan 22 22:41:52 CET 2020] RSA key
[Wed Jan 22 22:41:53 CET 2020] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jan 22 22:41:53 CET 2020] HEAD
[Wed Jan 22 22:41:53 CET 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jan 22 22:41:53 CET 2020] body
[Wed Jan 22 22:41:53 CET 2020] _postContentType='application/jose+json'
[Wed Jan 22 22:41:53 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.O8rE9E3EkJ -g '
[Wed Jan 22 22:46:51 CET 2020] _ret='0'
[Wed Jan 22 22:46:51 CET 2020] _headers='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 Jan 2020 21:41:53 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce:
*-k3aSr100
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Wed Jan 22 22:46:51 CET 2020] _CACHED_NONCE='
*-k3aSr100'
[Wed Jan 22 22:46:51 CET 2020] nonce='
**-k3aSr100'
[Wed Jan 22 22:46:51 CET 2020] POST
[Wed Jan 22 22:46:51 CET 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jan 22 22:46:51 CET 2020] body='{"protected": "***", "payload": "*", "signature": "*-"}'
[Wed Jan 22 22:46:51 CET 2020] _postContentType='application/jose+json'
[Wed Jan 22 22:46:51 CET 2020] Http already initialized.
[Wed Jan 22 22:46:51 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.O8rE9E3EkJ -g '
[Wed Jan 22 22:46:52 CET 2020] _ret='0'
[Wed Jan 22 22:46:52 CET 2020] responseHeaders='HTTP/1.1 201 Created
Server: nginx
Date: Wed, 22 Jan 2020 21:46:52 GMT
Content-Type: application/json
Content-Length: 463
Connection: keep-alive
Boulder-Requester: 55317865
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/
/*
Replay-Nonce:

X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Wed Jan 22 22:46:52 CET 2020] code='201'
[Wed Jan 22 22:46:52 CET 2020] original='{
"status": "pending",
"expires": "2020-01-29T11:09:39Z",
"identifiers": [
{
"type": "dns",
"value": ".domain.cz"
},
{
"type": "dns",
"value": "domain.cz"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/
"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/
*****"
}'
[Wed Jan 22 22:46:52 CET 2020] response='{"status":"pending","expires":"2020-01-29T11:09:39Z","identifiers":[{"type":"dns","value":"
.domain.cz"},{"type":"dns","value":"domain.cz"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/**","https://acme-v02.api.letsencrypt.org/acme/authz-v3/*"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize//"}'
[Wed Jan 22 22:46:52 CET 2020] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/*'
[Wed Jan 22 22:46:52 CET 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/
/*'
[Wed Jan 22 22:46:52 CET 2020] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz-v3/
,https://acme-v02.api.letsencrypt.org/acme/authz-v3/'
[Wed Jan 22 22:46:52 CET 2020] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2413895279'
[Wed Jan 22 22:46:52 CET 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2413895279'
[Wed Jan 22 22:46:52 CET 2020] payload
[Wed Jan 22 22:46:52 CET 2020] Use cached jwk for file: /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.key
[Wed Jan 22 22:46:52 CET 2020] Use _CACHED_NONCE='0001OBKG-tA5GymWPgsJ_YSBzOD8H3zziI3whIpbcUchhek'
[Wed Jan 22 22:46:52 CET 2020] nonce='0001OBKG-tA5GymWPgsJ_YSBzOD8H3zziI3whIpbcUchhek'
[Wed Jan 22 22:46:52 CET 2020] POST
[Wed Jan 22 22:46:52 CET 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/
'
[Wed Jan 22 22:46:52 CET 2020] body='{"protected": "*
"}'
[Wed Jan 22 22:46:52 CET 2020] _postContentType='application/jose+json'
[Wed Jan 22 22:46:52 CET 2020] Http already initialized.
[Wed Jan 22 22:46:52 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.O8rE9E3EkJ -g '
[Wed Jan 22 22:46:53 CET 2020] _ret='0'
[Wed Jan 22 22:46:53 CET 2020] responseHeaders='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 Jan 2020 21:46:53 GMT
Content-Type: application/json
Content-Length: 696
Connection: keep-alive
Boulder-Requester: 55317865
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: *
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Wed Jan 22 22:46:53 CET 2020] code='200'
[Wed Jan 22 22:46:53 CET 2020] original='{
"identifier": {
"type": "dns",
"value": "domain.cz"
},
"status": "valid",
"expires": "2020-02-21T09:24:26Z",
"challenges": [
{
"type": "http-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2
",
"token": "
",
"validationRecord": [
{
"url": "http://domain.cz/.well-known/acme-challenge/*
",
"hostname": "domain.cz",
"port": "80",
"addressesResolved": [
"185.6
"
],
"addressUsed": "185.
"
}
]
}
]
}'
[Wed Jan 22 22:46:53 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"valid","expires":"2020-02-21T09:24:26Z","challenges":[{"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/2413895279/y3CxHg","token":"
","validationRecord":[{"url":"http://domain.cz/.well-known/acme-challenge/","hostname":"domain.cz","port":"80","addressesResolved":["185."],"addressUsed":"185."}]}]}'
[Wed Jan 22 22:46:53 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"valid","expires":"2020-02-21T09:24:26Z","challenges":[{"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/2413895279/y3CxHg","token":"
","validationRecord":[{"url":"http://domain.cz/.well-known/acme-challenge/","hostname":"domain.cz","port":"80","addressesResolved":["185."],"addressUsed":"185."}]}]}'
[Wed Jan 22 22:46:53 CET 2020] _d='domain.cz'
[Wed Jan 22 22:46:53 CET 2020] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2415049546'
[Wed Jan 22 22:46:53 CET 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2415049546'
[Wed Jan 22 22:46:53 CET 2020] payload
[Wed Jan 22 22:46:53 CET 2020] Use cached jwk for file: /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.key
[Wed Jan 22 22:46:53 CET 2020] Use _CACHED_NONCE=''
[Wed Jan 22 22:46:53 CET 2020] nonce='
'
[Wed Jan 22 22:46:53 CET 2020] POST
[Wed Jan 22 22:46:53 CET 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2415049546'
[Wed Jan 22 22:46:53 CET 2020] body='{"protected": "", "payload": "", "signature": "-"}'
[Wed Jan 22 22:46:53 CET 2020] _postContentType='application/jose+json'
[Wed Jan 22 22:46:53 CET 2020] Http already initialized.
[Wed Jan 22 22:46:53 CET 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.O8rE9E3EkJ -g '
[Wed Jan 22 22:46:54 CET 2020] _ret='0'
[Wed Jan 22 22:46:54 CET 2020] responseHeaders='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 22 Jan 2020 21:46:54 GMT
Content-Type: application/json
Content-Length: 382
Connection: keep-alive
Boulder-Requester: 55317865
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: *
P6v0sA2byDrU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Wed Jan 22 22:46:54 CET 2020] code='200'
[Wed Jan 22 22:46:54 CET 2020] original='{
"identifier": {
"type": "dns",
"value": "domain.cz"
},
"status": "pending",
"expires": "2020-01-29T11:09:39Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2415049546/atPxgw",
"token": "-4vtgdrTctrkhOIkec"
}
],
"wildcard": true
}'
[Wed Jan 22 22:46:54 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"pending","expires":"2020-01-29T11:09:39Z","challenges":[{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/atPxgw","token":"-4vtgdrTctrkhOIkec"}],"wildcard": true}'
[Wed Jan 22 22:46:54 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"pending","expires":"2020-01-29T11:09:39Z","challenges":[{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/atPxgw","token":"-4vtgdrTctrkhOIkec"}],"wildcard": true}'
[Wed Jan 22 22:46:54 CET 2020] _d='
.domain.cz'
[Wed Jan 22 22:46:54 CET 2020] _authorizations_map='.domain.cz,{"identifier":{"type":"dns","value":"domain.cz"},"status":"pending","expires":"2020-01-29T11:09:39Z","challenges":[{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/atPxgw","token":"-4vtgdrTctrkhOIkec"}],"wildcard": true}
domain.cz,{"identifier":{"type":"dns","value":"domain.cz"},"status":"valid","expires":"2020-02-21T09:24:26Z","challenges":[{"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/
/y3CxHg","token":"","validationRecord":[{"url":"http://domain.cz/.well-known/acme-challenge/","hostname":"domain.cz","port":"80","addressesResolved":["185.
"],"addressUsed":"185."}]}]}
'
[Wed Jan 22 22:46:54 CET 2020] d='domain.cz'
[Wed Jan 22 22:46:54 CET 2020] Getting webroot for domain='domain.cz'
[Wed Jan 22 22:46:54 CET 2020] _w='dns_giga'
[Wed Jan 22 22:46:54 CET 2020] _currentRoot='dns_giga'
[Wed Jan 22 22:46:54 CET 2020] response='{"identifier":{"type":"dns","value":"domain.cz"},"status":"valid","expires":"2020-02-21T09:24:26Z","challenges":[{"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3//y3CxHg","token":"","validationRecord":[{"url":"http://domain.cz/.well-known/acme-challenge/","hostname":"domain.cz","port":"80","addressesResolved":["185.
*"],"addressUsed":"185."}]}]}'
[Wed Jan 22 22:46:54 CET 2020] entry
[Wed Jan 22 22:46:54 CET 2020] Error, can not get domain token entry domain.cz
[Wed Jan 22 22:46:54 CET 2020] The supported validation types are: http-01 , but you specified: dns-01
[Wed Jan 22 22:46:54 CET 2020] pid
[Wed Jan 22 22:46:54 CET 2020] No need to restore nginx, skip.
[Wed Jan 22 22:46:54 CET 2020] _clearupdns
[Wed Jan 22 22:46:54 CET 2020] dns_entries
[Wed Jan 22 22:46:54 CET 2020] skip dns.
[Wed Jan 22 22:46:54 CET 2020] _on_issue_err
[Wed Jan 22 22:46:54 CET 2020] Please add '--debug' or '--log' to check more details.
[Wed Jan 22 22:46:54 CET 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Jan 22 22:46:54 CET 2020] _chk_vlist
[Wed Jan 22 22:46:54 CET 2020] 'dns_giga' does not contain 'dns'
[Wed Jan 22 22:46:54 CET 2020] socat doesn't exists.
[Wed Jan 22 22:46:54 CET 2020] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2k-fips 26 Jan 2017
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:

`

Any idea please?

Same issue here. If the domain has been verified earlier with HTTP authentication (domain.fi), we are unable to get a DNS-validated certificate for domain.fi (but can get one for *.domain.fi).

This used to work last month, but something has changed. acme.sh is the latest version (also tried with the 2.8.5 branch).

I guess this has something to do with the order of validation requests; maybe Let's Encrypt prefers the first one that has been successfully validated earlier, and acme.sh incorrectly uses it instead of the new dns-01 request. Validation requests will expire eventually, and it is possible that after expiration dns-01 will succeed.

Anyway, this makes switching from HTTP to DNS validation very hard for a plain domain name without any subdomains.

Post opened here too: https://community.letsencrypt.org/t/the-supported-validation-types-are-http-01-but-you-specified-dns-01/111561/4

Same issue here.

If you can write there too, we can do more :)

@rajcz I believe that this is caused by the Let's Encrypt CA changes.

I'm fixing it now. Wait a moment.

Excellent! It's working now.

Thanks a lot!

@dlt-
Just hold on, still testing.

OK! But with that commit I got two different domains validated that caused errors earlier with the 2.8.5 branch and 2.8.3.

@dlt-

Yes, you can do some testing on your side at the same time.

I'm also doing more testing before I'm sure to merge it.

Hi All,

It's fixed. Please upgrade to the latest code and try again.

acme.sh --upgrade

Hi @cpu

I would appreciate it very much if you could drop a comment.

It seems that the challenge objects in the authorization URL response have changed recently.

Before, the response always contained 3 challenge objects: dns-01, http-01 and tls-alpn-01, some of which may be valid and some in pending status.

However, now it returns 3 objects only when none of them is valid. Once one of them has valid status, it returns only the valid one.

Here are more details:

When we first issue a cert with the standalone method:

acme.sh --issue --test -d example.org  --standalone --debug 2

we got three challenge objects, all of which are pending:

{
  "identifier": {
    "type": "dns",
    "value": "example.org"
  },
  "status": "pending",
  "expires": "2020-02-03T15:44:19Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/35413462/DRfQJg",
      "token": "LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/35413462/GBhlng",
      "token": "LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/35413462/VE2JAA",
      "token": "LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0"
    }
  ]
}

We select the http-01 challenge to validate the domain, and everything is OK. We got the cert.

However, when we issue a new cert for the same domain with the dns method,

acme.sh --issue --test  -d  example.org -d '*.example.org' --dns dns_cf  --debug 2

we got the authorization URLs:

{
  "status": "pending",
  "expires": "2020-02-03T15:47:47.959309587Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.example.org"
    },
    {
      "type": "dns",
      "value": "example.org"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35413462",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35414055"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12231866/72469605"
}

When we try the first authorization URL https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35413462 to get the challenge objects, we got only one object returned:

{
  "identifier": {
    "type": "dns",
    "value": "example.org"
  },
  "status": "valid",
  "expires": "2020-02-26T15:44:25Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/35413462/DRfQJg",
      "token": "LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0",
      "validationRecord": [
        {
          "url": "http://example.org/.well-known/acme-challenge/LwGOPYGzof8CZfGjUUCLAYpibp0RUWykplyLZ5Jl_d0",
          "hostname": "example.org",
          "port": "80",
          "addressesResolved": [
            "104.24.116.182",
            "104.24.117.182",
            "2606:4700:3033::6818:74b6",
            "2606:4700:3037::6818:75b6"
          ],
          "addressUsed": "2606:4700:3033::6818:74b6"
        }
      ]
    }
  ]
}

It's an http-01 type with valid status. But we want to validate it with the dns-01 method.

Thanks in advance.
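As an added illustration of the behaviour described in the comment above (example code, not acme.sh's own): the pre-fix logic scanned the `challenges` array for the requested type and so failed on an authorization the CA had already marked valid via http-01, while the RFC 8555-aware version checks the authorization `status` first. The sample authorization objects, challenge URLs and the `ca.example` host are constructed after the responses quoted in the thread.

```python
# Constructed sample authorization objects, modelled on the responses quoted in
# this thread (challenge URLs are placeholders). Nothing validated yet: the CA
# lists all three challenge types as pending.
AUTHZ_PENDING = {
    "identifier": {"type": "dns", "value": "example.org"}, "status": "pending",
    "challenges": [
        {"type": "http-01", "status": "pending", "url": "https://ca.example/chall/1/a"},
        {"type": "dns-01", "status": "pending", "url": "https://ca.example/chall/1/b"},
        {"type": "tls-alpn-01", "status": "pending", "url": "https://ca.example/chall/1/c"},
    ],
}
# Already validated via http-01 earlier: per RFC 8555 the CA now returns only that one.
AUTHZ_VALID_HTTP = {
    "identifier": {"type": "dns", "value": "example.org"}, "status": "valid",
    "challenges": [{"type": "http-01", "status": "valid", "url": "https://ca.example/chall/1/a"}],
}
# Wildcard authorization: only dns-01 is offered (cf. the "wildcard": true entry in the log above).
AUTHZ_WILDCARD = {
    "identifier": {"type": "dns", "value": "example.org"}, "status": "pending", "wildcard": True,
    "challenges": [{"type": "dns-01", "status": "pending", "url": "https://ca.example/chall/2/b"}],
}


class ChallengeSelectionError(Exception):
    """Raised when no usable challenge of the requested type exists."""


def find_challenge(authz, wanted):
    """Pre-fix logic: scan the challenges array for the requested type only.

    It ignores the authorization status, so once the CA stops listing the
    non-validated types it fails with exactly the error seen in this thread.
    """
    for ch in authz["challenges"]:
        if ch["type"] == wanted:
            return ch
    supported = " ".join(ch["type"] for ch in authz["challenges"])
    raise ChallengeSelectionError(
        f"The supported validation types are: {supported} , but you specified: {wanted}")


def select_challenge(authz, wanted):
    """RFC 8555-aware logic: a valid authorization needs no new challenge.

    Returns None when the authorization is already valid (whatever type it was
    validated with) and the matching pending challenge otherwise.
    """
    if authz["status"] == "valid":
        return None
    if authz["status"] != "pending":
        # invalid / expired / revoked / deactivated: only a fresh order can help
        raise ChallengeSelectionError(f"authorization is {authz['status']}; a new order is needed")
    return find_challenge(authz, wanted)


def plan_order(authorizations, wanted):
    """Per identifier of an order, decide which challenge URL to answer (None = already valid)."""
    plan = []
    for authz in authorizations:
        name = authz["identifier"]["value"]
        if authz.get("wildcard"):
            name = "*." + name
        ch = select_challenge(authz, wanted)
        plan.append((name, None if ch is None else ch["url"]))
    return plan


if __name__ == "__main__":
    # The thread's scenario: example.org validated by http-01 last month, now
    # ordering example.org + *.example.org with a dns-01 provider.
    print(plan_order([AUTHZ_WILDCARD, AUTHZ_VALID_HTTP], "dns-01"))
    try:
        find_challenge(AUTHZ_VALID_HTTP, "dns-01")
    except ChallengeSelectionError as exc:
        print("pre-fix:", exc)
```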

The fix works for me. Thanks!

@Neilpang Yes, that changed recently. See https://community.letsencrypt.org/t/acme-v1-v2-changing-challenges-returned-for-invalid-valid-authorizations/107661. Apparently the old behavior was against RFC 8555.

@mnordhoff Thank you.

@Neilpang I can confirm @mnordhoff's answer (thanks for posting!).

Pebble has been using this RFC 8555 compliant behaviour since ~April 2018. Have you considered adding integration testing against a Pebble CA to your CI?

@cpu

Thank you so much.
I will add Pebble soon.

Thanks.
