acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0
38.42k stars, 4.89k forks

Report bugs to OpenProvider dns api #2104

Open TheLastProject opened 5 years ago

TheLastProject commented 5 years ago

This is the place to report bugs in the OpenProvider DNS API.

If you experience a bug, please report it in this issue.

Thanks!

weyert commented 5 years ago

How do I use the Openprovider API? I am trying to use it the following way: `docker run --rm -it -e OPENPROVIDER_USER="username" -e OPENPROVIDER_PASSWORDHASH="passwordhash" -v "$(pwd)/out":/acme.sh neilpang/acme.sh --issue -d '*.domain.co' --dns dns_openprovider -k ec-384 --debug`

Only now I am getting into an infinite loop. Do I have to have my DNS records set up in a specific way to make this work? I have the following zone at OpenProvider:

| Name | Type | Value | TTL |
| --- | --- | --- | --- |
| www.domain.co | A | 1.2.3.4 | 15 minutes |
| vpn.domain.co | A | 1.2.3.4 | 15 minutes |
| *.domain.co | A | 1.2.3.4 | 15 minutes |
| domain.co | SOA | ns1.openprovider.nl dns.openprovider.eu 2019090701 10800 3600 604800 3600 | 1 day |
| domain.co | NS | ns1.openprovider.nl | 1 hour |
| domain.co | NS | ns2.openprovider.be | 1 hour |
| domain.co | NS | ns3.openprovider.eu | 1 hour |
| domain.co | A | 1.2.3.4 | 15 minutes |

TheLastProject commented 5 years ago

Do you have the debug output? I sadly no longer have anything hosted at OpenProvider so it's hard for me to guess what it could be.

weyert commented 5 years ago

Appears to work when I don't have any A records. Let me try to get a debug log for you :)

@TheLastProject Please find the log here: https://gist.github.com/weyert/08d55ce124263d6ef99d90167006d992

TheLastProject commented 5 years ago

The error is on https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_openprovider.sh#L62, the sed statement doesn't seem to see the match and thus the list of records never changes. Not sure yet why this is the case...

weyert commented 5 years ago

Sorry, my shell scripting skill is like non-existent. Any way I could assist you? I did notice that when I don't have any A records (e.g. `.domain.co`) it's working fine. Could it be falling over the case that an A record for `.domain.co` exists for which I am also requesting a certificate?

TheLastProject commented 5 years ago

Nah, it's just not marking an item it dealt with as "done", and thus gets stuck in that loop. The sed statement is supposed to remove the item that it just dealt with from the list of items, but somehow that isn't working. Maybe some special-character weirdness, not quite sure why; probably someone whose POSIX shell scripting is less rusty could solve it in a second.

weyert commented 5 years ago

Oh okay, I hope someone can help us then :)

weyert commented 5 years ago

Not sure how to progress this.

markoetie commented 4 years ago

I'm having the same loop problem as @weyert. The API is constantly looping over the existing A records and not adding the challenge records. Only when removing existing A records and re-running acme.sh the challenges are added.

It would be nice if someone could fix it.

Ritbit commented 4 years ago

Hi all, I fixed the looping and a setting with custom NS servers, works like a charm :-)

Also lowered the TTL for the temporary acme record to 10 min, so you can retry after 10 minutes if it fails and you don't have to wait for a day until the record times out of DNS caches.

Will submit a pull request with the changes. Note: requesting wildcard-domain certificates still fails, investigating the cause.

weyert commented 4 years ago

Thanks @Ritbit that's great :)

johanneskonst commented 3 years ago

Tried acme.sh with dns_openprovider, all I keep getting is an `API request failed.` message. Tested with a few different domains, some with A records, some without. Adding `--debug` revealed `response='<?xml version="1.0" encoding="UTF-8"?><openXML><reply><code>808</code><desc>Invalid record type</desc><data/></reply></openXML>'` even though the types sent are only NS, MX and TXT.

sigio commented 3 years ago

Same here... I've used the DNS API on OpenProvider with dehydrated (I wrote that backend for dehydrated), but was looking into acme.sh since it has wider support, but it's giving me issues with OpenProvider.

It seems that API failures are printed in red, but then don't trigger stopping further requests/tests if the field was added.

```
[Mon 23 Nov 2020 10:01:41 PM CET] existing_items='A45.11.28.1086400NSns3.openprovider.eu3600NSns2.openprovider.be3600NSns1.openprovider.nl3600MXmail.sig-io.nl1086400AAAA2a0e:5700::1086400'
[Mon 23 Nov 2020 10:01:41 PM CET] results_retrieved='7'
[Mon 23 Nov 2020 10:01:41 PM CET] item='www.jaar2038.nlCNAMEjaar2038.nl86400'
[Mon 23 Nov 2020 10:01:41 PM CET] existing_items='A45.11.28.1086400NSns3.openprovider.eu3600NSns2.openprovider.be3600NSns1.openprovider.nl3600MXmail.sig-io.nl1086400AAAA2a0e:5700::1086400wwwCNAMEjaar2038.nl86400'
[Mon 23 Nov 2020 10:01:41 PM CET] results_retrieved='8'
[Mon 23 Nov 2020 10:01:41 PM CET] item
[Mon 23 Nov 2020 10:01:41 PM CET] total='8'
[Mon 23 Nov 2020 10:01:41 PM CET] Creating acme record
[Mon 23 Nov 2020 10:01:41 PM CET] POST
[Mon 23 Nov 2020 10:01:41 PM CET] _post_url='https://api.openprovider.eu/'
[Mon 23 Nov 2020 10:01:41 PM CET] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Mon 23 Nov 2020 10:01:42 PM CET] _ret='0'
[Mon 23 Nov 2020 10:01:42 PM CET] response='<?xml version="1.0" encoding="UTF-8"?>
808Invalid record type'
[Mon 23 Nov 2020 10:01:42 PM CET] API request failed.
[Mon 23 Nov 2020 10:01:42 PM CET]
```

sigio commented 3 years ago

Removing 'NS' from line 72 worked for me... the API docs also say the allowed record types are:

One of the following data types: A, AAAA, CNAME, MX, SPF, SRV, TXT, TLSA, SSHFP, CAA (In some cases NS records can be added after contacting Support.)

So... NS is not allowed by default... but is returned from the API (and automatically added, it seems).

sigio commented 3 years ago

It also looks like `dns_openprovider.sh` just replaces the entire zone/config, instead of just adding/removing a single record.

In the control panel: `2020-11-24 15:53:08 Records have been replaced.`

As opposed to the script used in dehydrated, which adds/removes individual TXT records:

```
2020-10-09 13:01:34 Record is deleted: name: _acme-challenge.jaar2038.nl, type: TXT, value: "XXX", ttl: 600
2020-10-09 13:01:30 Record is added: name: _acme-challenge.jaar2038.nl, type: TXT, value: "XXX", ttl: 600
```

Doing it this way would avoid issues with unknown or not-allowed record types, and avoid losing existing records if they might not match the regex (or simultaneous updates from other API calls).
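A defensive pattern for the two failure modes discussed in this thread, the record walk that never terminates when the sed removal fails to match, and a zone replace refused because it carries an NS record: an added example in POSIX sh, not code from acme.sh or `dns_openprovider.sh`. It assumes a constructed record format of one `name|type|value|ttl` per line and takes the allowed-type list from the API docs quoted above; the index-bounded loop and the type filter are the point, not any real API request.

```shell
# Added example, not part of acme.sh. Walks a zone's record list with an
# index-bounded loop (no "remove the handled item with sed" step that can
# fail to match and loop forever) and drops record types the Openprovider
# API refuses in a zone-replace request, so one NS record cannot fail the
# whole update. Record format is an assumption: one record per line,
# fields separated by '|':  name|type|value|ttl

# Record types the API documentation (quoted in this thread) accepts.
ALLOWED_TYPES="A AAAA CNAME MX SPF SRV TXT TLSA SSHFP CAA"

# type_allowed TYPE  -> exit status 0 if TYPE is in ALLOWED_TYPES
type_allowed() {
  for t in $ALLOWED_TYPES; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

# build_zone_items EXISTING CHALLENGE_NAME CHALLENGE_VALUE
# Prints every existing record whose type the API accepts, then one TXT
# challenge record with a 600 s TTL. Refused types are reported on stderr
# and skipped; the loop ends after exactly $total iterations regardless
# of what the data looks like.
build_zone_items() {
  existing=$1; ch_name=$2; ch_value=$3
  total=$(printf '%s\n' "$existing" | grep -c . || true)
  i=1
  while [ "$i" -le "$total" ]; do
    item=$(printf '%s\n' "$existing" | sed -n "${i}p")
    i=$((i + 1))
    [ -z "$item" ] && continue
    rtype=${item#*|}; rtype=${rtype%%|*}      # second field: the type
    if type_allowed "$rtype"; then
      printf '%s\n' "$item"
    else
      echo "skipping '$rtype' record not accepted by the API: $item" >&2
    fi
  done
  printf '%s|TXT|%s|600\n' "$ch_name" "$ch_value"
}

# Constructed sample zone (not real data), mixing accepted and NS records.
SAMPLE_ZONE='@|A|203.0.113.10|86400
@|NS|ns1.openprovider.nl|3600
@|MX|mail.example.net|86400
www|CNAME|example.net|86400'

build_zone_items "$SAMPLE_ZONE" "_acme-challenge" "constructed-token"
```

Run stand-alone it prints the three accepted records plus the challenge TXT and reports the skipped NS record on stderr.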

ixp-nl commented 3 years ago

This plugin should be rewritten to the Openprovider REST API (beta). The REST API has the option to add and remove single records.

WinSCaP commented 2 months ago

Created a pull request where the NS type is removed so it at least works again.