Open TheLastProject opened 5 years ago
How do I use the Openprovider API? I am trying to use it the following way:
docker run --rm -it -e OPENPROVIDER_USER="username" -e OPENPROVIDER_PASSWORDHASH="passwordhash" -v "$(pwd)/out":/acme.sh neilpang/acme.sh --issue -d '*.domain.co' --dns dns_openprovider -k ec-384 --debug
Only now I am getting into an infinite loop. Do I have to have my DNS records set up in a specific way to make this work? I have the following zone at OpenProvider:
| Name | Type | Value | TTL |
| -- | -- | -- | -- |
| www.domain.co | A | 1.2.3.4 | 15 minutes |
| vpn.domain.co | A | 1.2.3.4 | 15 minutes |
| *.domain.co | A | 1.2.3.4 | 15 minutes |
| domain.co | SOA | ns1.openprovider.nl dns.openprovider.eu 2019090701 10800 3600 604800 3600 | 1 day |
| domain.co | NS | ns1.openprovider.nl | 1 hour |
| domain.co | NS | ns2.openprovider.be | 1 hour |
| domain.co | NS | ns3.openprovider.eu | 1 hour |
| domain.co | A | 1.2.3.4 | 15 minutes |
Do you have the debug output? I sadly no longer have anything hosted at OpenProvider so it's hard for me to guess what it could be.
Appears to work when I don't have any A records. Let me try to get a debug log for you :)
@TheLastProject Please find the log here: https://gist.github.com/weyert/08d55ce124263d6ef99d90167006d992
The error is on https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_openprovider.sh#L62, the sed statement doesn't seem to see the match and thus the list of records never changes. Not sure yet why this is the case...
Sorry, my shell scripting skill is like non-existent. Is there any way I could assist you? I did notice that when I don't have any A records (e.g. .domain.co) it's working fine. Could it be falling over the case that an A record for .domain.co exists, for which I am also requesting a certificate?
Nah, it's just not marking an item it dealt with as "done", and thus gets stuck in that loop. The sed statement is supposed to remove the item that it just dealt with from the list of items, but somehow that isn't working. Maybe some special-character weirdness, not quite sure why; probably someone whose POSIX shell scripting is less rusty could solve it in a second.
Oh okay, I hope someone can help us then :)
Not sure how to progress this.
I'm having the same loop problem as @weyert. The API is constantly looping over the existing A records and not adding the challenge records. Only when removing existing A records and re-running acme.sh the challenges are added.
It would be nice if someone could fix it.
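The looping described in this thread is a general failure mode of "remove the item I just handled from the list" loops in shell: when the handled item is pasted into a sed regular expression, a record containing characters sed interprets (`.`, `*`, the delimiter) can fail to match its own text, the list never shrinks, and the renewal hangs. The script below is an added example, not code from acme.sh or dns_openprovider.sh; its record list (constructed, in a "name type value" layout modelled on the zone above) and the TXT value with a `*` in it are made up to trigger the problem. It contrasts the fragile regex delete with a fixed-string delete that always makes progress and fails loudly if it ever does not.

```sh
#!/bin/sh
# Added example (not from acme.sh): why a sed-regex "mark as done" loop can
# spin forever, and a fixed-string alternative that cannot.

# Constructed sample zone, one record per line: name type value.
# The TXT value is deliberately constructed to contain '*' and '.', which a
# sed basic regular expression does not treat literally.
RECORDS='www.domain.co A 1.2.3.4
domain.co TXT v=spf1 a:mail*.domain.co -all
*.domain.co A 1.2.3.4
domain.co NS ns1.openprovider.nl'

# Fragile: the handled item is interpolated into a sed regex. In the TXT line
# 'l*' means "zero or more l" and '.' means "any character", so the line does
# not match itself, is never deleted, and the loop never empties the list.
# A guard caps the iterations so this example terminates; returns how many
# iterations were spent (the guard value means "it would have looped forever").
count_loops_regex_delete() {
  items=$1
  guard=0
  while [ -n "$items" ] && [ "$guard" -lt 10 ]; do
    item=$(printf '%s\n' "$items" | head -n 1)
    # Delete the line matching the item as a regex, then drop the empty line.
    items=$(printf '%s\n' "$items" | sed "s/^$item\$//" | sed '/^$/d')
    guard=$((guard + 1))
  done
  echo "$guard"
}

# Robust: remove the handled item as a whole-line fixed string (grep -vxF),
# so no character in a DNS record can be misread as a pattern. If the list
# does not shrink, fail hard instead of spinning. Returns iterations spent.
count_loops_fixed_delete() {
  items=$1
  guard=0
  while [ -n "$items" ]; do
    item=$(printf '%s\n' "$items" | head -n 1)
    # grep exits 1 when nothing is left; that is the normal end of the list.
    rest=$(printf '%s\n' "$items" | grep -vxF -- "$item") || true
    if [ "$rest" = "$items" ]; then
      echo "no progress on item: $item" >&2
      return 1
    fi
    items=$rest
    guard=$((guard + 1))
  done
  echo "$guard"
}

echo "regex delete, iterations spent (10 = hit the guard): $(count_loops_regex_delete "$RECORDS")"
echo "fixed-string delete, iterations spent: $(count_loops_fixed_delete "$RECORDS")"
```

Run it with `sh`: the regex version burns through the guard while the fixed-string version finishes in exactly one pass per record. The same effect is achieved by never mutating the list at all and reading it line by line (`printf '%s\n' "$items" | while IFS= read -r line; do ...; done`); either way the point is that record contents must never be treated as a pattern.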
Hi all, I fixed the looping and a setting with custom NS servers; works like a charm :-)
Also lowered the TTL for the temporary acme record to 10 min, so you can retry after 10 minutes if it fails and you don't have to wait for a day until the record times out of DNS caches.
Will submit a pull request with the changes. Note: requesting wildcard-domain certificates still fails, investigating the cause...
Thanks @Ritbit that's great :)
Tried acme.sh with openprovider_dns; all I keep getting is an "API request failed" message.
Tested with a few different domains, some with A records, some without.
Adding --debug revealed response='<?xml version="1.0" encoding="UTF-8"?><openXML><reply><code>808</code><desc>Invalid record type</desc><data/></reply></openXML>'
even though the types sent are only NS, MX and TXT.
Same here... I've used the DNS API on OpenProvider with dehydrated (I wrote that backend for dehydrated), but was looking into acme.sh since it has wider support, and it's giving me issues with OpenProvider.
It seems that API failures are printed in red, but then don't trigger stopping further requests/tests if the field was added.
[Mon 23 Nov 2020 10:01:41 PM CET] existing_items='
808
Removing 'NS' from line 72 worked for me.... the API docs also say the allowed field types are:
One of the following data types: A, AAAA, CNAME, MX, SPF, SRV, TXT, TLSA, SSHFP, CAA (In some cases NS records can be added after contacting Support.)
So... NS is not allowed by default... but is returned from the API (and automatically added, it seems).
It also looks like the dns_openprovider.sh just replaces the entire zone/config, instead of just adding/removing a single record:
In the control-panel: 2020-11-24 15:53:08 Records have been replaced.
As opposed to the script used in dehydrated, which adds/removes individual TXT records:
2020-10-09 13:01:34 Record is deleted: name: _acme-challenge.jaar2038.nl, type: TXT, value: "XXX", ttl: 600
2020-10-09 13:01:30 Record is added: name: _acme-challenge.jaar2038.nl, type: TXT, value: "XXX", ttl: 600
Doing it this way would avoid issues with unknown or not-allowed record types, and avoid losing existing records if they don't match the regex (or simultaneous updates from other API calls).
This plugin should be rewritten to the Openprovider REST API (beta). The REST API has the option to add and remove single records.
Created a pull request where the NS type is removed so it at least works again.
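Two defensive checks follow from this comment and the one about API failures only being printed in red: a non-zero `<code>` in the openXML reply should stop the run rather than let the script continue (and, with a zone-replacing API, possibly overwrite the zone with an incomplete record set), and record types the API rejects should be dropped, with a visible message, before anything is submitted. The script below is an added example and not code from acme.sh, dns_openprovider.sh or the dehydrated hook; the two replies are constructed after the one quoted in this thread, the allowed-type list is the one quoted from the API docs above, and the "name type value" record layout is a constructed stand-in for the real XML.

```sh
#!/bin/sh
# Added example (not from acme.sh): fail fast on an Openprovider error reply
# and drop record types the API rejects before (re)submitting a zone.

# Constructed replies, modelled on the 808 reply quoted in the thread.
REPLY_ERROR='<?xml version="1.0" encoding="UTF-8"?><openXML><reply><code>808</code><desc>Invalid record type</desc><data/></reply></openXML>'
REPLY_OK='<?xml version="1.0" encoding="UTF-8"?><openXML><reply><code>0</code><desc></desc><data><id>1</id></data></reply></openXML>'

# Print the numeric <code> of a reply; prints nothing if none is present.
reply_code() {
  printf '%s\n' "$1" | sed -n 's/.*<reply><code>\([0-9]*\)<\/code>.*/\1/p'
}

# Return 0 only for code 0. Anything else (including a reply with no code at
# all) is reported on stderr and returns 1, so a caller under 'set -e', or one
# that checks $?, stops instead of issuing the next request.
check_reply() {
  code=$(reply_code "$1")
  if [ "$code" = "0" ]; then
    return 0
  fi
  desc=$(printf '%s\n' "$1" | sed -n 's/.*<desc>\([^<]*\)<\/desc>.*/\1/p')
  echo "Openprovider API error ${code:-unknown}: ${desc:-no description}" >&2
  return 1
}

# Record types the API docs quoted above list as accepted by default.
ALLOWED_TYPES='A AAAA CNAME MX SPF SRV TXT TLSA SSHFP CAA'

# Filter a "name type value" list, keeping only allowed types. Every dropped
# record is named on stderr so nothing disappears from the zone silently.
filter_allowed_types() {
  printf '%s\n' "$1" | while IFS=' ' read -r name type value; do
    case " $ALLOWED_TYPES " in
      *" $type "*) printf '%s %s %s\n' "$name" "$type" "$value" ;;
      *) echo "dropping $type record for $name (not accepted by the API)" >&2 ;;
    esac
  done
}

# Number of records that would actually be submitted.
count_submittable() {
  filter_allowed_types "$1" 2>/dev/null | grep -c .
}

# Constructed sample zone modelled on the one in the report, plus the
# challenge record acme.sh would add (token value is a placeholder).
SAMPLE_ZONE='www.domain.co A 1.2.3.4
*.domain.co A 1.2.3.4
domain.co NS ns1.openprovider.nl
domain.co NS ns2.openprovider.be
domain.co A 1.2.3.4
_acme-challenge.domain.co TXT constructed-challenge-token'

echo "records to submit: $(count_submittable "$SAMPLE_ZONE")"
filter_allowed_types "$SAMPLE_ZONE"
check_reply "$REPLY_OK" && echo "success reply accepted"
check_reply "$REPLY_ERROR" || echo "error reply rejected, stopping here"
```

With the sample zone the two NS records are reported and dropped, leaving four records to submit, and the 808 reply is turned into a non-zero return code where the original plugin only logged it. A replace-the-whole-zone API makes the second check matter most: stopping on the first error is what prevents a later request from writing back a zone that lost records on the way.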
This is the place to report bugs in the OpenProvider DNS API.
If you experience a bug, please report it in this issue.
Thanks!