Open webhive opened 5 years ago
Hello.
I have the same problem, but it seems that it is a Yandex DNS error.
Records are present in the web interface of PDD, but are missing on the DNS server.
dig TXT _acme-challenge.domain.name @dns.yandex.ru
returns no TXT records.
I've created an issue in PDD support, but at this moment they recommend moving the domain to Connect, which doesn't have a DNS API.
Hello. Yandex support told me that Yandex.Connect now supports adding and deleting DNS records via the same PDD API, so you can simply migrate your domain to Connect. I've tried this on my domain and it worked.
According to acme.sh.log, after I use the command
acme.sh --issue --dns dns_yandex -d <mydomain>
the script creates a new TXT record and tries to check access to it (for 20 minutes max).
It uses the https://cloudflare-dns.com/dns-query service for checking.
When cloudflare-dns says OK (I got OK), the script makes a POST request to https://acme-v02.api.letsencrypt.org/acme/challenge.
I suppose acme-v02.api.letsencrypt.org makes one more TXT record access check. And it fails.
It seems to me that, at this moment, not all DNS servers know about our new TXT record. That is why certificate issuing fails.
As a result I cannot use DNS auto mode :(
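The gap described in the comment above (a public resolver already sees the TXT record while the CA's own lookup does not) can be checked by asking every authoritative nameserver directly. This is an added example, not part of the original thread or of acme.sh; the function names are hypothetical, and only standard `dig` options are used.

```sh
#!/bin/sh
# Added example (not acme.sh code): confirm a dns-01 TXT value on every
# authoritative nameserver instead of trusting one public resolver.
# Function names are hypothetical.

# Thin wrappers around dig so they can be replaced when testing offline.
list_ns()   { dig +short NS "$1"; }          # $1 = zone
query_txt() { dig +short TXT "$1" "@$2"; }   # $1 = record name, $2 = server

# txt_on_all_ns ZONE NAME VALUE
# Prints one line per nameserver ("ok <ns>" or "MISSING <ns>").
# Returns 0 only if every nameserver serves VALUE.
txt_on_all_ns() {
  zone=$1 name=$2 want=$3
  missing=0 seen=0
  for ns in $(list_ns "$zone"); do
    seen=$((seen + 1))
    # dig prints each TXT record quoted on its own line; match the whole line.
    if query_txt "$name" "$ns" | grep -Fqx "\"$want\""; then
      echo "ok $ns"
    else
      echo "MISSING $ns"
      missing=$((missing + 1))
    fi
  done
  # An empty NS answer counts as a failure, not as a pass.
  [ "$seen" -gt 0 ] && [ "$missing" -eq 0 ]
}

# wait_for_txt ZONE NAME VALUE TRIES DELAY
# Polls until all nameservers agree or TRIES is used up.
wait_for_txt() {
  tries=$4
  while [ "$tries" -gt 0 ]; do
    txt_on_all_ns "$1" "$2" "$3" >/dev/null && return 0
    tries=$((tries - 1))
    if [ "$tries" -gt 0 ]; then sleep "$5"; fi
  done
  return 1
}
```

Running `txt_on_all_ns` with the zone, the `_acme-challenge` name and the expected TXT value before the challenge is submitted shows which nameserver, if any, is still serving stale data.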
I have much more interesting results. It can't find the domain at all. But the wildcard version of the same domain passes all checks fine.
[Wed Sep 18 16:04:41 MSK 2019] d='*.bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] Getting webroot for domain='*.bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] _w='dns_yandex'
[Wed Sep 18 16:04:41 MSK 2019] _currentRoot='dns_yandex'
[Wed Sep 18 16:04:41 MSK 2019] _is_idn_d='*.bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] _idn_temp
[Wed Sep 18 16:04:41 MSK 2019] response='{"identifier":{"type":"dns","value":"bgiik.ru"},"status":"valid","expires":"2019-10-24T00:16:39Z","challenges":[{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/374453631/MP8o51","token":"1zy0FilfwYQU95XUklU2IpQ08LPOTRzvbLcn8x22GO0","validationRecord":[{"hostname":"bgiik.ru"}]}],"wildcard": true}'
[Wed Sep 18 16:04:41 MSK 2019] base64 single line.
[Wed Sep 18 16:04:41 MSK 2019] entry='"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/374453631/MP8o51","token":"1zy0FilfwYQU95XUklU2IpQ08LPOTRzvbLcn8x22GO0","validationRecord":[{"hostname":"bgiik.ru"'
[Wed Sep 18 16:04:41 MSK 2019] token='1zy0FilfwYQU95XUklU2IpQ08LPOTRzvbLcn8x22GO0'
[Wed Sep 18 16:04:41 MSK 2019] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/374453631/MP8o51'
[Wed Sep 18 16:04:41 MSK 2019] keyauthorization='1zy0FilfwYQU95XUklU2IpQ08LPOTRzvbLcn8x22GO0.PUbaPtbUJ8XvqNHXS82cxKgQ81hphefNRGlLTpw69Oo'
[Wed Sep 18 16:04:41 MSK 2019] *.bgiik.ru is already verified.
[Wed Sep 18 16:04:41 MSK 2019] keyauthorization='verified_ok'
[Wed Sep 18 16:04:41 MSK 2019] dvlist='*.bgiik.ru#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/374453631/MP8o51#dns-01#dns_yandex'
[Wed Sep 18 16:04:41 MSK 2019] d='bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] Getting webroot for domain='bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] _w='dns_yandex'
[Wed Sep 18 16:04:41 MSK 2019] _currentRoot='dns_yandex'
[Wed Sep 18 16:04:41 MSK 2019] _is_idn_d='bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] _idn_temp
[Wed Sep 18 16:04:41 MSK 2019] response='{"identifier":{"type":"dns","value":"bgiik.ru"},"status":"pending","expires":"2019-09-25T13:04:21Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/397069427/taJIJ1","token":"1pLuytU_sO5twz7U_1CT_IFQCFHbbuep29tHTIGGfGU"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/397069427/l-6YY1","token":"1pLuytU_sO5twz7U_1CT_IFQCFHbbuep29tHTIGGfGU"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/397069427/p-uXv1","token":"1pLuytU_sO5twz7U_1CT_IFQCFHbbuep29tHTIGGfGU"}]}'
[Wed Sep 18 16:04:41 MSK 2019] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/397069427/l-6YYQ","token":"1pLuytU_sO5twz7U_1CT_IFQCFHbbuep29tHTIGGfG1"'
[Wed Sep 18 16:04:41 MSK 2019] token='1pLuytU_sO5twz7U_1CT_IFQCFHbbuep29tHTIGGfGU'
[Wed Sep 18 16:04:41 MSK 2019] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/397069427/l-6YY1'
[Wed Sep 18 16:04:41 MSK 2019] keyauthorization='1pLuytU_sO5twz7U_1CT_IFQCFHbbuep29tHTIGGfGU.PUbaPtbUJ8XvqNHXS82cxKgQ81hphefNRGlLTpw69Oo'
[Wed Sep 18 16:04:41 MSK 2019] dvlist='bgiik.ru#1pLuytU_sO5twz7U_1CT_IFQCFHbbuep29tHTIGGfGU.PUbaPtbUJ8XvqNHXS82cxKgQ81hphefNRGlLTpw69Oo#https://acme-v02.api.letsencrypt.org/acme/chall-v3/397069427/l-6YY1#dns-01#dns_yandex'
[Wed Sep 18 16:04:41 MSK 2019] d
[Wed Sep 18 16:04:41 MSK 2019] vlist='*.bgiik.ru#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/374453631/MP8o51#dns-01#dns_yandex,bgiik.ru#1pLuytU_sO5twz7U_1CT_IFQCFHbbuep29tHTIGGfGU.PUbaPtbUJ8XvqNHXS82cxKgQ81hphefNRGlLTpw69Oo#https://acme-v02.api.letsencrypt.org/acme/chall-v3/397069427/l-6YY1#dns-01#dns_yandex,'
[Wed Sep 18 16:04:41 MSK 2019] d='*.bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] *.bgiik.ru is already verified, skip dns-01.
[Wed Sep 18 16:04:41 MSK 2019] d='bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] _d_alias
[Wed Sep 18 16:04:41 MSK 2019] txtdomain='_acme-challenge.bgiik.ru'
[Wed Sep 18 16:04:41 MSK 2019] base64 single line.
[Wed Sep 18 16:04:41 MSK 2019] txt='1JFQRYUueu76XfcAMhaGprIAQKQTnJ6y1mHwHfqHn1k'
[Wed Sep 18 16:04:41 MSK 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_yandex.sh'
[Wed Sep 18 16:04:41 MSK 2019] dns_entry='bgiik.ru,_acme-challenge.bgiik.ru,,dns_yandex,1JFQRYUueu76XfcAMhaGprIAQKQTnJ6y1mHwHfqHn1k,/usr/local/pkg/acme/dnsapi/dns_yandex.sh'
[Wed Sep 18 16:04:41 MSK 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_yandex.sh
[Wed Sep 18 16:04:41 MSK 2019] dns_yandex_add exists=0
[Wed Sep 18 16:04:41 MSK 2019] Adding txt value: 1JFQRYUueu76XfcAMhaGprIAQKQTnJ6y1mHwHfqHn1k for domain: _acme-challenge.bgiik.ru
[Wed Sep 18 16:04:41 MSK 2019] Calling: dns_yandex_add() '_acme-challenge.bgiik.ru' '1JFQRYUueu76XfcAMhaGprIAQKQTnJ6y1mHwHfqHn1k'
[Wed Sep 18 16:04:41 MSK 2019] APP
[Wed Sep 18 16:04:41 MSK 2019] 5:PDD_Token='YDLA72DGQV3WHFATOLNUIVDRNGRQ24RSCZ3ZDHK2LFR2Y5FUSGV1Q'
[Wed Sep 18 16:04:41 MSK 2019] GET
[Wed Sep 18 16:04:41 MSK 2019] url='https://pddimp.yandex.ru/api2/admin/domain/domains?page=1&on_page=20'
[Wed Sep 18 16:04:41 MSK 2019] timeout=
[Wed Sep 18 16:04:41 MSK 2019] Http already initialized.
[Wed Sep 18 16:04:41 MSK 2019] _CURL='curl -L --silent --dump-header /tmp/acme/bgiikru//http.header -g '
[Wed Sep 18 16:04:49 MSK 2019] ret='0'
[Wed Sep 18 16:04:49 MSK 2019] res1='{"total": 1, "domains":[{"from_registrar":"no", "dkim-ready":"yes", "emails-max-count": 2147483647, "aliases":["bgiki.ru", "xn--90aepak.xn--p1ai"], "logo_enabled":"no", "master_admin": false, "workspace":"yes", "show-simple-check":"no", "ws_technical":"no", "show-ready-soon":"no", "emails-count": 181, "stage":"added", "status":"added", "nsdelegated":"yes", "name":"bgiik.ru"}], "on_page": 20, "success":"ok", "page": 1, "found": 1}'
[Wed Sep 18 16:04:49 MSK 2019] found: results on page
[Wed Sep 18 16:04:49 MSK 2019] last page: 1
[Wed Sep 18 16:04:49 MSK 2019] finding zone for domain bgiik.ru
[Wed Sep 18 16:04:49 MSK 2019] finding zone for domain ru
[Wed Sep 18 16:04:49 MSK 2019] finding zone for domain
[Wed Sep 18 16:04:49 MSK 2019] finding zone for domain
[Wed Sep 18 16:04:49 MSK 2019] finding zone for domain
[Wed Sep 18 16:04:49 MSK 2019] finding zone for domain
[Wed Sep 18 16:04:49 MSK 2019] finding zone for domain
[Wed Sep 18 16:04:49 MSK 2019] finding zone for domain
[Wed Sep 18 16:04:49 MSK 2019] No suitable domain found in your account
I had the same problem.
Had the same problem as the last two guys: No suitable domain found in your account. Does someone have any ideas how to fix it?
remove alias domains or use DNS manual mode
As far as I know, YandexDNS has no support for domain aliases, so I have no aliases configured...
Seems it was (unintentionally? 😅) fixed in #2690. I'm using the acme.sh package in pfSense, and replacing dns_yandex.sh with the newer version fixed the problem (but you still need a longer DNS-Sleep, 20 minutes in my case 😨).
I've moved from Yandex DNS due to its inconsistency. dig can show that the record was added successfully, but acme.sh fails.
Steps to reproduce
I had a domain that was updated automatically for a long time. But recently I got a message about certificate expiration, so I went to check and found that certificates are not renewed.
After a brief investigation I discovered that the script is unable to check the inserted DNS TXT record, while such a record is really present. It is strange that it checked it via cloudflare-dns. Maybe Cloudflare's access to Yandex is restricted?
Debug log
Record on Yandex side
Debug = 2