acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Incorrect TXT record for base + wildcard with Digital Ocean API #2632

Open dandv opened 4 years ago

dandv commented 4 years ago

I've just installed the script and got the error below with DigitalOcean. Detailed log attached.

# /root/.acme.sh/acme.sh --issue --dns dns_dgon -d cryptoclimate.io -d "*.cryptoclimate.io"
[Fri Dec 13 03:51:19 EST 2019] Multi domain='DNS:cryptoclimate.io,DNS:*.cryptoclimate.io'
[Fri Dec 13 03:51:19 EST 2019] Getting domain auth token for each domain
[Fri Dec 13 03:51:20 EST 2019] Getting webroot for domain='cryptoclimate.io'
[Fri Dec 13 03:51:20 EST 2019] Getting webroot for domain='*.cryptoclimate.io'
[Fri Dec 13 03:51:20 EST 2019] Adding txt value: DhxmA5BNdWAibUdo2zFhYEedJszcmBRMjFmixw4V1UA for domain:  _acme-challenge.cryptoclimate.io
[Fri Dec 13 03:51:20 EST 2019] Using digitalocean dns validation - add record
[Fri Dec 13 03:51:21 EST 2019] The txt record is added: Success.
[Fri Dec 13 03:51:21 EST 2019] Adding txt value: 4Xtnf8ZHGCzky7SzhyjcpkyhjIiU1rg-nK35Pndx-cc for domain:  _acme-challenge.cryptoclimate.io
[Fri Dec 13 03:51:21 EST 2019] Using digitalocean dns validation - add record
[Fri Dec 13 03:51:22 EST 2019] The txt record is added: Success.
[Fri Dec 13 03:51:22 EST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Fri Dec 13 03:51:43 EST 2019] Checking cryptoclimate.io for _acme-challenge.cryptoclimate.io
[Fri Dec 13 03:51:44 EST 2019] Domain cryptoclimate.io '_acme-challenge.cryptoclimate.io' success.
[Fri Dec 13 03:51:44 EST 2019] Checking cryptoclimate.io for _acme-challenge.cryptoclimate.io
[Fri Dec 13 03:51:44 EST 2019] Domain cryptoclimate.io '_acme-challenge.cryptoclimate.io' success.
[Fri Dec 13 03:51:44 EST 2019] All success, let's return
[Fri Dec 13 03:51:44 EST 2019] Verifying: cryptoclimate.io
[Fri Dec 13 03:51:47 EST 2019] cryptoclimate.io:Verify error:Incorrect TXT record 
[Fri Dec 13 03:51:47 EST 2019] Removing DNS records.
[Fri Dec 13 03:51:47 EST 2019] Removing txt: DhxmA5BNdWAibUdo2zFhYEedJszcmBRMjFmixw4V1UA for domain: _acme-challenge.cryptoclimate.io
[Fri Dec 13 03:51:47 EST 2019] Using digitalocean dns validation - remove record
[Fri Dec 13 03:51:48 EST 2019] Removed: Success
[Fri Dec 13 03:51:48 EST 2019] Removing txt: 4Xtnf8ZHGCzky7SzhyjcpkyhjIiU1rg-nK35Pndx-cc for domain: _acme-challenge.cryptoclimate.io
[Fri Dec 13 03:51:48 EST 2019] Using digitalocean dns validation - remove record
[Fri Dec 13 03:51:50 EST 2019] Removed: Success
[Fri Dec 13 03:51:50 EST 2019] Please add '--debug' or '--log' to check more details.
[Fri Dec 13 03:51:50 EST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

acme-incorrect-TXT-record.log

rayzilt commented 4 years ago

Separate those two requests; run acme for each one.

And technically you don't need the first cryptoclimate.io as you are requesting a wildcard for that domain.

RifeWang commented 4 years ago

Same with me. Sometimes I get only one TXT record for the base and wildcard domains, and it works well, but sometimes I get two TXT records for the same _acme-challenge host and it fails.

RifeWang commented 4 years ago

@Rayzilt Cannot separate into two requests, and the base domain is needed, because we want to use the same cert file for the base and wildcard domains.

RifeWang commented 4 years ago

The first issue failed; try again and it will succeed.

karmicdude commented 3 years ago

The same issue with yandex_dns

JMC-PK commented 2 years ago

I spent about 4 hours troubleshooting this with the dns_gd API. Turns out the issue isn't the same TXT record with 2 entries. It is actually the DNS record cache on the LetsEncrypt challenge verification servers.

I even went so far as to specify a challenge alias for the wildcard domain so they wouldn't share the same record and I was still getting this error.

-d example.com --challenge-alias no --dns dns_gd -d *.example.com --challenge-alias wildcard-challenge-alias.example.com --dns dns_gd

[Fri Jun 3 02:41:35 PM EDT 2022] Verifying: example.com
[Fri Jun 3 02:41:35 PM EDT 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Jun 3 02:41:38 PM EDT 2022] example.com:Verify error:Incorrect TXT record

I even removed the wildcard domain to run it with just the base domain and found I was still getting this error, so it COULDN'T be tied to the wildcard part.

That's when I stumbled on someone else mentioning they had to set the timeout to 500s to stop the error, and it made me think of the DNS TTL. Acme.sh sets the TXT TTL to 600s. So I set the dnssleep to 1200s to be safe, and it worked.

[Fri Jun 3 02:44:14 PM EDT 2022] Sleep 1200 seconds for the txt records to take effect
[Fri Jun 3 03:04:18 PM EDT 2022] Verifying: example.com
[Fri Jun 3 03:04:18 PM EDT 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Jun 3 03:04:21 PM EDT 2022] Pending, The CA is processing your order, please just wait. (2/30)
[Fri Jun 3 03:04:25 PM EDT 2022] Pending, The CA is processing your order, please just wait. (3/30)
[Fri Jun 3 03:04:28 PM EDT 2022] Pending, The CA is processing your order, please just wait. (4/30)
[Fri Jun 3 03:04:31 PM EDT 2022] Success

So try throwing "--dnssleep 1200" into your --issue command. You might be able to bring that down to 600s, this was just to verify this was the actual issue.
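The thread turns on two facts about the dns-01 challenge that the log lines above only show indirectly: a base domain and its wildcard both validate at the same `_acme-challenge.<domain>` name, so two TXT records legitimately coexist there (RFC 8555 section 8.4 requires only that one of the returned records match each authorization), and validation fails when the resolver the CA queries has not yet seen one of those records. The following is an added example, not acme.sh's own code or any DigitalOcean/GoDaddy API call: it computes the TXT value the CA expects from a token and account-key thumbprint and compares it with what a `dig +short TXT` answer contains, so a missing or stale record can be noticed before the CA is asked to validate. The tokens, thumbprint and resolver output are constructed placeholders; `fake_dig_output` stands in for a real `dig` run so the script works offline.

```python
"""Pre-flight check for an ACME dns-01 challenge, RFC 8555 section 8.4.

Added example, not acme.sh code. It computes the TXT value the CA will
look for and compares it with what a resolver actually returns, so a
missing or stale record is noticed before the CA is asked to validate.
Tokens and the account-key thumbprint below are constructed placeholders.
"""
import base64
import hashlib
import shlex


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires (via RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT content for dns-01: base64url(SHA-256(token || '.' || thumbprint))."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def parse_txt_answers(dig_short_output: str) -> set[str]:
    """Record values from `dig +short TXT <name>` output.

    A resolver prints each TXT record as one or more quoted character
    strings (long values are split at 255 bytes); they are joined back.
    """
    values = set()
    for line in dig_short_output.splitlines():
        if line.strip():
            values.add("".join(shlex.split(line)))
    return values


def missing_records(expected: set[str], observed: set[str]) -> set[str]:
    """Expected values the resolver does not (yet) return.

    Two values at one name are legitimate: the base domain and its
    wildcard both validate at _acme-challenge.<domain>, and the CA needs
    only one record per authorization to match. Validation fails when a
    value is still absent from the resolver the CA queries, which is what
    a too-short wait or a cached answer looks like from the outside.
    """
    return expected - observed


def fake_dig_output(values) -> str:
    """Constructed stand-in for `dig +short TXT` output, for offline use."""
    return "".join(f'"{v}"\n' for v in values)


# Constructed placeholder challenge data for example.com and *.example.com.
ACCOUNT_THUMBPRINT = "PLACEHOLDER-THUMBPRINT-not-a-real-account-key"
TOKENS = {"example.com": "token-for-base-domain",
          "*.example.com": "token-for-wildcard"}


def expected_values() -> set[str]:
    """One TXT value per authorization, both at _acme-challenge.example.com."""
    return {dns01_txt_value(t, ACCOUNT_THUMBPRINT) for t in TOKENS.values()}


def check_propagation(dig_short_output: str) -> tuple[bool, set[str]]:
    """Return (ready, missing) for the resolver answer given."""
    missing = missing_records(expected_values(), parse_txt_answers(dig_short_output))
    return (not missing, missing)


if __name__ == "__main__":
    exp = sorted(expected_values())
    # Fresh resolver: both records visible, safe to let the CA validate.
    print(check_propagation(fake_dig_output(exp)))
    # Stale cache: only the first record is back. The CA would report
    # "Incorrect TXT record" for the other authorization; keep waiting.
    print(check_propagation(fake_dig_output(exp[:1])))
```

In practice the `fake_dig_output` call is replaced by the text of `dig +short TXT _acme-challenge.example.com @<resolver>` run against a few public resolvers; the check only passes once every expected value is visible from all of them, which is the condition a fixed `--dnssleep` is guessing at.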