acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Report bugs to All-Inkl.com DNS API #2715

Open Marco4223 opened 4 years ago

Marco4223 commented 4 years ago

Please report any bugs with the All-Inkl.com dns api here.

Thanks!

frostieDE commented 2 years ago

Today I realized that all-inkl has changed their API endpoint from https://kasapi.kasserver.com/dokumentation/formular.php to https://test-account.com/formular.php

I get the following response from the KAS API, which makes certificate renewal impossible (without manually patching the dns_kas.sh file):

<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   <style type="text/css">
      th {
         background-color:#E0ECFF;
      }
      .fehler {
         color: #E2003D;
         background: #F9C9D6;
                 padding: 1em 3em;
      }
          .soap {
         color: #2200FF;
         background: #FFE016;
                 padding: 1em 3em;
      }
      .erfolg {
         color: #008822;
         background:#CCFFD9;
                 padding: 1em 3em;
      }
   </style>
</head>
<body>
        project discontinued, use <a href='https://test-account.com/formular.php?ref=kasapi.kasserver.com'>https://test-account.com/formular.php</a> instead
</body>

After a quick test, it seems changing the endpoint URL here should fix the issue.

Marco4223 commented 2 years ago

Hi frostieDE, I will double check this tomorrow with all-inkl.com. I got the information that the URL has changed but didn't get the confirmation that this will now be the final URL. This can only be confirmed by the developers and they are currently not working. Cheers

frostieDE commented 2 years ago

Thank you very much - in the meantime, people can patch the URL by hand as mentioned above :)

Marco4223 commented 2 years ago

Not only the URL has changed. They also changed the interface to soap. This change will take some time.

Marco4223 commented 2 years ago

Hi frostieDE, can you please check if this is working on your side? https://github.com/Marco4223/acme.sh/blob/master/dnsapi/dns_kas.sh

frostieDE commented 2 years ago

It does not seem to work (on my school's pfsense):

[Thu Aug  4 17:32:18 CEST 2022] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Aug  4 17:32:19 CEST 2022] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Aug  4 17:32:20 CEST 2022] Already registered
[Thu Aug  4 17:32:20 CEST 2022] ACCOUNT_THUMBPRINT='****'
[Thu Aug  4 17:32:20 CEST 2022] Multi domain='DNS:mydomain.com,DNS:*.mydomain.com'
[Thu Aug  4 17:32:20 CEST 2022] Getting domain auth token for each domain
[Thu Aug  4 17:32:22 CEST 2022] Getting webroot for domain='mydomain.com'
[Thu Aug  4 17:32:22 CEST 2022] Getting webroot for domain='*.mydomain.com'
[Thu Aug  4 17:32:22 CEST 2022] Adding txt value: **** for domain:  _acme-challenge.mydomain.com
[Thu Aug  4 17:32:22 CEST 2022] ### -> Using DNS-01 All-inkl/Kasserver hook
[Thu Aug  4 17:32:22 CEST 2022] ### -> Adding _acme-challenge.mydomain.com DNS TXT entry on All-inkl/Kasserver
[Thu Aug  4 17:32:22 CEST 2022] ### -> Retriving Credential Token
[Thu Aug  4 17:32:32 CEST 2022] ### -> Check and Save Props
[Thu Aug  4 17:32:32 CEST 2022] ### -> Checking Zone and Record_Name
[Thu Aug  4 17:32:42 CEST 2022] ### -> Checking for existing Record entries
[Thu Aug  4 17:32:52 CEST 2022] No record found.
[Thu Aug  4 17:32:52 CEST 2022] ### -> Creating TXT DNS record
[Thu Aug  4 17:33:03 CEST 2022] An unkown error occurred, please check manually.
[Thu Aug  4 17:33:03 CEST 2022] Error add txt for domain:_acme-challenge.mydomain.com
[Thu Aug  4 17:33:03 CEST 2022] Please check log file for more details: /tmp/acme/mydomain.com-TESTING/acme_issuecert.log

frostieDE commented 2 years ago

wait a sec... turns out the password was misconfigured. works perfectly :)

Marco4223 commented 2 years ago

Happy to help

alxwolf commented 2 years ago

Great you fixed it, and it worked on another machine for me... but now it fails on me again. Credentials are correct (tested on the KAS web API), and Auth_Type sha1 still works contrary to what they write on their website.

# acme.sh --renew --domain <edited> --dns dns_kas --debug 
[Sa 27 Aug 2022 01:38:13 CEST] Lets find script dir.
[Sa 27 Aug 2022 01:38:13 CEST] _SCRIPT_='/<edited>/.acme.sh/acme.sh'
[Sa 27 Aug 2022 01:38:13 CEST] _script='/<edited>/.acme.sh/acme.sh'
[Sa 27 Aug 2022 01:38:13 CEST] _script_home='/<edited>/.acme.sh'
[Sa 27 Aug 2022 01:38:13 CEST] Using config home:/<edited>/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.5
[Sa 27 Aug 2022 01:38:13 CEST] Running cmd: renew
[Sa 27 Aug 2022 01:38:13 CEST] _renewServer
[Sa 27 Aug 2022 01:38:13 CEST] Using config home:/<edited>/.acme.sh
[Sa 27 Aug 2022 01:38:13 CEST] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sa 27 Aug 2022 01:38:13 CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sa 27 Aug 2022 01:38:13 CEST] DOMAIN_PATH='/<edited>'
[Sa 27 Aug 2022 01:38:13 CEST] Renew: '<edited>'
[Sa 27 Aug 2022 01:38:13 CEST] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Sa 27 Aug 2022 01:38:13 CEST] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sa 27 Aug 2022 01:38:13 CEST] Using config home:/<edited>/.acme.sh
[Sa 27 Aug 2022 01:38:13 CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sa 27 Aug 2022 01:38:13 CEST] _main_domain='<edited>'
[Sa 27 Aug 2022 01:38:13 CEST] _alt_domains='no'
[Sa 27 Aug 2022 01:38:13 CEST] Le_NextRenewTime='1661467024'
[Sa 27 Aug 2022 01:38:13 CEST] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sa 27 Aug 2022 01:38:13 CEST] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sa 27 Aug 2022 01:38:13 CEST] GET
[Sa 27 Aug 2022 01:38:13 CEST] url='https://acme-v02.api.letsencrypt.org/directory'
[Sa 27 Aug 2022 01:38:13 CEST] timeout=
[Sa 27 Aug 2022 01:38:13 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:14 CEST] ret='0'
[Sa 27 Aug 2022 01:38:14 CEST] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sa 27 Aug 2022 01:38:14 CEST] ACME_NEW_AUTHZ
[Sa 27 Aug 2022 01:38:14 CEST] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sa 27 Aug 2022 01:38:14 CEST] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sa 27 Aug 2022 01:38:14 CEST] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sa 27 Aug 2022 01:38:14 CEST] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf'
[Sa 27 Aug 2022 01:38:14 CEST] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sa 27 Aug 2022 01:38:14 CEST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sa 27 Aug 2022 01:38:14 CEST] _on_before_issue
[Sa 27 Aug 2022 01:38:14 CEST] _chk_main_domain='<edited>'
[Sa 27 Aug 2022 01:38:14 CEST] _chk_alt_domains
[Sa 27 Aug 2022 01:38:14 CEST] Le_LocalAddress
[Sa 27 Aug 2022 01:38:14 CEST] d='<edited>'
[Sa 27 Aug 2022 01:38:14 CEST] Check for domain='<edited>'
[Sa 27 Aug 2022 01:38:14 CEST] _currentRoot='dns_kas'
[Sa 27 Aug 2022 01:38:14 CEST] d
[Sa 27 Aug 2022 01:38:14 CEST] _saved_account_key_hash is not changed, skip register account.
[Sa 27 Aug 2022 01:38:14 CEST] Read key length:2048
[Sa 27 Aug 2022 01:38:14 CEST] _createcsr
[Sa 27 Aug 2022 01:38:14 CEST] Single domain='<edited>'
[Sa 27 Aug 2022 01:38:14 CEST] Getting domain auth token for each domain
[Sa 27 Aug 2022 01:38:14 CEST] d
[Sa 27 Aug 2022 01:38:14 CEST] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sa 27 Aug 2022 01:38:14 CEST] payload='{"identifiers": [{"type":"dns","value":"<edited>"}]}'
[Sa 27 Aug 2022 01:38:14 CEST] RSA key
[Sa 27 Aug 2022 01:38:14 CEST] HEAD
[Sa 27 Aug 2022 01:38:14 CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sa 27 Aug 2022 01:38:15 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L  -I  '
[Sa 27 Aug 2022 01:38:15 CEST] _ret='0'
[Sa 27 Aug 2022 01:38:15 CEST] POST
[Sa 27 Aug 2022 01:38:15 CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sa 27 Aug 2022 01:38:15 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:16 CEST] _ret='0'
[Sa 27 Aug 2022 01:38:16 CEST] code='201'
[Sa 27 Aug 2022 01:38:16 CEST] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/92907553/<edited>'
[Sa 27 Aug 2022 01:38:16 CEST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/929553/<edited>'
[Sa 27 Aug 2022 01:38:16 CEST] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/<edited>'
[Sa 27 Aug 2022 01:38:16 CEST] payload
[Sa 27 Aug 2022 01:38:16 CEST] POST
[Sa 27 Aug 2022 01:38:16 CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/<edited>'
[Sa 27 Aug 2022 01:38:16 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:16 CEST] _ret='0'
[Sa 27 Aug 2022 01:38:16 CEST] code='200'
[Sa 27 Aug 2022 01:38:16 CEST] d='<edited>'
[Sa 27 Aug 2022 01:38:16 CEST] Getting webroot for domain='<edited>'
[Sa 27 Aug 2022 01:38:16 CEST] _w='dns_kas'
[Sa 27 Aug 2022 01:38:16 CEST] _currentRoot='dns_kas'
[Sa 27 Aug 2022 01:38:17 CEST] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/<edited>/<edited>","token":"<edited>"'
[Sa 27 Aug 2022 01:38:17 CEST] token='<edited>'
[Sa 27 Aug 2022 01:38:17 CEST] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/<edited>/<edited>'
[Sa 27 Aug 2022 01:38:17 CEST] keyauthorization='<edited>.<edited>-bZN-<edited>'
[Sa 27 Aug 2022 01:38:17 CEST] dvlist='<edited>#https://acme-v02.api.letsencrypt.org/acme/chall-v3/<edited>/QAruVw#dns-01#dns_kas'
[Sa 27 Aug 2022 01:38:17 CEST] d
[Sa 27 Aug 2022 01:38:17 CEST] vlist='<edited>#https://acme-v02.api.letsencrypt.org/acme/chall-v3/<edited>/QAruVw#dns-01#dns_kas,'
[Sa 27 Aug 2022 01:38:17 CEST] d='<edited>'
[Sa 27 Aug 2022 01:38:17 CEST] _d_alias
[Sa 27 Aug 2022 01:38:17 CEST] txtdomain='_acme-challenge.<edited>'
[Sa 27 Aug 2022 01:38:17 CEST] txt='<edited>-<edited>'
[Sa 27 Aug 2022 01:38:17 CEST] d_api='/<edited>/.acme.sh/dnsapi/dns_kas.sh'
[Sa 27 Aug 2022 01:38:17 CEST] Found domain api file: /<edited>/.acme.sh/dnsapi/dns_kas.sh
[Sa 27 Aug 2022 01:38:17 CEST] GET
[Sa 27 Aug 2022 01:38:17 CEST] url='https://kasapi.kasserver.com/soap/wsdl/KasApi.wsdl'
[Sa 27 Aug 2022 01:38:17 CEST] timeout=
[Sa 27 Aug 2022 01:38:17 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:17 CEST] ret='0'
[Sa 27 Aug 2022 01:38:17 CEST] [KAS] -> API URL https://kasapi.kasserver.com/soap/KasApi.php
[Sa 27 Aug 2022 01:38:17 CEST] GET
[Sa 27 Aug 2022 01:38:17 CEST] url='https://kasapi.kasserver.com/soap/wsdl/KasAuth.wsdl'
[Sa 27 Aug 2022 01:38:17 CEST] timeout=
[Sa 27 Aug 2022 01:38:17 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:17 CEST] ret='0'
[Sa 27 Aug 2022 01:38:17 CEST] [KAS] -> AUTH URL https://kasapi.kasserver.com/soap/KasAuth.php
[Sa 27 Aug 2022 01:38:17 CEST] Adding txt value: <edited>-<edited> for domain:  _acme-challenge.<edited>
[Sa 27 Aug 2022 01:38:17 CEST] [KAS] -> Using DNS-01 All-inkl/Kasserver hook
[Sa 27 Aug 2022 01:38:17 CEST] [KAS] -> Adding _acme-challenge.<edited> DNS TXT entry on all-inkl.com/Kasserver
[Sa 27 Aug 2022 01:38:17 CEST] [KAS] -> Retriving Credential Token
[Sa 27 Aug 2022 01:38:17 CEST] [KAS] -> Be friendly and wait 5 seconds by default before calling KAS API.
[Sa 27 Aug 2022 01:38:23 CEST] POST
[Sa 27 Aug 2022 01:38:23 CEST] _post_url='https://kasapi.kasserver.com/soap/KasAuth.php'
[Sa 27 Aug 2022 01:38:23 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:23 CEST] _ret='0'

so far so good, and then it fails:

[Sa 27 Aug 2022 01:38:23 CEST] [KAS] -> Credential Token: ='<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>missing_parameter</faultstring><faultactor>KasAuth</faultactor></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> '

missing parameter??

[Sa 27 Aug 2022 01:38:23 CEST] [KAS] -> Check and Save Props
[Sa 27 Aug 2022 01:38:23 CEST] [KAS] -> Checking Zone and Record_Name
[Sa 27 Aug 2022 01:38:23 CEST] [KAS] -> Be friendly and wait 5 seconds by default before calling KAS API.
[Sa 27 Aug 2022 01:38:29 CEST] POST
[Sa 27 Aug 2022 01:38:29 CEST] _post_url='https://kasapi.kasserver.com/soap/KasApi.php'
[Sa 27 Aug 2022 01:38:29 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:30 CEST] _ret='0'
[Sa 27 Aug 2022 01:38:30 CEST] [KAS] -> Either no domains were found or another error =>Bad Request<= occurred, please check manually.
[Sa 27 Aug 2022 01:38:30 CEST] [KAS] -> Checking for existing Record entries
[Sa 27 Aug 2022 01:38:30 CEST] [KAS] -> Be friendly and wait 5 seconds by default before calling KAS API.
[Sa 27 Aug 2022 01:38:36 CEST] POST
[Sa 27 Aug 2022 01:38:36 CEST] _post_url='https://kasapi.kasserver.com/soap/KasApi.php'
[Sa 27 Aug 2022 01:38:36 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:36 CEST] _ret='0'
[Sa 27 Aug 2022 01:38:36 CEST] [KAS] -> Either no domains were found or another error =>Bad Request<= occurred, please check manually.
[Sa 27 Aug 2022 01:38:36 CEST] [KAS] -> No record found.
[Sa 27 Aug 2022 01:38:36 CEST] [KAS] -> Creating TXT DNS record
[Sa 27 Aug 2022 01:38:36 CEST] [KAS] -> Be friendly and wait 5 seconds by default before calling KAS API.
[Sa 27 Aug 2022 01:38:42 CEST] POST
[Sa 27 Aug 2022 01:38:42 CEST] _post_url='https://kasapi.kasserver.com/soap/KasApi.php'
[Sa 27 Aug 2022 01:38:42 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:42 CEST] _ret='0'
[Sa 27 Aug 2022 01:38:42 CEST] [KAS] -> An error =>Bad Request<= occurred, please check manually.
[Sa 27 Aug 2022 01:38:42 CEST] Error add txt for domain:_acme-challenge.<edited>
[Sa 27 Aug 2022 01:38:42 CEST] _on_issue_err
[Sa 27 Aug 2022 01:38:42 CEST] Please check log file for more details: /<edited>/.acme.sh/acme.sh.log
[Sa 27 Aug 2022 01:38:42 CEST] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/<edited>/QAruVw'
[Sa 27 Aug 2022 01:38:42 CEST] payload='{}'
[Sa 27 Aug 2022 01:38:42 CEST] POST
[Sa 27 Aug 2022 01:38:42 CEST] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/<edited>/QAruVw'
[Sa 27 Aug 2022 01:38:42 CEST] _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L '
[Sa 27 Aug 2022 01:38:43 CEST] _ret='0'
[Sa 27 Aug 2022 01:38:43 CEST] code='200'
[Sa 27 Aug 2022 01:38:43 CEST] socat doesn't exist.
[Sa 27 Aug 2022 01:38:43 CEST] Diagnosis versions: 
openssl:openssl
LibreSSL 2.8.3
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
[Sa 27 Aug 2022 01:38:43 CEST] pid
[Sa 27 Aug 2022 01:38:43 CEST] No need to restore nginx, skip.
[Sa 27 Aug 2022 01:38:43 CEST] _clearupdns
[Sa 27 Aug 2022 01:38:43 CEST] dns_entries
[Sa 27 Aug 2022 01:38:43 CEST] skip dns.

Marco4223 commented 2 years ago

Hi, please send a log with --debug 2

alxwolf commented 2 years ago

Did some more analysis (now with --debug 2 or 3, which I was not aware of before).

Calling _check_and_save (login props) before calling _get_credential_token in both routines dns_kas_add() and dns_kas_rm() fixes the issue for me.

  _info "[KAS] -> Check and Save Props"
  _check_and_save

  _info "[KAS] -> Retrieving Credential Token"
  _get_credential_token

--debug 3 output (before fix):

[Sa 27 Aug 2022 10:17:56 CEST] [KAS] -> Using DNS-01 All-inkl/Kasserver hook
[Sa 27 Aug 2022 10:17:56 CEST] [KAS] -> Adding _acme-challenge.<edited> DNS TXT entry on all-inkl.com/Kasserver
[Sa 27 Aug 2022 10:17:56 CEST] [KAS] -> Retriving Credential Token
[Sa 27 Aug 2022 10:17:56 CEST] dnsapi/dns_kas.sh:_get_credential_token:234 [KAS] -> Be friendly and wait 5 seconds by default before calling KAS API.
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_post:1897                       POST
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_post:1898                       _post_url='https://kasapi.kasserver.com/soap/KasAuth.php'
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_post:1899                       body='<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:xmethodsKasApiAuthentication" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:KasAuth><Params xsi:type="xsd:string">**{"kas_login":"","kas_auth_type":"","kas_auth_data":""**,"session_lifetime":600,"session_update_lifetime":"Y"}</Params></ns1:KasAuth></SOAP-ENV:Body></SOAP-ENV:Envelope>'
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_post:1900                       _postContentType='text/xml'
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_inithttp:1834                   Http already initialized.
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_post:1912                       _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L  --trace-ascii /var/folders/02/0vfyzgpj4g33wtnnn22gfz1w0000gn/T/tmp.gQelXNH6 '
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_post:2007                       _ret='0'
[Sa 27 Aug 2022 10:18:02 CEST] dnsapi/dns_kas.sh:_get_credential_token:240 [KAS] -> Response='<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode>**<faultstring>missing_parameter</faultstring><faultactor>KasAuth</faultactor>**</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>'
[Sa 27 Aug 2022 10:18:02 CEST] dnsapi/dns_kas.sh:_get_credential_token:243 [KAS] -> Credential Token: ='<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>missing_parameter</faultstring><faultactor>KasAuth</faultactor></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> '
[Sa 27 Aug 2022 10:18:02 CEST] [KAS] -> Check and Save Props
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_setopt:2244                     OK
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_setopt:2262                     11:SAVED_KAS_Login='w0<edited>'
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_setopt:2244                     OK
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_setopt:2262                     12:SAVED_KAS_Authtype='sha1'
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_setopt:2244                     OK
[Sa 27 Aug 2022 10:18:02 CEST] acme.sh:_setopt:2262                     13:SAVED_KAS_Authdata='<edited>'
[Sa 27 Aug 2022 10:18:02 CEST] [KAS] -> Checking Zone and Record_Name
[Sa 27 Aug 2022 10:18:02 CEST] dnsapi/dns_kas.sh:_callAPI:262           [KAS] -> Request='<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:xmethodsKasApi" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:KasApi><Params xsi:type="xsd:string">{"kas_login":"w0<edited>","kas_auth_type":"session","kas_auth_data":"<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>missing_parameter</faultstring><faultactor>KasAuth</faultactor></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> ","kas_action":"get_domains"}</Params></ns1:KasApi></SOAP-ENV:Body></SOAP-ENV:Envelope>'
[Sa 27 Aug 2022 10:18:02 CEST] dnsapi/dns_kas.sh:_callAPI:264           [KAS] -> Be friendly and wait 5 seconds by default before calling KAS API.
[Sa 27 Aug 2022 10:18:08 CEST] acme.sh:_post:1897                       POST
[Sa 27 Aug 2022 10:18:08 CEST] acme.sh:_post:1898                       _post_url='https://kasapi.kasserver.com/soap/KasApi.php'
[Sa 27 Aug 2022 10:18:08 CEST] acme.sh:_post:1899                       body='<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:xmethodsKasApi" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:KasApi><Params xsi:type="xsd:string">{"kas_login":"w0<edited>","kas_auth_type":"session","kas_auth_data":"<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>missing_parameter</faultstring><faultactor>KasAuth</faultactor></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> ","kas_action":"get_domains"}</Params></ns1:KasApi></SOAP-ENV:Body></SOAP-ENV:Envelope>'
[Sa 27 Aug 2022 10:18:08 CEST] acme.sh:_post:1900                       _postContentType='text/xml'
[Sa 27 Aug 2022 10:18:08 CEST] acme.sh:_inithttp:1834                   Http already initialized.
[Sa 27 Aug 2022 10:18:08 CEST] acme.sh:_post:1912                       _CURL='curl --silent --dump-header /<edited>/.acme.sh/http.header  -L  --trace-ascii /var/folders/02/0vfyzgpj4g33wtnnn22gfz1w0000gn/T/tmp.gQelXNH6 '
[Sa 27 Aug 2022 10:18:08 CEST] acme.sh:_post:2007                       _ret='0'
[Sa 27 Aug 2022 10:18:08 CEST] dnsapi/dns_kas.sh:_callAPI:270           [KAS] -> Response='<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>Bad Request</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>'
<?xml version="1.0" encoding="UTF-8"?>dns_kas.sh:_get_zone_and_record_name:171 [KAS] -> Response='
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>Bad Request</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>'
[Sa 27 Aug 2022 10:18:08 CEST] [KAS] -> Either no domains were found or another error =>Bad Request<= occurred, please check manually.

Marco4223 commented 2 years ago

Hi, I'm sorry but it's no longer my code in the repo. Please contact @Hobby-Student

Hobby-Student commented 2 years ago

I try to wrap it up:

The URL with any sort of "formular" on it (e. g. https://test-account.com/formular.php) is not the valid endpoint. I did speak with someone from all-inkl.com staff and he said that people are using (better: abusing) the test form in production queries, which was never intended nor recommended. The right place for the API calls is the SOAP endpoint.

@Marco4223 and I did several changes to the dns_kas.sh. Now it's the right syntax with the right endpoint. Thx to @Marco4223 the code is using a session token. Upon merging those 2 versions something got mixed up and the _check_and_save wasn't called in the first place. Now everything is in place and the dev branch needs to be merged into the master branch.

@Neilpang You can assign me to the owner of this issue. Do you have a schedule when the changes in dev branch will get merged into master?

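As an added example (not code from acme.sh or its dns_kas.sh), this shell snippet applies the two lessons of this thread: refuse to build the KasAuth request while the saved login props are still empty, and never pass a SOAP Fault reply on as a session token. The `<return xsi:type="xsd:string">` element in the success reply and the `json_escape` helper are assumptions; the fault XML is the one quoted above.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Guards around the KasAuth step so that
# the failure chain seen in the thread (empty credentials -> missing_parameter
# fault -> fault XML used as kas_auth_data -> Bad Request) cannot happen.

KAS_AUTH_URL="https://kasapi.kasserver.com/soap/KasAuth.php"

# Escape a value for embedding in the JSON Params string (assumed helper).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the KasAuth SOAP body. Fails (exit 1) when any credential is empty,
# which is exactly the state that produced the missing_parameter fault.
kas_build_auth_request() {
  login="$1"; authtype="$2"; authdata="$3"
  if [ -z "$login" ] || [ -z "$authtype" ] || [ -z "$authdata" ]; then
    echo "credentials not loaded: call _check_and_save before KasAuth" >&2
    return 1
  fi
  esc_login="$(json_escape "$login")"
  esc_type="$(json_escape "$authtype")"
  esc_data="$(json_escape "$authdata")"
  printf '%s' '<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:xmethodsKasApiAuthentication" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Body><ns1:KasAuth><Params xsi:type="xsd:string">'
  printf '{"kas_login":"%s","kas_auth_type":"%s","kas_auth_data":"%s","session_lifetime":600,"session_update_lifetime":"Y"}' \
    "$esc_login" "$esc_type" "$esc_data"
  printf '%s' '</Params></ns1:KasAuth></SOAP-ENV:Body></SOAP-ENV:Envelope>'
}

# Print the <faultstring> of a SOAP Fault reply, or nothing if there is no fault.
kas_fault_string() {
  printf '%s' "$1" | tr -d '\n\r' \
    | sed -n 's/.*<SOAP-ENV:Fault>.*<faultstring>\([^<]*\)<\/faultstring>.*/\1/p'
}

# Extract the session token from a KasAuth reply. A fault is reported on
# stderr and the function fails, so the fault XML is never forwarded to
# KasApi as kas_auth_data. Success element shape is an assumption.
kas_extract_token() {
  resp="$(printf '%s' "$1" | tr -d '\n\r')"
  fault="$(kas_fault_string "$resp")"
  if [ -n "$fault" ]; then
    echo "KasAuth fault: $fault" >&2
    return 1
  fi
  token="$(printf '%s' "$resp" \
    | sed -n 's/.*<return xsi:type="xsd:string">\([^<]*\)<\/return>.*/\1/p')"
  [ -n "$token" ] || { echo "KasAuth: no token in response" >&2; return 1; }
  printf '%s' "$token"
}

# Constructed sample replies: the fault is the one quoted in this thread,
# the success reply is an assumed shape carrying a placeholder token.
FAULT_REPLY='<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>missing_parameter</faultstring><faultactor>KasAuth</faultactor></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>'
OK_REPLY='<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><ns1:KasAuthResponse><return xsi:type="xsd:string">EXAMPLE_SESSION_TOKEN</return></ns1:KasAuthResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>'

# Mirrors the fixed order in dns_kas_add: props loaded, then authenticate.
# The reply is injected instead of POSTed to $KAS_AUTH_URL so it runs offline.
kas_login_flow() {
  kas_build_auth_request "$1" "$2" "$3" >/dev/null || return 1
  kas_extract_token "$4"
}

# Stand-alone demo: the empty-props case is refused before any request is built.
if kas_login_flow "" "" "" "$FAULT_REPLY" >/dev/null 2>&1; then
  echo "unexpected: login succeeded with empty props"
else
  echo "refused as expected: props not loaded"
fi
```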
Neilpang commented 2 years ago

merged

alxwolf commented 2 years ago

btw @Hobby-Student and @Marco4223, thanks a ton for transferring this API to SOAP. Those complicated SOAP xml structures are way beyond me...

alxwolf commented 2 years ago

@Neilpang could we please fix the Wiki for all-inkl.com.

Their API does not accept sha1 any longer, so it should say

# export KAS_Login=<ACCOUNTID> 
# export KAS_Authdata=<PLAINTEXTPASSWORD>
# export KAS_Authtype=plain

alxwolf commented 2 years ago

And @Neilpang, the current release does not include the fixed dns_kas.sh (using SOAP access) - can we please include that as right now the release is just broken.

rhurling commented 2 years ago

This script doesn't seem to work with Wildcard certs or multiple certs using dns alias since it always deletes existing txt entries in dns_kas_add, regardless whether these were only just created 10 seconds earlier in the same command.

I copied the command to a custom file and commented out lines 47-55 and now my issue command works.

Hobby-Student commented 2 years ago

> This script doesn't seem to work with Wildcard certs or multiple certs using dns alias since it always deletes existing txt entries in dns_kas_add, regardless whether these were only just created 10 seconds earlier in the same command.
>
> I copied the command to a custom file and commented out lines 47-55 and now my issue command works.

In my first commits I also didn't clean the DNS entries before generating the ones for the current request. Somewhere in the process I merged my idea with Marco4223's and this is the result. Perhaps you are right and the script should not clean before adding entries, just at the end of the cert request. Give me some days to test and I'll come back.

Hobby-Student commented 1 year ago

@rhurling I didn't come up with a scenario where skipping deletion before cert request is a problem. I did test it and had no problems for now. I'll edit the source accordingly.

Hobby-Student commented 1 year ago

@Marco4223 what's your opinion on this? Do you have any scenario where NOT deleting all _acme TXT entries before issuing a new cert could cause problems?

Marco4223 commented 1 year ago

@Hobby-Student This was a leftover to clean only the generated token. The problem is that you generate many tokens on your DNS server when you are in debug mode and are not deleting them. But when you have multiple instances running (like one on a NAS, a second one on a router, etc.) at the same time, you get a problem with race conditions because one instance deletes the token of the other one. So yes, it's a good idea to delete only the one you had generated. The used record value is stored in _txtvalue in dns_kas_rm. So you only have to change a few lines.

Hobby-Student commented 1 year ago

> So yes, it's a good idea to delete only the one you had generated. The used record value is stored in _txtvalue in dns_kas_rm. So you only have to change a few lines.

Thanks. I thought nearly the same. The deletion of entries after a success can lead to a race condition, too.

@rhurling I'll try to optimize dns_kas_rm _get_record_id as soon as possible and just delete the entry of the current request.

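An added example (not the project's dns_kas.sh) of the deletion rule the thread settles on: scope the removal to the record whose value equals this run's _txtvalue, not every TXT record under the _acme-challenge name. The record listing format (one `id|name|type|value` line per record) is a constructed stand-in for the KAS record reply, and the two parallel runs (NAS and router) from the comment above are simulated in memory.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Shows why deleting every TXT record at
# the challenge name races against a parallel acme.sh instance, and how
# matching on the record value confines the cleanup to the caller's own entry.

# Constructed listing for one zone: two concurrent runs (NAS and router)
# each created their own _acme-challenge record. Format: id|name|type|value
KAS_RECORDS='ID01|_acme-challenge|TXT|VALUE01
ID02|_acme-challenge|TXT|VALUE02
ID03|_acme-challenge.sub|TXT|VALUE03
ID04|www|A|203.0.113.10'

# Old behaviour: every TXT record at the name is a deletion candidate.
kas_ids_all_txt() {
  name="$1"
  printf '%s\n' "$KAS_RECORDS" \
    | awk -F'|' -v n="$name" '$2 == n && $3 == "TXT" { print $1 }'
}

# Fixed behaviour: only the record carrying this run's _txtvalue. An empty
# value is refused, because it would otherwise silently match nothing or,
# in a looser implementation, everything.
kas_ids_for_value() {
  name="$1"; value="$2"
  if [ -z "$value" ]; then
    echo "refusing to delete without a txt value" >&2
    return 1
  fi
  printf '%s\n' "$KAS_RECORDS" \
    | awk -F'|' -v n="$name" -v v="$value" \
        '$2 == n && $3 == "TXT" && $4 == v { print $1 }'
}

# In-memory stand-in for the delete call: drop the given IDs from the
# listing and print what remains.
kas_apply_removal() {
  ids="$(printf '%s' "$1" | tr '\n' ' ')"
  printf '%s\n' "$KAS_RECORDS" \
    | awk -F'|' -v ids=" $ids " 'index(ids, " " $1 " ") == 0'
}

# Count the _acme-challenge TXT records left for the other run to be verified.
kas_count_challenge_txt() {
  awk -F'|' '$2 == "_acme-challenge" && $3 == "TXT"' | wc -l | tr -d ' '
}

# Run 1 (NAS) cleans up with value-scoped deletion: run 2's record survives.
kas_remaining_after_scoped_cleanup() {
  kas_apply_removal "$(kas_ids_for_value _acme-challenge VALUE01)" \
    | kas_count_challenge_txt
}

# Run 1 cleans up the old way: run 2's pending challenge is wiped too.
kas_remaining_after_unscoped_cleanup() {
  kas_apply_removal "$(kas_ids_all_txt _acme-challenge)" \
    | kas_count_challenge_txt
}

# Stand-alone demo of both strategies.
echo "scoped cleanup leaves $(kas_remaining_after_scoped_cleanup) challenge record(s)"
echo "unscoped cleanup leaves $(kas_remaining_after_unscoped_cleanup) challenge record(s)"
```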
Hobby-Student commented 1 year ago

> This script doesn't seem to work with Wildcard certs or multiple certs using dns alias since it always deletes existing txt entries in dns_kas_add, regardless whether these were only just created 10 seconds earlier in the same command.
>
> I copied the command to a custom file and commented out lines 47-55 and now my issue command works.

@rhurling I modified the deletion of records. Could you please try this version https://github.com/Hobby-Student/acme.sh/blob/540d4180d2cc258433442df2e14faf8f0c3f9169/dnsapi/dns_kas.sh

OnkelM commented 1 year ago

script is not working and running infinite checks on the same domain

Hobby-Student commented 1 year ago

> script is not working and running infinite checks on the same domain

do you have some details on how you invoke acme.sh? I did some tests while modifying and I repeated a multi domain request few minutes ago. On my system it's working. Every TXT for all 3 domains (in 1 cert) is added and deleted accordingly afterwards.

OnkelM commented 1 year ago

I use this command to run acme.sh

./acme.sh --home ./ --config-home ./ --certhome ./certs --set-default-ca --server letsencrypt --log ./acme.log --keylength 3072 --issue --dns dns_kas -d DOMAIN.TLD --dns dns_kas -d *.DOMAIN.TLD --webroot /LOCALPATH/WEBROOT -d xxx.myfritz.net

and this fails

I solved it by simply running acme.sh two times: first with only the default domain, and second with all others.

./acme.sh --home ./ --config-home ./ --certhome ./certs --set-default-ca --server letsencrypt --log ./acme.log --keylength 3072 --issue --dns dns_kas -d DOMAIN.TLD
./acme.sh --home ./ --config-home ./ --certhome ./certs --set-default-ca --server letsencrypt --log ./acme.log --keylength 3072 --issue --dns dns_kas -d DOMAIN.TLD --dns dns_kas -d *.DOMAIN.TLD --webroot /LOCALPATH/WEBROOT -d xxx.myfritz.net

It seems it struggles with the wildcard domain if the default domain is not yet successfully created. By doing the issuing two times, the first one finishes and is being skipped on the second run.

Hobby-Student commented 1 year ago

> It seems it struggles with the wildcard domain if the default domain is not yet successfully created. By doing the issuing two times, the first one finishes and is being skipped on the second run.

thx for the information. Unfortunately, I can't reproduce this issue. For me it's working as intended.

2023-02-09T09:12:38 acme.sh [Thu Feb 9 09:12:38 CET 2023] Cert success.
2023-02-09T09:12:38 acme.sh [Thu Feb 9 09:12:38 CET 2023] REMOVED
2023-02-09T09:12:37 acme.sh [Thu Feb 9 09:12:37 CET 2023] Downloading cert.
2023-02-09T09:12:36 acme.sh [Thu Feb 9 09:12:36 CET 2023] REMOVED
2023-02-09T09:12:36 acme.sh [Thu Feb 9 09:12:36 CET 2023] Lets finalize the order.
2023-02-09T09:12:36 acme.sh [Thu Feb 9 09:12:36 CET 2023] Verify finished, start to sign.
2023-02-09T09:12:36 acme.sh [Thu Feb 9 09:12:36 CET 2023] Removed: Success
2023-02-09T09:12:31 acme.sh [Thu Feb 9 09:12:31 CET 2023] [KAS] -> Removing entries with ID: ID02
2023-02-09T09:12:26 acme.sh [Thu Feb 9 09:12:26 CET 2023] [KAS] -> Getting Record ID
2023-02-09T09:12:21 acme.sh [Thu Feb 9 09:12:20 CET 2023] [KAS] -> Checking Zone and Record_Name
2023-02-09T09:12:15 acme.sh [Thu Feb 9 09:12:15 CET 2023] [KAS] -> Retriving Credential Token
2023-02-09T09:12:15 acme.sh [Thu Feb 9 09:12:15 CET 2023] [KAS] -> Removing _acme-challenge.test-07.DOMAIN.TLD DNS TXT entry on All-inkl/Kasserver
2023-02-09T09:12:15 acme.sh [Thu Feb 9 09:12:15 CET 2023] [KAS] -> Cleaning up after All-inkl/Kasserver hook
2023-02-09T09:12:15 acme.sh [Thu Feb 9 09:12:15 CET 2023] [KAS] -> Check and Save Props
2023-02-09T09:12:15 acme.sh [Thu Feb 9 09:12:15 CET 2023] [KAS] -> Using DNS-01 All-inkl/Kasserver hook
2023-02-09T09:12:15 acme.sh [Thu Feb 9 09:12:15 CET 2023] Removing txt: VALUE02 for domain: _acme-challenge.test-07.DOMAIN.TLD
2023-02-09T09:12:15 acme.sh [Thu Feb 9 09:12:15 CET 2023] [KAS] -> AUTH URL https://kasapi.kasserver.com/soap/KasAuth.php
2023-02-09T09:12:15 acme.sh [Thu Feb 9 09:12:15 CET 2023] [KAS] -> API URL https://kasapi.kasserver.com/soap/KasApi.php
2023-02-09T09:12:14 acme.sh [Thu Feb 9 09:12:14 CET 2023] Removed: Success
2023-02-09T09:12:09 acme.sh [Thu Feb 9 09:12:09 CET 2023] [KAS] -> Removing entries with ID: ID01
2023-02-09T09:12:04 acme.sh [Thu Feb 9 09:12:04 CET 2023] [KAS] -> Getting Record ID
2023-02-09T09:11:57 acme.sh [Thu Feb 9 09:11:57 CET 2023] [KAS] -> Checking Zone and Record_Name
2023-02-09T09:11:52 acme.sh [Thu Feb 9 09:11:52 CET 2023] [KAS] -> Retriving Credential Token
2023-02-09T09:11:52 acme.sh [Thu Feb 9 09:11:52 CET 2023] [KAS] -> Removing _acme-challenge.test-07.DOMAIN.TLD DNS TXT entry on All-inkl/Kasserver
2023-02-09T09:11:52 acme.sh [Thu Feb 9 09:11:52 CET 2023] [KAS] -> Cleaning up after All-inkl/Kasserver hook
2023-02-09T09:11:52 acme.sh [Thu Feb 9 09:11:52 CET 2023] [KAS] -> Check and Save Props
2023-02-09T09:11:52 acme.sh [Thu Feb 9 09:11:52 CET 2023] [KAS] -> Using DNS-01 All-inkl/Kasserver hook
2023-02-09T09:11:52 acme.sh [Thu Feb 9 09:11:52 CET 2023] Removing txt: VALUE01 for domain: _acme-challenge.test-07.DOMAIN.TLD
2023-02-09T09:11:52 acme.sh [Thu Feb 9 09:11:52 CET 2023] [KAS] -> AUTH URL https://kasapi.kasserver.com/soap/KasAuth.php
2023-02-09T09:11:51 acme.sh [Thu Feb 9 09:11:51 CET 2023] [KAS] -> API URL https://kasapi.kasserver.com/soap/KasApi.php
2023-02-09T09:11:51 acme.sh [Thu Feb 9 09:11:51 CET 2023] Removing DNS records.
2023-02-09T09:11:51 acme.sh [Thu Feb 9 09:11:51 CET 2023] Success
2023-02-09T09:11:48 acme.sh [Thu Feb 9 09:11:48 CET 2023] Pending, The CA is processing your order, please just wait. (1/30)
2023-02-09T09:11:47 acme.sh [Thu Feb 9 09:11:47 CET 2023] Verifying: *.test-07.DOMAIN.TLD
2023-02-09T09:11:47 acme.sh [Thu Feb 9 09:11:47 CET 2023] Success
2023-02-09T09:11:45 acme.sh [Thu Feb 9 09:11:45 CET 2023] Pending, The CA is processing your order, please just wait. (1/30)
2023-02-09T09:11:44 acme.sh [Thu Feb 9 09:11:44 CET 2023] Verifying: test-07.DOMAIN.TLD
2023-02-09T09:11:34 acme.sh [Thu Feb 9 09:11:34 CET 2023] Sleep 10 seconds for the txt records to take effect
2023-02-09T09:11:34 acme.sh [Thu Feb 9 09:11:34 CET 2023] The txt record is added: Success.
2023-02-09T09:11:28 acme.sh [Thu Feb 9 09:11:28 CET 2023] [KAS] -> Creating TXT DNS record
2023-02-09T09:11:28 acme.sh [Thu Feb 9 09:11:28 CET 2023] [KAS] -> No record found.
2023-02-09T09:11:23 acme.sh [Thu Feb 9 09:11:23 CET 2023] [KAS] -> Checking for existing Record entries
2023-02-09T09:11:18 acme.sh [Thu Feb 9 09:11:18 CET 2023] [KAS] -> Checking Zone and Record_Name
2023-02-09T09:11:12 acme.sh [Thu Feb 9 09:11:12 CET 2023] [KAS] -> Retriving Credential Token
2023-02-09T09:11:12 acme.sh [Thu Feb 9 09:11:12 CET 2023] [KAS] -> Adding _acme-challenge.test-07.DOMAIN.TLD DNS TXT entry on all-inkl.com/Kasserver
2023-02-09T09:11:12 acme.sh [Thu Feb 9 09:11:12 CET 2023] [KAS] -> Check and Save Props
2023-02-09T09:11:12 acme.sh [Thu Feb 9 09:11:12 CET 2023] [KAS] -> Using DNS-01 All-inkl/Kasserver hook
2023-02-09T09:11:12 acme.sh [Thu Feb 9 09:11:12 CET 2023] Adding txt value: VALUE02 for domain: _acme-challenge.test-07.DOMAIN.TLD
2023-02-09T09:11:12 acme.sh [Thu Feb 9 09:11:12 CET 2023] [KAS] -> AUTH URL https://kasapi.kasserver.com/soap/KasAuth.php
2023-02-09T09:11:12 acme.sh [Thu Feb 9 09:11:12 CET 2023] [KAS] -> API URL https://kasapi.kasserver.com/soap/KasApi.php
2023-02-09T09:11:12 acme.sh [Thu Feb 9 09:11:12 CET 2023] The txt record is added: Success.
2023-02-09T09:11:06 acme.sh [Thu Feb 9 09:11:06 CET 2023] [KAS] -> Creating TXT DNS record
2023-02-09T09:11:06 acme.sh [Thu Feb 9 09:11:06 CET 2023] [KAS] -> No record found.
2023-02-09T09:11:01 acme.sh [Thu Feb 9 09:11:01 CET 2023] [KAS] -> Checking for existing Record entries
2023-02-09T09:10:55 acme.sh [Thu Feb 9 09:10:55 CET 2023] [KAS] -> Checking Zone and Record_Name
2023-02-09T09:10:50 acme.sh [Thu Feb 9 09:10:50 CET 2023] [KAS] -> Retriving Credential Token
2023-02-09T09:10:50 acme.sh [Thu Feb 9 09:10:50 CET 2023] [KAS] -> Adding _acme-challenge.test-07.DOMAIN.TLD DNS TXT entry on all-inkl.com/Kasserver
2023-02-09T09:10:50 acme.sh [Thu Feb 9 09:10:50 CET 2023] [KAS] -> Check and Save Props
2023-02-09T09:10:50 acme.sh [Thu Feb 9 09:10:50 CET 2023] [KAS] -> Using DNS-01 All-inkl/Kasserver hook
2023-02-09T09:10:50 acme.sh [Thu Feb 9 09:10:50 CET 2023] Adding txt value: VALUE01 for domain: _acme-challenge.test-07.DOMAIN.TLD
2023-02-09T09:10:50 acme.sh [Thu Feb 9 09:10:50 CET 2023] [KAS] -> AUTH URL https://kasapi.kasserver.com/soap/KasAuth.php
2023-02-09T09:10:50 acme.sh [Thu Feb 9 09:10:50 CET 2023] [KAS] -> API URL https://kasapi.kasserver.com/soap/KasApi.php
2023-02-09T09:10:49 acme.sh [Thu Feb 9 09:10:49 CET 2023] Getting webroot for domain='*.test-07.DOMAIN.TLD'
2023-02-09T09:10:49 acme.sh [Thu Feb 9 09:10:49 CET 2023] Getting webroot for domain='test-07.DOMAIN.TLD'
2023-02-09T09:10:43 acme.sh [Thu Feb 9 09:10:43 CET 2023] Getting domain auth token for each domain
2023-02-09T09:10:43 acme.sh [Thu Feb 9 09:10:43 CET 2023] Multi domain='DNS:test-07.DOMAIN.TLD,DNS:*.test-07.DOMAIN.TLD'
2023-02-09T09:10:43 acme.sh [Thu Feb 9 09:10:43 CET 2023] The domain key is here: /var/etc/acme-client/home/test-07.DOMAIN.TLD/test-07.DOMAIN.TLD.key
2023-02-09T09:10:39 acme.sh [Thu Feb 9 09:10:39 CET 2023] Creating domain key
2023-02-09T09:10:39 acme.sh [Thu Feb 9 09:10:39 CET 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
Hobby-Student commented 1 year ago
./acme.sh --home ./ --config-home ./ --certhome ./certs --set-default-ca --server letsencrypt --log ./acme.log --keylength 3072 --issue --dns dns_kas -d DOMAIN.TLD --dns dns_kas -d *.DOMAIN.TLD --webroot /LOCALPATH/WEBROOT -d xxx.myfritz.net

second thought: are you sure you need --dns dns_kas twice? what about:

./acme.sh --home ./ --config-home ./ --certhome ./certs --set-default-ca --server letsencrypt --log ./acme.log --keylength 3072 --issue \
--dns dns_kas -d DOMAIN.TLD -d *.DOMAIN.TLD \
--webroot /LOCALPATH/WEBROOT -d xxx.myfritz.net

see: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert#3-multiple-domains-san-mode--hybrid-mode

alxwolf commented 1 year ago

@OnkelM using dns_kas once is enough and I'd be surprised if you could issue LE certificates for a myfritz.net domain.

Unless you work for AVM and are in charge of that domain...

If you leave those two items out - does it work without complaining?

Hobby-Student commented 1 year ago

@OnkelM using dns_kas once is enough and I'd be surprised if you could issue LE certificates for a myfritz.net domain.

isn't myfritz.net a dyndns service for customers of AVM? If true, the approach with using webroot seems right to me.

OnkelM commented 1 year ago

@OnkelM using dns_kas once is enough and I'd be surprised if you could issue LE certificates for a myfritz.net domain.

Unless you work for AVM and are in charge of that domain...

If you leave those two items out - does it work without complaining?

@OnkelM using dns_kas once is enough and I'd be surprised if you could issue LE certificates for a myfritz.net domain.

isn't myfritz.net a dyndns service for customers of AVM? If true, the approach with using webroot seems right to me.

@alxwolf using dns_kas once might be enough if all the issues would be the same type and provider, this is how acme.sh works. If I want to issue a cert for DOMAIN.TLD with DNS, and *.DOMAIN.TLD with DNS, and *.myfritz.net with WEBROOT, then acme.sh will treat only the first entry as DNS, and every other as WEBROOT, hence the command will fail with the error message: The supported validation types are: dns-01, but you specified: http-01

The only way to overcome this is by specifying the type on every entry, that's why I am adding --dns dns_kas to the second entry too.

@Hobby-Student thanks, the myfritz.net is a DDNS service the router uses, I can issue a cert for this by going with the webroot type and pointing to a local webserver

the issue itself, it seems, is the added TXT record in DNS: acme writes one TXT for each issue, one for DOMAIN.TLD, one for *.DOMAIN.TLD. The first TXT for DOMAIN.TLD is somehow overwritten when the second one for *.DOMAIN.TLD is generated.

I have removed the 3rd myfritz.net domain from the issue command, I am now only testing with the two: DOMAIN.TLD and *.DOMAIN.TLD

These are the results:

see this picture

and this is the current DNS entry on the domain

only the second TXT record is left

see also the lines Adding txt value: xxx for domain: _acme-challenge.DOMAIN.TLD: it is the same for both issues, the main and the wildcard, I think the first one is getting overwritten here.

and now after acme has put 2 txt entries (at least the logic says this), the next step is to validate those entries. And this is not happening because it expects the 1st txt entry but only the 2nd is left behind...

that's my opinion at least

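A check for the failure mode described in the comment above (the apex and wildcard authorizations share the name _acme-challenge.DOMAIN.TLD, so two TXT values must coexist before the CA validates), as an added example that is not part of acme.sh or dns_kas.sh; the sample answers are constructed, and the live lookup helper assumes dig is installed.

```shell
#!/bin/sh
# Added example, not code from acme.sh or dns_kas.sh.
# The apex (DOMAIN.TLD) and wildcard (*.DOMAIN.TLD) authorizations both use
# the name _acme-challenge.DOMAIN.TLD, so the zone must hold two TXT values
# at once. If a provider hook overwrites instead of appending, the first
# value vanishes and the CA's validation for that identifier stays pending.

# check_txt_values ANSWER VALUE...
#   ANSWER is the raw `dig +short TXT` style answer, one quoted string per
#   line. Prints each expected VALUE that is absent and returns 1 if any is
#   missing, 0 if all are present.
check_txt_values() {
  answer=$1
  shift
  # dig wraps each TXT string in double quotes; strip them before comparing.
  present=$(printf '%s\n' "$answer" | sed 's/^"//; s/"$//')
  missing=0
  for want in "$@"; do
    if ! printf '%s\n' "$present" | grep -qxF -- "$want"; then
      printf 'missing TXT value for challenge: %s\n' "$want"
      missing=1
    fi
  done
  return $missing
}

# count_txt_records ANSWER: number of TXT strings in the answer.
count_txt_records() {
  printf '%s\n' "$1" | grep -c .
}

# live_txt_answer NAME [SERVER]: real lookup; needs network and dig.
# Pass the zone's authoritative server as SERVER to avoid stale resolver
# caches during the "Sleep 10 seconds" window acme.sh logs.
live_txt_answer() {
  if [ -n "${2:-}" ]; then
    dig +short TXT "$1" "@$2"
  else
    dig +short TXT "$1"
  fi
}

# Constructed sample answers (not real DNS data). The healthy case holds both
# challenge values; the overwritten case only the second, as in the thread.
HEALTHY_ANSWER='"VALUE01"
"VALUE02"'
OVERWRITTEN_ANSWER='"VALUE02"'

# Demo against the samples; swap in "$(live_txt_answer _acme-challenge.DOMAIN.TLD)"
# to test a real zone.
check_txt_values "$HEALTHY_ANSWER" VALUE01 VALUE02 \
  && echo "both challenge values present: validation can proceed"
check_txt_values "$OVERWRITTEN_ANSWER" VALUE01 VALUE02 \
  || echo "first value overwritten: validation for DOMAIN.TLD would stay pending"
```
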
Hobby-Student commented 1 year ago

@OnkelM are you sure you are using https://github.com/Hobby-Student/acme.sh/blob/540d4180d2cc258433442df2e14faf8f0c3f9169/dnsapi/dns_kas.sh ? In all my tests, acme.sh is adding multiple TXT entries and they are deleted AFTER every specified domain and wildcard certificate is successfully created.

OnkelM commented 1 year ago

@OnkelM are you sure you are using https://github.com/Hobby-Student/acme.sh/blob/540d4180d2cc258433442df2e14faf8f0c3f9169/dnsapi/dns_kas.sh ? In all my tests, acme.sh is adding multiple TXT entries and they are deleted AFTER every specified domain and wildcard certificate is successfully created.

since there is no version info in the header I can only assume that it's the same, I also did an update before testing this again.

also this is the file's md5 on my drive: c423e1a51a2bb7c97e60449f9592a2b2. The file date is February 6th, which also indicates that it's the same

I can send you the logs in private. What I see (also on screenshots): the script first writes the TXT to the domain, validates if the TXT has been written, and only later on in the CA creation process it validates against the TXT record again with the challenge. And since the first one is overwritten, as can be seen on the screenshots, this leads to an infinite 'not ready' loop validating the first domain because the script expects to see the first TXT and cannot find it.

Hobby-Student commented 1 year ago

I can send you the logs in private. What I see (also on screenshots): the script first writes the TXT to the domain, validates if the TXT has been written, and only later on in the CA creation process it validates against the TXT record again with the challenge. And since the first one is overwritten, as can be seen on the screenshots, this leads to an infinite 'not ready' loop validating the first domain because the script expects to see the first TXT and cannot find it.

I'll add (hopefully tomorrow) some logging and see which TXT entry is deleted and when it's deleted.

OnkelM commented 1 year ago

I found a bug report for the main app acme.sh which describes my issue, it may not be (or not entirely) the fault of dns_kas.sh at all.. https://github.com/acmesh-official/acme.sh/issues/3036

mihifh commented 7 months ago

Hello,

I'm trying to use the (integrated) ACME-script on my local proxmox-server to generate certificates for my domain, which is hosted at all-inkl. My account at all-inkl is protected via 2FA. Can you explain how to use the ACME-script (in proxmox) for this setup? I just entered the 3 variables

KAS_Login="myaccount" KAS_Authdata="mypassword" KAS_Authtype="plain"

in the ACME DNS Plugin, but it does not work.

Or is there a place (link) where the use of the script (in proxmox) including this kas dns plugin is described in more detail than here?

alxwolf commented 7 months ago

To my knowledge - you can't use 2FA with this script.

mihifh commented 7 months ago

Is it possible to prepare a separate account in kas (with disabled 2fa) for only this purpose? I tried to, but couldn't assign my domain to another account. The support of all-inkl hasn't answered my question concerning this yet.

OnkelM commented 7 months ago

Is it possible to prepare a separate account in kas (with disabled 2fa) for only this purpose? I tried to, but couldn't assign my domain to another account. The support of all-inkl hasn't answered my question concerning this yet.

you should ask all-inkl about this. The kas API only provides two options to interact: plain or session (soap). 2fa is nowhere mentioned

use the test page from all-inkl to test your credentials, if they work there it should also work with acme

KAS API Test page

lichtbringer667 commented 3 months ago

Hi,

I hope someone can help me with this.

I added the dns_kas plugin to my local Proxmox server to generate certificates for my domain hosted at all-inkl.

I'm not sure if I'm doing something wrong when setting it up.

This is what is in my plugin:

ACME DNS Plugin
Plugin ID: ALLINKL

Validation delay: 600

DNS API: kas

API data: KAS_Login="myaccount" KAS_Authdata="mypassword" KAS_Authtype="plain"

Then I want to request a certificate for pve.sub.domain.example

I get this message:

Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxxxxx/xxxxxxxxxx

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXXXXXXXXXXX'
The validation for host.domain.example is pending!
[Thu Aug 15 11:20:27 CEST 2024] [KAS] -> API URL https://kasapi.kasserver.com/soap/KasApi.php
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> AUTH URL https://kasapi.kasserver.com/soap/KasAuth.php
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> Using DNS-01 All-inkl/Kasserver hook
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> Check and Save Props
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> Adding _acme-challenge.host.sub.domain.example DNS TXT entry on all-inkl.com/Kasserver
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> Retriving Credential Token
[Thu Aug 15 11:20:33 CEST 2024] [KAS] -> Could not retrieve login token or antoher error =>session_lifetime_syntax_incorrect:{<= occurred, please check manually.
[Thu Aug 15 11:20:33 CEST 2024] [KAS] -> Checking Zone and Record_Name
[Thu Aug 15 11:20:38 CEST 2024] [KAS] -> Either no domains were found or another error =>no_auth<= occurred, please check manually.
[Thu Aug 15 11:20:38 CEST 2024] [KAS] -> Checking for existing Record entries
[Thu Aug 15 11:20:43 CEST 2024] [KAS] -> Either no domains were found or another error =>no_auth<= occurred, please check manually.
[Thu Aug 15 11:20:43 CEST 2024] [KAS] -> No record found.
[Thu Aug 15 11:20:43 CEST 2024] [KAS] -> Creating TXT DNS record
[Thu Aug 15 11:20:48 CEST 2024] [KAS] -> An error =>no_auth<= occurred, please check manually.
[Thu Aug 15 11:20:48 CEST 2024] Error add txt for domain:
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup kas host.sub.domain.example' failed: exit code 1

OnkelM commented 3 months ago

Hi,

I hope someone can help me with this.

I added the dns_kas plugin to my local Proxmox server to generate certificates for my domain hosted at all-inkl.

I'm not sure if I'm doing something wrong when setting it up.

This is what is in my plugin:

ACME DNS Plugin
Plugin ID: ALLINKL

Validation delay: 600

DNS API: kas

API data: KAS_Login="myaccount" KAS_Authdata="mypassword" KAS_Authtype="plain"

Then I want to request a certificate for pve.sub.domain.example

I get this message:

Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/xxxxxxxxx/xxxxxxxxxx

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXXXXXXXXXXX'
The validation for host.domain.example is pending!
[Thu Aug 15 11:20:27 CEST 2024] [KAS] -> API URL https://kasapi.kasserver.com/soap/KasApi.php
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> AUTH URL https://kasapi.kasserver.com/soap/KasAuth.php
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> Using DNS-01 All-inkl/Kasserver hook
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> Check and Save Props
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> Adding _acme-challenge.host.sub.domain.example DNS TXT entry on all-inkl.com/Kasserver
[Thu Aug 15 11:20:28 CEST 2024] [KAS] -> Retriving Credential Token
[Thu Aug 15 11:20:33 CEST 2024] [KAS] -> Could not retrieve login token or antoher error =>session_lifetime_syntax_incorrect:{<= occurred, please check manually.
[Thu Aug 15 11:20:33 CEST 2024] [KAS] -> Checking Zone and Record_Name
[Thu Aug 15 11:20:38 CEST 2024] [KAS] -> Either no domains were found or another error =>no_auth<= occurred, please check manually.
[Thu Aug 15 11:20:38 CEST 2024] [KAS] -> Checking for existing Record entries
[Thu Aug 15 11:20:43 CEST 2024] [KAS] -> Either no domains were found or another error =>no_auth<= occurred, please check manually.
[Thu Aug 15 11:20:43 CEST 2024] [KAS] -> No record found.
[Thu Aug 15 11:20:43 CEST 2024] [KAS] -> Creating TXT DNS record
[Thu Aug 15 11:20:48 CEST 2024] [KAS] -> An error =>no_auth<= occurred, please check manually.
[Thu Aug 15 11:20:48 CEST 2024] Error add txt for domain:
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup kas host.sub.domain.example' failed: exit code 1

nothing wrong here with acme.sh and dns_kas. Your error is no_auth; check that your kas username and password are correct

Hobby-Student commented 3 months ago

@lichtbringer667 for me it's working on different systems, but not on Proxmox VE. I would also suggest that you check your credentials again.

lichtbringer667 commented 3 months ago

It works. Thanks for the help. It was because of the quotation marks! API data: KAS_Login=myaccount KAS_Authdata=mypassword KAS_Authtype=plain

Sometimes you can't do without them and sometimes they have to go....