Unexpected behavior with adding TXT records to DynuDNS

[NickMagpie]

I have a Linux system running Debian 9.12 (Stretch) with Apache/2.4.25 (Debian) that is used as proxy server for several applications. I also have domain name and additional sub-domains in .org zone registered through DynuDNS for which I want to install SSL certificates provided by Let's Encrypt.

Let's Encrypt documentation points to acme.sh as ACME client for DynuDNS, therefore I have installed latest version from GitHub using advanced method. Installation has been completed but existing installation of Apache HTTPD server was not detected.

After acme.sh installation I've executed it to issue certificates for domain and 2 sub-domains in test mode but I've discovered that at some point of execution script had switched from DynuDNS to Cloudflare to validate one of sub-domains. Because Cloudflare has no information about sub-domain script enters loop and I've cancelled script execution. Execution log with obfuscated data is attached.

I've checked content of DNS records kept on the DynuDNS database and have discovered the following (that seems to me suspicious):

1. 'A' records for domain with two 'TXT' records with acme challenge information:

   • 'A' record for my-domain.org
   • 'A' record for *.my-domain.org
   • 'TXT' record with key _'acme-challenge.my-domain.org'
   • 'TXT' record with key _'acme-challenge.subb.my-domain.org'

2. 'A' record for sub-domain with one 'TXT' records with acme challenge information:

   • 'A' record for *.suba.my-domain.org
   • 'TXT' record with key _'acme-challenge.sub.my-domain.org'

3. 'A' record for sub-domain with no 'TXT' records

   • 'A' record for subb.my-domain.org
   • 'A' record for *.subb.my-domain.org

'TXT' records mentioned by acme.sh documentation were created and inserted into DynuDNS database. In relation to described above I have following questions:

1. What caused script acme.sh to switch to cloudflare-dns.com for checks? Is it an intended action or caused by a bug?
2. What changes need to be applied to DNS database to repair the content before script re-run?
3. How acme.sh check the presence of the Apache HTTPD server? What is the version of the Apache HTTPD server supported by acme.sh?
4. Is socat required for acme.sh operation/execution?

Regards, Nick Sorokin acme.issue.dynudns.mydomain.log

[Neilpang]

What caused script acme.sh to switch to cloudflare-dns.com for checks? Is it an intended action or caused by a bug?

No, it just uses cloudflare to check whether the txt records have propagated.

What changes need to be applied to DNS database to repair the content before script re-run?

if there is a bug, please provide log with --debug 2

How acme.sh check the presence of the Apache HTTPD server?

it uses apachectl or apache2ctl

Is socat required for acme.sh operation/execution?

No, it's only used for standalone mode.

[NickMagpie]

Hi Neil,

Thank you for your time spent looking into my problem and explanation of acme.sh logic. I definitely will re-run script with --debug 2 option but before that I would like to clear the mess the DynuDNS database and also check the Let's Encrypt relevant data. My question - is there a way to check content of Let's Encrypt database with Let's Encrypt UI or acme.sh commands?

Regards, Nick

[Neilpang]

is there a way to check content of Let's Encrypt database with Let's Encrypt UI or acme.sh commands?

No.