acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0
39.3k stars 4.97k forks

Could not issue certificates to an IDN domain using dns_ali challenge. #2825

Open capric98 opened 4 years ago

capric98 commented 4 years ago

Steps to reproduce

root@Debian ~ # ~/.acme.sh/acme.sh --issue -d 闻香识.live -d *.闻香识.live --dns dns_ali -k ec-384 --debug 2 --output-insecure

Most relevant log

[Wed 01 Apr 2020 07:00:42 PM CST] d='闻香识.live'
[Wed 01 Apr 2020 07:00:42 PM CST] _d_alias
[Wed 01 Apr 2020 07:00:42 PM CST] txtdomain='_acme-challenge.闻香识.live'
[Wed 01 Apr 2020 07:00:42 PM CST] txt='NuUloyjxXSZbuKwuIqSgsmxPWSTEndV3OMg_eGyMufc'
[Wed 01 Apr 2020 07:00:42 PM CST] d_api='/root/.acme.sh/dnsapi/dns_ali.sh'
[Wed 01 Apr 2020 07:00:42 PM CST] dns_entry='闻香识.live,_acme-challenge.闻香识.live,,dns_ali,NuUloyjxXSZbuKwuIqSgsmxPWSTEndV3OMg_eGyMufc,/root/.acme.sh/dnsapi/dns_ali.sh'
[Wed 01 Apr 2020 07:00:42 PM CST] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Wed 01 Apr 2020 07:00:42 PM CST] Adding txt value: NuUloyjxXSZbuKwuIqSgsmxPWSTEndV3OMg_eGyMufc for domain:  _acme-challenge.闻香识.live
[Wed 01 Apr 2020 07:00:42 PM CST] First detect the root zone
[Wed 01 Apr 2020 07:00:43 PM CST] GET
[Wed 01 Apr 2020 07:00:43 PM CST] url='https://alidns.aliyuncs.com/?AccessKeyId=********************&Action=DescribeDomainRecords&DomainName=闻香识.live&Format=json&SignatureMethod=HMAC-SHA1&SignatureNonce=1585738842919016726&SignatureVersion=1.0&Timestamp=2020-04-01T11%3A00%3A42Z&Version=2015-01-09&Signature=Z2FqfIqVTVKuyXRvDqjwSXFNW%2F0%3D'
[Wed 01 Apr 2020 07:00:43 PM CST] timeout=
[Wed 01 Apr 2020 07:00:43 PM CST] Http already initialized.
[Wed 01 Apr 2020 07:00:43 PM CST] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.92YDK5ArZw  -g '
[Wed 01 Apr 2020 07:00:44 PM CST] ret='0'
[Wed 01 Apr 2020 07:00:44 PM CST] response='{"RequestId":"1DABD2B4-72A7-45B5-B946-A6645C57EC15","Message":"Specified signature is not matched with our calculation. server string to sign is:GET&%2F&AccessKeyId%3D********************%26Action%3DDescribeDomainRecords%26DomainName%3D%25E9%2597%25BB%25E9%25A6%2599%25E8%25AF%2586.live%26Format%3Djson%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3D1585738842919016726%26SignatureVersion%3D1.0%26Timestamp%3D2020-04-01T11%253A00%253A42Z%26Version%3D2015-01-09","Recommend":"https://error-center.aliyun.com/status/search?Keyword=SignatureDoesNotMatch&source=PopGw","HostId":"alidns.aliyuncs.com","Code":"SignatureDoesNotMatch"}'
[Wed 01 Apr 2020 07:00:45 PM CST] GET
[Wed 01 Apr 2020 07:00:45 PM CST] url='https://alidns.aliyuncs.com/?AccessKeyId=********************&Action=DescribeDomainRecords&DomainName=live&Format=json&SignatureMethod=HMAC-SHA1&SignatureNonce=1585738844523233993&SignatureVersion=1.0&Timestamp=2020-04-01T11%3A00%3A44Z&Version=2015-01-09&Signature=u3Jdq%2FWpUrELR%2BLh9aUVJe3%2Fef0%3D'
[Wed 01 Apr 2020 07:00:45 PM CST] timeout=
[Wed 01 Apr 2020 07:00:45 PM CST] Http already initialized.
[Wed 01 Apr 2020 07:00:45 PM CST] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.92YDK5ArZw  -g '
[Wed 01 Apr 2020 07:00:45 PM CST] ret='0'
[Wed 01 Apr 2020 07:00:45 PM CST] response='{"RequestId":"2D50E155-0D99-4A15-BA98-A89C434F4D2D","HostId":"alidns.aliyuncs.com","Code":"InvalidDomainName.Format","Message":"Invalid domain name."}'
[Wed 01 Apr 2020 07:00:45 PM CST] Error add txt for domain:_acme-challenge.闻香识.live
[Wed 01 Apr 2020 07:00:45 PM CST] _on_issue_err
[Wed 01 Apr 2020 07:00:45 PM CST] Please add '--debug' or '--log' to check more details.

Full Debug log
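
The `SignatureDoesNotMatch` response in the log above echoes the string the server signed: `DomainName` appears as the percent-encoded UTF-8 bytes of the IDN label, and the whole query is then encoded a second time. The script below is an added example, not acme.sh's own code; it rebuilds that string so a client's string-to-sign can be compared against it. `EXAMPLEKEYID` is a constructed placeholder for the AccessKeyId the log masks, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not acme.sh code): rebuild the "server string to sign"
# reported in the SignatureDoesNotMatch response.

# RFC 3986 percent-encoding over the bytes of $1:
# only A-Z a-z 0-9 - _ . ~ are left unescaped.
pct_encode() {
  out=''
  for hex in $(printf '%s' "$1" | od -An -v -tx1); do
    case "$hex" in
      2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
        out="$out$(printf "\\$(printf '%03o' "0x$hex")")" ;;
      *) out="$out%$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
    esac
  done
  printf '%s' "$out"
}

# Arguments are raw (unencoded) name=value pairs. Each name and value is
# encoded, the pairs are byte-sorted (enough to order these names) and joined
# with "&", and the joined query is encoded once more after the "GET&%2F&"
# prefix seen in the server's message.
string_to_sign() {
  query=$(for pair in "$@"; do
    printf '%s=%s\n' "$(pct_encode "${pair%%=*}")" "$(pct_encode "${pair#*=}")"
  done | LC_ALL=C sort | paste -sd '&' -)
  printf 'GET&%%2F&%s' "$(pct_encode "$query")"
}

# Parameter values from the log. The IDN label is written as its UTF-8 bytes
# (闻香识 = E9 97 BB, E9 A6 99, E8 AF 86) so the script does not depend on the
# file's encoding. EXAMPLEKEYID is a constructed placeholder.
demo() {
  idn=$(printf '\351\227\273\351\246\231\350\257\206.live')
  string_to_sign \
    'AccessKeyId=EXAMPLEKEYID' 'Action=DescribeDomainRecords' \
    "DomainName=$idn" 'Format=json' 'SignatureMethod=HMAC-SHA1' \
    'SignatureNonce=1585738842919016726' 'SignatureVersion=1.0' \
    'Timestamp=2020-04-01T11:00:42Z' 'Version=2015-01-09'
}

demo; echo
```

Apart from the placeholder key, the output is the server string quoted in the response, so a client that builds its string-to-sign from the unencoded `DomainName` value will compute a different HMAC.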

capric98 commented 4 years ago

_(:з)∠)_ I have succeeded in issuing the wildcard certificate using the manual DNS challenge.

Neilpang commented 4 years ago

This looks like the same problem as this PR.

Please follow this PR: https://github.com/acmesh-official/acme.sh/pull/2772