acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Report bugs to DNS.Services dns api #4152

Open bbruun opened 2 years ago

bbruun commented 2 years ago

This is a bug report issue for the DNS.Services dns api implementation

If you experience problems with the plugin then report your bugs here

./acme --issue --dns dns_dnsservices ...

yajrendrag commented 2 years ago

evidently, my renewal has not been working (domain my.domain.com is a sanitized placeholder). it started trying to renew 4 weeks ago - here's what is recorded via my logging - the dns txt record looks to be written successfully (and the certificate was originally created successfully at end of march), but then it fails - the order status request returns {"type":"urn:ietf:params:acme:error:malformed","status":405,"detail":"The request message was malformed"}:

[Mon 27 Jun 2022 08:20:57 AM MDT] ===Starting cron===
[Mon 27 Jun 2022 08:20:57 AM MDT] Renew: 'my.domain.com'
[Mon 27 Jun 2022 08:20:57 AM MDT] Renew to Le_API=https://acme.zerossl.com/v2/DV90
[Mon 27 Jun 2022 08:21:06 AM MDT] Using CA: https://acme.zerossl.com/v2/DV90
[Mon 27 Jun 2022 08:21:06 AM MDT] Single domain='my.domain.com'
[Mon 27 Jun 2022 08:21:06 AM MDT] Getting domain auth token for each domain
[Mon 27 Jun 2022 08:21:30 AM MDT] Getting webroot for domain='my.domain.com'
[Mon 27 Jun 2022 08:21:30 AM MDT] Adding txt value: ZFUFGZXFtFh2PD-jGs2L_RimKLO3jISmNLNWsjBhwmQ for domain: _acme-challenge.my.domain.com
[Mon 27 Jun 2022 08:21:35 AM MDT] Adding record
[Mon 27 Jun 2022 08:21:38 AM MDT] Added, OK
[Mon 27 Jun 2022 08:21:38 AM MDT] The txt record is added: Success.
[Mon 27 Jun 2022 08:21:38 AM MDT] Let's check each DNS record now. Sleep 20 seconds first.
[Mon 27 Jun 2022 08:21:58 AM MDT] You can use '--dnssleep' to disable public dns checks.
[Mon 27 Jun 2022 08:21:58 AM MDT] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Mon 27 Jun 2022 08:21:58 AM MDT] Checking my.domain.com for _acme-challenge.my.domain.com
[Mon 27 Jun 2022 08:21:58 AM MDT] Domain my.domain.com '_acme-challenge.my.domain.com' success.
[Mon 27 Jun 2022 08:21:58 AM MDT] All success, let's return
[Mon 27 Jun 2022 08:21:58 AM MDT] Verifying: my.domain.com
[Mon 27 Jun 2022 08:22:05 AM MDT] Processing, The CA is processing your order, please just wait. (1/30)
[Mon 27 Jun 2022 08:22:13 AM MDT] Success
[Mon 27 Jun 2022 08:22:13 AM MDT] Removing DNS records.
[Mon 27 Jun 2022 08:22:13 AM MDT] Removing txt: ZFUFGZXFtFh2PD-jGs2L_RimKLO3jISmNLNWsjBhwmQ for domain: _acme-challenge.my.domain.com
[Mon 27 Jun 2022 08:22:20 AM MDT] Removed: Success
[Mon 27 Jun 2022 08:22:20 AM MDT] Verify finished, start to sign.
[Mon 27 Jun 2022 08:22:20 AM MDT] Lets finalize the order.
[Mon 27 Jun 2022 08:22:20 AM MDT] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A/finalize'
[Mon 27 Jun 2022 08:22:26 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:22:26 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:22:41 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:22:47 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:22:47 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:23:02 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:23:12 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:23:12 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:23:27 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:23:34 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:23:34 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:23:49 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:23:56 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:23:56 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:24:11 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:24:19 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:24:19 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:24:34 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:24:41 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:24:41 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:24:56 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:25:04 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:25:04 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:25:19 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:25:27 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:25:27 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:25:42 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:25:49 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:25:49 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:26:04 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:26:12 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:26:12 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:26:27 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:26:33 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:26:33 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:26:48 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:26:54 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:26:54 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:27:09 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:27:15 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:27:15 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:27:30 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:27:36 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:27:36 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:27:51 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:27:58 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:27:58 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:28:13 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:28:13 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:28:13 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:28:28 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:28:34 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:28:34 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:28:49 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:28:56 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:28:56 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:29:11 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:29:17 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:29:17 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:29:32 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:29:38 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:29:38 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:29:53 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:29:59 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:29:59 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:30:14 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:30:20 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:30:20 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:30:35 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:30:43 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:30:43 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:30:58 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:31:05 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:31:05 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:31:20 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:31:28 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:31:28 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:31:43 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:31:51 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:31:51 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:32:06 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:32:15 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:32:15 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:32:30 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:32:39 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:32:39 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:32:54 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:33:04 AM MDT] Order status is processing, lets sleep and retry.
[Mon 27 Jun 2022 08:33:04 AM MDT] Retry after: 15
[Mon 27 Jun 2022 08:33:19 AM MDT] Polling order status: https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A
[Mon 27 Jun 2022 08:33:27 AM MDT] Sign failed, can not get Le_LinkCert, retry time limit.
[Mon 27 Jun 2022 08:33:27 AM MDT] {"status":"processing","expires":"2022-09-25T14:21:22Z","identifiers":[{"type":"dns","value":"my.domain.com"}],"authorizations":["https://acme.zerossl.com/v2/DV90/authz/mB1KhBZTS-6-EGUC9s3fgQ"],"finalize":"https://acme.zerossl.com/v2/DV90/order/nTBhEzUKLFgi7Egbdcar0A/finalize"}
[Mon 27 Jun 2022 08:33:27 AM MDT] Please add '--debug' or '--log' to check more details.
[Mon 27 Jun 2022 08:33:27 AM MDT] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Mon 27 Jun 2022 08:33:27 AM MDT] Error renew my.domain.com.
[Mon 27 Jun 2022 08:33:27 AM MDT] ===End cron===

I will add --debug and see if anything else is added that could provide more detail

yajrendrag commented 2 years ago

here's result with --debug & --dnssleep added: log

full command line: /root/.acme.sh/acme.sh --cron --debug --home /root/.acme.sh --dnssleep >> /root/.acme.sh/acme.logger 2>&1

domain sanitized to subdomain.my.domain.com csr text sanitized to my my-csr-text

EDIT - note that i fixed the --dnssleep option to specify a time, but it didn't make any difference - renew still fails.

yajrendrag commented 2 years ago

ok, this is apparently not a dns api issue - i changed the --server option to letsencrypt and issued a new cert - and it works fine... something must be up with zerossl

bbruun commented 2 years ago

Hi @yajrendrag This isn't for the DNS provider plugin dns_dnsservices so I'm at a loss to help/assist you. This DNS plugin hasn't been merged by Neilpang yet (https://github.com/acmesh-official/acme.sh/pull/4151).

I would suggest to run the acme.sh --renew --dns dns_ZYX --log --dnssleep 300 with the --log parameter and --dnssleep 300 parameter as from the log it seems to be set to 15 seconds which might not be enough for your DNS provider to propagate the DNS update when issuing/renewing (aka a change at your DNS provider) and then create a ticket for the appropriate DNS provider or if that does not work or you do suspect from the --log output that it is zerossl that has issues with the FQDN(s) for the certificate then a new general acme.sh issue.

yajrendrag commented 2 years ago

I see, apologies for my misunderstanding of the purpose of this thread, and thanks for your reply/suggestions.

bbruun commented 2 years ago

No problem at all @yajrendrag - the --dnssleep parameter needs an integer for the number of seconds to wait to check the DNS TXT record settings

from acme.sh --help

  --dnssleep <seconds>              The time in seconds to wait for all the txt records to propagate in dns api mode.
                                    It's not necessary to use this by default, acme.sh polls dns status by DOH automatically.

Hope you get it fixed or that the --dnssleep fixes the problem as it seems (from the above logs) that it is a DNS propagation issue and not a ZeroSSL issue as such as --server works.

frenzeldk commented 2 years ago

I'm trying to create a certificate for two domains, that both have their primary DNS at dns.services. When running

acme.sh --issue -d domainA.tld -d domainB.tld -d '*.domainA.tld' -d '*.domainB.tld' --server letsencrypt --dns dns_dnsservices

I'm getting the following entries on dns.services for Domain A and no entries for Domain B, and as such validation for Domain B fails. image

bbruun commented 2 years ago

Hi @frenzeldk

I've not come across multiple TLD's in one cert via --dns <provider> before, only via the http method and webroot option.

I'll get back to you (I need to buy another domain to test it out).

If you are in a rush and happen to be running your own Linux box to host your service (and SSL offloading) then you can install and use HAProxy - it is capable of handling multiple TLDs in individual .pem files (with the full chain in them). PM me for info/help on that if you are in dire need now. Otherwise the dns_dnsservices only supports one domain.

frenzeldk commented 2 years ago

@bbruun thanks for looking into it! I have taken care of my immediate needs by using manual DNS validation.

And thanks for your offer of help - luckily I'm pretty well versed in the workings of nginx (which is my reverse proxy provider of choice) :)

bbruun commented 2 years ago

@frenzeldk I've had some issues with the pull commit actions that need to pass on Solaris (#4287) but it seems to have been fixed now.

The update will handle multiple zones in the API correctly, so it will be merged to the Dev branch tonight and have to re-pass the pull commit actions again and then have Neilpang merge Dev into Master before you can get it the correct way. But it is coming.

Pull request https://github.com/acmesh-official/acme.sh/pull/4293

bbruun commented 2 years ago

@frenzeldk - the fix has been merged into master so you can update acme.sh now and use --dns dns_dnsservices with multiple TLD's without problems.

frenzeldk commented 1 year ago

@bbruun I didn't have the need to try it out before now, but it worked like a charm! Thank you very much :)

hehoe20 commented 1 year ago

@bbruun it seems like the _acme-challenge.domainX.com TXT records are not removed on some of my domains. Although the acme.sh script says the records are removed, they still exist on some of my domains (2 out of 3 tested).

[Thu Feb 16 18:32:03 CET 2023] Removing txt: [challenge_was_here]for domain: _acme-challenge.domainY.com
[Thu Feb 16 18:32:03 CET 2023] Using dns.services to remove DNS record _acme-challenge.domainY.com TXT [challenge_was_here]
[Thu Feb 16 18:32:05 CET 2023] Removed: Success

[Thu Feb 16 18:33:43 CET 2023] Removing txt: [challenge_was_here] for domain: _acme-challenge.domainX.com
[Thu Feb 16 18:33:43 CET 2023] Using dns.services to remove DNS record _acme-challenge.domainX.com TXT [challenge_was_here]
[Thu Feb 16 18:33:47 CET 2023] Removed: Success

calling script like:

./acme.sh --issue -d domainY.com -d *.domainY.com --dns dns_dnsservices --server letsencrypt --dnssleep 60
./acme.sh --issue -d domainX.com -d *.domainX.com --dns dns_dnsservices --server letsencrypt --dnssleep 60

I've just tried on 3 of my domains - on two of them the TXT records are not removed, and I have to do this manually.

bbruun commented 1 year ago

@hehoe20 I'm sorry for the long wait - I've been moved to another section at work so my workload had increased for a period, but I'm back.

I've been using the script extensively since I made it and I do not have any leftover _acme-challenge domains lingering - both for acme.sh or my cert-manager-webhook-dns-services operator for k8s.

There is an API limit to the DNS Services API so if you have been running a few tests or tried to create a few domains too fast after each other then the DNS Services API will not work as it has a max number of API requests per 5 min (IIRC) and the error isn't caught by the acme.sh script, but the curl if you run the acme.sh script with --log --debug 2 will give you a curl or two that you can try, if you observe one or more TXT records lingering afterwards. The curls will give you a 429 error and an explanation about too many requests. That I cannot fix - for that you need to ask DNS Services for the API request limit to be increased. I've hit this a few (read a lot) during creating and testing the script.

sorenjacobjensen commented 1 year ago

@hehoe20, please submit a support ticket with domain and approx timestamps for when you ran the script, if possible, and we can try to check the logs. The limitations are 25 LOGIN requests per 5 minutes and all other requests are 1000 per 5 minutes.

hehoe20 commented 1 year ago

@bbruun - I've just run a renew of all my certs (7 domains). The first domain that is renewed is dhcgurus.com. All TXT records at that domain are left (and I've not removed them manually for now) - I did not do any other API requests before running the commands below. Also the TXT records for some of my other domains are still persistent - I did not enable any other logging than the default. Unfortunately.

The renewCerts.sh contains:

#!/bin/sh
/mnt/drive/acme.sh/acme.sh --cron --home "/mnt/drive/acme.sh" --config-home "/mnt/drive/acme.sh/data"
/opt/etc/init.d/S80nginx reload

user@gateway:/tmp/mnt/drive/acme.sh# ./renewCerts.sh
[Thu Apr 27 20:32:36 CEST 2023] ===Starting cron===
[Thu Apr 27 20:32:36 CEST 2023] Renew: 'dhcgurus.com'
[Thu Apr 27 20:32:36 CEST 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Apr 27 20:32:39 CEST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Apr 27 20:32:39 CEST 2023] Multi domain='DNS:dhcgurus.com,DNS:*.dhcgurus.com'
[Thu Apr 27 20:32:39 CEST 2023] Getting domain auth token for each domain
[Thu Apr 27 20:32:45 CEST 2023] Getting webroot for domain='dhcgurus.com'
[Thu Apr 27 20:32:45 CEST 2023] Getting webroot for domain='*.dhcgurus.com'
[Thu Apr 27 20:32:46 CEST 2023] Adding txt value: Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A for domain:  _acme-challenge.dhcgurus.com
[Thu Apr 27 20:32:46 CEST 2023] Using dns.services to create ACME DNS challenge
[Thu Apr 27 20:32:47 CEST 2023] Record "_acme-challenge.dhcgurus.com TXT Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A" has been created
[Thu Apr 27 20:32:47 CEST 2023] The txt record is added: Success.
[Thu Apr 27 20:32:48 CEST 2023] Adding txt value: dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s for domain:  _acme-challenge.dhcgurus.com
[Thu Apr 27 20:32:48 CEST 2023] Using dns.services to create ACME DNS challenge
[Thu Apr 27 20:32:50 CEST 2023] Record "_acme-challenge.dhcgurus.com TXT dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s" has been created
[Thu Apr 27 20:32:50 CEST 2023] The txt record is added: Success.
[Thu Apr 27 20:32:50 CEST 2023] Sleep 60 seconds for the txt records to take effect
[Thu Apr 27 20:33:52 CEST 2023] Verifying: dhcgurus.com
[Thu Apr 27 20:33:54 CEST 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Apr 27 20:33:58 CEST 2023] Pending, The CA is processing your order, please just wait. (2/30)
[Thu Apr 27 20:34:02 CEST 2023] Pending, The CA is processing your order, please just wait. (3/30)
[Thu Apr 27 20:34:07 CEST 2023] Success
[Thu Apr 27 20:34:07 CEST 2023] Verifying: *.dhcgurus.com
[Thu Apr 27 20:34:08 CEST 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Apr 27 20:34:12 CEST 2023] Success
[Thu Apr 27 20:34:13 CEST 2023] Removing DNS records.
[Thu Apr 27 20:34:13 CEST 2023] Removing txt: Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:34:13 CEST 2023] Using dns.services to remove DNS record _acme-challenge.dhcgurus.com TXT Jw-QZRghKgo9MISNzCd0eSCxgMy-b8rjNt19sqe2T2A
[Thu Apr 27 20:34:16 CEST 2023] Removed: Success
[Thu Apr 27 20:34:16 CEST 2023] Removing txt: dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s for domain: _acme-challenge.dhcgurus.com
[Thu Apr 27 20:34:16 CEST 2023] Using dns.services to remove DNS record _acme-challenge.dhcgurus.com TXT dms1bLD94fu3b2bUBT7hhSXsvwvmQIROX21tfoezi9s
[Thu Apr 27 20:34:20 CEST 2023] Removed: Success
[Thu Apr 27 20:34:20 CEST 2023] Verify finished, start to sign.
[Thu Apr 27 20:34:21 CEST 2023] Lets finalize the order.
[Thu Apr 27 20:34:21 CEST 2023] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/966756326/178755585807'
[Thu Apr 27 20:34:22 CEST 2023] Downloading cert.
[Thu Apr 27 20:34:22 CEST 2023] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03b8ef0b6f6f719d561cd3e9a539bc9d31e1'
[Thu Apr 27 20:34:24 CEST 2023] Cert success.
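
A way to verify the symptom reported above (a removal logged as "Removed: Success" while the TXT record stays published). This is an added example, not part of the original thread and not acme.sh code: it reads an acme.sh log and asks DNS whether each record the log claims was removed still exists. The function names, the `TXT_LOOKUP` and `RESOLVER` variables and the sample log (example.com, tokenAAA, tokenBBB) are constructed for illustration; live lookups assume `dig` is installed.

```sh
#!/bin/sh
# Added example (not acme.sh code): find challenge TXT records that the log
# reports as removed but that DNS still serves.

# Constructed sample in the log format quoted in this thread; example.com and
# the two token values are placeholders.
SAMPLE_LOG='[Thu Apr 27 20:34:13 CEST 2023] Removing txt: tokenAAA for domain: _acme-challenge.example.com
[Thu Apr 27 20:34:16 CEST 2023] Removed: Success
[Thu Apr 27 20:34:16 CEST 2023] Removing txt: tokenBBB for domain: _acme-challenge.example.com
[Thu Apr 27 20:34:20 CEST 2023] Removed: Success'

# Read a log on stdin; print "fqdn value" for each removal logged as successful.
# Splitting on "for domain: " also copes with a value glued to "for", as in
# the "[challenge_was_here]for domain:" line earlier in the thread.
claimed_removals() {
  awk '
    /\] Removing txt: / {
      sub(/^.*\] Removing txt: /, "")
      n = index($0, "for domain: ")
      if (n == 0) { pending = ""; next }
      val = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      name = substr($0, n + 12); gsub(/^[ \t]+|[ \t\r]+$/, "", name)
      pending = name " " val
      next
    }
    /\] Removed: Success/ { if (pending != "") print pending; pending = "" }
  '
}

# Live lookup. Set RESOLVER to one of the zone's authoritative name servers so
# a cached answer from a recursive resolver is not reported as stale.
txt_lookup() { dig +short TXT "$1" ${RESOLVER:+"@$RESOLVER"} | tr -d '"'; }
TXT_LOOKUP=${TXT_LOOKUP:-txt_lookup}

# Read a log on stdin, print one STALE line per record still published,
# and return non-zero if there is any.
find_lingering() {
  claimed=$(claimed_removals | sort -u)
  stale=0
  while read -r name value; do
    [ -n "$name" ] || continue
    if "$TXT_LOOKUP" "$name" </dev/null | grep -Fqx -- "$value"; then
      echo "STALE $name TXT $value"
      stale=$((stale + 1))
    fi
  done <<EOF
$claimed
EOF
  [ "$stale" -eq 0 ]
}

# Offline demonstration: a stub resolver that still serves tokenBBB.
demo_lookup() { [ "$1" = "_acme-challenge.example.com" ] && echo tokenBBB; }
demo() { printf '%s\n' "$SAMPLE_LOG" | TXT_LOOKUP=demo_lookup find_lingering; }

# Usage: sh check_txt.sh /path/to/acme.sh.log
if [ -r "${1:-}" ]; then find_lingering <"$1"; fi
```

Run after a renewal, a non-zero exit status gives a cron job something to alert on, since the log alone reports success in both cases.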

bbruun commented 1 year ago

Hi @hehoe20

There is an API limit on the dns.services API that the script cannot accommodate as each certificate you renew is a new run.

For next renewal I would recommend you add --dnssleep 120 to the renew script to avoid hitting the throttle as it will leave some of the TXT records after updates as per the usage description https://dns.services/knowledgebase/article/38/acme-sh-acme-protokol-support-til-certifikatudstedelse/

It is unfortunately not something I can do anything about except to take your time to renew the certificates or spread out the renewal of multiple certificates by ~5-10min per certificate eg by a cronjob.

hehoe20 commented 1 year ago

Hi @bbruun - I'm aware of that but I still think it's weird, because this was the first run, and the dhcgurus.com domain is the first request. And @sorenjacobjensen mentioned that the limitations are 25 LOGIN requests per 5 minutes and all other requests are 1000 per 5 minutes. But @sorenjacobjensen might look into the log files at dns.services - the timestamps for the first request are in my post above.

bbruun commented 1 year ago

Hi @hehoe20 When I renew 2 certs I hit the API limit, you state you've renewed 7, so that is the most likely cause. I've raised a ticket for DNS.Services so we can hopefully get a solution to the problem. The ideal would be no API limits but that is what we have.

hehoe20 commented 1 year ago

@bbruun you're right, and thank you! - And yes, I renewed 7 domains - but the first domain that is renewed is dhcgurus.com (the other 6 are renewed afterwards) - and no other requests have been made. So I think the TXT records should at least have been removed for that domain.