acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

_acme-challenge TXT Record Not Being Written To Zone File #4812

Open Dulux-Oz opened 1 year ago

Dulux-Oz commented 1 year ago

Hi All,

I'll keep this as short as possible :-)

All software used is the latest from the Rocky 9.1 repos and/or downloaded from GitHub, etc.

The Setup

box1 is running acme.sh
box2 is running bind9 with dnssec, rndc, etc
box1 has permissions, keys, etc, to update the zone file on box2
LE certs are requested with the commands:

CERT_NAME=example.com
# quote the wildcard name so the shell cannot glob-expand "*.example.com" against files in the current directory
WC_CERT="*.${CERT_NAME}"
/etc/acme/acme.sh --issue -d "${CERT_NAME}" -d "${WC_CERT}" --server letsencrypt --keylength ec-384 --dns dns_nsupdate

Everything works; the _acme-challenge TXT record is placed in the zone file, the certificate is correctly ordered and delivered, etc, etc, etc - everything is AOK!

HOWEVER, the above statement is only true when an _acme-challenge TXT record already exists in the zone file. If an _acme-challenge TXT record does not exist, then, although acme.sh reports that it SUCCESSFULLY places a TXT record, in actuality it does not, and so acme.sh (& LE) then sits there trying to confirm the DNS ownership until it times out.

So our workaround (up to now) has been to add a "dummy" TXT record with a blank (ie "") string whenever we want to issue (or renew) a cert.

Since acme.sh removes all _acme-challenge TXT records on the completion of a successful run, when issuing a new cert or renewing an existing cert there isn't an existing TXT record, so the issue/renew fails (hence our workaround).

However, this "adding a dummy TXT record" is becoming a real PITA as it means that our LE certs are now not automatically renewed, but instead we have this manual workaround every 60-90 days.

So, is this an issue with acme.sh (which it appears to be), or is it an issue with bind9 that is manifesting as an acme.sh issue, and, much more importantly, what is the solution?

Please note that using any other form of "domain confirmation" (ie --standalone, -w, --alpn, etc) is not a viable option for us.

Thanks in advance

Dulux-Oz
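The failure mode described above is that the client reports the TXT record as placed without the record actually being served. The script below is an added example, not acme.sh's own dns_nsupdate hook and not code from this issue: it emits the RFC 2136 dynamic-update batch that would be piped into nsupdate to add or delete the _acme-challenge TXT record, and then polls the authoritative server directly (bypassing resolver caches) until the record is actually answered, failing loudly instead of reporting success. The server name, the key-file path and the dig binary are placeholders/assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example: place an ACME DNS-01 TXT record via nsupdate and verify it
# is really served before declaring success. Not acme.sh's dns_nsupdate code.

# Placeholder settings (assumptions): override from the environment.
NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.example.com}"   # authoritative server accepting dynamic updates
NSUPDATE_KEY="${NSUPDATE_KEY:-/path/to/tsig.key}"       # TSIG key file for 'nsupdate -k'
DIG_BIN="${DIG_BIN:-dig}"                               # query tool; replaced by a stub in tests

# Emit the nsupdate batch that adds one TXT record.
# Usage: nsupdate_add_batch FQDN VALUE [TTL] | nsupdate -k "$NSUPDATE_KEY"
nsupdate_add_batch() {
  fqdn=$1; value=$2; ttl=${3:-60}
  printf 'server %s\nupdate add %s. %s IN TXT "%s"\nsend\n' \
    "$NSUPDATE_SERVER" "$fqdn" "$ttl" "$value"
}

# Emit the nsupdate batch that deletes exactly that TXT record (cleanup step).
nsupdate_del_batch() {
  fqdn=$1; value=$2
  printf 'server %s\nupdate delete %s. IN TXT "%s"\nsend\n' \
    "$NSUPDATE_SERVER" "$fqdn" "$value"
}

# Ask the authoritative server itself; 'dig +short' prints each TXT as "...".
query_txt() {
  "$DIG_BIN" +short "@$NSUPDATE_SERVER" "$1" TXT
}

# Read 'dig +short' output on stdin; succeed only if the exact value is present.
txt_in_answer() {
  grep -Fxq "\"$1\""
}

# Poll until the record is visible; return non-zero (with a message) otherwise.
# Usage: wait_for_txt FQDN VALUE [TRIES] [DELAY_SECONDS]
wait_for_txt() {
  fqdn=$1; value=$2; tries=${3:-10}; delay=${4:-5}
  i=0
  while [ "$i" -lt "$tries" ]; do
    if query_txt "$fqdn" | txt_in_answer "$value"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  echo "TXT record $fqdn with value '$value' not served by $NSUPDATE_SERVER after $tries tries" >&2
  return 1
}

# Stand-alone use: ./script.sh _acme-challenge.example.com TOKEN
# Adds the record, then refuses to report success until the server answers it.
if [ "$#" -eq 2 ]; then
  nsupdate_add_batch "$1" "$2" | nsupdate -k "$NSUPDATE_KEY" || exit 1
  wait_for_txt "$1" "$2" || exit 1
  echo "TXT record $1 confirmed on $NSUPDATE_SERVER"
fi
```

The check that matters here is `wait_for_txt`: it queries the authoritative server named in the update, not a recursive resolver, so a cached negative answer cannot mask a record that was never written, and a record that was never written cannot be mistaken for success. The same functions can be pointed at a scripted stub in place of dig to exercise the logic offline.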

github-actions[bot] commented 1 year ago

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.