acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Consumer key invalid with acme.sh + OVH DNS challenge + OpnSense plugin #4883

Open quanticworld opened 10 months ago

quanticworld commented 10 months ago

Hi!

I can't use the DNS challenge with the OVH provider, using acme.sh via the OpnSense plugin; I get the following error message from OVH:

The consumer key is invalid: xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Checking account.conf, I can see two OVH-specific keys: SAVED_OVH_AK and SAVED_OVH_AS, both filled in. My OpnSense configuration is OK, and I even made a Python script to test my OVH credentials, which are OK on all API endpoints needed for acme.sh to do the DNS challenge.

Steps to reproduce: I don't know, because the OpnSense plugin handles acme.sh for me.

Please, how can I test acme.sh commands directly with OVH? The verbose logs do not seem to be sufficient :/

Has anyone already used acme.sh with OVH + the OpnSense plugin?

Many thanks in advance, I've been debugging this for 2 days with no success.


Debug log

2023-11-26T09:57:07 acme.sh [Sun Nov 26 09:57:07 UTC 2023] skip dns.
2023-11-26T09:57:07 acme.sh [Sun Nov 26 09:57:07 UTC 2023] dns_entries
2023-11-26T09:57:07 acme.sh [Sun Nov 26 09:57:07 UTC 2023] _clearupdns
2023-11-26T09:57:07 acme.sh [Sun Nov 26 09:57:07 UTC 2023] No need to restore nginx, skip.
2023-11-26T09:57:07 acme.sh [Sun Nov 26 09:57:07 UTC 2023] pid
        #define WITH_MSGLEVEL 0 /*debug*/
        #define WITH_RETRY 1
        #define WITH_FILAN 1
        #define WITH_SYCLS 1
        #define WITH_LIBWRAP 1
        #undef WITH_FIPS
        #define WITH_OPENSSL 1
        #define WITH_PTY 1
        #undef WITH_TUN
        #undef WITH_READLINE
        #define WITH_EXEC 1
        #define WITH_SYSTEM 1
        #define WITH_PROXY 1
        #undef WITH_VSOCK
        #define WITH_SOCKS4A 1
        #define WITH_SOCKS4 1
        #define WITH_LISTEN 1
        #define WITH_SCTP 1
        #define WITH_UDP 1
        #define WITH_TCP 1
        #undef WITH_INTERFACE
        #define WITH_GENERICSOCKET 1
        #define WITH_RAWIP 1
        #define WITH_IP6 1
        #define WITH_IP4 1
        #undef WITH_ABSTRACT_UNIXSOCKET
        #define WITH_UNIX 1
        #define WITH_PIPE 1
        #define WITH_TERMIOS 1
        #define WITH_GOPEN 1
        #define WITH_CREAT 1
        #define WITH_FILE 1
        #define WITH_FDNUM 1
        #define WITH_STDIO 1
        features:
        running on FreeBSD version FreeBSD 13.2-RELEASE-p5 stable/23.7-n254837-8806e8fefb1 SMP, release 13.2-RELEASE-p5, machine amd64
        socat version 1.7.4.4 on Nov 8 2023 10:47:20
        socat by Gerhard Rieger and contributors - see www.dest-unreach.org
        socat:
        nginx doesn't exist.
        nginx:
        apache doesn't exist.
        apache:
        OpenSSL 1.1.1t-freebsd 7 Feb 2023
        openssl:openssl
2023-11-26T09:57:07 acme.sh [Sun Nov 26 09:57:07 UTC 2023] Diagnosis versions:
2023-11-26T09:57:07 acme.sh [Sun Nov 26 09:57:07 UTC 2023] code='200'
2023-11-26T09:57:07 acme.sh [Sun Nov 26 09:57:07 UTC 2023] _ret='0'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.1HsSFqdF -g '
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361864/cq2QHg'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] POST
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] payload='{}'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361864/cq2QHg'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] =======Begin Send Signed Request=======
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] code='200'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _ret='0'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.1HsSFqdF -g '
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361854/mdz7hA'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] POST
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] payload='{}'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361854/mdz7hA'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] =======Begin Send Signed Request=======
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] Please add '--debug' or '--log' to check more details.
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _on_issue_err
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] Error add txt for domain:_acme-challenge.lilalop.fr
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] Please retry to create a new one.
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] The consumer key is invalid: xxxxxxxxxxxxxxxxxxxx
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] error
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] ret='7'
        == Info: Closing connection
        == Info: Failed to connect to eu.api.ovh.com port 443 after 24 ms: Couldn't connect to server
        == Info: Immediate connect fail for 141.95.186.223: Permission denied
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] == Info: Trying 141.95.186.223:443...
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] Here is the curl dump log:
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.1HsSFqdF -g '
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] timeout=
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] url='https://eu.api.ovh.com/1.0/domain'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] GET
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _ovh_p='[hidden](please add '--output-insecure' to see this value)'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] ret='7'
        == Info: Closing connection
        == Info: Failed to connect to eu.api.ovh.com port 443 after 29 ms: Couldn't connect to server
        == Info: Immediate connect fail for 141.95.186.223: Permission denied
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] == Info: Trying 141.95.186.223:443...
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] Here is the curl dump log:
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.1HsSFqdF -g --connect-timeout 30'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] timeout=30
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] url='https://eu.api.ovh.com/1.0/auth/time'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] GET
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] domain
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] Checking authentication
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] OVH_API='https://eu.api.ovh.com/1.0'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] Using OVH endpoint: ovh-eu
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] Adding txt value: MOEg_mSCCMEErfvyldQRT7JRIwyHqK7B2NTitIMU4ng for domain: _acme-challenge.lilalop.fr
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ovh.sh
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ovh.sh'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] txt='MOEg_mSCCMEErfvyldQRT7JRIwyHqK7B2NTitIMU4ng'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] txtdomain='_acme-challenge.lilalop.fr'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _d_alias
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] d='*.lilalop.fr'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] vlist='*.lilalop.fr#x2LamjivSKQ_g3UsObJHXBkkZ07J4sEEAXEHtIKCj34.HE_wXl0hO27VkHihdxC4YusrdFwAiOrXzrKtbH-UEmk#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361854/mdz7hA#dns-01#dns_ovh#https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361854,lilalop.fr#4cZFXfEFx6PtM2Fm6CosGJNaSVEL6qCmO1ZXVFo-FGg.HE_wXl0hO27VkHihdxC4YusrdFwAiOrXzrKtbH-UEmk#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361864/cq2QHg#dns-01#dns_ovh#https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361864,'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] d
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] dvlist='lilalop.fr#4cZFXfEFx6PtM2Fm6CosGJNaSVEL6qCmO1ZXVFo-FGg.HE_wXl0hO27VkHihdxC4YusrdFwAiOrXzrKtbH-UEmk#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361864/cq2QHg#dns-01#dns_ovh#https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361864'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] keyauthorization='4cZFXfEFx6PtM2Fm6CosGJNaSVEL6qCmO1ZXVFo-FGg.HE_wXl0hO27VkHihdxC4YusrdFwAiOrXzrKtbH-UEmk'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361864/cq2QHg'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] token='4cZFXfEFx6PtM2Fm6CosGJNaSVEL6qCmO1ZXVFo-FGg'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] entry='"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361864/cq2QHg","token":"4cZFXfEFx6PtM2Fm6CosGJNaSVEL6qCmO1ZXVFo-FGg"'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _authz_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361864'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _currentRoot='dns_ovh'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _w='dns_ovh'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] Getting webroot for domain='lilalop.fr'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] d='lilalop.fr'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] dvlist='*.lilalop.fr#x2LamjivSKQ_g3UsObJHXBkkZ07J4sEEAXEHtIKCj34.HE_wXl0hO27VkHihdxC4YusrdFwAiOrXzrKtbH-UEmk#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361854/mdz7hA#dns-01#dns_ovh#https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361854'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] keyauthorization='x2LamjivSKQ_g3UsObJHXBkkZ07J4sEEAXEHtIKCj34.HE_wXl0hO27VkHihdxC4YusrdFwAiOrXzrKtbH-UEmk'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361854/mdz7hA'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] token='x2LamjivSKQ_g3UsObJHXBkkZ07J4sEEAXEHtIKCj34'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] entry='"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9695361854/mdz7hA","token":"x2LamjivSKQ_g3UsObJHXBkkZ07J4sEEAXEHtIKCj34"'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _authz_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361854'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _currentRoot='dns_ovh'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _w='dns_ovh'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] Getting webroot for domain='*.lilalop.fr'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] d='*.lilalop.fr'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] code='200'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _ret='0'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.1HsSFqdF -g '
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361864'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] POST
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] payload
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361864'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] =======Begin Send Signed Request=======
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] code='200'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _ret='0'
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.1HsSFqdF -g '
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361854'
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] POST
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] payload
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9695361854'
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] =======Begin Send Signed Request=======
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/126317524/12547212544'
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/126317524/12547212544'
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] code='201'
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] _ret='0'
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.1HsSFqdF -g '
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] POST
2023-11-26T09:57:04 acme.sh [Sun Nov 26 09:57:04 UTC 2023] _ret='0'
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.1HsSFqdF -g -I '
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] HEAD
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] RSA key
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] payload='{"identifiers": [{"type":"dns","value":"*.lilalop.fr"},{"type":"dns","value":"lilalop.fr"}]}'
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] =======Begin Send Signed Request=======
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] d
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] d='lilalop.fr'
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] Getting domain auth token for each domain
2023-11-26T09:57:03 acme.sh [Sun Nov 26 09:57:03 UTC 2023] Multi domain='DNS:*.lilalop.fr,DNS:lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _createcsr
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Read key length:4096
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _saved_account_key_hash is not changed, skip register account.
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] d
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _currentRoot='dns_ovh'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Check for domain='lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] d='lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _currentRoot='dns_ovh'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Check for domain='*.lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] d='*.lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Le_LocalAddress
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _chk_alt_domains='lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _chk_main_domain='*.lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _on_before_issue
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ACME_REVOKE_CERT='https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ACME_NEW_ACCOUNT='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ACME_NEW_ORDER='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ACME_NEW_AUTHZ
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ACME_KEY_CHANGE='https://acme-staging-v02.api.letsencrypt.org/acme/key-change'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ret='0'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.PCbiwJPi -g '
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] timeout=
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] url='https://acme-staging-v02.api.letsencrypt.org/directory'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] GET
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Le_NextRenewTime
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] DOMAIN_PATH='/var/etc/acme-client/home/*.lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Using config home:/var/etc/acme-client/home
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _alt_domains='lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] _main_domain='*.lilalop.fr'
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Running cmd: issue
2023-11-26T09:57:02 acme.sh [Sun Nov 26 09:57:02 UTC 2023] Using server: https://acme-staging-v02.api.letsencrypt.org/directory
github-actions[bot] commented 10 months ago

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

quanticworld commented 10 months ago

The latest 3.0.7 version is already installed; I still have the error, sorry.

I'm looking into the code on my end 🔎, I'll let you know if I find the cause, by any chance.

quanticworld commented 10 months ago

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

Note: logs are already at level debug 2.

quanticworld commented 10 months ago

Oh, important detail ==> I can't have an A entry on my DNS server because my provider forbids IPv4 NAT; I have to set an AAAA for my hostname.domain.fr.

It may be the cause of curl failing, and then acme failing. I'll look into this.

quanticworld commented 9 months ago

OK, I dug into the issue; actually I have to provide the ACME challenge DNS TXT entry manually in order to make acme.sh work (without the OpnSense plugin).

I suspect the cause may be the unique AAAA entry for my wildcard domain. I can't have an A entry because I can't have any static IPv4 with my provider.

Do you know if acme.sh is compatible with IPv6 only?
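
Added example (not part of the thread and not acme.sh code): in the debug log above, the GET to https://eu.api.ovh.com/1.0/domain ends with curl ret='7' immediately before "The consumer key is invalid" is logged, so this script classifies an acme.sh debug log as a transport failure or a key rejection. The function names, the sample log lines (including the 192.0.2.10 address and the code='403' line) and the output labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an acme.sh debug log for OVH DNS API failures.
# Function names and sample data are constructed for illustration.

# Constructed sample (newest line first), modelled on the log in this issue.
sample_transport_log() {
  cat <<'EOF'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] The consumer key is invalid: xxxxxxxx
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] ret='7'
        == Info: Failed to connect to eu.api.ovh.com port 443 after 24 ms: Couldn't connect to server
        == Info: Immediate connect fail for 192.0.2.10: Permission denied
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] url='https://eu.api.ovh.com/1.0/domain'
2023-11-26T09:57:05 acme.sh [Sun Nov 26 09:57:05 UTC 2023] _ret='0'
EOF
}

# Constructed sample: the request reached the API and the key was refused.
sample_auth_log() {
  cat <<'EOF'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] The consumer key is invalid: xxxxxxxx
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] code='403'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] _ret='0'
2023-11-26T09:57:06 acme.sh [Sun Nov 26 09:57:06 UTC 2023] url='https://eu.api.ovh.com/1.0/domain'
EOF
}

# classify_ovh_failure [host-substring] < logfile
# Prints one line: "transport curl=<code> host=<host>[ local-deny]",
# "auth-rejected" or "no-ovh-error".
classify_ovh_failure() {
  awk -v q="'" -v want="${1:-api.ovh.com}" '
    # curl exit status: " ret=N" with N != 0 ("_ret" has no leading space)
    $0 ~ (" ret=" q "[1-9]") {
      s = $0; sub(".* ret=" q, "", s); sub(q ".*", "", s); code = s
    }
    # host curl could not reach, kept only if it is the DNS API host
    /Failed to connect to / {
      s = $0; sub(/.*Failed to connect to /, "", s); sub(/ port .*/, "", s)
      if (index(s, want)) host = s
    }
    # an immediate EACCES is reported by the local host, not by the server
    /Immediate connect fail for .*: Permission denied/ { denied = 1 }
    /The consumer key is invalid/ { keyerr = 1 }
    END {
      if (code != "" && host != "")
        printf "transport curl=%s host=%s%s\n", code, host, (denied ? " local-deny" : "")
      else if (keyerr)
        print "auth-rejected"
      else
        print "no-ovh-error"
    }'
}

sample_transport_log | classify_ovh_failure   # transport failure, not a bad key
```

Run it on a real log with `classify_ovh_failure < /path/to/acme.sh.log`. A `transport` result points at connectivity from the host running acme.sh (routing, address family, local packet filter) rather than at the OVH credentials.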