Open LexaNz opened 7 months ago
Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade
If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
Find DIG output below
DIG from external server on internet
dig _acme-challenge.smtp.mydomain.net. TXT Mon 12 Feb 2024 14:38:03
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> _acme-challenge.smtp.mydomain.net. TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3445
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.smtp.mydomain.net. IN TXT
;; ANSWER SECTION:
_acme-challenge.smtp.mydomain.net. 59 IN CNAME _acme-challenge.mydomain.net.
_acme-challenge.mydomain.net. 59 IN TXT "yDdGck6WoazAUp-jCHdYD8DQw9_dECLrG8P8qhUeHxo"
_acme-challenge.mydomain.net. 59 IN TXT "XR9CQd-1xddTBKdT8J5bxinmeX26tkcAaEslk3eOpsI"
;; Query time: 432 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Feb 12 14:38:04 NZDT 2024
;; MSG SIZE rcvd: 204
dig _acme-challenge.calcifer.mydomain.net. TXT Mon 12 Feb 2024 14:38:04
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> _acme-challenge.calcifer.mydomain.net. TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61512
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.calcifer.mydomain.net. IN TXT
;; ANSWER SECTION:
_acme-challenge.calcifer.mydomain.net. 60 IN CNAME _acme-challenge.mydomain.net.
_acme-challenge.mydomain.net. 43 IN TXT "XR9CQd-1xddTBKdT8J5bxinmeX26tkcAaEslk3eOpsI"
_acme-challenge.mydomain.net. 43 IN TXT "yDdGck6WoazAUp-jCHdYD8DQw9_dECLrG8P8qhUeHxo"
;; Query time: 228 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Feb 12 14:38:21 NZDT 2024
;; MSG SIZE rcvd: 208
DIG from same server where acme.sh is launched
dig _acme-challenge.calcifer.mydomain.net. TXT Mon 12 Feb 2024 14:32:36
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> _acme-challenge.calcifer.mydomain.net. TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3777
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6d54cb6c958c2e900100000065c9769be666e5875b22dbcc (good)
;; QUESTION SECTION:
;_acme-challenge.calcifer.mydomain.net. IN TXT
;; ANSWER SECTION:
_acme-challenge.calcifer.mydomain.net. 60 IN CNAME _acme-challenge.mydomain.net.
_acme-challenge.mydomain.net. 60 IN TXT "XR9CQd-1xddTBKdT8J5bxinmeX26tkcAaEslk3eOpsI"
_acme-challenge.mydomain.net. 60 IN TXT "yDdGck6WoazAUp-jCHdYD8DQw9_dECLrG8P8qhUeHxo"
;; Query time: 0 msec
;; SERVER: 172.23.0.1#53(172.23.0.1) (UDP)
;; WHEN: Mon Feb 12 14:38:35 NZDT 2024
;; MSG SIZE rcvd: 248
dig _acme-challenge.smtp.mydomain.net. TXT Mon 12 Feb 2024 14:38:35
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> _acme-challenge.smtp.mydomain.net. TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61261
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c2d7cf5cca40ca170100000065c976a4b8549e034f5df0fa (good)
;; QUESTION SECTION:
;_acme-challenge.smtp.mydomain.net. IN TXT
;; ANSWER SECTION:
_acme-challenge.smtp.mydomain.net. 60 IN CNAME _acme-challenge.mydomain.net.
_acme-challenge.mydomain.net. 60 IN TXT "yDdGck6WoazAUp-jCHdYD8DQw9_dECLrG8P8qhUeHxo"
_acme-challenge.mydomain.net. 60 IN TXT "XR9CQd-1xddTBKdT8J5bxinmeX26tkcAaEslk3eOpsI"
;; Query time: 0 msec
;; SERVER: 172.23.0.1#53(172.23.0.1) (UDP)
;; WHEN: Mon Feb 12 14:38:44 NZDT 2024
;; MSG SIZE rcvd: 244
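The four dig answers above show the shape an ACME CA sees during DNS-01 validation: each SAN's `_acme-challenge` name is a CNAME to one shared `_acme-challenge.mydomain.net` TXT RRset that holds both tokens. The following is an added example (not code from the issue or from the acme.sh project) that parses captured dig output offline, follows the CNAME chain the way a validator does, and checks that each SAN's expected token is present in the final TXT RRset; the pairing of tokens to SANs in `EXPECTED` is an assumption for illustration, since the issue does not say which token belongs to which name.

```python
"""Offline check of DNS-01 challenge records from captured dig output.

Added example, not part of the acme.sh issue or project. Given dig(1)
answers for each SAN's _acme-challenge name, follow CNAMEs (as the CA
does) and verify the expected token is in the resulting TXT RRset.
"""
import re
from collections import defaultdict

# Answer-section line: <owner> <ttl> IN <type> <rdata>
_RR = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(CNAME|TXT)\s+(.+)$')


def parse_dig_answers(text):
    """Return {owner: {'CNAME': [...], 'TXT': [...]}} from dig output.

    Only ANSWER SECTION lines are read; ';' comment lines are skipped and
    duplicate records (the same RRset returned by several queries) are
    collapsed. Owner names are lower-cased and made fully qualified."""
    records = defaultdict(lambda: defaultdict(list))
    in_answer = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(';; ANSWER SECTION'):
            in_answer = True
            continue
        if line.startswith(';;'):      # any other section header ends the answers
            in_answer = False
            continue
        if not in_answer or not line or line.startswith(';'):
            continue
        m = _RR.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        owner = owner.lower().rstrip('.') + '.'
        if rtype == 'TXT':
            # dig prints TXT rdata as one or more quoted strings; join them
            rdata = ''.join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))
        else:
            rdata = rdata.lower().rstrip('.') + '.'
        if rdata not in records[owner][rtype]:
            records[owner][rtype].append(rdata)
    return records


def challenge_txt_values(records, name, max_hops=8):
    """Follow CNAMEs from `name`; return (final_owner, [txt values]).

    Raises ValueError on a CNAME loop or too many hops, which a validator
    would also treat as a failed lookup."""
    owner = name.lower().rstrip('.') + '.'
    seen = set()
    for _ in range(max_hops):
        if owner in seen:
            raise ValueError(f'CNAME loop at {owner}')
        seen.add(owner)
        rr = records.get(owner, {})
        if rr.get('CNAME'):
            owner = rr['CNAME'][0]
            continue
        return owner, list(rr.get('TXT', []))
    raise ValueError('too many CNAME hops')


def check_sans(records, expected):
    """expected: {san: token}. Returns {san: (ok, final_owner, txt_values)}."""
    result = {}
    for san, token in expected.items():
        owner, txts = challenge_txt_values(records, f'_acme-challenge.{san}')
        result[san] = (token in txts, owner, txts)
    return result


# Constructed sample: the ANSWER SECTIONs from the external-resolver dig
# output quoted in the issue, joined into one capture.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;_acme-challenge.smtp.mydomain.net. IN TXT
;; ANSWER SECTION:
_acme-challenge.smtp.mydomain.net. 59 IN CNAME _acme-challenge.mydomain.net.
_acme-challenge.mydomain.net. 59 IN TXT "yDdGck6WoazAUp-jCHdYD8DQw9_dECLrG8P8qhUeHxo"
_acme-challenge.mydomain.net. 59 IN TXT "XR9CQd-1xddTBKdT8J5bxinmeX26tkcAaEslk3eOpsI"
;; Query time: 432 msec
;; QUESTION SECTION:
;_acme-challenge.calcifer.mydomain.net. IN TXT
;; ANSWER SECTION:
_acme-challenge.calcifer.mydomain.net. 60 IN CNAME _acme-challenge.mydomain.net.
_acme-challenge.mydomain.net. 43 IN TXT "XR9CQd-1xddTBKdT8J5bxinmeX26tkcAaEslk3eOpsI"
_acme-challenge.mydomain.net. 43 IN TXT "yDdGck6WoazAUp-jCHdYD8DQw9_dECLrG8P8qhUeHxo"
;; Query time: 228 msec
"""

# Assumed token-to-SAN pairing (the issue does not state which is which).
EXPECTED = {
    'smtp.mydomain.net': 'yDdGck6WoazAUp-jCHdYD8DQw9_dECLrG8P8qhUeHxo',
    'calcifer.mydomain.net': 'XR9CQd-1xddTBKdT8J5bxinmeX26tkcAaEslk3eOpsI',
}

if __name__ == '__main__':
    for san, (ok, owner, txts) in check_sans(parse_dig_answers(SAMPLE_DIG), EXPECTED).items():
        print(f'{san}: {"OK" if ok else "MISSING"} via {owner} ({len(txts)} TXT values)')
```

Because both tokens are present at the CNAME target, this check passes on the captured output, which rules out the records themselves and points the investigation at the `--debug 2` log (timing between record publication and verification, or which resolver the client polls) rather than at the zone data. Note the different TTLs (59/60 versus 43) between the two external answers: the shared RRset was already cached by the recursive resolver, which is the usual reason a freshly rewritten TXT set is not yet visible when a second SAN's challenge is checked.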
I can successfully issue a single-domain certificate, but when I need 2 SANs the verification fails.
I got no issue with single domain, but only with ZeroSSL and this edit - https://github.com/acmesh-official/acme.sh/pull/4973/files
Not the case in this issue; I am using the latest version and the Let's Encrypt server (see the upgrade before the issue).
DNS backend is BIND, with two views, internal and external. CNAME and TXT records are all correct - please see DIG output in the next comment.
real domain obfuscated by 'mydomain.net'
Steps to reproduce
See the acme.sh cmd in the log provided (BIND DNS backend)
Debug log