acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

During secondary validation: Incorrect TXT record #5106

Open DesireWithin opened 4 months ago

DesireWithin commented 4 months ago

Steps to reproduce

I can't renew my certs. I guess there are 12 TXT records for "_acme-challenge.gtjaqh.net" in Aliyun (including 2 added by this operation and then removed because validation failed), but acme (or maybe Let's Encrypt, I'm not sure) only queries the first eight of them.

Commands

/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt    # run first time
/root/.acme.sh/acme.sh --renew --force --dns dns_ali -d 'gtjaqh.net' -d '*.gtjaqh.net' --home /root/.acme.sh --keylength 2048 --debug

Debug log

[Tue Apr 23 17:15:32 CST 2024] d='gtjaqh.net'
[Tue Apr 23 17:15:32 CST 2024] _d_alias
[Tue Apr 23 17:15:32 CST 2024] txtdomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:32 CST 2024] txt='fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU'
[Tue Apr 23 17:15:32 CST 2024] d_api='/root/.acme.sh/dnsapi/dns_ali.sh'
[Tue Apr 23 17:15:32 CST 2024] dns_entry='gtjaqh.net,_acme-challenge.gtjaqh.net,,dns_ali,fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU,/root/.acme.sh/dnsapi/dns_ali.sh'
[Tue Apr 23 17:15:32 CST 2024] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Apr 23 17:15:32 CST 2024] Adding txt value: fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU for domain:  _acme-challenge.gtjaqh.net
[Tue Apr 23 17:15:32 CST 2024] First detect the root zone
[Tue Apr 23 17:15:32 CST 2024] GET
[Tue Apr 23 17:15:32 CST 2024] url='https://alidns.aliyuncs.com/?AccessKeyId=...'
[Tue Apr 23 17:15:32 CST 2024] timeout=
[Tue Apr 23 17:15:32 CST 2024] Http already initialized.
[Tue Apr 23 17:15:32 CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.Tp5rRofsL0  -g '
[Tue Apr 23 17:15:33 CST 2024] ret='0'
[Tue Apr 23 17:15:33 CST 2024] response='{"TotalCount":741,"PageSize":20,"RequestId":"...","DomainRecords":...,"PageNumber":1}'
[Tue Apr 23 17:15:33 CST 2024] _sub_domain='_acme-challenge'
[Tue Apr 23 17:15:33 CST 2024] _domain='gtjaqh.net'
[Tue Apr 23 17:15:33 CST 2024] Add record
[Tue Apr 23 17:15:34 CST 2024] GET
[Tue Apr 23 17:15:34 CST 2024] url='https://alidns.aliyuncs.com/?AccessKeyId=...'
[Tue Apr 23 17:15:34 CST 2024] timeout=
[Tue Apr 23 17:15:34 CST 2024] Http already initialized.
[Tue Apr 23 17:15:34 CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.Tp5rRofsL0  -g '
[Tue Apr 23 17:15:34 CST 2024] ret='0'
[Tue Apr 23 17:15:34 CST 2024] response='{"RequestId":"...","RecordId":"..."}'
[Tue Apr 23 17:15:34 CST 2024] The txt record is added: Success.
[Tue Apr 23 17:15:34 CST 2024] gtjaqh.net,_acme-challenge.gtjaqh.net,,dns_ali,fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU,/root/.acme.sh/dnsapi/dns_ali.sh

(added successfully for d='*.gtjaqh.net')
...
[Tue Apr 23 17:15:36 CST 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Tue Apr 23 17:15:57 CST 2024] You can use '--dnssleep' to disable public dns checks.
[Tue Apr 23 17:15:57 CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Tue Apr 23 17:15:57 CST 2024] _is_idn_d='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] _idn_temp
[Tue Apr 23 17:15:57 CST 2024] _is_idn_d='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] _idn_temp
[Tue Apr 23 17:15:57 CST 2024] d='gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] txtdomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] aliasDomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] txt='fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU'
[Tue Apr 23 17:15:57 CST 2024] d_api='/root/.acme.sh/dnsapi/dns_ali.sh'
[Tue Apr 23 17:15:57 CST 2024] Checking gtjaqh.net for _acme-challenge.gtjaqh.net
[Tue Apr 23 17:15:57 CST 2024] _c_txtdomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] _c_aliasdomain='_acme-challenge.gtjaqh.net'
[Tue Apr 23 17:15:57 CST 2024] _c_txt='fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU'
[Tue Apr 23 17:15:57 CST 2024] Detect dns server first.
...
[Tue Apr 23 17:16:08 CST 2024] _answers='"Answer":[
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"pUpttbpk-LKoqw8Ai51ah-Srt8sY4QjWpN0H5TrS99E\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"Ewf-MW4igSMpMKpO0Ym0vkylTbjBwF9jhsluPKmUdU4\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"yjIffHTg3F8UDyXRmoutToO8Ed_uxSo4ZIej4SWok6g\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"l3Dy8BeZsZoz97kbw3AEZyB4trllQI3K8CMSWuLjUO4\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"5GlkBuChYGOWhXMkcDmFRmNxoW09qcAd4pOIBxTeKLE\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"fyWkFwj4i1XQe1k8g11AXxVhyz6Ogfmhn8Wri5oBIjU\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"RSFhUuyZJ3XFhU-RZFNSLOV23umzv2D59836gDX11O8\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"rpBuC-0qIPD1d_1YU63kbUODx_CgamTyGTy2c3zFglA\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"TYPZNVAUMZUkTc8VPd5sFN7p-IXjfl8pe0Uo0iQODvU\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"EA6OFwSJntP7zSuSoZwb-iZI5JBKQ6lSU16mHTzDD0U\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"AVLhrVK15qyqlZdYOmnqTpeNOc9YFiSrhHeBDX6P5aQ\"",
"name":"_acme-challenge.gtjaqh.net.","TTL":600,"type":16,"data":"\"gNngisNxiJg99Ee6SsQC-WPsriLMINHGCwOIY9bF0eE\""]'
[Tue Apr 23 17:16:08 CST 2024] Domain gtjaqh.net '_acme-challenge.gtjaqh.net' success.

(also successful for d='*.gtjaqh.net')
...

But during secondary validation, I noticed that the response body said it only found 8 TXT records:

[Tue Apr 23 17:16:09 CST 2024] Pending, The CA is processing your order, please just wait. (1/30)
[Tue Apr 23 17:16:09 CST 2024] sleep 2 secs to verify again
[Tue Apr 23 17:16:12 CST 2024] checking
....
[Tue Apr 23 17:16:14 CST 2024] responseHeaders='HTTP/1.1 200 OK
Server: nginx
Date: Tue, 23 Apr 2024 09:16:13 GMT
Content-Type: application/json
Content-Length: 847
Connection: keep-alive
Boulder-Requester: 1306814826
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: ....
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
'
[Tue Apr 23 17:16:14 CST 2024] code='200'
[Tue Apr 23 17:16:14 CST 2024] original='{
  "identifier": {
    "type": "dns",
    "value": "gtjaqh.net"
  },
  "status": "invalid",
  "expires": "2024-04-30T09:15:29Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "During secondary validation: Incorrect TXT record \"gNngisNxiJg99Ee6SsQC-WPsriLMINHGCwOIY9bF0eE\" (and 7 more) found at _acme-challenge.gtjaqh.net",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/.....",
      "token": ".....",
      "validationRecord": [
        {
          "hostname": "gtjaqh.net",
          "resolverAddrs": [
            "....."
          ]
        }
      ],
      "validated": "2024-04-23T09:16:09Z"
    }
  ]
}'
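An added example, not acme.sh's code or the reporter's: a pre-flight check in Python over a DoH-style JSON answer of the shape acme.sh logs as `_answers`, reporting whether the expected token is present (the only thing acme.sh's dnscheck tests) and how many stale `_acme-challenge` TXT records sit beside it. The sample response, the `example.net` name, the token strings and the `max_records` threshold are all constructed or assumed.

```python
import json

# Constructed sample (not from the issue): a DoH JSON answer in the shape that
# acme.sh logs as _answers, with 11 stale tokens and one fresh one. Token
# values are made up.
CHALLENGE_NAME = "_acme-challenge.example.net"
FRESH_TOKEN = "fresh-token-for-this-order"
_RRSET = [{"name": CHALLENGE_NAME + ".", "TTL": 600, "type": 16,
           "data": '"stale-token-%02d"' % i} for i in range(11)]
_RRSET.append({"name": CHALLENGE_NAME + ".", "TTL": 600, "type": 16,
               "data": '"%s"' % FRESH_TOKEN})
SAMPLE_DOH_RESPONSE = json.dumps({"Status": 0, "Answer": _RRSET})


def txt_values(doh_json, name):
    """Extract TXT rdata (type 16) for `name` from a DoH JSON answer."""
    doc = json.loads(doh_json)
    values = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != 16:
            continue
        if rr.get("name", "").rstrip(".") != name.rstrip("."):
            continue
        data = rr.get("data", "")
        # DoH returns TXT rdata wrapped in quotes; strip one layer.
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1]
        values.append(data)
    return values


def check_challenge_rrset(doh_json, name, expected, max_records=4):
    """Report whether `expected` is present and flag an RRset bloated by stale
    tokens. `max_records` is an assumed heuristic: one run adds one TXT record
    per identifier in the order, so a dozen records means earlier runs were
    never cleaned up, and the CA may not see the same set the client sees."""
    values = txt_values(doh_json, name)
    present = expected in values
    stale = [v for v in values if v != expected]
    if not present:
        status = "missing"
    elif len(values) > max_records:
        status = "present-but-bloated"
    else:
        status = "ok"
    return {"status": status, "present": present,
            "total": len(values), "stale": stale}


if __name__ == "__main__":
    r = check_challenge_rrset(SAMPLE_DOH_RESPONSE, CHALLENGE_NAME, FRESH_TOKEN)
    print(r["status"], r["total"], "records,", len(r["stale"]), "stale")
```

Running this before `--renew` on a zone that has accumulated old challenge records gives a clear "present-but-bloated" signal, which is the condition in this issue that acme.sh's own check reports as success.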
github-actions[bot] commented 4 months ago

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.