Closed thangamani-arun closed 7 years ago
That is the correct behaviour. You add the DNS entries and then rerun with renew. It will validate the DNS entries and generate the certificate
@FernandoMiguel Thanks for your quick clarification. The documentation wasn't clear for this scenario.
What is the expiry time for the DNS challenge token? Is it 120 seconds (default)?
If I use --dnssleep 86400 (24 hrs), then I can add and verify the TXT record within 24 hrs and re-run with --renew -d
@thangamani-arun Please read and follow this section carefully: https://github.com/Neilpang/acme.sh#8-use-dns-mode
@Neilpang may I propose an improvement? Either state after "Please add those txt records to the domains. Waiting for the dns to take effect." that the user needs to run acme.sh --renew -d example.com
or set a timer waiting for a long time (say 5/10 min?) and then run renew automatically. If it fails, ask the user to finish updating the DNS entries manually and run renew again when done.
@Neilpang @FernandoMiguel Thanks for your quick support. It works within 2 minutes and I confirmed it for the m2.silverlining.systems domain.
But when I tried with the --dns and --dnssleep 86400 options after 23:38 hrs, it gives an error for renewal.
Part-2: SSL request with --dns --dnssleep 86400 for m4.silverlining.systems
root@benchmark:~# /root/.acme.sh/acme.sh --issue --accountemail arun@silverliningsys.com --dns --dnssleep 86400 -d m4.silverlining.systems
[Mon Mar 27 18:01:24 SGT 2017] Creating domain key
[Mon Mar 27 18:01:24 SGT 2017] Single domain='m4.silverlining.systems'
[Mon Mar 27 18:01:24 SGT 2017] Getting domain auth token for each domain
[Mon Mar 27 18:01:24 SGT 2017] Getting webroot for domain='m4.silverlining.systems'
[Mon Mar 27 18:01:24 SGT 2017] Getting new-authz for domain='m4.silverlining.systems'
[Mon Mar 27 18:01:27 SGT 2017] The new-authz request is ok.
[Mon Mar 27 18:01:27 SGT 2017] Add the following TXT record:
[Mon Mar 27 18:01:27 SGT 2017] Domain: '_acme-challenge.m4.silverlining.systems'
[Mon Mar 27 18:01:27 SGT 2017] TXT value: 'Ah3LvktUH-UsLs75cdJL4nQXI3lLJwyjiweBvVOtTno'
[Mon Mar 27 18:01:27 SGT 2017] Please be aware that you prepend _acme-challenge. before your domain
[Mon Mar 27 18:01:27 SGT 2017] so the resulting subdomain will be: _acme-challenge.m4.silverlining.systems
[Mon Mar 27 18:01:27 SGT 2017] Please add the TXT records to the domains, and retry again.
[Mon Mar 27 18:01:27 SGT 2017] Please add '--debug' or '--log' to check more details.
[Mon Mar 27 18:01:27 SGT 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
DNS TXT Record:
;; ANSWER SECTION:
_acme-challenge.m4.silverlining.systems. 599 IN TXT "Ah3LvktUH-UsLs75cdJL4nQXI3lLJwyjiweBvVOtTno"
Renew:
root@benchmark:~# /root/.acme.sh/acme.sh --renew -d m4.silverlining.systems
[Tue Mar 28 17:38:12 SGT 2017] Renew: 'm4.silverlining.systems'
[Tue Mar 28 17:38:12 SGT 2017] Single domain='m4.silverlining.systems'
[Tue Mar 28 17:38:12 SGT 2017] Getting domain auth token for each domain
[Tue Mar 28 17:38:12 SGT 2017] Verifying:m4.silverlining.systems
[Tue Mar 28 17:38:15 SGT 2017] m4.silverlining.systems:Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: Response does not complete challenge","status": 400}
[Tue Mar 28 17:38:15 SGT 2017] Please add '--debug' or '--log' to check more details.
[Tue Mar 28 17:38:15 SGT 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acm
Help me to understand why I am getting this error.
@thangamani-arun Do not use --dns anymore. Please use webroot mode or dns api mode instead.
@FernandoMiguel I don't think it's necessary. The manual dns mode cannot work for auto-renewal. It's just for testing. Maybe I will remove it in future. I think the readme doc is clear enough; if the user doesn't read the readme before using, that's not our responsibility. Leave him.
@Neilpang What I am testing is a real use-case. We have shared hosting for many customers; the domains are owned by different customers and they want a smooth migration.
I cannot use the webroot method since the customer domains are not mapped to my server IP until SSL is installed. So I have to use the DNS challenge method. The only problem is that the DNS key/token expires in a short time.
Is there a way to obtain SSL with the DNS method by adding a TXT record for a given DNS challenge key?
@Neilpang thanks for clearing that up. I've heard LE is going to reduce the validity time window for DNS entries.
I have the need to use manual DNS as Namecheap DNS api mode is not supported. I do not want to move the NS server to Cloudflare as I need some features from Namecheap. I followed the readme with the DNS manual challenge, created the TXT record on Namecheap and ran the renew after a couple of minutes, but got the same error message: 'Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: Response does not complete challenge","status": 400}'. In another reported issue, it is recommended to use the DNS api for the renew. However, I cannot use the DNS api; that's why I have to use DNS manual mode, but it does not work. Please assist. Thanks.
@florid2 Please wait enough time, and check the txt record by yourself before you use --renew again. You can use dig, nslookup or many online websites to check the txt record of your domain. acme.sh is not able to know how long it should wait.
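The check described above, as an added example that is not part of acme.sh or of this thread: poll the _acme-challenge TXT record with dig until it carries the token acme.sh printed, and only then run --renew. The domain, token, interval and attempt count are placeholders; dig is assumed to be installed.

```shell
#!/bin/sh
# Added example (not acme.sh code): wait for the _acme-challenge TXT record
# to become visible before running acme.sh --renew in DNS manual mode.

# Return 0 if the dig TXT answer text ($1) contains the expected token ($2).
# dig +short prints each TXT record quoted, one per line, so a stale and a
# fresh record can both be present; we only require that the fresh one is.
txt_has_token() {
    printf '%s\n' "$1" | grep -F -x -- "\"$2\"" >/dev/null 2>&1
}

# Ask the resolver for the TXT records of _acme-challenge.<domain> (assumes dig).
query_txt() {
    dig +short TXT "_acme-challenge.$1"
}

# Poll every $3 seconds, up to $4 attempts; return 1 if the token never shows up.
wait_for_txt() {
    domain=$1; token=$2; interval=${3:-30}; attempts=${4:-20}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_has_token "$(query_txt "$domain")" "$token"; then
            echo "TXT record for _acme-challenge.$domain carries the expected token"
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    echo "token not visible in _acme-challenge.$domain after $attempts checks" >&2
    return 1
}

# Usage (placeholder values): renew only once the record is live.
# wait_for_txt example.com 'TOKEN_FROM_ACME_OUTPUT' 30 20 && \
#     /root/.acme.sh/acme.sh --renew -d example.com
```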
@Neilpang Apologies, it works now. As the DNS manual guide is a little bit confusing, it generated two challenge codes and the DNS TXT records got messed up. Today it is all clear. I am using Synology with the DNS manual process. I followed the guide https://github.com/Neilpang/acme.sh/wiki/Synology-NAS-Guide: ./acme.sh --issue -d YOURDOMAIN.TLD --dns --certpath /usr/syno/etc/certificate/system/default/cert.pem --keypath /usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath /usr/syno/etc/certificate/system/default/fullchain.pem --dnssleep 300 After I added the TXT record: ./acme.sh --renew -d YOURDOMAIN.TLD But --certpath and --keypath do not work. It stored the private key, cert and intermediate CA under the ~/.acme.sh/ folder in .cer and .key format. I need to copy them out, then use the Synology DSM web GUI to import them into the system. Not sure if I can append --certpath and --keypath to --renew in the next 60 days. It would save some time in the manual process. Thanks again for this wonderful tool!
I'm the author of that guide. Feel free to improve on it with your discovery. I've updated it recently to simplify the instructions a bit, but I always welcome further input.
In your case I guess you would need to run acme.sh --install-cert and those paths.
Readme here needs to be updated: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
It didn't mention that --renew was required.
The script output itself needs an improvement. Current unclear language:
Please add the TXT records to the domains, and retry again.
Better to understand advice:
Add the TXT records to the domain(s), and --renew instead of --install.
@ProBackup-nl it should always use dns api instead of just DNS01 mode... dns01 without api is mostly for testing mode, as it will not auto renew
When doing testing it is still cumbersome to need to read a manual. That dns01 without api will not auto renew is explained later on in the --renew process:
It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
CMD: /root/.acme.sh/acme.sh --issue --dns -d m2.silverlining.systems --debug 6
Problem: It does not wait for DNS challenge verification for the TXT record to be created. If I add a "TXT" record with the given challenge token, it is not accepted and the token is regenerated.
Reproduce Steps: ./acme.sh --issue --dns -d --debug 6
How to get rid of this issue ?