andyzhshg / syno-acme

An automated script that renews Synology HTTPS wildcard certificates via the ACME protocol
MIT License
739 stars 259 forks

[ERR] fail to generateCrt #52

Open AxisRay opened 4 years ago

AxisRay commented 4 years ago

Model: DS918+
DSM Version: DSM 6.2.2-24922 Update 6
syno-acme-0.2.1-dnspod
Log:

begin updating default cert by acme.sh tool
[Wed Jul 15 01:03:38 CST 2020] Multi domain='DNS:------,DNS:*.------'
[Wed Jul 15 01:03:38 CST 2020] Getting domain auth token for each domain
[Wed Jul 15 01:03:53 CST 2020] Getting webroot for domain='-----'
[Wed Jul 15 01:03:53 CST 2020] Getting webroot for domain='*.------'
[Wed Jul 15 01:03:53 CST 2020] Adding txt value: *** for domain:  _acme-challenge.------
[Wed Jul 15 01:03:54 CST 2020] Adding record
[Wed Jul 15 01:03:54 CST 2020] The txt record is added: Success.
[Wed Jul 15 01:03:54 CST 2020] Sleep 120 seconds for the txt records to take effect
[Wed Jul 15 01:05:54 CST 2020] ------ is already verified, skip dns-01.
[Wed Jul 15 01:05:54 CST 2020] Verifying: *.------
[Wed Jul 15 01:05:58 CST 2020] *.------:Verify error:CAA record for *.------ prevents issuance
[Wed Jul 15 01:05:58 CST 2020] Removing DNS records.
[Wed Jul 15 01:05:58 CST 2020] Removing txt: **** for domain: _acme-challenge.------
[Wed Jul 15 01:06:04 CST 2020] Removed: Success
[Wed Jul 15 01:06:04 CST 2020] Please check log file for more details: /volume1/DATA/Script/syno-acme/acme.sh/acme.sh.log
[Wed Jul 15 01:06:12 CST 2020] Installing cert to:/usr/syno/etc/certificate/_archive/4VEbo0/cert.pem
cat: /volume1/DATA/Script/syno-acme/acme.sh/------/------.cer: No such file or directory
[ERR] fail to generateCrt
begin revert
begin revertCrt
/volume1/DATA/Script/syno-acme/backup/20200715010320/certificate /usr/syno/etc/certificate
/volume1/DATA/Script/syno-acme/backup/20200715010320/package_cert /usr/local/etc/certificate
begin reloadWebService
reloading new cert...
alias-register stop/waiting
relading Apache 2.2
stop: Unknown job: pkg-apache22
start: Unknown job: pkg-apache22
reload: Unknown job: pkg-apache22
done reloadWebService
done revertCrt 

acme.sh.log

[Wed Jul 15 01:05:59 CST 2020] Record.Remove
[Wed Jul 15 01:05:59 CST 2020] url='https://dnsapi.cn/Record.Remove'
[Wed Jul 15 01:05:59 CST 2020] POST
[Wed Jul 15 01:05:59 CST 2020] _post_url='https://dnsapi.cn/Record.Remove'
[Wed Jul 15 01:05:59 CST 2020] _CURL='curl -L --silent --dump-header /volume1/DATA/Script/syno-acme/acme.sh/http.header  -g '
[Wed Jul 15 01:06:04 CST 2020] _ret='0'
[Wed Jul 15 01:06:04 CST 2020] Removed: Success
[Wed Jul 15 01:06:04 CST 2020] _on_issue_err
[Wed Jul 15 01:06:04 CST 2020] Please check log file for more details: /volume1/DATA/Script/syno-acme/acme.sh/acme.sh.log
[Wed Jul 15 01:06:04 CST 2020] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/5879336498/rN3fww'
[Wed Jul 15 01:06:04 CST 2020] payload='{}'
[Wed Jul 15 01:06:04 CST 2020] POST
[Wed Jul 15 01:06:04 CST 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/5879336498/rN3fww'
[Wed Jul 15 01:06:04 CST 2020] _CURL='curl -L --silent --dump-header /volume1/DATA/Script/syno-acme/acme.sh/http.header  -g '
[Wed Jul 15 01:06:09 CST 2020] _ret='0'
[Wed Jul 15 01:06:09 CST 2020] code='200'
[Wed Jul 15 01:06:09 CST 2020] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/5879475662/4m2KcA'
[Wed Jul 15 01:06:09 CST 2020] payload='{}'
[Wed Jul 15 01:06:09 CST 2020] POST
[Wed Jul 15 01:06:09 CST 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/5879475662/4m2KcA'
[Wed Jul 15 01:06:09 CST 2020] _CURL='curl -L --silent --dump-header /volume1/DATA/Script/syno-acme/acme.sh/http.header  -g '
[Wed Jul 15 01:06:11 CST 2020] _ret='0'
[Wed Jul 15 01:06:11 CST 2020] code='400'
[Wed Jul 15 01:06:12 CST 2020] Running cmd: installcert

jxmlingyun commented 3 years ago

I ran into the same problem.

cy0131 commented 3 years ago

I ran into the same problem.

mao13820 commented 3 years ago

Same problem. Automatic renewal stopped working about a month ago.

mao13820 commented 3 years ago

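I solved it. The cause was that I use DNSPod for DNS resolution, had CNAMEd the @ apex domain to somewhere else, and was requesting a * wildcard certificate. DNSPod's CAA records do not support the case where the apex domain is CNAMEd out. So either remove the CNAME on the @ apex domain, or don't request a wildcard certificate, or don't use DNSPod; dropping any one of these three conditions is enough.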

AxisRay commented 3 years ago

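> I solved it. The cause was that I use DNSPod for DNS resolution, had CNAMEd the @ apex domain to somewhere else, and was requesting a * wildcard certificate. DNSPod's CAA records do not support the case where the apex domain is CNAMEd out. So either remove the CNAME on the @ apex domain, or don't request a wildcard certificate, or don't use DNSPod; dropping any one of these three conditions is enough.

How do I avoid requesting a wildcard certificate? The script requests one by default.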

AxisRay commented 3 years ago

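> I solved it. The cause was that I use DNSPod for DNS resolution, had CNAMEd the @ apex domain to somewhere else, and was requesting a * wildcard certificate. DNSPod's CAA records do not support the case where the apex domain is CNAMEd out. So either remove the CNAME on the @ apex domain, or don't request a wildcard certificate, or don't use DNSPod; dropping any one of these three conditions is enough.

Solved it, just modify the script: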

# Original commands (apex plus wildcard), commented out:
#${ACME_BIN_PATH}/acme.sh --force --log --issue --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}" -d "*.${DOMAIN}"
#${ACME_BIN_PATH}/acme.sh --force --installcert -d ${DOMAIN} -d *.${DOMAIN} \
# Replacement commands that request only the apex domain:
${ACME_BIN_PATH}/acme.sh --force --log --issue --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}"
${ACME_BIN_PATH}/acme.sh --force --installcert -d "${DOMAIN}" \
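
A pre-flight check for the "CAA record ... prevents issuance" failure diagnosed in this thread, as an added example that is not part of the issue or of syno-acme. It parses `dig +short CAA` output for the apex name, reports a CNAME the resolver followed, and applies the RFC 8659 `issue`/`issuewild` rule. The function name `caa_verdict`, the availability of `dig`, and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# caa_verdict CA WILDCARD
#   stdin    : output of `dig +short CAA <apex>` (one record per line)
#   CA       : CA identifier in lower case, e.g. letsencrypt.org
#   WILDCARD : 1 if the certificate request includes *.<apex>, else 0
# Prints "allow" or "deny", plus " alias=<target>" when a CNAME was followed.
# Only the issue and issuewild properties are evaluated; other tags are ignored.
caa_verdict() {
    awk -v ca="$1" -v wild="$2" '
    # A CAA record in dig +short form looks like: 0 issue "letsencrypt.org"
    $1 ~ /^[0-9]+$/ && NF >= 3 {
        tag = tolower($2)
        val = $0
        sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)  # keep text inside quotes
        sub(/;.*$/, "", val); gsub(/[ \t]/, "", val)   # drop parameters, spaces
        val = tolower(val)
        if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
        if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
        next
    }
    # Any other non-empty line is the target of a CNAME that was followed,
    # so the CAA records after it belong to the alias target, not the apex.
    NF { alias = $1 }
    END {
        if (wild == 1 && n_wild > 0)
            verdict = ok_wild ? "allow" : "deny"    # issuewild overrides issue
        else if (n_issue > 0)
            verdict = ok_issue ? "allow" : "deny"
        else
            verdict = "allow"                       # no restricting property
        if (alias != "") verdict = verdict " alias=" alias
        print verdict
    }'
}

# Constructed sample: the apex is a CNAME and the alias target publishes a
# CAA set that names a different CA. Prints: deny alias=cdn.example.net.
printf '%s\n' 'cdn.example.net.' '0 issue "other-ca.example"' |
    caa_verdict letsencrypt.org 1

# Live use (assumes dig is installed; example.com is a placeholder):
#   dig +short CAA example.com | caa_verdict letsencrypt.org 1
```

An empty response yields "allow" for that name only; a CA continues the lookup at each parent domain, so repeat the check one label up when nothing is returned.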