Issues with DNS challenge

[JustinWebDev]

First, see issue #62. Second, how do you get out the DNS record Host and value into variables for use in another program? This makes it hard to automate. Third, the hint of "Wait for DNS to update by checking it with the command: nslookup -q=TXT _acme-challenge.mydomain.com" is incorrect, gives an error as there is no such domain. Shouldn't it read nslookup -q=txt mydomain.com?

Fourth, I can't get Let's Encrypt to succeed, I always get: (tested only on LE test server, did not use -live param) _You can now delete 'acme-challenge.mydomain.com' DNS record Domain mydomain.com has failed verification (status code 200). All verifications failed

Using GoDaddy DNS.

[do-know]

I will see if the #62 is reproducible, but it may need a log output (produced with --debug --debug) to pinpoint the problem potentially. Regarding the host/value - depends on what you mean by "use in another program", but generally there are 2 ways to pass that data to some other program or code:

• use the plugin (similar to the example in the repository), which can receive all the details regarding the challenge and completion and trigger any arbitrary action.
• use the log configuration (as shown here) to just log the necessary details into a file (or some other output) watched by another program.

Regarding the DNS check command - the one given by the application is correct and should reflect the record that needs to be created.

[JustinWebDev]

I've learned something since I logged this issue and got a cert.

The problem was that LE64 would report: _Challenge for 'mydomain.com' requires the following DNS record to be created: Host: _acme-challenge.mydomain.com, type: TXT, value: UAN10wo91ZDl38RkfqTpwdAIhN2E-EdwSxVEr4zyxxE._ So, I created records using the host value exactly as stated, and that doesn't work. I then tested with creating the record with host = _acme-challenge.@ and that worked!

For the nslookup comment, you are correct. After I created the DNS record using @ instead of domain_name, I could then use the cmd as stated and see my record. Also, I didn't test this until a day later since my cert worked.

I'm using the Windows EXE, so the logging example is not useful to me. Is there another way?

[do-know]

OK, so this must be specifics of GoDaddy UI, because something like NameSilo for example has split-inputs and there are variations with other registrars and DNS hosters. Regarding the logging - that should work regardless of the platform (same with custom plugins - they are supported on Windows as well, with no additional installations). Have you tried to use the config given as the example and run the client with --log-config parameter pointing to it?

[JustinWebDev]

I wouldn't know how to implement "Log::Log4perl module" and I don't use le.pl. Is there a way to access the log interface with the Windows EXE?

[do-know]

As I said previously, the features of the plugins and logging (in fact all the features of le.pl) are supported by the Windows app without any additional installation. So for example you would be able to use the DNS.pm module I have referenced before and you can just as well use logging. To give you a simplified example - create a configuration file with a text editor (it does not matter what the extension would be, you can even call it log.txt) containing the example configuration:

 log4perl.rootLogger=DEBUG, File, Screen
 log4perl.appender.File = Log::Log4perl::Appender::File
 log4perl.appender.File.filename = le.log
 log4perl.appender.File.mode = append
 log4perl.appender.File.layout = PatternLayout
 log4perl.appender.File.layout.ConversionPattern = %d [%p] %m%n
 log4perl.appender.File.utf8 = 1
 log4perl.appender.Screen = Log::Log4perl::Appender::Screen
 log4perl.appender.Screen.layout = PatternLayout
 log4perl.appender.Screen.layout.ConversionPattern = %d [%p] %m%n
 log4perl.appender.Screen.utf8 = 1

Save it to the same directory where the app is. Then run le64.exe (or le32.exe, depending on which one you are using) with the additional parameter of --log-config - for example, if you run it like shown below, it will just exit saying that account key file name should be specified, and you will also find the same messages as shown on screen in the created le.log file:

le64.exe --log-config log.txt

I hope that helps.

[JustinWebDev]

Yes, that did help. Thank you. I thought I had to use native Perl to do this. I'm not able to do a full test because the cmd just finishes with "The job is done, enjoy your certificate!" and doesn't do the pause for DNS record creation. Is this because the previously created cert is so new?

le64.exe -email "email@email.com" -key account.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "mydomain.com" -generate-missing -handle-as dns -export-pfx "secret" -debug --log-config log.txt

Is there any documentation of the methods and properties and any other logging details, or is the above example you show all the options available? Of course, the goal would be to isolate the DNS record info from the output (even w/o the logging timestamp).

I get the feeling I'm still missing something :-) I'm still trying to digest what the DNS plugin does for me.

[do-know]

You are correct - if you have just issued a certificate, there will be some validity period when the challenges are not requested and the new certificate is issued without asking for those as long as the set of the domains is the same.

Regarding the logging, there are quite a few options, documented for example at:

https://metacpan.org/pod/Log::Log4perl::Config https://metacpan.org/pod/Log::Log4perl::Layout::PatternLayout https://metacpan.org/dist/Log-Log4perl

You can also try --delayed option, which causes the application to stop after requesting the necessary challenges and showing them to you (and without waiting for Enter to be pressed). As shown in the app help (when --help option is used):

If you want to run the process in two steps (accept a challenge and then
continue after running some other process), you can use --delayed flag.
That flag interrupts the process once the challenge is received and
appropriate information about what is required is printed or logged.

Once you have fulfilled the requirements (by either creating a verification
file or a DNS record), you can re-run the process without --delayed
option.

[JustinWebDev]

Thank you much!