go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

easydns: fix zone detection #2121

Closed ldez closed 4 months ago

ldez commented 4 months ago

Fixes #1466

thadius83 commented 4 months ago

Perfect. Will try it out tomorrow and provide feedback. Much appreciated.

ldez commented 4 months ago

@thadius83 any news?

thadius83 commented 4 months ago

> @thadius83 any news?

No go unfortunately. Same results.

Fresh build using - git clone git@github.com:ldez/lego.git

When I use the incorrect key I'm able to get error logs from the easydns control panel which show that it's not breaking the domain up correctly:

O:8:"stdClass":6:{s:6:"domain";s:5:"id.au";s:4:"host";s:23:"_acme-challenge.test.XX";s:3:"ttl";s:3:"120";s:4:"prio";s:1:"0";s:4:"type";s:3:"TXT";s:5:"rdata";s:43:"randomkeydataforverification";}

Note my domain is 2 letters.

When using the correct credentials, there is nothing recorded in the log file on the easydns side.

I suspect due to a parsing error, it's attempting to modify "id.au" rather than "XX.id.au".

A successful log from them using acme.sh looks like this.

03:05 attempt is lego
03:33 is acme.sh

In the PUT command at 03:33:16, the content is:

O:8:"stdClass":2:{s:4:"host";s:20:"_acme-challenge.test";s:5:"rdata";s:43:"jgqKt2KhgjeykQTEpVM1j4p5P2ZkEMusOfX7mh2fask";}

But it's submitting that PUT against zones/records/add/XX.id.au/TXT rather than zones/records/add/id.au/TXT, which is what lego is doing.

![image](https://github.com/go-acme/lego/assets/59833021/c906206a-1938-41d3-96aa-d97ffa0bee2a)

ldez commented 4 months ago

> Fresh build using - git clone git@github.com:ldez/lego.git

Have you checked out the branch (fix/easydns) of my PR?

> I suspect due to a parsing error, it's attempting to modify "id.au" rather than "XX.id.au"

My PR doesn't contain parsing: I replaced the previous algorithm (based on split) with DNS calls.

ldez commented 4 months ago

Can you try this call:

https://sandbox.rest.easydns.net:3001/#/read/listZone

with domain:

  1. _acme-challenge.test.XX.id.au
  2. test.XX.id.au

and give me the JSON answers?

thadius83 commented 4 months ago

> > Fresh build using - git clone git@github.com:ldez/lego.git
>
> Have you checked out the branch (fix/easydns) of my PR?

# git branch -l
* fix/easydns

lego version b7f0ca141a0443bd8745dc1bd241daa6384e721c linux/amd64

I believe it's the correct version?

ldez commented 4 months ago

OK, I just wanted to be sure because your message was ambiguous.

Can you answer this comment? https://github.com/go-acme/lego/pull/2121#issuecomment-1970398881

thadius83 commented 4 months ago

> Can you try this call:
>
> https://sandbox.rest.easydns.net:3001/#/read/listZone
>
> with domain:
>
>   1. _acme-challenge.test.XX.id.au
>   2. test.XX.id.au
>
> and give me the JSON answers?

I suspect I'm doing something wrong; the API under read doesn't have listZone.

I have tested the sandbox credentials and am able to pull data via other commands.

ldez commented 4 months ago

It's /zones/records/all/{domain}

[Screenshot: easyDNS REST API - Swagger UI]

thadius83 commented 4 months ago

https://sandbox.rest.easydns.net/zones/records/all/test.xx.id.au

{
  "error": {
    "code": 403,
    "message": "Access to resource denied due to permissions"
  }
}

If I execute it on the parent domain it works and dumps out the entire zone file. I've removed the other subdomains and parent domain info:

curl -X 'GET' \
  'https://sandbox.rest.easydns.net/zones/records/all/XX.id.au' \
  -H 'accept: application/json' \
  -H 'Authorization: Basic dxxxxxxxxxxxxxxxxxxxxxxxmFwaTY1ZTAxZTEwODljNTA3Ljg0MzU5MTI2'

{
  "tm": 1709190001,
  "data": [
    {
      "id": "134249771",
      "domain": "xx.id.au",
      "host": "test",
      "ttl": "300",
      "prio": "0",
      "type": "A",
      "rdata": "10.0.1.100",
      "geozone_id": "0",
      "last_mod": "2024-02-28 06:36:41"
    },
  ],
  "count": 43,
  "total": 43,
  "start": 0,
  "max": 1000,
  "status": 200
}
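
To make the zone-detection change concrete (ldez's note above that the fix replaces a split-based algorithm with DNS calls, and the listing above where only the parent zone XX.id.au answers the records call while the subdomain does not), here is an added Go example; it is not lego's or easyDNS's own code. The ZoneLookup function type, the constructedZones map and all helper names are assumptions made for illustration: a real lookup would be an SOA query or the easyDNS /zones/records/all/{domain} call, and the sample zone list stands in for the account's real zones.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ZoneLookup answers "is this candidate name a zone this account manages?".
// In a real provider this is a DNS SOA query or, for easyDNS, a call to
// /zones/records/all/{domain}; here it is a function value so the example
// can run offline against constructed data. (Assumed type, not lego's API.)
type ZoneLookup func(candidate string) (bool, error)

// errNoSubdomain mirrors the condition lego reported in the thread when the
// challenge name and the detected zone were the same.
var errNoSubdomain = errors.New("no subdomain because the domain and the zone are identical")

// naiveSplitZone is the fixed-position split the old behaviour amounted to:
// it treats the last two labels as the zone, which misfires on public
// suffixes such as id.au (a two-letter domain under it becomes "id.au").
func naiveSplitZone(fqdn string) string {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// findZone walks up the name one label at a time and returns the first
// candidate the lookup confirms as a managed zone. It never tries the bare
// TLD, and it propagates lookup errors instead of guessing a zone.
func findZone(fqdn string, lookup ZoneLookup) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := 0; i < len(labels)-1; i++ {
		candidate := strings.Join(labels[i:], ".")
		ok, err := lookup(candidate)
		if err != nil {
			return "", fmt.Errorf("zone lookup for %s: %w", candidate, err)
		}
		if ok {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("no managed zone found for %s", fqdn)
}

// extractSubDomain removes the zone suffix from the FQDN to get the record
// host (the "host" field in the easyDNS payload). A name equal to its zone
// has no host part, which is the error seen in the thread.
func extractSubDomain(fqdn, zone string) (string, error) {
	name := strings.TrimSuffix(fqdn, ".")
	z := strings.TrimSuffix(zone, ".")
	if strings.EqualFold(name, z) {
		return "", fmt.Errorf("%w: %s", errNoSubdomain, fqdn)
	}
	if !strings.HasSuffix(strings.ToLower(name), "."+strings.ToLower(z)) {
		return "", fmt.Errorf("%s is not inside zone %s", fqdn, zone)
	}
	return name[:len(name)-len(z)-1], nil
}

// splitChallengeName is the two-step replacement for the naive split:
// detect the zone by lookup, then derive the host relative to it.
func splitChallengeName(fqdn string, lookup ZoneLookup) (zone, host string, err error) {
	zone, err = findZone(fqdn, lookup)
	if err != nil {
		return "", "", err
	}
	host, err = extractSubDomain(fqdn, zone)
	if err != nil {
		return "", "", err
	}
	return zone, host, nil
}

// constructedZones is sample data standing in for the account's zone list;
// it is not a real easyDNS response.
var constructedZones = map[string]bool{
	"xx.id.au":      true,
	"example.co.uk": true,
}

func constructedLookup(candidate string) (bool, error) {
	return constructedZones[strings.ToLower(candidate)], nil
}

func main() {
	fqdn := "_acme-challenge.test.XX.id.au."
	fmt.Println("naive split zone:", naiveSplitZone(fqdn))
	zone, host, err := splitChallengeName(fqdn, constructedLookup)
	fmt.Printf("lookup-based: zone=%s host=%s err=%v\n", zone, host, err)
	_, _, err = splitChallengeName("XX.id.au.", constructedLookup)
	fmt.Println("apex name:", err)
}
```

The naive split yields "id.au" for the thread's name, which is exactly the zone the failing requests were sent to; the lookup-based walk stops at XX.id.au and produces the host `_acme-challenge.test` that the acme.sh log shows. Note that in the listing above the subdomain query returned 403 rather than 404, so a real lookup has to decide whether a 403 means "not a zone I manage" or "this token lacks rights" (the interpretation ldez gives for the later report); the example keeps that decision inside the lookup callback so the zone walk itself does not change.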

thadius83 commented 4 months ago

I've tried the last two commits you've made with no luck; varying errors.

Most recent:

2024/02/29 07:08:17 [INFO] [test.xx.id.au] acme: Preparing to solve DNS-01
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xf699c7]

goroutine 1 [running]:
github.com/go-acme/lego/v4/providers/dns/easydns.(*DNSProvider).Present(0xc0013921a0, {0xc001322cb0, 0xd}, {0xedd7b5ee1?, 0x0?}, {0xc0011cb320?, 0x3?})
        github.com/go-acme/lego/v4/providers/dns/easydns/easydns.go:127 +0x1a7
github.com/go-acme/lego/v4/challenge/dns01.(*Challenge).PreSolve(0xc00138e0c0, {{0xc001322cc0, 0x7}, {0x0, 0xedd7b5ee1, 0x0}, {{0xc001322ca8, 0x3}, {0xc001322cb0, 0xd}}, ...})
        github.com/go-acme/lego/v4/challenge/dns01/dns_challenge.go:95 +0x27a
github.com/go-acme/lego/v4/challenge/resolver.sequentialSolve({0xc00011b550, 0x1, 0x0?}, 0xc0013198f0)
        github.com/go-acme/lego/v4/challenge/resolver/prober.go:102 +0x1d8
github.com/go-acme/lego/v4/challenge/resolver.(*Prober).Solve(0xc000de2370, {0xc000afe460, 0x1, 0x14?})
        github.com/go-acme/lego/v4/challenge/resolver/prober.go:86 +0x535
github.com/go-acme/lego/v4/certificate.(*Certifier).Obtain(0xc001388390, {{0xc000bbe030, 0x1, 0x1}, {0x0, 0x0}, 0x0, {0x0, 0x0, 0x0}, ...})
        github.com/go-acme/lego/v4/certificate/certificates.go:143 +0x3e2
github.com/go-acme/lego/v4/cmd.obtainCertificate(0xc000c4e440, 0xc001392060)
        github.com/go-acme/lego/v4/cmd/cmd_run.go:202 +0x23c
github.com/go-acme/lego/v4/cmd.run(0xc000c4e440)
        github.com/go-acme/lego/v4/cmd/cmd_run.go:105 +0x257
github.com/urfave/cli/v2.(*Command).Run(0xc000b1d340, 0xc000c4e440, {0xc000aa8d10, 0x1, 0x1})
        github.com/urfave/cli/v2@v2.27.1/command.go:279 +0x97d
github.com/urfave/cli/v2.(*Command).Run(0xc000b1db80, 0xc000b91880, {0xc00013a000, 0x8, 0x8})
        github.com/urfave/cli/v2@v2.27.1/command.go:272 +0xbb7
github.com/urfave/cli/v2.(*App).RunContext(0xc000e8c400, {0x3563b08, 0x54b5900}, {0xc00013a000, 0x8, 0x8})
        github.com/urfave/cli/v2@v2.27.1/app.go:337 +0x58b
github.com/urfave/cli/v2.(*App).Run(...)
        github.com/urfave/cli/v2@v2.27.1/app.go:311
main.main()
        github.com/go-acme/lego/v4/cmd/lego/main.go:42 +0x1c7

lego version f5edd675dbd259f45c529df83adb8145c0243119 linux/amd64

ldez commented 4 months ago

@thadius83 can you try with my new fix?

thadius83 commented 4 months ago

> @thadius83 can you try with my new fix?

Worked first time! Output in the easydns logs matches the acme.sh shell script.

Mind if I ask what the issue was, and are there any other tests or logs you want?

I did test initially with the wrong credentials, and it returned the following, rather than the usual unauthorised message:

2024/03/03 12:46:17 [INFO] [test.XX.id.au] acme: Obtaining bundled SAN certificate
2024/03/03 12:46:17 [INFO] [test.XX.id.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/321xxxxxx
2024/03/03 12:46:17 [INFO] [test.XX.id.au] acme: Could not find solver for: tls-alpn-01
2024/03/03 12:46:17 [INFO] [test.XX.id.au] acme: Could not find solver for: http-01
2024/03/03 12:46:17 [INFO] [test.XX.id.au] acme: use dns-01 solver
2024/03/03 12:46:17 [INFO] [test.XX.id.au] acme: Preparing to solve DNS-01
2024/03/03 12:46:19 [INFO] [test.XX.id.au] acme: Cleaning DNS-01 challenge
2024/03/03 12:46:19 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/32196xxxxxxxxx
2024/03/03 12:46:20 Could not obtain certificates:
        error: one or more domains had a problem:
[test.XX.id.au] [test.XX.id.au] acme: error presenting token: easydns: no subdomain because the domain and the zone are identical: _acme-challenge.test.XX.id.au.

ldez commented 4 months ago

With my latest commit, when using an invalid token you will have the API response:

easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!

Their messages are not clear, but it's not my fault :smile:

thadius83 commented 4 months ago

> With my latest commit, when using an invalid token you will have the API response:
>
> easydns: code 420: Enhance Your Calm. Rate limit exceeded (too many requests) OR you did NOT provide any credentials with your request!
>
> Their messages are not clear, but it's not my fault 😄

haha no worries. I figured you might want to fix that just to be pedantic and avoid people like me questioning it! Thanks for the great work!

tsg1992 commented 3 months ago

Hi, sorry to be the party pooper; not sure how all this works inside out, but I did:

# snap install lego (on my Ubuntu server)
lego v4.16.1 from El Dez (ldez) installed

and still getting:

CERTIFICATE: *.juliamiles.co.uk; STATUS: Generating a new certificate ...
2024/03/25 18:21:45 [INFO] [*.juliamiles.co.uk, juliamiles.co.uk] acme: Obtaining SAN certificate
2024/03/25 18:21:46 [INFO] [*.juliamiles.co.uk] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/330668204327
2024/03/25 18:21:46 [INFO] [juliamiles.co.uk] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/330668204337
2024/03/25 18:21:46 [INFO] [*.juliamiles.co.uk] acme: use dns-01 solver
2024/03/25 18:21:46 [INFO] [juliamiles.co.uk] acme: Could not find solver for: tls-alpn-01
2024/03/25 18:21:46 [INFO] [juliamiles.co.uk] acme: Could not find solver for: http-01
2024/03/25 18:21:46 [INFO] [juliamiles.co.uk] acme: use dns-01 solver
2024/03/25 18:21:46 [INFO] [*.juliamiles.co.uk] acme: Preparing to solve DNS-01
2024/03/25 18:21:48 [INFO] [*.juliamiles.co.uk] acme: Cleaning DNS-01 challenge
2024/03/25 18:21:48 [INFO] [juliamiles.co.uk] acme: Preparing to solve DNS-01
2024/03/25 18:21:49 [INFO] [juliamiles.co.uk] acme: Cleaning DNS-01 challenge
2024/03/25 18:21:49 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/330668204327
2024/03/25 18:21:49 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/330668204337
2024/03/25 18:21:49 Could not obtain certificates:
    error: one or more domains had a problem:
[*.juliamiles.co.uk] [*.juliamiles.co.uk] acme: error presenting token: easydns: error adding zone record: 403: request failed: {"error":{"code":403,"message":"Access to resource denied due to permissions"}}
[juliamiles.co.uk] [juliamiles.co.uk] acme: error presenting token: easydns: error adding zone record: 403: request failed: {"error":{"code":403,"message":"Access to resource denied due to permissions"}}

What am I doing wrong?

Cheers! -AL

ldez commented 3 months ago

> 403: request failed: {"error":{"code":403,"message":"Access to resource denied due to permissions"}}

The new implementation does a new call to get the zone; based on your log, I think it's because your token doesn't have enough rights.

ldez commented 3 months ago

@tsg1992 Can you open a new dedicated issue if the problem is not related to rights/permissions?

In this new issue, can you provide the output of your lego with the env var LEGO_DEBUG_CLIENT_VERBOSE_ERROR set to true?

tsg1992 commented 3 months ago

Sure, thanks for the quick reply @ldez. I'll open a new dedicated thread. It's not permission related, as I can create/renew other certificates without issues.