go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Add DNS provider for Lima-City #2248

Closed ldez closed 2 months ago

ldez commented 2 months ago

Ping @feroxib, can you run the command (with your domain, email, and credentials)?

-> https://github.com/go-acme/lego/pull/2248#issuecomment-2319212961

Closes #2247

feroxib commented 2 months ago

Ping @ldez, I have a bit of trouble here.

Steps: cloned https://github.com/ldez/lego.git

cd ./lego
make build
rm -rf .lego
LIMACITY_API_KEY=yyyy \
./dist/lego -m your@email.com --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run 

and got:

2024/08/27 14:17:56 No key found for account my@email.com. Generating a P256 key.
2024/08/27 14:17:56 Saved key to /home/me/Downloads/lego/.lego/accounts/acme-staging-v02.api.letsencrypt.org/my@email.com/keys/my@email.com.key
2024/08/27 14:17:57 unrecognized DNS provider: limacity

Please let me know if I did something wrong, because I don't see it xD

feroxib commented 2 months ago

Also double-checked the API key; it's registered as dns.admin, domain.admin.

ldez commented 2 months ago

Did you check out my branch?

git switch feat/lima-city 
feroxib commented 2 months ago

Oh wow, yeah, I kinda never realized that taking the clone URL on GitHub doesn't actually give you the branch you're checking out in the browser... sorry for that.

feroxib commented 2 months ago
```
LIMACITY_API_KEY= ./dist/lego -m my@email.com --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
2024/08/27 14:34:09 No key found for account my@email.com. Generating a P256 key.
2024/08/27 14:34:09 Saved key to /home/me/Documents/git/lego/.lego/accounts/acme-staging-v02.api.letsencrypt.org/my@email.com/keys/my@email.com.key
2024/08/27 14:34:10 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
Do you accept the TOS? Y/n
y
2024/08/27 14:34:12 [INFO] acme: Registering account for my@email.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/me/Documents/git/lego/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/08/27 14:34:13 [INFO] [*.example.com, example.com] acme: Obtaining bundled SAN certificate
2024/08/27 14:34:15 [INFO] [*.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13756805883
2024/08/27 14:34:15 [INFO] [example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13756805893
2024/08/27 14:34:15 [INFO] [*.example.com] acme: use dns-01 solver
2024/08/27 14:34:15 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2024/08/27 14:34:15 [INFO] [example.com] acme: Could not find solver for: http-01
2024/08/27 14:34:15 [INFO] [example.com] acme: use dns-01 solver
2024/08/27 14:34:15 [INFO] [*.example.com] acme: Preparing to solve DNS-01
2024/08/27 14:34:15 [INFO] [example.com] acme: Preparing to solve DNS-01
2024/08/27 14:34:15 [INFO] [*.example.com] acme: Cleaning DNS-01 challenge
2024/08/27 14:34:15 [WARN] [*.example.com] acme: cleaning up failed: liara: unknown domain ID for '_acme-challenge.example.com.' '7xxxxxx-Fxxxxxxxxxxxxxxxx_zxxxxxxxxxxxxxxx'
2024/08/27 14:34:15 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2024/08/27 14:34:15 [WARN] [example.com] acme: cleaning up failed: liara: unknown domain ID for '_acme-challenge.example.com.' 'exxxxxxxxxxxx-x-xx_gxxxxxxxxxxxxxxx-Rxxxxxxxxxx'
2024/08/27 14:34:16 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13756805883
2024/08/27 14:34:17 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13756805893
2024/08/27 14:34:17 Could not obtain certificates:
	error: one or more domains had a problem:
[*.example.com] [*.example.com] acme: error presenting token: limacity: get domains: unable to unmarshal response: [status code: 200] body: {"domains":[{"id":2****,"mode":"CREATE","tld":"com","domain":"example","in_subscription":false,"auto_renew":false,"status":"ok","unicode_fqdn":"example.com","registered_at":"1970-01-01T00:00:00+00:00","registered_until":"2000-01-01T00:00:00+00:00","renew_price":00.01}]} error: json: cannot unmarshal number into Go struct field Domain.domains.id of type string
[example.com] [example.com] acme: error presenting token: limacity: get domains: unable to unmarshal response: [status code: 200] body: {"domains":[{"id":2****,"mode":"CREATE","tld":"com","domain":"example","in_subscription":false,"auto_renew":false,"status":"ok","unicode_fqdn":"example.com","registered_at":"1970-01-01T00:00:00+00:00","registered_until":"2000-01-01T00:00:00+00:00","renew_price":00.01}]} error: json: cannot unmarshal number into Go struct field Domain.domains.id of type string
```
feroxib commented 2 months ago

I don't know what this error "unable to unmarshal response" exactly means, but it looks like the JSON error "cannot unmarshal number into Go struct field" is the underlying one, right?

To clarify the values that I redacted

Hope that helps.

ldez commented 2 months ago

I fixed the problem, can you try again?

feroxib commented 2 months ago
```
2024/08/27 15:07:38 Could not obtain certificates:
	error: one or more domains had a problem:
[*.example.com] [*.example.com] acme: error presenting token: limacity: add record: unexpected status code: [status code: 400] body: {"status":400,"error":"Bad Request"}
[example.com] [example.com] acme: error presenting token: limacity: add record: unexpected status code: [status code: 400] body: {"status":400,"error":"Bad Request"}
```
feroxib commented 2 months ago

What's the deal with "error presenting token"?

ldez commented 2 months ago

I fixed the problem, can you try again?

feroxib commented 2 months ago

Almost got it xD

```
LIMACITY_API_KEY= ./dist/lego -m my@email.com --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
2024/08/27 15:26:33 [INFO] [*.example.com, example.com] acme: Obtaining bundled SAN certificate
2024/08/27 15:26:35 [INFO] [*.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13757327693
2024/08/27 15:26:35 [INFO] [example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13757327703
2024/08/27 15:26:35 [INFO] [*.example.com] acme: use dns-01 solver
2024/08/27 15:26:35 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2024/08/27 15:26:35 [INFO] [example.com] acme: Could not find solver for: http-01
2024/08/27 15:26:35 [INFO] [example.com] acme: use dns-01 solver
2024/08/27 15:26:35 [INFO] [*.example.com] acme: Preparing to solve DNS-01
2024/08/27 15:26:36 [INFO] [example.com] acme: Preparing to solve DNS-01
2024/08/27 15:26:36 [INFO] [*.example.com] acme: Trying to solve DNS-01
2024/08/27 15:26:36 [INFO] [*.example.com] acme: Checking DNS record propagation. [nameservers=127.0.0.53:53]
2024/08/27 15:26:38 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/27 15:26:38 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
..........
2024/08/27 15:27:37 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
2024/08/27 15:27:39 [INFO] [example.com] acme: Trying to solve DNS-01
2024/08/27 15:27:39 [INFO] [example.com] acme: Checking DNS record propagation. [nameservers=127.0.0.53:53]
2024/08/27 15:27:41 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/27 15:27:41 [INFO] [example.com] acme: Waiting for DNS record propagation.
..........
2024/08/27 15:28:40 [INFO] [example.com] acme: Waiting for DNS record propagation.
2024/08/27 15:28:42 [INFO] [*.example.com] acme: Cleaning DNS-01 challenge
2024/08/27 15:28:42 [WARN] [*.example.com] acme: cleaning up failed: limacity: get records: unable to unmarshal response: [status code: 200] body: {"records":[...............,{"id":2******,"name":"example.com","subdomain":false,"type":"TXT","content":"\"w**************\"","priority":null,"ttl":3600},{"id":2*****,"name":"example.com","subdomain":false,"type":"TXT","content":"\"1*****************\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal number into Go struct field Record.records.id of type string
2024/08/27 15:28:42 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2024/08/27 15:28:42 [WARN] [example.com] acme: cleaning up failed: limacity: get records: unable to unmarshal response: [status code: 200] body: {"records":[.................,{"id":2******,"name":"example.com","subdomain":false,"type":"TXT","content":"\"w**************\"","priority":null,"ttl":3600},{"id":2*****,"name":"example.com","subdomain":false,"type":"TXT","content":"\"1*****************\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal number into Go struct field Record.records.id of type string
2024/08/27 15:28:43 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13757327693
2024/08/27 15:28:43 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13757327703
2024/08/27 15:28:43 Could not obtain certificates:
	error: one or more domains had a problem:
[*.example.com] propagation: time limit exceeded: last error: NS ns3.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: \"w**************]: none
[example.com] propagation: time limit exceeded: last error: NS ns1.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: \"1****************]: none
```

So what I checked in addition: the entries in the provider dashboard are TXT records registered directly with example.com,

but as I understand it they should be _acme-challenge.example.com.

Why, I don't know though...

feroxib commented 2 months ago

BTW, thank you for showing me that 3x ` creates code blocks.

ldez commented 2 months ago

I think it's a propagation issue, can you try to add LIMACITY_PROPAGATION_TIMEOUT=120 (for 2 minutes)?

LIMACITY_PROPAGATION_TIMEOUT=120 LIMACITY_API_KEY=<api-key> ./dist/lego -m my@email.com --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
ldez commented 2 months ago

Wait there is also a type error, I will fix that.

feroxib commented 2 months ago

(screenshot not reproduced)

Shouldn't they be under _acme-challenge.example.com?

ldez commented 2 months ago

FYI I wrote the implementation based only on the API doc, which contains no explanation of what exactly an endpoint is, some endpoints are missing, and the schema can be wrong.

For example, the JSONSchema inside the API documentation says that:

```json
{
  "required": ["errors", "status"],
  "type": "object",
  "properties": {
    "status": {
      "type": "string",
      "example": "invalid_resource",
      "isRequired": true
    },
    "errors": {
      "type": "object",
      "description": "An object containing all validation errors. The parameter name is the key, the value is an array of strings",
      "example": {"name": ["muss ausgefüllt werden"]},
      "isRequired": true
    }
  }
}
```

From your logs:

```json
{"status":400,"error":"Bad Request"}
```

Another example is the endpoint to get records:

```json
{
  "required": ["records"],
  "type": "object",
  "properties": {
    "records": {
      "type": "array",
      "items": {
        "required": ["content", "id", "name", "subdomain", "ttl", "type"],
        "type": "object",
        "properties": {
          "id": {"type": "string", "example": "1234"},
          "name": {"type": "string", "example": "example.com"},
          "subdomain": {"type": "string"},
          "type": {"type": "string", "example": "NS"},
          "content": {"type": "string", "example": "ns1.lima-city.de"},
          "ttl": {"type": "integer", "example": 3600}
        }
      }
    }
  }
}
```

id -> string

From your logs:

```json
{"records":[.................,{"id":2******,"name":"example.com","subdomain":false,"type":"TXT","content":"\"w**************\"","priority":null,"ttl":3600},{"id":2*****,"name":"example.com","subdomain":false,"type":"TXT","content":"\"1*****************\"","priority":null,"ttl":3600}]}
```

id -> int

I think that Lima-City should improve its API and its documentation.

feroxib commented 2 months ago

Fully agree xD

feroxib commented 2 months ago

Thank you for doing all that work; hope you like coffee ;)

ldez commented 2 months ago

I fixed all the ID types, let's go try again :smile:

ldez commented 2 months ago

Another example, with the endpoint to add records:

```json
{
  "required": ["nameserver_record"],
  "type": "object",
  "properties": {
    "nameserver_record": {
      "required": ["content", "name", "subdomain", "ttl", "type"],
      "type": "object",
      "properties": {
        "name": {"type": "string", "example": "example.com"},
        "type": {"type": "string", "example": "NS"},
        "content": {"type": "string", "example": "ns1.lima-city.de"},
        "ttl": {"type": "integer", "example": 3600},
        "priority": {"type": "string", "example": "10"}
      }
    }
  }
}
```

required says "content", "name", "subdomain", "ttl", "type" but subdomain is not defined inside the properties...

I don't know if subdomain really exists, and how it works.

So I'm sorry to be forced to do this try-and-fix cycle.

ldez commented 2 months ago

WTF, from your logs:

```json
{"records":[.................,{"id":2******,"name":"example.com","subdomain":false,"type":"TXT","content":"\"w**************\"","priority":null,"ttl":3600},{"id":2*****,"name":"example.com","subdomain":false,"type":"TXT","content":"\"1*****************\"","priority":null,"ttl":3600}]}
```

subdomain is a boolean???

feroxib commented 2 months ago

Yes, it looks like it's a boolean.

Testing didn't work right now either.

I still get entries at Lima-City registered under example.com, not _acme-challenge.example.com as they should be; therefore the check for the TXT value fails, I guess?

feroxib commented 2 months ago

In addition to that, I tested editing the entry to _acme-challenge.example.com and kept the value the same, all while the script was in its wait interval, but still no luck.

ldez commented 2 months ago

I tried something to fix the subdomain, but I don't know if it's the right approach :shrug:

feroxib commented 2 months ago

Still no certs...

But we have a partial success...

I now get TXT records with _acme-challenge.example.com and the correct value as logged in the terminal.

Logs to come.

feroxib commented 2 months ago
```
LIMACITY_API_KEY=the-key ./dist/lego -m my@email.com --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
2024/08/27 16:21:44 [INFO] [*.example.com, example.com] acme: Obtaining bundled SAN certificate
2024/08/27 16:21:46 [INFO] [*.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13757873233
2024/08/27 16:21:46 [INFO] [example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13757873243
2024/08/27 16:21:46 [INFO] [*.example.com] acme: use dns-01 solver
2024/08/27 16:21:46 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2024/08/27 16:21:46 [INFO] [example.com] acme: Could not find solver for: http-01
2024/08/27 16:21:46 [INFO] [example.com] acme: use dns-01 solver
2024/08/27 16:21:46 [INFO] [*.example.com] acme: Preparing to solve DNS-01
2024/08/27 16:21:46 [INFO] [example.com] acme: Preparing to solve DNS-01
2024/08/27 16:21:46 [INFO] [*.example.com] acme: Trying to solve DNS-01
2024/08/27 16:21:46 [INFO] [*.example.com] acme: Checking DNS record propagation. [nameservers=127.0.0.53:53]
2024/08/27 16:21:48 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/27 16:21:48 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
.................
2024/08/27 16:22:47 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
2024/08/27 16:22:49 [INFO] [example.com] acme: Trying to solve DNS-01
2024/08/27 16:22:49 [INFO] [example.com] acme: Checking DNS record propagation. [nameservers=127.0.0.53:53]
2024/08/27 16:22:51 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/27 16:22:51 [INFO] [example.com] acme: Waiting for DNS record propagation.
................
2024/08/27 16:23:51 [INFO] [example.com] acme: Waiting for DNS record propagation.
2024/08/27 16:23:53 [INFO] [*.example.com] acme: Cleaning DNS-01 challenge
2024/08/27 16:23:53 [WARN] [*.example.com] acme: cleaning up failed: limacity: get records: unable to unmarshal response: [status code: 200] body: {"records":[...........,{"id":29****,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"4C4F1p0SM3yNH7hfE6FmSpnH0MWHEEB6_57fI5KJLY0\"","priority":null,"ttl":3600},{"id":2951569,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"VqVgPrcjYiFI8vbuJ5AIrV6v1j2WZBYBw5QNst_lKvw\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal string into Go struct field Record.records.subdomain of type bool
2024/08/27 16:23:53 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2024/08/27 16:23:53 [WARN] [example.com] acme: cleaning up failed: limacity: get records: unable to unmarshal response: [status code: 200] body: {"records":[...........,{"id":29****,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"4C4F1p0SM3yNH7hfE6FmSpnH0MWHEEB6_57fI5KJLY0\"","priority":null,"ttl":3600},{"id":2951569,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"VqVgPrcjYiFI8vbuJ5AIrV6v1j2WZBYBw5QNst_lKvw\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal string into Go struct field Record.records.subdomain of type bool
2024/08/27 16:23:53 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13757873233
2024/08/27 16:23:53 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13757873243
2024/08/27 16:23:53 Could not obtain certificates:
	error: one or more domains had a problem:
[*.example.com] propagation: time limit exceeded: last error: NS ns2.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: 4C4F1p0SM3yNH7hfE6FmSpnH0MWHEEB6_57fI5KJLY0]:
[example.com] propagation: time limit exceeded: last error: NS ns1.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: VqVgPrcjYiFI8vbuJ5AIrV6v1j2WZBYBw5QNst_lKvw]:
```
feroxib commented 2 months ago

So I guess subdomain is no bool... but if empty it uses false instead of something more natural like null...

ldez commented 2 months ago

This is a classic with APIs created in a dynamic language (I guess it's PHP): the typing is random and the schema is a fairy tale.

ldez commented 2 months ago

I changed the type of subdomain once again.

feroxib commented 2 months ago
```
LIMACITY_API_KEY=xxxx ./dist/lego -m my@email.com --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
2024/08/27 16:42:48 [INFO] [*.example.com, example.com] acme: Obtaining bundled SAN certificate
2024/08/27 16:42:49 [INFO] [*.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758136513
2024/08/27 16:42:49 [INFO] [example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758136523
2024/08/27 16:42:49 [INFO] [*.example.com] acme: use dns-01 solver
2024/08/27 16:42:49 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2024/08/27 16:42:49 [INFO] [example.com] acme: Could not find solver for: http-01
2024/08/27 16:42:49 [INFO] [example.com] acme: use dns-01 solver
2024/08/27 16:42:49 [INFO] [*.example.com] acme: Preparing to solve DNS-01
2024/08/27 16:42:49 [INFO] [example.com] acme: Preparing to solve DNS-01
2024/08/27 16:42:49 [INFO] [*.example.com] acme: Trying to solve DNS-01
2024/08/27 16:42:49 [INFO] [*.example.com] acme: Checking DNS record propagation. [nameservers=127.0.0.53:53]
2024/08/27 16:42:51 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/27 16:42:51 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
..............
2024/08/27 16:43:50 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
2024/08/27 16:43:52 [INFO] [example.com] acme: Trying to solve DNS-01
2024/08/27 16:43:52 [INFO] [example.com] acme: Checking DNS record propagation. [nameservers=127.0.0.53:53]
2024/08/27 16:43:54 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/27 16:43:54 [INFO] [example.com] acme: Waiting for DNS record propagation.
....................
2024/08/27 16:44:53 [INFO] [example.com] acme: Waiting for DNS record propagation.
2024/08/27 16:44:55 [INFO] [*.example.com] acme: Cleaning DNS-01 challenge
2024/08/27 16:44:55 [WARN] [*.example.com] acme: cleaning up failed: limacity: get records: unable to unmarshal response: [status code: 200] body: {"records":[..........,{"id":2951583,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"Mx6aKlgUluxUCwFz8QOj5u7SNuY0GrL0Uuo53lqxhN8\"","priority":null,"ttl":3600},{"id":2951584,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"KuisvE3j_0Fl_pBx_eqisZEKiavwuzyc-tvEIXsqhkE\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal bool into Go struct field Record.records.subdomain of type string
2024/08/27 16:44:55 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2024/08/27 16:44:55 [WARN] [example.com] acme: cleaning up failed: limacity: get records: unable to unmarshal response: [status code: 200] body: {"records":[........,{"id":2951583,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"Mx6aKlgUluxUCwFz8QOj5u7SNuY0GrL0Uuo53lqxhN8\"","priority":null,"ttl":3600},{"id":2951584,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"KuisvE3j_0Fl_pBx_eqisZEKiavwuzyc-tvEIXsqhkE\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal bool into Go struct field Record.records.subdomain of type string
2024/08/27 16:44:56 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758136513
2024/08/27 16:44:57 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758136523
2024/08/27 16:44:57 Could not obtain certificates:
	error: one or more domains had a problem:
[*.example.com] propagation: time limit exceeded: last error: NS ns2.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: Mx6aKlgUluxUCwFz8QOj5u7SNuY0GrL0Uuo53lqxhN8]: VqVgPrcjYiFI8vbuJ5AIrV6v1j2WZBYBw5QNst_lKvw ,Tf3b09V3EPy7JijaJstBnmjeSh0n2bFeeDiaOlR2_r8 ,4C4F1p0SM3yNH7hfE6FmSpnH0MWHEEB6_57fI5KJLY0 ,Fp7h9OmbwFQuAbcYrV9vEM74cA3nZHLLaqMKDKrpKiU
[example.com] propagation: time limit exceeded: last error: NS ns1.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: KuisvE3j_0Fl_pBx_eqisZEKiavwuzyc-tvEIXsqhkE]: 4C4F1p0SM3yNH7hfE6FmSpnH0MWHEEB6_57fI5KJLY0 ,VqVgPrcjYiFI8vbuJ5AIrV6v1j2WZBYBw5QNst_lKvw

user@user:~/Documents/git/lego$ dig _acme-challenge.example.com TXT

; <<>> DiG 9.18.28 <<>> _acme-challenge.example.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40273
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.example.com.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 2872	IN	TXT	"VqVgPrcjYiFI8vbuJ5AIrV6v1j2WZBYBw5QNst_lKvw"
_acme-challenge.example.com. 2872	IN	TXT	"4C4F1p0SM3yNH7hfE6FmSpnH0MWHEEB6_57fI5KJLY0"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Aug 27 16:45:50 CEST 2024
;; MSG SIZE  rcvd: 165
```

What's confusing is the multiple records. Do they indicate the TXT records not being deleted correctly? And it seems only the old ones are being found, so I'll try with a propagation delay of 120 too.

I did a follow-up dig to get the TXT records... and they're the old ones from the test before...

feroxib commented 2 months ago

So what I just tested was:

if there are multiple entries with the name _acme-challenge.example.com and different TXT values like

```
_acme-challenge.example.com "23454453"
_acme-challenge.example.com "56544563"
_acme-challenge.example.com "34578756"
```

dig will show all 3 of them; lego will also get all 3 of them as part of the JSON response body,

but will pick the first one instead of trying all 3 to find a match.

ldez commented 2 months ago

> dig will show all 3 of them; lego will also get all 3 of them as part of the JSON response body,
>
> but will pick the first one instead of trying all 3 to find a match.

If dig shows the 3 entries, Let's Encrypt and lego will show the 3 entries.

The problem here is more of a DNS propagation issue: Lima-City seems very slow to propagate DNS changes to all its DNS servers.

The NS used by LE are different from your local resolvers, so the propagation problem can be hidden.

You can use some online tools to check that:

ldez commented 2 months ago

> What's confusing is the multiple records. Do they indicate the TXT records not being deleted correctly?

lego creates all the TXT records before all the challenges and deletes them at the end. So it's expected to have multiple records.
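The two recurring problems in this thread, a provider API whose field types drift from its own schema (`id` as number where the doc says string, `subdomain` as `false` or as a string) and several `_acme-challenge` TXT values coexisting during a run, are both handled in the Go program below. It is an added example for this discussion, not lego's code and not the Lima-City provider implementation from the PR: the `FlexString` type, the `Record` struct and the helper names are my own, and the record list and token values are constructed to mirror the shape of the logs above, not copied from a real zone.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// FlexString tolerates the type drift seen in this thread: a JSON string,
// a JSON number (the "id" field) or the JSON literal false/null (the
// "subdomain" field on apex records) all decode into a plain string.
type FlexString string

func (f *FlexString) UnmarshalJSON(b []byte) error {
	s := strings.TrimSpace(string(b))
	switch {
	case s == "null", s == "false":
		*f = "" // the API sends false where "no subdomain" is meant
	case s == "true":
		return fmt.Errorf("flexstring: unexpected JSON true")
	case strings.HasPrefix(s, `"`):
		var str string
		if err := json.Unmarshal(b, &str); err != nil {
			return err
		}
		*f = FlexString(str)
	default:
		// A JSON number: keep its exact text so ids are never rounded via float64.
		var n json.Number
		if err := json.Unmarshal(b, &n); err != nil {
			return err
		}
		*f = FlexString(n.String())
	}
	return nil
}

// Record mirrors the fields the "get records" response carries in the logs.
type Record struct {
	ID        FlexString `json:"id"`
	Name      string     `json:"name"`
	Subdomain FlexString `json:"subdomain"`
	Type      string     `json:"type"`
	Content   string     `json:"content"`
	TTL       int        `json:"ttl"`
}

type recordsResponse struct {
	Records []Record `json:"records"`
}

// ParseRecords decodes a "get records" body; the error carries the body so a
// schema mismatch stays visible in logs, as lego's own error message does.
func ParseRecords(body []byte) ([]Record, error) {
	var resp recordsResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("unable to unmarshal response: body: %s: %w", body, err)
	}
	return resp.Records, nil
}

// sameName compares owner names ignoring case and the trailing dot lego logs.
func sameName(a, b string) bool {
	return strings.EqualFold(strings.TrimSuffix(a, "."), strings.TrimSuffix(b, "."))
}

// txtValue strips the quotes the provider wraps around TXT content.
func txtValue(r Record) string { return strings.Trim(r.Content, `"`) }

// TXTValues returns every TXT value published at fqdn.
func TXTValues(records []Record, fqdn string) []string {
	var values []string
	for _, r := range records {
		if r.Type == "TXT" && sameName(r.Name, fqdn) {
			values = append(values, txtValue(r))
		}
	}
	return values
}

// HasTXT reports whether expected is among the TXT values at fqdn. Any match
// counts, so stale challenge records from earlier runs cannot mask the fresh one.
func HasTXT(records []Record, fqdn, expected string) bool {
	for _, v := range TXTValues(records, fqdn) {
		if v == expected {
			return true
		}
	}
	return false
}

// FindRecordID returns the id of the TXT record holding value at fqdn, which is
// what a cleanup step needs to delete exactly its own record and nothing else.
func FindRecordID(records []Record, fqdn, value string) (string, bool) {
	for _, r := range records {
		if r.Type == "TXT" && sameName(r.Name, fqdn) && txtValue(r) == value {
			return string(r.ID), true
		}
	}
	return "", false
}

// SampleBody is constructed for this example; it mixes the types seen in the
// thread (numeric and string ids, false and string subdomains).
const SampleBody = `{"records":[
 {"id":100001,"name":"example.com","subdomain":false,"type":"NS","content":"ns1.lima-city.de","priority":null,"ttl":3600},
 {"id":100002,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"staleTokenFromEarlierRun\"","priority":null,"ttl":3600},
 {"id":"100003","name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"freshTokenFromThisRun\"","priority":null,"ttl":300}
]}`

func main() {
	records, err := ParseRecords([]byte(SampleBody))
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("id=%s name=%s subdomain=%q type=%s\n", r.ID, r.Name, r.Subdomain, r.Type)
	}
	fmt.Println("fresh token present:", HasTXT(records, "_acme-challenge.example.com.", "freshTokenFromThisRun"))
}
```

The decoder keeps numeric ids as their exact text rather than going through float64, rejects a bare `true` (which would hide a real schema change), and the lookup helpers treat every TXT value at the challenge name as a candidate, so leftover records from a previous attempt only delay a match when propagation is slow, they never cause a false negative on their own.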

ldez commented 2 months ago

Can you try to add a custom resolver:

LIMACITY_API_KEY=xxxx --dns.resolvers="1.1.1.1:53" ./dist/lego -m my@email.com --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
feroxib commented 2 months ago

> Can you try to add a custom resolver:
>
> LIMACITY_API_KEY=xxxx --dns.resolvers="1.1.1.1:53" ./dist/lego -m my@email.com --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run

I'm sorry, but it tells me

--dns.resolvers=1.1.1.1:53: command not found

I checked ./dist/lego --help and found --dns.resolvers ???? What???

ldez commented 2 months ago

Sorry wrong copy-pasting:


LIMACITY_API_KEY=xxxx ./dist/lego -m my@email.com --dns.resolvers="1.1.1.1:53" --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
feroxib commented 2 months ago

lol, makes sense, sorry xD

feroxib commented 2 months ago

Thank you for helping me get certs via API working... been waiting for years...

It's really annoying without, and sadly the price I bought the domain for was too good to change provider... xD

ldez commented 2 months ago

I reduced the TTL, I hope this change + the custom resolver will fix the problem.

feroxib commented 2 months ago
```
LIMACITY_API_KEY=the-key ./dist/lego -m my@email.com --dns.resolvers="1.1.1.1:53" --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
2024/08/27 17:31:51 No key found for account my@email.com. Generating a P256 key.
2024/08/27 17:31:51 Saved key to /home/feroxib/Documents/git/lego/.lego/accounts/acme-staging-v02.api.letsencrypt.org/my@email.com/keys/my@email.com.key
2024/08/27 17:31:52 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
Do you accept the TOS? Y/n
y
2024/08/27 17:31:53 [INFO] acme: Registering account for my@email.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/feroxib/Documents/git/lego/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/08/27 17:31:53 [INFO] [*.example.com, example.com] acme: Obtaining bundled SAN certificate
2024/08/27 17:31:54 [INFO] [*.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758650693
2024/08/27 17:31:54 [INFO] [example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758650703
2024/08/27 17:31:54 [INFO] [*.example.com] acme: use dns-01 solver
2024/08/27 17:31:54 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2024/08/27 17:31:54 [INFO] [example.com] acme: Could not find solver for: http-01
2024/08/27 17:31:54 [INFO] [example.com] acme: use dns-01 solver
2024/08/27 17:31:54 [INFO] [*.example.com] acme: Preparing to solve DNS-01
2024/08/27 17:31:54 [INFO] [example.com] acme: Preparing to solve DNS-01
2024/08/27 17:31:54 [INFO] [*.example.com] acme: Trying to solve DNS-01
2024/08/27 17:31:54 [INFO] [*.example.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53]
2024/08/27 17:31:56 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/27 17:31:57 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
.........................
2024/08/27 17:32:55 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
2024/08/27 17:32:57 [INFO] [example.com] acme: Trying to solve DNS-01
2024/08/27 17:32:57 [INFO] [example.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53]
2024/08/27 17:32:59 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/27 17:32:59 [INFO] [example.com] acme: Waiting for DNS record propagation.
.......................
2024/08/27 17:33:59 [INFO] [example.com] acme: Waiting for DNS record propagation.
2024/08/27 17:34:01 [INFO] [*.example.com] acme: Cleaning DNS-01 challenge
2024/08/27 17:34:01 [WARN] [*.example.com] acme: cleaning up failed: limacity: get records: unable to unmarshal response: [status code: 200] body: {"records":[.................,{"id":2951592,"name":"_acme-challenge.cloud.my.example.com","subdomain":"_acme-challenge.cloud.my","type":"TXT","content":"\"sDVJve7ohh6DY3iwWlMSe_mzE6iln-mUA3-3JR9nPeo\"","priority":null,"ttl":3600},{"id":2951595,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo\"","priority":null,"ttl":3600},{"id":2951596,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal bool into Go struct field Record.records.subdomain of type string
2024/08/27 17:34:01 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2024/08/27 17:34:01 [WARN] [example.com] acme: cleaning up failed: limacity: get records: unable to unmarshal response: [status code: 200] body: {"records":[.................,{"id":2951592,"name":"_acme-challenge.cloud.my.example.com","subdomain":"_acme-challenge.cloud.my","type":"TXT","content":"\"sDVJve7ohh6DY3iwWlMSe_mzE6iln-mUA3-3JR9nPeo\"","priority":null,"ttl":3600},{"id":2951595,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo\"","priority":null,"ttl":3600},{"id":2951596,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal bool into Go struct field Record.records.subdomain of type string
2024/08/27 17:34:01 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758650693
2024/08/27 17:34:01 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758650703
2024/08/27 17:34:02 Could not obtain certificates:
	error: one or more domains had a problem:
[*.example.com] propagation: time limit exceeded: last error: NS ns1.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo]: 4C4F1p0SM3yNH7hfE6FmSpnH0MWHEEB6_57fI5KJLY0 ,VqVgPrcjYiFI8vbuJ5AIrV6v1j2WZBYBw5QNst_lKvw
[example.com] propagation: time limit exceeded: last error: NS ns2.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs]: VqVgPrcjYiFI8vbuJ5AIrV6v1j2WZBYBw5QNst_lKvw ,Tf3b09V3EPy7JijaJstBnmjeSh0n2bFeeDiaOlR2_r8 ,4C4F1p0SM3yNH7hfE6FmSpnH0MWHEEB6_57fI5KJLY0 ,Fp7h9OmbwFQuAbcYrV9vEM74cA3nZHLLaqMKDKrpKiU
```

Log with the custom resolver, but still the old TTL.

ldez commented 2 months ago

Can you try to also add LIMACITY_PROPAGATION_TIMEOUT=240?

```
LIMACITY_PROPAGATION_TIMEOUT=240 LIMACITY_API_KEY=the-key ./dist/lego -m my@email.com --dns.resolvers="1.1.1.1:53" --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
```

We can see in your log that the propagation is very slow.

ldez commented 2 months ago

:thinking: You sent me the same logs as in your previous comment (with a type error about subdomain and the same TXT records), but I removed the field subdomain.

feroxib commented 2 months ago

> 🤔 You sent me the same logs as in your previous comment (with a type error about subdomain and the same TXT records)

The old TXT records don't get deleted, as I tried to say earlier.

When verifying the DNS challenge, lego picks up all the existing records and doesn't "search", but seemingly simply takes the first one available, an old value by then...

I don't know if that really is intended behaviour, as I wouldn't expect that.

ldez commented 2 months ago

> get records: unable to unmarshal response: [status code: 200] body: {"records":[.................,{"id":2951592,"name":"_acme-challenge.cloud.my.example.com","subdomain":"_acme-challenge.cloud.my","type":"TXT","content":"\"sDVJve7ohh6DY3iwWlMSe_mzE6iln-mUA3-3JR9nPeo\"","priority":null,"ttl":3600},{"id":2951595,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo\"","priority":null,"ttl":3600},{"id":2951596,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal bool into Go struct field Record.records.subdomain of type string

I removed the field subdomain so the error is impossible. Have you pulled my changes and compiled them?

feroxib commented 2 months ago

> get records: unable to unmarshal response: [status code: 200] body: {"records":[.................,{"id":2951592,"name":"_acme-challenge.cloud.my.example.com","subdomain":"_acme-challenge.cloud.my","type":"TXT","content":"\"sDVJve7ohh6DY3iwWlMSe_mzE6iln-mUA3-3JR9nPeo\"","priority":null,"ttl":3600},{"id":2951595,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo\"","priority":null,"ttl":3600},{"id":2951596,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs\"","priority":null,"ttl":3600}]} error: json: cannot unmarshal bool into Go struct field Record.records.subdomain of type string
>
> I removed the field subdomain so the error is impossible. Have you pulled my changes and compiled them?

I would've said so, but I pulled again and tested while we were discussing this. Now they're gone. I'm sorry for that mistake.
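Two things in the thread above are worth seeing in code: the `cannot unmarshal bool into ... subdomain of type string` error, and the point that several TXT records pile up at `_acme-challenge.example.com` so a lookup has to match on content rather than take the first hit. The following is an added example, not lego's code or the Lima-City provider as merged (ldez's actual fix removed the `subdomain` field entirely); the `Record` struct, `ParseRecords`, `FindChallengeRecord` and the `SampleBody` response (with one constructed record whose `subdomain` is a bool) are all assumptions built from the log excerpts, and `json.RawMessage` is used here as one way to tolerate a field whose JSON type varies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Record mirrors the "records" entries in the Lima-City response quoted above.
// The failing field was "subdomain": the API sends a bool for some records, so a
// string field rejected the whole body; json.RawMessage accepts any JSON value.
type Record struct {
	ID        int             `json:"id"`
	Name      string          `json:"name"`
	Subdomain json.RawMessage `json:"subdomain"`
	Type      string          `json:"type"`
	Content   string          `json:"content"`
	TTL       int             `json:"ttl"`
}

// SampleBody is a constructed response shaped like the one in the log, with
// one extra record carrying a bool subdomain, the case that broke the decoder.
const SampleBody = `{"records":[
{"id":1,"name":"example.com","subdomain":false,"type":"A","content":"203.0.113.10","priority":null,"ttl":3600},
{"id":2951595,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo\"","priority":null,"ttl":3600},
{"id":2951596,"name":"_acme-challenge.example.com","subdomain":"_acme-challenge","type":"TXT","content":"\"z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs\"","priority":null,"ttl":3600}]}`

// ParseRecords decodes a records response; a bool subdomain no longer fails it.
func ParseRecords(body []byte) ([]Record, error) {
	var resp struct {
		Records []Record `json:"records"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("get records: unable to unmarshal response: %w", err)
	}
	return resp.Records, nil
}

// FindChallengeRecord returns the ID of the TXT record at fqdn whose content equals
// the challenge value, skipping stale records at the same name. Lima-City stores
// TXT content with surrounding quotes, so they are stripped before comparing.
func FindChallengeRecord(records []Record, fqdn, value string) (int, bool) {
	name := strings.TrimSuffix(fqdn, ".")
	for _, r := range records {
		if r.Type == "TXT" && r.Name == name && strings.Trim(r.Content, `"`) == value {
			return r.ID, true
		}
	}
	return 0, false
}
```

Matching on content is also what makes cleanup delete only the record this run created, which is why the leftover `eoYG...` and `z4ZK...` records in the listing below never match a fresh challenge value.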

feroxib commented 2 months ago
```
LIMACITY_PROPAGATION_TIMEOUT=240 LIMACITY_API_KEY=the-key ./dist/lego -m my@email.com --dns.resolvers="1.1.1.1:53" --dns limacity -d *.example.com -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
2024/08/27 17:53:24 [INFO] [*.example.com, example.com] acme: Obtaining bundled SAN certificate
2024/08/27 17:53:25 [INFO] [*.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758833383
2024/08/27 17:53:25 [INFO] [example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758833393
2024/08/27 17:53:25 [INFO] [*.example.com] acme: use dns-01 solver
2024/08/27 17:53:25 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2024/08/27 17:53:25 [INFO] [example.com] acme: Could not find solver for: http-01
2024/08/27 17:53:25 [INFO] [example.com] acme: use dns-01 solver
2024/08/27 17:53:25 [INFO] [*.example.com] acme: Preparing to solve DNS-01
2024/08/27 17:53:25 [INFO] [example.com] acme: Preparing to solve DNS-01
2024/08/27 17:53:25 [INFO] [*.example.com] acme: Trying to solve DNS-01
2024/08/27 17:53:25 [INFO] [*.example.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53]
2024/08/27 17:53:27 [INFO] Wait for propagation [timeout: 4m0s, interval: 2s]
2024/08/27 17:53:27 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
........................
2024/08/27 17:57:26 [INFO] [*.example.com] acme: Waiting for DNS record propagation.
2024/08/27 17:57:28 [INFO] [example.com] acme: Trying to solve DNS-01
2024/08/27 17:57:28 [INFO] [example.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53]
2024/08/27 17:57:30 [INFO] Wait for propagation [timeout: 4m0s, interval: 2s]
2024/08/27 17:57:30 [INFO] [example.com] acme: Waiting for DNS record propagation.
..........................
2024/08/27 18:01:29 [INFO] [example.com] acme: Waiting for DNS record propagation.
2024/08/27 18:01:31 [INFO] [*.example.com] acme: Cleaning DNS-01 challenge
2024/08/27 18:01:31 [WARN] [*.example.com] acme: cleaning up failed: limacity: TXT record not found
2024/08/27 18:01:31 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2024/08/27 18:01:32 [WARN] [example.com] acme: cleaning up failed: limacity: TXT record not found
2024/08/27 18:01:33 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758833383
2024/08/27 18:01:33 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13758833393
2024/08/27 18:01:34 Could not obtain certificates:
        error: one or more domains had a problem:
[*.example.com] propagation: time limit exceeded: last error: NS ns2.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: zN4C1IUu7xIlVDQxUR9DlwoWUzcrpem6H0IQTgW-ZNk]: eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo ,z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs
[example.com] propagation: time limit exceeded: last error: NS ns1.lima-city.de. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: bIqi02y0IBJUHjT0ftxbXDdEcV8JwCTtK2KloGY8nxQ]: eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo ,z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs
```

Edit: at this point these TXT records are listed:

```
_acme-challenge.example.com     TXT     "eoYGntbIffR0n4MNpUMT4R5tB5ZlTIwdaJXZjPsGHZo"       3600
_acme-challenge.example.com     TXT     "z4ZKAwSHRZrDcETI-PCwQNS__5pF4UBU732OhQkdqCs"       3600
_acme-challenge.example.com     TXT     "_UvhbeDmxqoK7IPWNSE-PtnP3W7aw4B6ZXlgQllojiI"       60
_acme-challenge.example.com     TXT     "Op4Yrsf98RU_2Uh4s2OfkMEDVnvhCpCu-VKkR_hyd54"       60
_acme-challenge.example.com     TXT     "zN4C1IUu7xIlVDQxUR9DlwoWUzcrpem6H0IQTgW-ZNk"       60
_acme-challenge.example.com     TXT     "bIqi02y0IBJUHjT0ftxbXDdEcV8JwCTtK2KloGY8nxQ"       60
_acme-challenge.example.com     TXT     "zN4C1IUu7xIlVDQxUR9DlwoWUzcrpem6H0IQTgW-ZNk"       60
_acme-challenge.example.com     TXT     "bIqi02y0IBJUHjT0ftxbXDdEcV8JwCTtK2KloGY8nxQ"       60
```

ldez commented 2 months ago

Can you remove all the existing TXT records for _acme-challenge.example.com.?

ldez commented 2 months ago

I fixed a problem with the TXT record cleaning.

feroxib commented 2 months ago

All records deleted, confirmed with dig and an online DNS checker. Pulled changes, built, `rm -rf ./dist/.lego`, and request started...

Takes only about 8 mins again... xD

ldez commented 2 months ago

More than 8 minutes after your previous comment, I feel like it still doesn't work...