Closed siga1975 closed 3 years ago
Still trying to debug. I got exit code 120 from the failing gcloud command, and I cannot understand what it means...
Some more info from the gcloud logs:
[root@myfw ~/.config/gcloud/logs/2020.07.26]# cat 19.44.36.037317.log
2020-07-26 19:44:36,038 DEBUG root Loaded Command Group: ['gcloud', 'dns']
2020-07-26 19:44:36,040 DEBUG root Loaded Command Group: ['gcloud', 'dns', 'record_sets']
2020-07-26 19:44:36,053 DEBUG root Loaded Command Group: ['gcloud', 'dns', 'record-sets', 'transaction']
2020-07-26 19:44:36,056 DEBUG root Loaded Command Group: ['gcloud', 'dns', 'record-sets', 'transaction', 'start']
2020-07-26 19:44:36,059 DEBUG root Running [gcloud.dns.record-sets.transaction.start] with arguments: [--transaction-file: "/tmp/tmp.eURaR1AH/tr.yaml", --zone: "internal"]
2020-07-26 19:44:36,585 INFO ___FILE_ONLY___ Transaction started [/tmp/tmp.eURaR1AH/tr.yaml].
2020-07-26 19:44:36,585 DEBUG root [Errno 32] Broken pipe
Traceback (most recent call last):
File "/usr/local/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 983, in Execute
resources = calliope_command.Run(cli=self, args=args)
File "/usr/local/google-cloud-sdk/lib/googlecloudsdk/calliope/backend.py", line 808, in Run
resources = command_instance.Run(args)
File "/usr/local/google-cloud-sdk/lib/surface/dns/record_sets/transaction/start.py", line 112, in Run
args.transaction_file))
File "/usr/local/google-cloud-sdk/lib/googlecloudsdk/core/log.py", line 205, in Print
self._Write(plain_text, styled_text)
File "/usr/local/google-cloud-sdk/lib/googlecloudsdk/core/log.py", line 234, in _Write
self.flush()
File "/usr/local/google-cloud-sdk/lib/googlecloudsdk/core/log.py", line 249, in flush
self.__stream_wrapper.stream.flush()
BrokenPipeError: [Errno 32] Broken pipe
All my certificates are expired; what can I do to speed up the process? I tried to debug the issue more in depth, but with no success.
@siga1975 Sorry to hear that your certificates have expired. :( Your gcloud logs show that the Google Cloud SDK produces an internal error. This does not look like something that can be fixed in OPNsense or os-acme-client. It is probably a bug in this SDK.
Have you since then upgraded to OPNsense 20.7.1 and could post more recent gcloud logs? IIRC a new version of Google Cloud SDK was also included.
Thanks for your reply.
The reason I think it's a plugin issue is that I can insert records manually using the gcloud command line.
I have indeed upgraded to 20.7.1 and confirm the SDK was updated.
Here are the updated logs:
[Thu Aug 27 09:06:34 CEST 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Aug 27 09:06:34 CEST 2020] DOMAIN_PATH='/var/etc/acme-client/home/time1.signorini.in'
[Thu Aug 27 09:06:34 CEST 2020] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Thu Aug 27 09:06:34 CEST 2020] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Thu Aug 27 09:06:34 CEST 2020] GET
[Thu Aug 27 09:06:34 CEST 2020] url='https://acme-v02.api.letsencrypt.org/directory'
[Thu Aug 27 09:06:34 CEST 2020] timeout=
[Thu Aug 27 09:06:34 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.r15tXQ31 -g '
[Thu Aug 27 09:06:35 CEST 2020] ret='0'
[Thu Aug 27 09:06:35 CEST 2020] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Thu Aug 27 09:06:35 CEST 2020] ACME_NEW_AUTHZ
[Thu Aug 27 09:06:35 CEST 2020] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Aug 27 09:06:35 CEST 2020] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Aug 27 09:06:35 CEST 2020] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Thu Aug 27 09:06:35 CEST 2020] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Thu Aug 27 09:06:35 CEST 2020] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Aug 27 09:06:35 CEST 2020] ACME_VERSION='2'
[Thu Aug 27 09:06:35 CEST 2020] Le_NextRenewTime='1595000189'
[Thu Aug 27 09:06:35 CEST 2020] _on_before_issue
[Thu Aug 27 09:06:35 CEST 2020] _chk_main_domain='time1.signorini.in'
[Thu Aug 27 09:06:35 CEST 2020] _chk_alt_domains
[Thu Aug 27 09:06:35 CEST 2020] Le_LocalAddress
[Thu Aug 27 09:06:35 CEST 2020] d='time1.signorini.in'
[Thu Aug 27 09:06:35 CEST 2020] Check for domain='time1.signorini.in'
[Thu Aug 27 09:06:35 CEST 2020] _currentRoot='dns_gcloud'
[Thu Aug 27 09:06:35 CEST 2020] d
[Thu Aug 27 09:06:35 CEST 2020] _saved_account_key_hash is not changed, skip register account.
[Thu Aug 27 09:06:35 CEST 2020] Read key length:4096
[Thu Aug 27 09:06:35 CEST 2020] _createcsr
[Thu Aug 27 09:06:35 CEST 2020] Single domain='time1.signorini.in'
[Thu Aug 27 09:06:35 CEST 2020] Getting domain auth token for each domain
[Thu Aug 27 09:06:35 CEST 2020] d
[Thu Aug 27 09:06:36 CEST 2020] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Aug 27 09:06:36 CEST 2020] payload='{"identifiers": [{"type":"dns","value":"time1.signorini.in"}]}'
[Thu Aug 27 09:06:36 CEST 2020] RSA key
[Thu Aug 27 09:06:36 CEST 2020] HEAD
[Thu Aug 27 09:06:36 CEST 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Aug 27 09:06:36 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.IqBg3aE0 -g -I '
[Thu Aug 27 09:06:36 CEST 2020] _ret='0'
[Thu Aug 27 09:06:36 CEST 2020] POST
[Thu Aug 27 09:06:36 CEST 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Aug 27 09:06:36 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.IqBg3aE0 -g '
[Thu Aug 27 09:06:38 CEST 2020] _ret='0'
[Thu Aug 27 09:06:38 CEST 2020] code='201'
[Thu Aug 27 09:06:38 CEST 2020] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/74890194/4884647389'
[Thu Aug 27 09:06:38 CEST 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/74890194/4884647389'
[Thu Aug 27 09:06:38 CEST 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/6801807659'
[Thu Aug 27 09:06:38 CEST 2020] payload
[Thu Aug 27 09:06:38 CEST 2020] POST
[Thu Aug 27 09:06:38 CEST 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/6801807659'
[Thu Aug 27 09:06:38 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.IqBg3aE0 -g '
[Thu Aug 27 09:06:40 CEST 2020] _ret='0'
[Thu Aug 27 09:06:40 CEST 2020] code='200'
[Thu Aug 27 09:06:40 CEST 2020] d='time1.signorini.in'
[Thu Aug 27 09:06:40 CEST 2020] Getting webroot for domain='time1.signorini.in'
[Thu Aug 27 09:06:40 CEST 2020] _w='dns_gcloud'
[Thu Aug 27 09:06:40 CEST 2020] _currentRoot='dns_gcloud'
[Thu Aug 27 09:06:40 CEST 2020] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/6801807659/dO1LEQ","token":"4al0y8FOvfPV6E5DCa4Z-_bvjuesoSIzn3WarEXxVbk"'
[Thu Aug 27 09:06:40 CEST 2020] token='4al0y8FOvfPV6E5DCa4Z-_bvjuesoSIzn3WarEXxVbk'
[Thu Aug 27 09:06:40 CEST 2020] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/6801807659/dO1LEQ'
[Thu Aug 27 09:06:40 CEST 2020] keyauthorization='4al0y8FOvfPV6E5DCa4Z-_bvjuesoSIzn3WarEXxVbk.3MHBVt7MnFrc5uD-ON__maKHwWkWq526YX8apEu8X1A'
[Thu Aug 27 09:06:40 CEST 2020] dvlist='time1.signorini.in#4al0y8FOvfPV6E5DCa4Z-_bvjuesoSIzn3WarEXxVbk.3MHBVt7MnFrc5uD-ON__maKHwWkWq526YX8apEu8X1A#https://acme-v02.api.letsencrypt.org/acme/chall-v3/6801807659/dO1LEQ#dns-01#dns_gcloud'
[Thu Aug 27 09:06:40 CEST 2020] d
[Thu Aug 27 09:06:40 CEST 2020] vlist='time1.signorini.in#4al0y8FOvfPV6E5DCa4Z-_bvjuesoSIzn3WarEXxVbk.3MHBVt7MnFrc5uD-ON__maKHwWkWq526YX8apEu8X1A#https://acme-v02.api.letsencrypt.org/acme/chall-v3/6801807659/dO1LEQ#dns-01#dns_gcloud,'
[Thu Aug 27 09:06:40 CEST 2020] d='time1.signorini.in'
[Thu Aug 27 09:06:40 CEST 2020] _d_alias
[Thu Aug 27 09:06:40 CEST 2020] txtdomain='_acme-challenge.time1.signorini.in'
[Thu Aug 27 09:06:40 CEST 2020] txt='f2M3lAnEdLv61_m0nGAodojA4rLyL1qAeXFwnqUrv90'
[Thu Aug 27 09:06:40 CEST 2020] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh'
[Thu Aug 27 09:06:40 CEST 2020] Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh
[Thu Aug 27 09:06:40 CEST 2020] Adding txt value: f2M3lAnEdLv61_m0nGAodojA4rLyL1qAeXFwnqUrv90 for domain: _acme-challenge.time1.signorini.in
[Thu Aug 27 09:06:40 CEST 2020] Using gcloud
[Thu Aug 27 09:06:40 CEST 2020] fulldomain='_acme-challenge.time1.signorini.in'
[Thu Aug 27 09:06:40 CEST 2020] txtvalue='f2M3lAnEdLv61_m0nGAodojA4rLyL1qAeXFwnqUrv90'
[Thu Aug 27 09:06:40 CEST 2020] filter='dnsName=( _acme-challenge.time1.signorini.in. time1.signorini.in. signorini.in. in. ) AND visibility=public'
[Thu Aug 27 09:06:41 CEST 2020] dnsName='signorini.in.'
[Thu Aug 27 09:06:41 CEST 2020] managedZone='internal'
[Thu Aug 27 09:06:41 CEST 2020] tr='/tmp/tmp.vyfoDHuo/tr.yaml'
[Thu Aug 27 09:06:42 CEST 2020] _dns_gcloud_start_tr: failed to execute transaction
[Thu Aug 27 09:06:42 CEST 2020] Error add txt for domain:_acme-challenge.time1.signorini.in
[Thu Aug 27 09:06:42 CEST 2020] _on_issue_err
[Thu Aug 27 09:06:42 CEST 2020] Please check log file for more details: /var/log/acme.sh.log
[Thu Aug 27 09:06:42 CEST 2020] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/6801807659/dO1LEQ'
[Thu Aug 27 09:06:42 CEST 2020] payload='{}'
[Thu Aug 27 09:06:42 CEST 2020] POST
[Thu Aug 27 09:06:42 CEST 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/6801807659/dO1LEQ'
[Thu Aug 27 09:06:42 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.IqBg3aE0 -g '
[Thu Aug 27 09:06:43 CEST 2020] _ret='0'
[Thu Aug 27 09:06:43 CEST 2020] code='200'
[Thu Aug 27 09:06:43 CEST 2020] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1d-freebsd 10 Sep 2019
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --add-module=/usr/obj/usr/ports/www/nginx/work/nginx-module-vts-0.1.18 --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/ngx_brotli-8104036 --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/naxsi-0.56/naxsi_src --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/njs-b12fc23/nginx
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.4 on Jul 28 2020 02:36:32
running on FreeBSD version FreeBSD 12.1-RELEASE-p8-HBSD #2 505cf134d9b(stable/20.7)-dirty: Mon Aug 10 12:14:34 CEST 2020 root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP, release 12.1-RELEASE-p8-HBSD, machine amd64
features:
#define WITH_STDIO 1
#define WITH_FDNUM 1
#define WITH_FILE 1
#define WITH_CREAT 1
#define WITH_GOPEN 1
#define WITH_TERMIOS 1
#define WITH_PIPE 1
#define WITH_UNIX 1
#undef WITH_ABSTRACT_UNIXSOCKET
#define WITH_IP4 1
#define WITH_IP6 1
#define WITH_RAWIP 1
#define WITH_GENERICSOCKET 1
#undef WITH_INTERFACE
#define WITH_TCP 1
#define WITH_UDP 1
#define WITH_SCTP 1
#define WITH_LISTEN 1
#define WITH_SOCKS4 1
#define WITH_SOCKS4A 1
#define WITH_PROXY 1
#define WITH_SYSTEM 1
#define WITH_EXEC 1
#undef WITH_READLINE
#undef WITH_TUN
#define WITH_PTY 1
#define WITH_OPENSSL 1
#undef WITH_FIPS
#define WITH_LIBWRAP 1
#define WITH_SYCLS 1
#define WITH_FILAN 1
#define WITH_RETRY 1
#define WITH_MSGLEVEL 0 /*debug*/
[Thu Aug 27 09:06:43 CEST 2020] pid
[Thu Aug 27 09:06:43 CEST 2020] No need to restore nginx, skip.
[Thu Aug 27 09:06:43 CEST 2020] _clearupdns
[Thu Aug 27 09:06:43 CEST 2020] dns_entries
[Thu Aug 27 09:06:43 CEST 2020] skip dns.
Now the gcloud logs are unreadable... (they were readable with 20.1)
[root@myfw ~/.config/gcloud]# cat logs
(binary output, not reproduced; the only recognizable content is the per-day directory names 2020.07.28 through 2020.08.26)
Here some errors I see in the dashboard:
PHP Errors:
[24-Aug-2020 00:00:48 Europe/Zurich] PHP Warning: dns_get_record(): DNS Query failed in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 994
[25-Aug-2020 00:00:50 Europe/Zurich] PHP Warning: dns_get_record(): DNS Query failed in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 994
[25-Aug-2020 15:15:01 Europe/Zurich] PHP Warning: unlink(/var/log/nginx/tls_handshake.log.work): No such file or directory in /usr/local/opnsense/scripts/nginx/tls_ua_fingerprint.php on line 124
[26-Aug-2020 00:00:41 Europe/Zurich] PHP Warning: dns_get_record(): DNS Query failed in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 994
[26-Aug-2020 08:45:01 Europe/Zurich] PHP Warning: unlink(/var/log/nginx/tls_handshake.log.work): No such file or directory in /usr/local/opnsense/scripts/nginx/tls_ua_fingerprint.php on line 124
[26-Aug-2020 23:15:00 Europe/Zurich] PHP Warning: unlink(/var/log/nginx/tls_handshake.log.work): No such file or directory in /usr/local/opnsense/scripts/nginx/tls_ua_fingerprint.php on line 124
[27-Aug-2020 00:00:36 Europe/Zurich] PHP Warning: dns_get_record(): DNS Query failed in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 994
[27-Aug-2020 09:06:34 Europe/Zurich] PHP Warning: dns_get_record(): DNS Query failed in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 994
Manually:
[root@myfw ~]# gcloud dns record-sets list -z internal
NAME TYPE TTL DATA
signorini.in. A 900 84.227.70.208
signorini.in. NS 21600 ns-cloud-a1.googledomains.com.,ns-cloud-a2.googledomains.com.,ns-cloud-a3.googledomains.com.,ns-cloud-a4.googledomains.com.
signorini.in. SOA 21600 ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 61 21600 3600 259200 300
. . .
Updates are available for some Cloud SDK components. To install them,
please run:
$ gcloud components update
[root@myfw ~]# gcloud dns record-sets transaction start --zone=internal
Transaction started [transaction.yaml].
[root@myfw ~]# cat transaction.yaml
---
additions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 62 21600 3600
259200 300
ttl: 21600
type: SOA
deletions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 61 21600 3600
259200 300
ttl: 21600
type: SOA
[root@myfw ~]# gcloud dns record-sets transaction add "1.1.1.1" --zone=internal --name="dummytest.signorini.in." --type="A" --ttl="300"
Record addition appended to transaction at [transaction.yaml].
[root@myfw ~]# cat transaction.yaml
---
additions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 62 21600 3600
259200 300
ttl: 21600
type: SOA
- kind: dns#resourceRecordSet
name: dummytest.signorini.in.
rrdatas:
- 1.1.1.1
ttl: 300
type: A
deletions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 61 21600 3600
259200 300
ttl: 21600
type: SOA
[root@myfw ~]# gcloud dns record-sets transaction execute --zone=internal
Executed transaction [transaction.yaml] for managed-zone [internal].
Created [https://dns.googleapis.com/dns/v1/projects/dns-signorini-in/managedZones/internal/changes/104].
ID START_TIME STATUS
104 2020-08-27T07:16:57.012Z pending
[root@myfw ~]# echo $?
0
[root@myfw ~]# gcloud dns record-sets list -z internal | grep dummytest
dummytest.signorini.in. A 300 1.1.1.1
I struggled with this problem as well. The following patch, which disables most error checking in dns_gcloud.sh, results in a successful update. Obviously not a valid fix for the problem, but a temporary workaround that got my certs updated.
--- /usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh.orig 2020-05-03 19:41:37.000000000 -0500
+++ /usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh 2020-08-17 12:25:36.892204000 -0500
@@ -58,9 +58,10 @@
if ! gcloud dns record-sets transaction start \
--transaction-file="$tr" \
--zone="$managedZone"; then
- rm -r "$trd"
- _err "_dns_gcloud_start_tr: failed to execute transaction"
- return 1
+ #rm -r "$trd"
+ #_err "_dns_gcloud_start_tr: failed to execute transaction"
+ _debug _dns_gcloud_start_tr "failed to execute transaction"
+ #return 1
fi
}
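Review bot: dropping `return 1` in the `transaction start` failure branch lets the caller carry on with a transaction file that may never have been created, and dropping `rm -r "$trd"` leaks the mktemp directory on every failed run. The gcloud log earlier in the thread shows the non-zero status here is a BrokenPipeError raised while flushing stdout after `Transaction started [...]` was already printed, so a narrower change is to redirect gcloud's stdout (for example `>/dev/null`, or into the debug log) and keep the check, or at minimum test `[ -s "$tr" ]` before treating the failure as success. Downgrading `_err` to `_debug` also hides a genuine failure from the normal log.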
@@ -69,9 +70,10 @@
--transaction-file="$tr" \
--zone="$managedZone"; then
_debug tr "$(cat "$tr")"
- rm -r "$trd"
- _err "_dns_gcloud_execute_tr: failed to execute transaction"
- return 1
+ #rm -r "$trd"
+ #_err "_dns_gcloud_execute_tr: failed to execute transaction"
+ _debug _dns_gcloud_execute_tr "failed to execute transaction"
+ #return 1
fi
rm -r "$trd"
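Review bot: with `return 1` removed, a failed `transaction execute` now falls through to `rm -r "$trd"` and into the polling loop below, which then waits up to 10 minutes for a change that may never have been submitted, and the only place a real failure (wrong zone, expired credentials) would surface is now logged at debug level. If the exit status has to be tolerated, confirm the change was submitted (the `changes list` poll below already exists for that) before continuing, rather than discarding the status altogether.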
@@ -87,6 +89,7 @@
fi
done
+ _debug tr "$(cat "$tr")"
_err "_dns_gcloud_execute_tr: transaction is still pending after 10 minutes"
rm -r "$trd"
return 1
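Review bot: the added `_debug tr "$(cat "$tr")"` before the 10-minute timeout message is a useful diagnostic and is the one part of this patch that does not weaken error handling; since `rm -r "$trd"` follows immediately, this is the last point at which the file can be inspected, so keeping it makes sense even if the rest of the patch is dropped.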
@@ -100,9 +103,10 @@
--zone="$managedZone" \
--transaction-file="$tr"; then
_debug tr "$(cat "$tr")"
- rm -r "$trd"
- _err "_dns_gcloud_remove_rrs: failed to remove RRs"
- return 1
+ #rm -r "$trd"
+ #_err "_dns_gcloud_remove_rrs: failed to remove RRs"
+ _debug _dns_gcloud_remove_rrs "failed to remove RRs"
+ #return 1
fi
}
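Review bot: same problem as the start/execute hunks: `_dns_gcloud_remove_rrs` failing no longer returns 1, so a stale `_acme-challenge` TXT record can be left in the zone while the caller proceeds to add the new one, and the temporary directory is not removed. Gate on the transaction file contents instead of ignoring the status.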
@@ -115,9 +119,10 @@
--zone="$managedZone" \
--transaction-file="$tr"; then
_debug tr "$(cat "$tr")"
- rm -r "$trd"
- _err "_dns_gcloud_add_rrs: failed to add RRs"
- return 1
+ #rm -r "$trd"
+ #_err "_dns_gcloud_add_rrs: failed to add RRs"
+ _debug _dns_gcloud_add_rrs "failed to add RRs"
+ #return 1
fi
}
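Review bot: `_dns_gcloud_add_rrs` returning 0 on failure means acme.sh will log "The txt record is added: Success" and sleep 120 seconds even when nothing was added, and the challenge then fails much later with a less useful error. If the intent is only to tolerate the exit-120/BrokenPipe case, check that the transaction file actually contains the TXT addition (`grep -q 'type: TXT' "$tr"`) before returning 0.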
Looks like it actually works if I ignore the exit codes :) Probably there's something wrong there; it could be that the transaction succeeds even with an exit code different from 0, maybe just some warning?
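The exit code alone is a poor signal here: the traceback at the top of the thread shows gcloud raising BrokenPipeError while flushing stdout after "Transaction started" was already printed, and 120 is the status CPython exits with when flushing the standard streams fails at interpreter shutdown, so the DNS operation can complete while the command still reports failure. The following added example (not code from acme.sh, os-acme-client or the Google Cloud SDK) shows the middle ground between trusting the status blindly and ignoring it: capture gcloud's output in a file so the broken pipe cannot happen, then decide success from the artifact the step leaves behind. `gcloud_tr_start` and the `GCLOUD` variable are hypothetical names; `fake_gcloud` is a constructed stand-in for the real command so the script runs offline, and it only emulates the three outcomes seen in this thread.

```sh
#!/bin/sh
# Added example, not part of acme.sh, os-acme-client or gcloud.
# Assumption: GCLOUD names the gcloud command; by default it points at the
# constructed stand-in fake_gcloud below so the example runs without network
# access or credentials.

# Constructed stand-in for `gcloud dns record-sets transaction start`.
# FAKE_MODE selects the behaviour to emulate:
#   ok         - writes the transaction file and exits 0
#   brokenpipe - writes the transaction file, then fails the way the traceback
#                in this thread shows (BrokenPipeError on stdout flush, exit 120)
#   fail       - writes nothing and exits 1
fake_gcloud() {
  out=
  for arg in "$@"; do
    case $arg in
      --transaction-file=*) out=${arg#--transaction-file=} ;;
    esac
  done
  case ${FAKE_MODE:-ok} in
    ok)
      printf '%s\n' '---' 'additions: []' 'deletions: []' >"$out"
      echo "Transaction started [$out]."
      return 0 ;;
    brokenpipe)
      printf '%s\n' '---' 'additions: []' 'deletions: []' >"$out"
      echo "BrokenPipeError: [Errno 32] Broken pipe" >&2
      return 120 ;;
    *)
      echo "ERROR: (gcloud.dns.record-sets.transaction.start) zone not found" >&2
      return 1 ;;
  esac
}
GCLOUD=${GCLOUD:-fake_gcloud}

# Start a transaction with gcloud's stdout and stderr captured in $log instead
# of the inherited stdout (the stream whose flush raised the BrokenPipeError).
# Success is judged by a non-empty transaction file: a non-zero exit with the
# file present is logged as a warning and tolerated; no file means failure.
# Returns 0 when the transaction file exists, 1 otherwise.
gcloud_tr_start() {
  trfile=$1
  zone=$2
  log=$3
  # The if/else keeps a non-zero status from tripping `set -e` in callers.
  if "$GCLOUD" dns record-sets transaction start \
       --transaction-file="$trfile" --zone="$zone" >"$log" 2>&1; then
    rc=0
  else
    rc=$?
  fi
  if [ -s "$trfile" ]; then
    if [ "$rc" -ne 0 ]; then
      echo "warning: gcloud exited $rc but wrote $trfile; output kept in $log" >&2
    fi
    return 0
  fi
  echo "error: transaction start failed (rc=$rc):" >&2
  cat "$log" >&2
  return 1
}

# Run the three emulated outcomes into a temporary directory and report each.
demo() {
  dir=$(mktemp -d) || return 1
  for mode in ok brokenpipe fail; do
    FAKE_MODE=$mode
    if gcloud_tr_start "$dir/$mode.yaml" internal "$dir/$mode.log" 2>/dev/null; then
      echo "$mode: proceed (transaction file present)"
    else
      echo "$mode: abort (no transaction file)"
    fi
  done
  rm -rf "$dir"
}
demo
```

The same artifact check applies to the other steps in dns_gcloud.sh: after `transaction add` or `transaction remove`, the transaction file should contain the expected `type: TXT` entry under `additions` or `deletions` (the YAML dumps later in this thread show exactly that), and after `transaction execute` the `changes list` poll the script already performs is the authoritative signal. Point `GCLOUD=gcloud` at the real binary to use the function against a real zone.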
I modified /usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh like this:
_dns_gcloud_start_tr() {
  if ! trd=$(mktemp -d); then
    _err "_dns_gcloud_start_tr: failed to create temporary directory"
    return 1
  fi
  tr="$trd/tr.yaml"
  _debug tr "$tr"

  _err "__SIGA_DEBUG tr: >$tr<"
  _err "__SIGA_DEBUG zone: >$managedZone<"

  gcloud dns record-sets transaction start \
    --transaction-file="$tr" \
    --zone="$managedZone"
  rc=$?
  # exit code is logged but deliberately not acted on (debugging)
  _err "_dns_gcloud_start_tr: RC= $rc failed to execute transaction"
  return 0
}

_dns_gcloud_execute_tr() {
  _debug __SIGA_DEBUG _dns_gcloud_execute_tr

  gcloud dns record-sets transaction execute \
    --transaction-file="$tr" \
    --zone="$managedZone"
  rc=$?
  _debug tr "$(cat "$tr")"
  _err "_dns_gcloud_execute_tr: RC= $rc failed to execute transaction"

  for i in $(seq 1 120); do
    _err "__SIGA_DEBUG i: $i"
    if gcloud dns record-sets changes list \
      --zone="$managedZone" \
      --filter='status != done' \
      | grep -q '^.*'; then
      _info "_dns_gcloud_execute_tr: waiting for transaction to be committed ($i/120)..."
      sleep 5
    else
      return 0
    fi
  done
# ... script lines 93-112 not shown ...
_dns_gcloud_add_rrs() {
  ttl=60
  # TXT values arrive on stdin from the caller
  xargs -r gcloud dns record-sets transaction add \
    --name="$fulldomain." \
    --ttl="$ttl" \
    --type=TXT \
    --zone="$managedZone" \
    --transaction-file="$tr"
  rc=$?
  _debug tr "$(cat "$tr")"
  _err "_dns_gcloud_add_rrs: rc=$rc failed to add RRs"
  return 0
}
[Thu Aug 27 16:06:02 CEST 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Aug 27 16:06:02 CEST 2020] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Thu Aug 27 16:06:02 CEST 2020] DOMAIN_PATH='/var/etc/acme-client/home/time1.signorini.in'
[Thu Aug 27 16:06:03 CEST 2020] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Aug 27 16:06:03 CEST 2020] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Aug 27 16:06:03 CEST 2020] GET
[Thu Aug 27 16:06:03 CEST 2020] url='https://acme-staging-v02.api.letsencrypt.org/directory'
[Thu Aug 27 16:06:03 CEST 2020] timeout=
[Thu Aug 27 16:06:03 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.yM6hBRIJ -g '
[Thu Aug 27 16:06:03 CEST 2020] ret='0'
[Thu Aug 27 16:06:03 CEST 2020] ACME_KEY_CHANGE='https://acme-staging-v02.api.letsencrypt.org/acme/key-change'
[Thu Aug 27 16:06:03 CEST 2020] ACME_NEW_AUTHZ
[Thu Aug 27 16:06:03 CEST 2020] ACME_NEW_ORDER='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Thu Aug 27 16:06:03 CEST 2020] ACME_NEW_ACCOUNT='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'
[Thu Aug 27 16:06:03 CEST 2020] ACME_REVOKE_CERT='https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert'
[Thu Aug 27 16:06:03 CEST 2020] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Thu Aug 27 16:06:03 CEST 2020] ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Aug 27 16:06:03 CEST 2020] ACME_VERSION='2'
[Thu Aug 27 16:06:03 CEST 2020] Le_NextRenewTime='1595000189'
[Thu Aug 27 16:06:03 CEST 2020] _on_before_issue
[Thu Aug 27 16:06:03 CEST 2020] _chk_main_domain='time1.signorini.in'
[Thu Aug 27 16:06:03 CEST 2020] _chk_alt_domains
[Thu Aug 27 16:06:03 CEST 2020] Le_LocalAddress
[Thu Aug 27 16:06:03 CEST 2020] d='time1.signorini.in'
[Thu Aug 27 16:06:03 CEST 2020] Check for domain='time1.signorini.in'
[Thu Aug 27 16:06:03 CEST 2020] _currentRoot='dns_gcloud'
[Thu Aug 27 16:06:03 CEST 2020] d
[Thu Aug 27 16:06:03 CEST 2020] _saved_account_key_hash is not changed, skip register account.
[Thu Aug 27 16:06:03 CEST 2020] Read key length:4096
[Thu Aug 27 16:06:03 CEST 2020] _createcsr
[Thu Aug 27 16:06:03 CEST 2020] Single domain='time1.signorini.in'
[Thu Aug 27 16:06:04 CEST 2020] Getting domain auth token for each domain
[Thu Aug 27 16:06:04 CEST 2020] d
[Thu Aug 27 16:06:04 CEST 2020] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Thu Aug 27 16:06:04 CEST 2020] payload='{"identifiers": [{"type":"dns","value":"time1.signorini.in"}]}'
[Thu Aug 27 16:06:04 CEST 2020] RSA key
[Thu Aug 27 16:06:04 CEST 2020] HEAD
[Thu Aug 27 16:06:04 CEST 2020] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Aug 27 16:06:04 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.ccgVS7Jl -g -I '
[Thu Aug 27 16:06:04 CEST 2020] _ret='0'
[Thu Aug 27 16:06:04 CEST 2020] POST
[Thu Aug 27 16:06:04 CEST 2020] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
[Thu Aug 27 16:06:04 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.ccgVS7Jl -g '
[Thu Aug 27 16:06:05 CEST 2020] _ret='0'
[Thu Aug 27 16:06:05 CEST 2020] code='201'
[Thu Aug 27 16:06:05 CEST 2020] Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/11137429/138133936'
[Thu Aug 27 16:06:05 CEST 2020] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11137429/138133936'
[Thu Aug 27 16:06:05 CEST 2020] url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/100814639'
[Thu Aug 27 16:06:05 CEST 2020] payload
[Thu Aug 27 16:06:05 CEST 2020] POST
[Thu Aug 27 16:06:05 CEST 2020] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/100814639'
[Thu Aug 27 16:06:05 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.ccgVS7Jl -g '
[Thu Aug 27 16:06:06 CEST 2020] _ret='0'
[Thu Aug 27 16:06:06 CEST 2020] code='200'
[Thu Aug 27 16:06:06 CEST 2020] d='time1.signorini.in'
[Thu Aug 27 16:06:06 CEST 2020] Getting webroot for domain='time1.signorini.in'
[Thu Aug 27 16:06:06 CEST 2020] _w='dns_gcloud'
[Thu Aug 27 16:06:06 CEST 2020] _currentRoot='dns_gcloud'
[Thu Aug 27 16:06:06 CEST 2020] entry='"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug","token":"L6EfTdYYzKbkQcsG9r3S9sv-u8pHjbUfe7RT7fIMCvY"'
[Thu Aug 27 16:06:06 CEST 2020] token='L6EfTdYYzKbkQcsG9r3S9sv-u8pHjbUfe7RT7fIMCvY'
[Thu Aug 27 16:06:06 CEST 2020] uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug'
[Thu Aug 27 16:06:06 CEST 2020] keyauthorization='L6EfTdYYzKbkQcsG9r3S9sv-u8pHjbUfe7RT7fIMCvY.3MHBVt7MnFrc5uD-ON__maKHwWkWq526YX8apEu8X1A'
[Thu Aug 27 16:06:06 CEST 2020] dvlist='time1.signorini.in#L6EfTdYYzKbkQcsG9r3S9sv-u8pHjbUfe7RT7fIMCvY.3MHBVt7MnFrc5uD-ON__maKHwWkWq526YX8apEu8X1A#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug#dns-01#dns_gcloud'
[Thu Aug 27 16:06:06 CEST 2020] d
[Thu Aug 27 16:06:06 CEST 2020] vlist='time1.signorini.in#L6EfTdYYzKbkQcsG9r3S9sv-u8pHjbUfe7RT7fIMCvY.3MHBVt7MnFrc5uD-ON__maKHwWkWq526YX8apEu8X1A#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug#dns-01#dns_gcloud,'
[Thu Aug 27 16:06:06 CEST 2020] d='time1.signorini.in'
[Thu Aug 27 16:06:06 CEST 2020] _d_alias
[Thu Aug 27 16:06:06 CEST 2020] txtdomain='_acme-challenge.time1.signorini.in'
[Thu Aug 27 16:06:06 CEST 2020] txt='XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI'
[Thu Aug 27 16:06:06 CEST 2020] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh'
[Thu Aug 27 16:06:06 CEST 2020] Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh
[Thu Aug 27 16:06:06 CEST 2020] Adding txt value: XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI for domain: _acme-challenge.time1.signorini.in
[Thu Aug 27 16:06:06 CEST 2020] Using gcloud
[Thu Aug 27 16:06:06 CEST 2020] fulldomain='_acme-challenge.time1.signorini.in'
[Thu Aug 27 16:06:06 CEST 2020] txtvalue='XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI'
[Thu Aug 27 16:06:06 CEST 2020] filter='dnsName=( _acme-challenge.time1.signorini.in. time1.signorini.in. signorini.in. in. ) AND visibility=public'
[Thu Aug 27 16:06:07 CEST 2020] dnsName='signorini.in.'
[Thu Aug 27 16:06:07 CEST 2020] managedZone='internal'
[Thu Aug 27 16:06:07 CEST 2020] tr='/tmp/tmp.tq76osSN/tr.yaml'
[Thu Aug 27 16:06:07 CEST 2020] __SIGA_DEBUG tr: >/tmp/tmp.tq76osSN/tr.yaml<
[Thu Aug 27 16:06:07 CEST 2020] __SIGA_DEBUG zone: >internal<
[Thu Aug 27 16:06:08 CEST 2020] _dns_gcloud_start_tr: RC= 120 failed to execute transaction
[Thu Aug 27 16:06:10 CEST 2020] tr='---
additions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 65 21600 3600
259200 300
ttl: 21600
type: SOA
- kind: dns#resourceRecordSet
name: _acme-challenge.time1.signorini.in.
rrdatas:
- '"XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI"'
ttl: 60
type: TXT
deletions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 64 21600 3600
259200 300
ttl: 21600
type: SOA'
[Thu Aug 27 16:06:10 CEST 2020] _dns_gcloud_add_rrs: rc=1 failed to add RRs
[Thu Aug 27 16:06:10 CEST 2020] __SIGA_DEBUG='_dns_gcloud_execute_tr'
[Thu Aug 27 16:06:11 CEST 2020] tr='---
additions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 65 21600 3600
259200 300
ttl: 21600
type: SOA
- kind: dns#resourceRecordSet
name: _acme-challenge.time1.signorini.in.
rrdatas:
- '"XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI"'
ttl: 60
type: TXT
deletions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 64 21600 3600
259200 300
ttl: 21600
type: SOA'
[Thu Aug 27 16:06:11 CEST 2020] _dns_gcloud_execute_tr: RC= 120 failed to execute transaction
[Thu Aug 27 16:06:11 CEST 2020] __SIGA_DEBUG i: 1
[Thu Aug 27 16:06:13 CEST 2020] _acme-challenge.time1.signorini.in record added
[Thu Aug 27 16:06:13 CEST 2020] The txt record is added: Success.
[Thu Aug 27 16:06:13 CEST 2020] Sleep 120 seconds for the txt records to take effect
[Thu Aug 27 16:08:13 CEST 2020] ok, let's start to verify
[Thu Aug 27 16:08:13 CEST 2020] Verifying: time1.signorini.in
[Thu Aug 27 16:08:13 CEST 2020] d='time1.signorini.in'
[Thu Aug 27 16:08:13 CEST 2020] keyauthorization='L6EfTdYYzKbkQcsG9r3S9sv-u8pHjbUfe7RT7fIMCvY.3MHBVt7MnFrc5uD-ON__maKHwWkWq526YX8apEu8X1A'
[Thu Aug 27 16:08:13 CEST 2020] uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug'
[Thu Aug 27 16:08:13 CEST 2020] _currentRoot='dns_gcloud'
[Thu Aug 27 16:08:13 CEST 2020] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug'
[Thu Aug 27 16:08:13 CEST 2020] payload='{}'
[Thu Aug 27 16:08:13 CEST 2020] POST
[Thu Aug 27 16:08:13 CEST 2020] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug'
[Thu Aug 27 16:08:13 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.ccgVS7Jl -g '
[Thu Aug 27 16:08:14 CEST 2020] _ret='0'
[Thu Aug 27 16:08:14 CEST 2020] code='200'
[Thu Aug 27 16:08:14 CEST 2020] trigger validation code: 200
[Thu Aug 27 16:08:14 CEST 2020] sleep 2 secs to verify
[Thu Aug 27 16:08:16 CEST 2020] checking
[Thu Aug 27 16:08:16 CEST 2020] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug'
[Thu Aug 27 16:08:16 CEST 2020] payload
[Thu Aug 27 16:08:16 CEST 2020] POST
[Thu Aug 27 16:08:16 CEST 2020] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/100814639/utr7Ug'
[Thu Aug 27 16:08:16 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.ccgVS7Jl -g '
[Thu Aug 27 16:08:17 CEST 2020] _ret='0'
[Thu Aug 27 16:08:17 CEST 2020] code='200'
[Thu Aug 27 16:08:17 CEST 2020] Success
[Thu Aug 27 16:08:17 CEST 2020] pid
[Thu Aug 27 16:08:17 CEST 2020] Skip for removelevel:
[Thu Aug 27 16:08:17 CEST 2020] pid
[Thu Aug 27 16:08:17 CEST 2020] No need to restore nginx, skip.
[Thu Aug 27 16:08:17 CEST 2020] _clearupdns
[Thu Aug 27 16:08:17 CEST 2020] dns_entries='time1.signorini.in,_acme-challenge.time1.signorini.in,,dns_gcloud,XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI,/usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh
'
[Thu Aug 27 16:08:17 CEST 2020] Removing DNS records.
[Thu Aug 27 16:08:17 CEST 2020] d='time1.signorini.in'
[Thu Aug 27 16:08:17 CEST 2020] txtdomain='_acme-challenge.time1.signorini.in'
[Thu Aug 27 16:08:17 CEST 2020] aliasDomain='_acme-challenge.time1.signorini.in'
[Thu Aug 27 16:08:17 CEST 2020] _currentRoot='dns_gcloud'
[Thu Aug 27 16:08:17 CEST 2020] txt='XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI'
[Thu Aug 27 16:08:17 CEST 2020] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh'
[Thu Aug 27 16:08:17 CEST 2020] Removing txt: XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI for domain: _acme-challenge.time1.signorini.in
[Thu Aug 27 16:08:17 CEST 2020] Using gcloud
[Thu Aug 27 16:08:17 CEST 2020] fulldomain='_acme-challenge.time1.signorini.in'
[Thu Aug 27 16:08:17 CEST 2020] txtvalue='XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI'
[Thu Aug 27 16:08:17 CEST 2020] filter='dnsName=( _acme-challenge.time1.signorini.in. time1.signorini.in. signorini.in. in. ) AND visibility=public'
[Thu Aug 27 16:08:18 CEST 2020] dnsName='signorini.in.'
[Thu Aug 27 16:08:18 CEST 2020] managedZone='internal'
[Thu Aug 27 16:08:18 CEST 2020] tr='/tmp/tmp.Qiiv0PKm/tr.yaml'
[Thu Aug 27 16:08:18 CEST 2020] __SIGA_DEBUG tr: >/tmp/tmp.Qiiv0PKm/tr.yaml<
[Thu Aug 27 16:08:18 CEST 2020] __SIGA_DEBUG zone: >internal<
[Thu Aug 27 16:08:19 CEST 2020] _dns_gcloud_start_tr: RC= 120 failed to execute transaction
[Thu Aug 27 16:08:21 CEST 2020] tr='---
additions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 66 21600 3600
259200 300
ttl: 21600
type: SOA
deletions:
- kind: dns#resourceRecordSet
name: signorini.in.
rrdatas:
- ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 65 21600 3600
259200 300
ttl: 21600
type: SOA
- kind: dns#resourceRecordSet
name: _acme-challenge.time1.signorini.in.
rrdatas:
- '"XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI"'
ttl: 60
type: TXT'
[Thu Aug 27 16:08:21 CEST 2020] _dns_gcloud_remove_rrs: failed to remove RRs
[Thu Aug 27 16:08:21 CEST 2020] Error removing txt for domain:_acme-challenge.time1.signorini.in
[Thu Aug 27 16:08:21 CEST 2020] Verify finished, start to sign.
[Thu Aug 27 16:08:21 CEST 2020] i='2'
[Thu Aug 27 16:08:21 CEST 2020] j='26'
[Thu Aug 27 16:08:21 CEST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11137429/138133936
[Thu Aug 27 16:08:21 CEST 2020] url='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11137429/138133936'
[Thu Aug 27 16:08:21 CEST 2020] payload='{"csr": "MIIEnzCCAocCAQAwHTEbMBkGA1UEAwwSdGltZTEuc2lnbm9yaW5pLmluMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxk9Y_FBpwOuDt0JLVHjyQ2pr7dOvQILDadl8G85na7w423CC8oQl_-JajqNT37LiNcQ5rE5qdxc63KZn3JSJY4FAbQ4Dv5iStmGaaSw2f8WOAF2f2145ovqWSIH_62PiXxU0O9w02n_i4ne_b2ygT1TjNWp94PltmxJsLHvZ_92Rraodu5P2MAmd6QqZsXQBGeK78hEggAltbS9pwlrztnfAeAX5iXln7oytwopMUPiDkhbeZmMCmEDZFRGpxEml0-aTKMLdsA6yyr2NBc2pcoa5quvbEI4Mf04B8lYE_ClXuODL9YB53dTgmYny5NismMjuggMs4xG4E2kEg6XqPMDR_v0ACBCF_droscczwi3is8YUTENR2URyfJxGG_MBwfEqFGXXrpc-llvLzpWOQukReKFnNvvTjeFUnvonxbigOMKbaerk041YFo-HTjfVrVzr5o4Gru8fFwDO7oWJaszf_EwHXmd88EPm7_btGFMIOTFu_v55LrOuwic7HLs9eMX7IvaY08sD9ZZhn_BkzVgUxolYVlELw2RVmNAqMZzgE13MqLmUdDlaT2MEIApl0FRVl0q3pX8MnEzutfb1ikKbJEkAdIBaN_5wu9jMpC163KbaVsRKhcEfH6fPhgKbdODvYaipCkWx3f8BWwcS8azZObFuXQa7Q2pGoQNrZP0CAwEAAaA9MDsGCSqGSIb3DQEJDjEuMCwwCwYDVR0PBAQDAgXgMB0GA1UdEQQWMBSCEnRpbWUxLnNpZ25vcmluaS5pbjANBgkqhkiG9w0BAQsFAAOCAgEAJzdTT2mRMvOPnD8fAl9kKmZqfJuE5xxa0RGyBkIh6Cj49cfki11GO9DSQGAJ2f_2ZiZWUvRcCqLlwjEkXV3eJRHun2LJrly0UxCRaLPCu2GGGWJvztypLOsNczipmrYBwRMHPAGjuuN7-nXxAIWwl83pI7DXSm_dX2jpIdHR8-3UGY41bblXCLk9nCro_3HpZrLafYVZ6bWBJM5N9Oww25rl0MfPTLNRRcZdTFZ_IHU8NWHNZUhEU20K3fqoMVyS84jNme1J7pANk5kzBFizXwCO_e00hvYzR14awKhEsFIJcvs-XhpNJlFVKhvka2geaz46FDayZz-MiMb9olSLJVm4aeabc2s9uGWDT3x6uBsfDp4kYobyqviiQmOedyzPCin2cr0mFF-k4YaiGWz0KV1EkCUW-mRcKugniboYpIgreY3zLqrknliR0ZYrnQgvDGwtHUuP-QxB7Ho0L_MI10V6vsNFvgCMSae58O6Vqs66tO-gfvZxW2C9vadqqKIz9QtC082aBfvvE4maZAhDp-I1Q9AI3jnJ2avy9_CmNdDeHSYr29e4QxrlDkgNbDmQHwNKI3zfOnQgb6e8BFufAOb-4Dw79WQKzkcIBmvE1YrLiKidq6LaXX7_wA7zYIiM0VNyFYh5Ka6TQuEIcecFRk2lg5SCZnUjhDnPabWZf1E"}'
[Thu Aug 27 16:08:21 CEST 2020] POST
[Thu Aug 27 16:08:21 CEST 2020] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11137429/138133936'
[Thu Aug 27 16:08:21 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.ccgVS7Jl -g '
[Thu Aug 27 16:08:22 CEST 2020] _ret='0'
[Thu Aug 27 16:08:22 CEST 2020] code='200'
[Thu Aug 27 16:08:22 CEST 2020] Order status is valid.
[Thu Aug 27 16:08:22 CEST 2020] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa44605fb86aa80bd2992f1e9428bd058fb1'
[Thu Aug 27 16:08:22 CEST 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa44605fb86aa80bd2992f1e9428bd058fb1
[Thu Aug 27 16:08:22 CEST 2020] url='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa44605fb86aa80bd2992f1e9428bd058fb1'
[Thu Aug 27 16:08:22 CEST 2020] payload
[Thu Aug 27 16:08:22 CEST 2020] POST
[Thu Aug 27 16:08:22 CEST 2020] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa44605fb86aa80bd2992f1e9428bd058fb1'
[Thu Aug 27 16:08:22 CEST 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.ccgVS7Jl -g '
[Thu Aug 27 16:08:23 CEST 2020] _ret='0'
[Thu Aug 27 16:08:23 CEST 2020] code='200'
[Thu Aug 27 16:08:23 CEST 2020] Found cert chain
[Thu Aug 27 16:08:23 CEST 2020] _end_n='36'
[Thu Aug 27 16:08:23 CEST 2020] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa44605fb86aa80bd2992f1e9428bd058fb1'
[Thu Aug 27 16:08:23 CEST 2020] Cert success.
[Thu Aug 27 16:08:23 CEST 2020] Your cert is in /var/etc/acme-client/home/time1.signorini.in/time1.signorini.in.cer
[Thu Aug 27 16:08:23 CEST 2020] Your cert key is in /var/etc/acme-client/home/time1.signorini.in/time1.signorini.in.key
[Thu Aug 27 16:08:23 CEST 2020] v2 chain.
[Thu Aug 27 16:08:23 CEST 2020] The intermediate CA cert is in /var/etc/acme-client/home/time1.signorini.in/ca.cer
[Thu Aug 27 16:08:23 CEST 2020] And the full chain certs is there: /var/etc/acme-client/home/time1.signorini.in/fullchain.cer
[Thu Aug 27 16:08:23 CEST 2020] Installing cert to:/var/etc/acme-client/certs/5ec3fc5621b4a6.04922996/cert.pem
[Thu Aug 27 16:08:23 CEST 2020] Installing CA to:/var/etc/acme-client/certs/5ec3fc5621b4a6.04922996/chain.pem
[Thu Aug 27 16:08:23 CEST 2020] Installing key to:/var/etc/acme-client/keys/5ec3fc5621b4a6.04922996/private.key
[Thu Aug 27 16:08:23 CEST 2020] Installing full chain to:/var/etc/acme-client/certs/5ec3fc5621b4a6.04922996/fullchain.pem
[Thu Aug 27 16:08:23 CEST 2020] _on_issue_success
^C
a query reveals the record is there
root@linjs:/root # dig txt _acme-challenge.time1.signorini.in @8.8.8.8
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> txt _acme-challenge.time1.signorini.in @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.time1.signorini.in. IN TXT
;; ANSWER SECTION:
_acme-challenge.time1.signorini.in. 59 IN TXT "XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI"
;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 27 16:07:55 CEST 2020
;; MSG SIZE rcvd: 119
and the certificate is created
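Note that the `dig` above was taken at 16:07:55, before the `_clearupdns` step at 16:08:17 that logged `Error removing txt`, so it shows the challenge record being published, not whether it was cleaned up afterwards. A failed cleanup leaves the `_acme-challenge` TXT value behind in the zone, and the only way to know is to query again after the run and compare with what acme.sh said it tried to delete. The following is an added example (not code from this thread, from acme.sh or from os-acme-client) that does that comparison offline: it parses the `Removing txt:` / `Error removing txt` lines of an acme.sh debug log and the answer section of a `dig txt` query, and reports the values acme.sh meant to remove that DNS still serves. The function names and the two embedded sample inputs (copied from the log format shown in this thread) are assumptions made for the example.

```python
"""Cross-check acme.sh's DNS-01 cleanup log against what public DNS still serves."""
import re

# Constructed sample input for this example: two lines in the format of the
# acme.sh debug log above, and the answer section of a `dig txt` query run
# after the cleanup step (in the thread the dig was run before it).
ACME_LOG = """\
[Thu Aug 27 16:08:17 CEST 2020] Removing txt: XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI for domain: _acme-challenge.time1.signorini.in
[Thu Aug 27 16:08:21 CEST 2020] Error removing txt for domain:_acme-challenge.time1.signorini.in
"""
DIG_ANSWER = """\
;; ANSWER SECTION:
_acme-challenge.time1.signorini.in. 59 IN TXT "XXkeH9BbM26ImHdf1C6KqjS95wVPDV8oRWQ7mg69voI"
"""

REMOVING_RE = re.compile(r"Removing txt: (\S+) for domain: (\S+)")
ERROR_RE = re.compile(r"Error removing txt for domain:\s*(\S+)")
# owner name (trailing dot optional), TTL, class, type, quoted TXT string
TXT_RR_RE = re.compile(r'^(\S+?)\.?\s+\d+\s+IN\s+TXT\s+"([^"]*)"', re.MULTILINE)


def attempted_removals(log):
    """Map each domain to the set of TXT values acme.sh tried to delete."""
    out = {}
    for value, domain in REMOVING_RE.findall(log):
        out.setdefault(domain, set()).add(value)
    return out


def failed_removals(log):
    """Domains for which acme.sh logged a cleanup error."""
    return set(ERROR_RE.findall(log))


def txt_records(dig_text):
    """Map owner name (without trailing dot) to the TXT strings dig returned."""
    out = {}
    for name, value in TXT_RR_RE.findall(dig_text):
        out.setdefault(name, set()).add(value)
    return out


def stale_challenges(log, dig_text):
    """Return (domain, value) pairs acme.sh meant to remove but DNS still serves."""
    served = txt_records(dig_text)
    stale = []
    for domain, values in sorted(attempted_removals(log).items()):
        for value in sorted(values & served.get(domain, set())):
            stale.append((domain, value))
    return stale


if __name__ == "__main__":
    for domain in sorted(failed_removals(ACME_LOG)):
        print(f"acme.sh reported cleanup failure for {domain}")
    for domain, value in stale_challenges(ACME_LOG, DIG_ANSWER):
        print(f"stale challenge record: {domain} TXT {value!r}")
```

Feed it the acme.sh log of the run and the output of `dig txt _acme-challenge.<name> @8.8.8.8` taken afterwards; anything it lists has to be deleted by hand (as the thread notes, running the gcloud steps manually works), otherwise the stale values accumulate in the zone with every renewal whose cleanup fails.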
LOL
looks like we posted almost the same "solution" at the same time
No doubt in my mind it is a bug with the plugin. I stepped through all of the gcloud invocations on the command line and they all succeeded with exit code zero. I can't fathom why they don't return zero in the plugin, but that seems to be the case.
I modified /usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh like this
Thanks for sharing.
If this solves your problem, then this is not something that can be fixed here. It looks like a bug in acme.sh's gcloud implementation and should be reported there: https://github.com/acmesh-official/acme.sh/issues
I'll close this issue now, because we'll rely on upstream to fix this bug (assuming that someone will report this to acme.sh).
So the issue is actually caused by the way the acme plugin code runs shell commands, not acme.sh specifically.
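The `RC= 120` logged at the `_dns_gcloud_start_tr` step is not an acme.sh or gcloud error code. gcloud is a Python program, and CPython exits with status 120 when it cannot flush `sys.stdout`/`sys.stderr` during interpreter shutdown; the usual cause is that stdout is a pipe whose reader has already gone away, so the flush fails with EPIPE ("Broken pipe"). That fits the observation above: typed at a shell, every gcloud command has a live stdout and exits 0, whereas a caller that spawns the command without reading its output turns the otherwise successful transaction into exit 120. The following is an added reproducer, not code from this thread or from os-acme-client/acme.sh: the child program (constructed here) points its own stdout at a pipe with no reader, prints one line, and exits normally. The `run_child` and `explain_exit_status` names are assumptions made for the example.

```python
"""Reproduce exit status 120: a Python program whose stdout nobody reads."""
import subprocess
import sys

# Child program constructed for this example. Nothing in it fails explicitly;
# the only problem is that its stdout can never be written to.
CHILD = r"""
import os, sys
r, w = os.pipe()
os.close(r)                   # no reader left: writes to w fail with EPIPE
sys.stdout = open(w, "w")     # block-buffered text stream on the dead pipe
print("Transaction started [tr.yaml].")   # sits in the buffer, nothing written yet
# At interpreter exit CPython flushes sys.stdout; the flush raises
# BrokenPipeError, Py_FinalizeEx() reports failure, and the process exits 120.
"""


def run_child():
    """Run CHILD in a fresh interpreter and return (exit_status, stderr_text)."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD],
        stdout=subprocess.DEVNULL,   # the child replaces its stdout anyway
        stderr=subprocess.PIPE,
        text=True,
    )
    return proc.returncode, proc.stderr


def explain_exit_status(rc):
    """Translate the statuses a shell wrapper around a Python CLI may see."""
    if rc == 0:
        return "success"
    if rc == 120:
        return "python: flushing stdout/stderr failed at interpreter exit (e.g. EPIPE)"
    if rc > 128:
        return f"killed by signal {rc - 128}"
    return f"tool-specific error {rc}"


if __name__ == "__main__":
    rc, err = run_child()
    print(rc, explain_exit_status(rc))
    print(err.strip())   # CPython reports the ignored BrokenPipeError here
```

Python ignores SIGPIPE at startup, which is why the child gets an EPIPE error instead of being killed by the signal; a C program in the same situation would instead die with status 141 (128 + SIGPIPE). When a wrapper runs gcloud, the fix on the calling side is to keep stdout and stderr connected (read them, or redirect to a file) for the whole lifetime of the process, not just until the line the caller was waiting for has appeared.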
gcloud validation does not work anymore since the last update, 20.1.8
Also, manually using the gcloud command does not work:
Adding the env var in /etc/login.conf
And rebuilding makes the command line work correctly
Still, acme validation does not work. I tried to add
in file /usr/local/share/examples/acme.sh/dnsapi/dns_gcloud.sh
but it does not help
it fails here
doing it manually works
LOG:
(the __SIGA_DEBUG lines are my entries, added to be sure it was failing there)
OPNsense 20.1.8_1 on Protectli Pfsense Mi7500L6, Intel 7th Gen Core i7-7500U, 16 GB DDR4 RAM