opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

security/acme-client: Failing to get certificates from Gandi LiveDNS #3526

Closed FreakyBigFoot closed 9 months ago

FreakyBigFoot commented 1 year ago

The bug: I'm not able to renew a certificate when using the Challenge Type of DNS-01 via Gandi LiveDNS.

```
2023-08-06T21:51:18-07:00 | acme.sh | [Sun Aug  6 21:51:18 PDT 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2023-08-06T21:51:18-07:00 | acme.sh | [Sun Aug  6 21:51:18 PDT 2023] Please add '--debug' or '--log' to check more details.
2023-08-06T21:51:18-07:00 | acme.sh | [Sun Aug  6 21:51:18 PDT 2023] Error add txt for domain:_acme-challenge.mydomain.xyz
2023-08-06T21:51:16-07:00 | acme.sh | [Sun Aug  6 21:51:16 PDT 2023] Adding txt value:  yehi3EBS36zpUVEDVrs4QEmJYWLldyXVtISx2MDIgGg for domain:   _acme-challenge.mydomain.xyz
2023-08-06T21:51:16-07:00 | acme.sh | [Sun Aug  6 21:51:16 PDT 2023] Getting webroot for domain='*.mydomain.xyz'
2023-08-06T21:51:16-07:00 | acme.sh | [Sun Aug  6 21:51:16 PDT 2023] Getting webroot for domain='mydomain.xyz'
2023-08-06T21:51:15-07:00 | acme.sh | [Sun Aug  6 21:51:15 PDT 2023] Getting domain auth token for each domain
2023-08-06T21:51:15-07:00 | acme.sh | [Sun Aug  6 21:51:15 PDT 2023] Multi domain='DNS:mydomain.xyz,DNS:*.mydomain.xyz'
2023-08-06T21:51:15-07:00 | acme.sh | [Sun Aug  6 21:51:15 PDT 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
```

I've updated my API key and even attempted to setup timeouts. The DNS txt record is never created. I'm not sure how to troubleshoot this more. Any help is appreciated.

Environment: OPNsense 23.7, AMD Ryzen 7 5800U, Intel® i226 network interface

OPNsense-bot commented 1 year ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

fraenki commented 1 year ago

Please enable debug logging on the Acme-Client settings page and try again. This may reveal why it is failing.

xer0x commented 11 months ago

@FreakyBigFoot I have a hunch that switching your /var/etc/acme-client/accounts/**/account.conf to use GANDI_LIVEDNS_TOKEN instead of GANDI_LIVEDNS_KEY will fix your problem.

Gandi switched to using a Personal Access Token for their authentication.

The ACME plugin UI looks like it might set the GANDI_LIVEDNS_KEY. The plugin looks like it has a little extra logic to handle both: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_gandi_livedns.sh#L23
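
The workaround described in the comment above, as an added example that is not part of the OPNsense plugin, acme.sh, or this thread: a small POSIX sh script that moves the secret stored under the legacy `GANDI_LIVEDNS_KEY` variable in an acme.sh `account.conf` to `GANDI_LIVEDNS_TOKEN`, leaves only one credential in the file, and shows which `Authorization` scheme each variable maps to (Gandi's v5 API documents `Apikey <key>` for the old API key and `Bearer <token>` for a Personal Access Token). It assumes acme.sh's `VAR='value'` line format for `account.conf`, that the value pasted into the UI's key field is in fact a PAT (the script only renames the variable, it cannot convert a key into a token), and that the file path is passed in explicitly; the sample file and its credential are constructed here and are not real.

```shell
#!/bin/sh
# Added example, not code from the OPNsense plugin or acme.sh.
# Migrates an acme.sh account.conf from GANDI_LIVEDNS_KEY to
# GANDI_LIVEDNS_TOKEN and derives the matching Authorization header.
# Assumption: account.conf stores values as VAR='value', one per line.
set -eu

# Print the value of VAR saved in FILE (empty if absent).
conf_get() {
  file=$1; var=$2
  sed -n "s/^${var}='\(.*\)'$/\1/p" "$file" | head -n 1
}

# Rewrite FILE so it carries the secret only as GANDI_LIVEDNS_TOKEN.
# If a token is already present, just drop the stale key line.
migrate_gandi_conf() {
  file=$1
  key=$(conf_get "$file" GANDI_LIVEDNS_KEY)
  token=$(conf_get "$file" GANDI_LIVEDNS_TOKEN)
  if [ -n "$token" ]; then
    grep -v '^GANDI_LIVEDNS_KEY=' "$file" > "$file.tmp" || :
  elif [ -n "$key" ]; then
    {
      grep -v '^GANDI_LIVEDNS_KEY=' "$file" || :
      printf "GANDI_LIVEDNS_TOKEN='%s'\n" "$key"
    } > "$file.tmp"
  else
    echo "no Gandi credential found in $file" >&2
    rm -f "$file.tmp"
    return 1
  fi
  mv "$file.tmp" "$file"
  chmod 600 "$file"   # the file holds a credential that can edit the zone
}

# Authorization header for the credential in FILE: a PAT is sent as a
# Bearer token, a legacy API key with the "Apikey" scheme.
gandi_auth_header() {
  file=$1
  token=$(conf_get "$file" GANDI_LIVEDNS_TOKEN)
  key=$(conf_get "$file" GANDI_LIVEDNS_KEY)
  if [ -n "$token" ]; then
    printf 'Authorization: Bearer %s\n' "$token"
  elif [ -n "$key" ]; then
    printf 'Authorization: Apikey %s\n' "$key"
  else
    return 1
  fi
}

# Constructed sample (not a real credential) resembling an account.conf
# in which a PAT was pasted into the UI's API key field.
demo=$(mktemp)
cat > "$demo" <<'EOF'
ACCOUNT_EMAIL='admin@example.invalid'
GANDI_LIVEDNS_KEY='example-pat-value-not-real'
EOF
migrate_gandi_conf "$demo"
gandi_auth_header "$demo"   # -> Authorization: Bearer example-pat-value-not-real
rm -f "$demo"
```

Run it against a copy of the account.conf under `/var/etc/acme-client/accounts/` first and diff the result; the script deliberately keeps only one of the two variables so acme.sh cannot fall back to the wrong scheme. Treat the file as a secret: anyone who can read it can change the zone's records, so scope the PAT as tightly as Gandi's UI allows and keep the file at mode 600.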

FreakyBigFoot commented 11 months ago

Hey @xer0x, thank you very much! That worked. @fraenki, so sorry, I never saw this response. It's been a crazy month or two.

I had to also paste my key in there. I wonder how we can get this updated in the UI to use the newer system?

fraenki commented 9 months ago

Support for Personal Access Tokens will be available in os-acme-client 3.20.