opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

ACME plugin: can't obtain production certificate using DNS challenge through Gandi DNS provider #3844

Closed tugdualenligne closed 7 months ago

tugdualenligne commented 7 months ago

Describe the bug
Can't obtain production certificate using DNS challenge through Gandi DNS provider, but I can obtain Let's Encrypt staging certificates. Very strange issue. Any help appreciated.

Expected behavior
I expect to be able to request LE certificates from the Production CA and not only the Staging CA.

Relevant log files
2024-03-02T18:57:52 opnsense AcmeClient: validation for certificate failed: oceanos.XXXX.fr
2024-03-02T18:57:52 opnsense AcmeClient: domain validation failed (dns01)
2024-03-02T18:57:52 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_gandi_livedns' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/65da763b0ae855.58243047' --certpath '/var/etc/acme-client/certs/65da763b0ae855.58243047/cert.pem' --keypath '/var/etc/acme-client/keys/65da763b0ae855.58243047/private.key' --capath '/var/etc/acme-client/certs/65da763b0ae855.58243047/chain.pem' --fullchainpath '/var/etc/acme-client/certs/65da763b0ae855.58243047/fullchain.pem' --domain 'oceanos.XXXX.fr' --domain 'oceanos.XXXX.fr' --days '1' --force --ocsp --keylength '4096' --accountconf '/var/etc/acme-client/accounts/65da74b1412297.72803520_prod/account.conf''
2024-03-02T18:57:47 opnsense AcmeClient: using challenge type: DNS-challenge
2024-03-02T18:57:47 opnsense AcmeClient: account is registered: ACME
2024-03-02T18:57:47 opnsense AcmeClient: using CA: letsencrypt
2024-03-02T18:57:47 opnsense AcmeClient: issue certificate: oceanos.XXXX.fr

And

2024-03-02T18:57:51 acme.sh [Sat Mar 2 18:57:51 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2024-03-02T18:57:51 acme.sh [Sat Mar 2 18:57:51 CET 2024] Please add '--debug' or '--log' to check more details.
2024-03-02T18:57:51 acme.sh [Sat Mar 2 18:57:51 CET 2024] Error add txt for domain:_acme-challenge.oceanos.XXXX.fr
2024-03-02T18:57:50 acme.sh [Sat Mar 2 18:57:50 CET 2024] Adding txt value: SHslfCqq9nxoy4A_rKvmsJp4LF_anCWl0iluEB3jU_Y for domain: _acme-challenge.oceanos.XXXX.fr
2024-03-02T18:57:50 acme.sh [Sat Mar 2 18:57:50 CET 2024] Getting webroot for domain='oceanos.XXXX.fr'
2024-03-02T18:57:50 acme.sh [Sat Mar 2 18:57:50 CET 2024] Getting webroot for domain='oceanos.XXXX.fr'
2024-03-02T18:57:48 acme.sh [Sat Mar 2 18:57:48 CET 2024] Getting domain auth token for each domain
2024-03-02T18:57:48 acme.sh [Sat Mar 2 18:57:48 CET 2024] Multi domain='DNS:oceanos.XXXX.fr,DNS:oceanos.XXXX.fr'
2024-03-02T18:57:48 acme.sh [Sat Mar 2 18:57:48 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory

Environment
OPNsense 24.1.2_1-amd64
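Added example for triaging a report like the one above; it is not code from the issue or from the OPNsense plugin. The script splits the quoted syslog lines into timestamped entries, pulls the acme.sh invocation out of the lecert.php line, and classifies the first error by where acme.sh emits it: "Error add txt for domain" is printed by the dns_* hook (here dns_gandi_livedns) when the provider API call that creates the TXT record fails, which happens before the CA is asked to validate anything, whereas "Verify error" is the CA's verdict after it has looked the record up. Run on the sample it also reports that the same name is passed twice with --domain (mirrored by the "Multi domain=" line) and which account.conf the production run used, so the staging and production runs can be compared on the inputs that actually differ. The sample log is constructed from the lines in the report with the long command abridged to the arguments the script reads; the "Verify error" wording is assumed from acme.sh's own messages.

```python
"""Triage helper for an OPNsense AcmeClient / acme.sh DNS-01 failure.

Added example, not code from the issue report or the OPNsense plugin.
It parses the plugin's syslog lines, extracts the acme.sh command from
the lecert.php entry and reports whether the run died in the DNS hook
(provider API call, before CA validation) or during CA validation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample built from the lines quoted in the report (command abridged).
SAMPLE_LOG = """\
2024-03-02T18:57:52 opnsense AcmeClient: validation for certificate failed: oceanos.XXXX.fr
2024-03-02T18:57:52 opnsense AcmeClient: domain validation failed (dns01)
2024-03-02T18:57:52 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --server 'letsencrypt' --dns 'dns_gandi_livedns' --domain 'oceanos.XXXX.fr' --domain 'oceanos.XXXX.fr' --days '1' --force --accountconf '/var/etc/acme-client/accounts/65da74b1412297.72803520_prod/account.conf''
2024-03-02T18:57:47 opnsense AcmeClient: using challenge type: DNS-challenge
2024-03-02T18:57:47 opnsense AcmeClient: using CA: letsencrypt
2024-03-02T18:57:51 acme.sh [Sat Mar 2 18:57:51 CET 2024] Error add txt for domain:_acme-challenge.oceanos.XXXX.fr
2024-03-02T18:57:50 acme.sh [Sat Mar 2 18:57:50 CET 2024] Adding txt value: SHslfCqq9nxoy4A_rKvmsJp4LF_anCWl0iluEB3jU_Y for domain: _acme-challenge.oceanos.XXXX.fr
2024-03-02T18:57:48 acme.sh [Sat Mar 2 18:57:48 CET 2024] Multi domain='DNS:oceanos.XXXX.fr,DNS:oceanos.XXXX.fr'
2024-03-02T18:57:48 acme.sh [Sat Mar 2 18:57:48 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<src>\S+)\s+(?P<msg>.*)$")
ACME_PREFIX_RE = re.compile(r"^\[[^\]]*\]\s*")  # acme.sh's own "[Sat Mar 2 ...]" stamp
CMD_RE = re.compile(r"The shell command returned exit code '(?P<code>\d+)': '(?P<cmd>.*)'$")

# Where each error wording is produced: the dns_* hook (provider API call, made
# before the CA is told to validate) or the CA's answer after it looked the
# record up.  "Verify error" is assumed from acme.sh's own messages.
STAGE_PATTERNS = [
    ("dns_provider", re.compile(r"Error add txt for domain:")),
    ("ca_validation", re.compile(r"Verify error")),
]


@dataclass
class Entry:
    ts: str
    src: str
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Split syslog text into entries, oldest first (stable within one second)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], m["src"], ACME_PREFIX_RE.sub("", m["msg"])))
    entries.sort(key=lambda e: e.ts)
    return entries


def _note_domains(report: Dict[str, object], names: List[str]) -> None:
    report["domains"] = list(dict.fromkeys(names))
    report["duplicate_domains"] = [n for n in report["domains"] if names.count(n) > 1]


def diagnose(text: str) -> Dict[str, object]:
    report: Dict[str, object] = {"ca_url": None, "server": None, "dns_hook": None, "accountconf": None,
                                 "exit_code": None, "domains": [], "duplicate_domains": [],
                                 "txt_records": [], "first_error": None, "stage": "none"}
    for e in parse_log(text):
        if m := re.match(r"Using CA:\s*(\S+)", e.msg):
            report["ca_url"] = m.group(1)
        if m := re.match(r"(?:Multi|Single) domain='([^']*)'", e.msg):
            _note_domains(report, [n.split(":", 1)[-1] for n in m.group(1).split(",") if n])
        if m := re.match(r"Adding txt value:\s*(\S+)\s+for domain:\s*(\S+)", e.msg):
            report["txt_records"].append((m.group(2), m.group(1)))
        if m := CMD_RE.search(e.msg):  # the acme.sh invocation logged by lecert.php
            cmd = m["cmd"]
            report["exit_code"] = int(m["code"])
            for key, flag in (("server", "--server"), ("dns_hook", "--dns"), ("accountconf", "--accountconf")):
                if fm := re.search(flag + r" '([^']*)'", cmd):
                    report[key] = fm.group(1)
            _note_domains(report, re.findall(r"--domain '([^']*)'", cmd))
        if report["first_error"] is None:
            for stage, pat in STAGE_PATTERNS:
                if pat.search(e.msg):
                    report["first_error"], report["stage"] = e.msg, stage
                    break
    return report


def summary(report: Dict[str, object]) -> str:
    out = [f"acme.sh exit {report['exit_code']}, --server {report['server']}, --dns {report['dns_hook']}",
           f"account conf: {report['accountconf']}", f"CA directory: {report['ca_url']}",
           f"domains: {', '.join(report['domains'])}"]
    if report["duplicate_domains"]:
        out.append(f"note: passed more than once: {', '.join(report['duplicate_domains'])}")
    for name, value in report["txt_records"]:
        out.append(f'TXT attempted: {name} TXT "{value}"')
    out.append("verdict: " + {
        "dns_provider": "failed inside the DNS hook while adding the TXT record, before the CA was asked "
                        "to validate; check the provider API credentials and zone permissions this run used",
        "ca_validation": "the CA rejected the challenge after looking it up; check the record is visible "
                         "from public resolvers",
    }.get(report["stage"], "no recognised acme.sh error line"))
    if report["first_error"]:
        out.append(f"first error: {report['first_error']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summary(diagnose(SAMPLE_LOG)))
```

Pipe the plugin's log export into diagnose() instead of SAMPLE_LOG for a real run; the verdict only says which side of the exchange failed, the next step for the dns_provider case is re-running acme.sh with the '--debug' flag the log itself suggests.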

OPNsense-bot commented 7 months ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.