opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

security/acme-client: can't obtain production certificate using DNS challenge through Gandi DNS provider #3845

Closed tugdualenligne closed 1 week ago

tugdualenligne commented 6 months ago


Describe the bug
Can't obtain a production certificate using the DNS challenge through the Gandi DNS provider, but I can obtain Let's Encrypt staging certificates. Very strange issue. Any help appreciated.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'ACME plugin'
  2. Set up Let's Encrypt to issue certificates using the Production CA (not the Staging one)
  3. Try to issue
  4. See error: the Production CA doesn't issue a certificate

Expected behavior
I expect to be able to request LE certificates from the Production CA and not only the Staging CA.

Screenshots N/A

Relevant log files

2024-03-02T18:57:52 opnsense AcmeClient: validation for certificate failed: oceanos.XXXX.fr
2024-03-02T18:57:52 opnsense AcmeClient: domain validation failed (dns01)
2024-03-02T18:57:52 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_gandi_livedns' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/65da763b0ae855.58243047' --certpath '/var/etc/acme-client/certs/65da763b0ae855.58243047/cert.pem' --keypath '/var/etc/acme-client/keys/65da763b0ae855.58243047/private.key' --capath '/var/etc/acme-client/certs/65da763b0ae855.58243047/chain.pem' --fullchainpath '/var/etc/acme-client/certs/65da763b0ae855.58243047/fullchain.pem' --domain 'oceanos.XXXX.fr' --domain 'oceanos.XXXX.fr' --days '1' --force --ocsp --keylength '4096' --accountconf '/var/etc/acme-client/accounts/65da74b1412297.72803520_prod/account.conf''
2024-03-02T18:57:47 opnsense AcmeClient: using challenge type: DNS-challenge
2024-03-02T18:57:47 opnsense AcmeClient: account is registered: ACME
2024-03-02T18:57:47 opnsense AcmeClient: using CA: letsencrypt
2024-03-02T18:57:47 opnsense AcmeClient: issue certificate: oceanos.XXXX.fr

And

2024-03-02T18:57:51 acme.sh [Sat Mar 2 18:57:51 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2024-03-02T18:57:51 acme.sh [Sat Mar 2 18:57:51 CET 2024] Please add '--debug' or '--log' to check more details.
2024-03-02T18:57:51 acme.sh [Sat Mar 2 18:57:51 CET 2024] Error add txt for domain:_acme-challenge.oceanos.XXXX.fr
2024-03-02T18:57:50 acme.sh [Sat Mar 2 18:57:50 CET 2024] Adding txt value: SHslfCqq9nxoy4A_rKvmsJp4LF_anCWl0iluEB3jU_Y for domain: _acme-challenge.oceanos.XXXX.fr
2024-03-02T18:57:50 acme.sh [Sat Mar 2 18:57:50 CET 2024] Getting webroot for domain='oceanos.XXXX.fr'
2024-03-02T18:57:50 acme.sh [Sat Mar 2 18:57:50 CET 2024] Getting webroot for domain='oceanos.XXXX.fr'
2024-03-02T18:57:48 acme.sh [Sat Mar 2 18:57:48 CET 2024] Getting domain auth token for each domain
2024-03-02T18:57:48 acme.sh [Sat Mar 2 18:57:48 CET 2024] Multi domain='DNS:oceanos.XXXX.fr,DNS:oceanos.XXXX.fr'
2024-03-02T18:57:48 acme.sh [Sat Mar 2 18:57:48 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory

Additional context N/A

Environment
OPNsense 24.1.2_1-amd64

fraenki commented 6 months ago

Error add txt for domain

It failed to add the required DNS entries. Maybe wrong credentials? Set log level to "debug 3" and try again.

tugdualenligne commented 6 months ago

Sure, I can try to change the log level, not too sure how to do that, but if I can obtain a Staging certificate with the same exact credentials, it is strange it doesn't work for the Prod environment.

Thx

fraenki commented 6 months ago

Sure, I can try to change log level, not too sure how to do that

Services -> ACME Client -> Settings

tugdualenligne commented 6 months ago

Thx. Here are the requested logs:

2024-03-05T19:12:54 acme.sh [Tue Mar 5 19:12:54 CET 2024] skip dns.
2024-03-05T19:12:54 acme.sh [Tue Mar 5 19:12:54 CET 2024] dns_entries
2024-03-05T19:12:54 acme.sh [Tue Mar 5 19:12:54 CET 2024] _clearupdns
2024-03-05T19:12:54 acme.sh [Tue Mar 5 19:12:54 CET 2024] No need to restore nginx, skip.
2024-03-05T19:12:54 acme.sh [Tue Mar 5 19:12:54 CET 2024] pid
        #define WITH_DEFAULT_IPV 4
        #define WITH_MSGLEVEL 0 /*debug*/
        #define WITH_RETRY 1
        #define WITH_FILAN 1
        #define WITH_SYCLS 1
        #define WITH_LIBWRAP 1
        #undef WITH_FIPS
        #define WITH_OPENSSL 1
        #define WITH_PTY 1
        #undef WITH_TUN
        #undef WITH_READLINE
        #define WITH_EXEC 1
        #define WITH_SHELL 1
        #define WITH_SYSTEM 1
        #define WITH_PROXY 1
        #undef WITH_NAMESPACES
        #undef WITH_VSOCK
        #define WITH_SOCKS5 1
        #define WITH_SOCKS4A 1
        #define WITH_SOCKS4 1
        #undef WITH_POSIXMQ
        #define WITH_LISTEN 1
        #define WITH_UDPLITE 1
        #define WITH_DCCP 1
        #define WITH_SCTP 1
        #define WITH_UDP 1
        #define WITH_TCP 1
        #undef WITH_INTERFACE
        #define WITH_GENERICSOCKET 1
        #define WITH_RAWIP 1
        #define WITH_IP6 1
        #define WITH_IP4 1
        #undef WITH_ABSTRACT_UNIXSOCKET
        #define WITH_UNIX 1
        #define WITH_SOCKETPAIR 1
        #define WITH_PIPE 1
        #define WITH_TERMIOS 1
        #define WITH_GOPEN 1
        #define WITH_CREAT 1
        #define WITH_FILE 1
        #define WITH_FDNUM 1
        #define WITH_STDIO 1
        #define WITH_STATS 1
        #define WITH_HELP 1
        features:
        running on FreeBSD version FreeBSD 13.2-RELEASE-p10 stable/24.1-n254984-f7b006edfa8 SMP, release 13.2-RELEASE-p10, machine amd64
        socat version 1.8.0.0 on Jan 26 2024 01:12:33
        socat by Gerhard Rieger and contributors - see www.dest-unreach.org
        socat:
        nginx doesn't exist.
        nginx:
        apache doesn't exist.
        apache:
        OpenSSL 1.1.1t-freebsd 7 Feb 2023
        openssl:openssl
2024-03-05T19:12:54 acme.sh [Tue Mar 5 19:12:54 CET 2024] Diagnosis versions:
2024-03-05T19:12:54 acme.sh [Tue Mar 5 19:12:54 CET 2024] code='200'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] _ret='0'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.T4nmE9gP -g '
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/322815227257/QH3nnQ'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] POST
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] payload='{}'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/322815227257/QH3nnQ'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] =======Begin Send Signed Request=======
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] Please add '--debug' or '--log' to check more details.
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] _on_issue_err
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] Error add txt for domain:_acme-challenge.oceanos.du-XXXXXX.fr
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] _ret='0'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.T4nmE9gP -g '
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] _post_url='https://dns.api.gandi.net/api/v5/domains/du-XXXXXX.fr/records/_acme-challenge.oceanos/TXT'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] PUT
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] data='{"rrset_ttl": 300, "rrset_values": ["9M4qCwqc6QP4GG_UYi80qvajfQwQeQPznXs88sCk6rs"]}'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] domains/du-XXXXXX.fr/records/_acme-challenge.oceanos/TXT
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] new_rrset_values='["9M4qCwqc6QP4GG_UYi80qvajfQwQeQPznXs88sCk6rs"]'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] Creating new record
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] Does not have a _acme-challenge TXT record yet.
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] ret='0'
2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.T4nmE9gP -g '
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] timeout=
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] url='https://dns.api.gandi.net/api/v5/domains/du-XXXXXX.fr/records/_acme-challenge.oceanos'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] GET
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] domains/du-XXXXXX.fr/records/_acme-challenge.oceanos
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] sub_domain='_acme-challenge.oceanos'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] domain='du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] txtvalue='9M4qCwqc6QP4GG_UYi80qvajfQwQeQPznXs88sCk6rs'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] fulldomain='_acme-challenge.oceanos.du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] ret='0'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.T4nmE9gP -g '
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] timeout=
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] url='https://dns.api.gandi.net/api/v5/domains/du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] GET
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] domains/du-XXXXXX.fr
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] h='du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] oceanos.du-XXXXXX.fr not found
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] ret='0'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.T4nmE9gP -g '
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] timeout=
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] url='https://dns.api.gandi.net/api/v5/domains/oceanos.du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] GET
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] domains/oceanos.du-XXXXXX.fr
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] h='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] First detect the root zone
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] Adding txt value: 9M4qCwqc6QP4GG_UYi80qvajfQwQeQPznXs88sCk6rs for domain: _acme-challenge.oceanos.du-XXXXXX.fr
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_gandi_livedns.sh
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_gandi_livedns.sh'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] txt='9M4qCwqc6QP4GG_UYi80qvajfQwQeQPznXs88sCk6rs'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] txtdomain='_acme-challenge.oceanos.du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] _d_alias
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] d='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] vlist='oceanos.du-XXXXXX.fr#UXXyrb9zfRLPJe5HkVe4vHWwoeHMM2_gnfOCGOl0x2k.Zoao8VUsfk2dBILPfmbn_nhT3xDkwRTHwbR1o8irLJI#https://acme-v02.api.letsencrypt.org/acme/chall-v3/322815227257/QH3nnQ#dns-01#dns_gandi_livedns#https://acme-v02.api.letsencrypt.org/acme/authz-v3/322815227257,'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] d
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] dvlist='oceanos.du-XXXXXX.fr#UXXyrb9zfRLPJe5HkVe4vHWwoeHMM2_gnfOCGOl0x2k.Zoao8VUsfk2dBILPfmbn_nhT3xDkwRTHwbR1o8irLJI#https://acme-v02.api.letsencrypt.org/acme/chall-v3/322815227257/QH3nnQ#dns-01#dns_gandi_livedns#https://acme-v02.api.letsencrypt.org/acme/authz-v3/322815227257'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] keyauthorization='UXXyrb9zfRLPJe5HkVe4vHWwoeHMM2_gnfOCGOl0x2k.Zoao8VUsfk2dBILPfmbn_nhT3xDkwRTHwbR1o8irLJI'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/322815227257/QH3nnQ'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] token='UXXyrb9zfRLPJe5HkVe4vHWwoeHMM2_gnfOCGOl0x2k'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/322815227257/QH3nnQ","token":"UXXyrb9zfRLPJe5HkVe4vHWwoeHMM2_gnfOCGOl0x2k"'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/322815227257'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] _currentRoot='dns_gandi_livedns'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] _w='dns_gandi_livedns'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] Getting webroot for domain='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] d='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] code='200'
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] _ret='0'
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.T4nmE9gP -g '
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/322815227257'
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] POST
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] payload
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/322815227257'
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] =======Begin Send Signed Request=======
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1587203917/249856658727'
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/1587203917/249856658727'
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] code='201'
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] _ret='0'
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.T4nmE9gP -g '
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] POST
2024-03-05T19:12:51 acme.sh [Tue Mar 5 19:12:51 CET 2024] _ret='0'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.T4nmE9gP -g -I '
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] HEAD
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] RSA key
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] payload='{"identifiers": [{"type":"dns","value":"oceanos.du-XXXXXX.fr"}]}'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] =======Begin Send Signed Request=======
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] d
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] Getting domain auth token for each domain
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] Single domain='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] _createcsr
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] Read key length:4096
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] _saved_account_key_hash is not changed, skip register account.
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] d
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] _currentRoot='dns_gandi_livedns'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] Check for domain='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] d='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] Le_LocalAddress
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] _chk_alt_domains
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] _chk_main_domain='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] _on_before_issue
2024-03-05T19:12:50 acme.sh [Tue Mar 5 19:12:50 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ACME_NEW_AUTHZ
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ret='0'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.0f864CAu -g '
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] timeout=
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] url='https://acme-v02.api.letsencrypt.org/directory'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] GET
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] _init api for server: https://acme-v02.api.letsencrypt.org/directory
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] Le_NextRenewTime
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] DOMAIN_PATH='/var/etc/acme-client/cert-home/65e4e36976b151.96815654/oceanos.du-XXXXXX.fr'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] Using config home:/var/etc/acme-client/home
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] _alt_domains='no'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] _main_domain='oceanos.du-XXXXXX.fr'
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] Running cmd: issue
2024-03-05T19:12:49 acme.sh [Tue Mar 5 19:12:49 CET 2024] Using server: https://acme-v02.api.letsencrypt.org/directory

fraenki commented 5 months ago

I think these log entries may be of interest:

2024-03-05T19:12:53 acme.sh [Tue Mar 5 19:12:53 CET 2024] Error add txt for domain:_acme-challenge.oceanos.du-XXXXXX.fr
...
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] oceanos.du-XXXXXX.fr not found
...
2024-03-05T19:12:52 acme.sh [Tue Mar 5 19:12:52 CET 2024] url='https://dns.api.gandi.net/api/v5/domains/oceanos.du-XXXXXX.fr'

First it fails to find the "oceanos" subdomain (while querying the Gandi API), and consequently it fails to add the required TXT DNS entry. That's all we know.

The current version of acme.sh (on OPNsense) still uses the old Gandi API. This may be important to know, because it looks like the old Gandi API does not support Personal Access Tokens and other limitations may apply.

The next version of acme.sh will contain support for the new Gandi API, maybe this will solve your issue: https://github.com/acmesh-official/acme.sh/commit/bfb41ce12327ccd49fd7ef0b4d077d2f1a6506e7

Again, I'm just guessing here...
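As an added illustration (not acme.sh's or the OPNsense plugin's code) of the two steps the debug log shows, the root-zone walk up the labels and the PUT of the `_acme-challenge` TXT rrset, with the HTTP status checked instead of curl's exit code. The Gandi API base URL and request body shape are taken from the log; the `X-Api-Key` versus `Authorization: Bearer` split and the behaviour of `fake_gandi` are assumptions constructed so the logic runs offline, not the diagnosed cause of the issue.

```python
# Added example, not acme.sh or OPNsense plugin code; URLs and body shape are from the log.
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

GANDI_API = "https://dns.api.gandi.net/api/v5"  # base URL taken from the debug log
Headers = Dict[str, str]
# transport(method, url, headers, body) -> (http_status, response_body)
Transport = Callable[[str, str, Headers, Optional[bytes]], Tuple[int, str]]

def auth_headers(token: str, personal_access_token: bool) -> Headers:
    # Assumption, not stated in the issue: classic API keys travel in X-Api-Key,
    # Personal Access Tokens in an Authorization: Bearer header.
    return ({"Authorization": f"Bearer {token}"} if personal_access_token
            else {"X-Api-Key": token})

def urllib_transport(method: str, url: str, headers: Headers,
                     body: Optional[bytes]) -> Tuple[int, str]:
    # Real transport: 4xx/5xx answers are returned with their body, not raised.
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def find_root_zone(fulldomain: str, headers: Headers,
                   transport: Transport) -> Optional[Tuple[str, str]]:
    # Same walk as acme.sh: for _acme-challenge.oceanos.du-XXXXXX.fr try
    # GET domains/oceanos.du-XXXXXX.fr, then domains/du-XXXXXX.fr, never the TLD.
    labels = fulldomain.split(".")
    for i in range(1, len(labels) - 1):
        zone = ".".join(labels[i:])
        status, _ = transport("GET", f"{GANDI_API}/domains/{zone}", headers, None)
        if status == 200:
            return zone, ".".join(labels[:i])  # (zone, relative rrset name)
    return None

def add_txt_record(fulldomain: str, value: str, headers: Headers,
                   transport: Transport) -> Tuple[bool, str]:
    # Success is judged by the HTTP status, not by the request completing
    # (curl exit 0 is what acme.sh logs as ret='0' even when the API refuses).
    root = find_root_zone(fulldomain, headers, transport)
    if root is None:
        return False, "root zone not found: token rejected or zone not in this account"
    zone, name = root
    url = f"{GANDI_API}/domains/{zone}/records/{name}/TXT"
    body = json.dumps({"rrset_ttl": 300, "rrset_values": [value]}).encode()
    hdrs = {**headers, "Content-Type": "application/json"}
    status, resp = transport("PUT", url, hdrs, body)
    return (True, resp) if status in (200, 201) else (False, f"HTTP {status}: {resp}")

def fake_gandi(method: str, url: str, headers: Headers,
               body: Optional[bytes]) -> Tuple[int, str]:
    # Constructed offline stand-in, not the real service and not the diagnosed
    # cause: only du-XXXXXX.fr exists, reads take any header, writes need Bearer.
    path = url[len(GANDI_API) + 1:]
    if method == "GET" and path == "domains/du-XXXXXX.fr":
        return 200, '{"fqdn": "du-XXXXXX.fr"}'
    if method == "PUT" and path.startswith("domains/du-XXXXXX.fr/records/"):
        if "Authorization" not in headers:
            return 403, '{"code": 403, "message": "Forbidden"}'
        return 201, '{"message": "DNS Record Created"}'
    return 404, '{"code": 404, "message": "The resource could not be found."}'
```

Against the real service, pass `urllib_transport` instead of `fake_gandi`; the returned message then carries the API's own status and body for the step that failed, which the plugin's `ret='0'` lines do not show.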

OPNsense-bot commented 1 week ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.