opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

os-acme-client / acme.sh - namesilo dns challenge failure, might need to update acme.sh package shipped with opnsense #4062

Open sk0rabu opened 3 months ago

sk0rabu commented 3 months ago

Describe the bug

Currently the OPNsense repo ships with version 3.0.7_1 of acme.sh, which does not seem to work well with the DNS-01 challenge for namesilo domains.

I tried to add a domain in the web UI and issue a new cert (which in turn requires a DNS challenge), but it would always run into errors such as these in the logs:

```
AcmeClient: domain validation failed (dns01)
AcmeClient: validation for certificate failed: xxx
```

Errors from syslog:

```
Can not find dns api hook for: dns_namesilo
Please add the TXT records to the domains, and re-run with --renew.
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
```

The full command for issuing the cert (and starting a DNS challenge) is:

```
/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_namesilo' --dnssleep 'xxxx' --home '/var/etc/acme-client/home' --cert-home '/var/etc/cert/home' --certpath '/var/etc/acme-client/cert/path' --keypath '/var/etc/acme-client/key/path' --capath '/var/etc/acme-client/ca/path' --fullchainpath '/var/etc/acme-client/full/chain' --domain 'your.domain' --domain '*.your.domain' --days '1' --force  --keylength 'ec-384' --accountconf '/var/etc/acme-client/account/conf'
```

Running this manually in a shell starts the manual DNS challenge.

I think that for some reason the acme.sh pkg included in the repo may be missing the dns api hook. I tried this solution to update the dns api hooks, to no avail. But if I instead run the updated /root/.acme.sh/acme.sh itself with the above arguments, it correctly calls the API and automates the DNS challenge.

It would be great if you could take a look. Thanks.

fraenki commented 3 months ago

> Currently the OPNsense repo ships with 3.0.7_1 version of acme.sh, which seems to not work well with DNS-01 challenge with namesilo domains.

OPNsense already includes the required file:

```
root@opnsense:~ # pkg list acme.sh-3.0.7_1 | grep namesilo
/usr/local/share/examples/acme.sh/dnsapi/dns_namesilo.sh
```

The reason why it's not found by Acme Client is probably manual modifications to acme.sh on this OPNsense installation, maybe from running acme.sh manually with incompatible/insufficient parameters...

> I tried this solution to update the dns api hooks to no avail. But if I instead run the updated /root/.acme.sh/acme.sh itself with the above arguments, it correctly calls the API and automates the DNS challenge.

This is not recommended and unsupported. If you manually upgrade acme.sh, you risk permanently breaking Acme Client.
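As an added diagnostic (not code from OPNsense or acme.sh), the following POSIX shell script reproduces, in simplified form, the lookup behind the "Can not find dns api hook" message: it checks for `<dir>/dnsapi/<hook>.sh` in each candidate directory and reports the first match, which makes it quick to see whether the package copy and the Acme Client `--home` directory disagree after a manual acme.sh change. The two default directories and the script name `check_dns_hook.sh` are assumptions based on the paths in this issue.

```sh
#!/bin/sh
# Added diagnostic, not part of OPNsense or acme.sh. Assumed layout: each directory
# passed to find_dns_hook contains a "dnsapi" subdirectory holding "dns_<name>.sh".

# Accept only plain "dns_<identifier>" names so the lookup can never be pointed
# outside the dnsapi directory (e.g. by a name containing "../").
valid_hook_name() {
  case "$1" in
    dns_*[!A-Za-z0-9_]*) return 1 ;;   # any non-identifier character: reject
    dns_[A-Za-z0-9_]*)   return 0 ;;   # dns_ followed by at least one identifier char
    *)                   return 1 ;;
  esac
}

# Usage: find_dns_hook <hook-name> <dir> [<dir> ...]
# Prints the first existing hook file and returns 0; returns 1 if none is found,
# 2 if the hook name is malformed.
find_dns_hook() {
  hook="$1"; shift
  valid_hook_name "$hook" || { echo "invalid hook name: $hook" >&2; return 2; }
  for dir in "$@"; do
    candidate="$dir/dnsapi/$hook.sh"
    if [ -f "$candidate" ]; then
      echo "$candidate"
      return 0
    fi
  done
  echo "Can not find dns api hook for: $hook (searched: $*)" >&2
  return 1
}

# Assumed defaults for an OPNsense install as described above: the package's own
# copy of the hooks, then the Acme Client working directory passed via --home.
ACME_PKG_HOME=/usr/local/share/examples/acme.sh
ACME_CLIENT_HOME=/var/etc/acme-client/home

main() {
  find_dns_hook "${1:-dns_namesilo}" "$ACME_PKG_HOME" "$ACME_CLIENT_HOME"
}

# Run main only when executed as check_dns_hook.sh, so the functions can also be sourced.
if [ "${0##*/}" = "check_dns_hook.sh" ]; then
  main "$@"
fi
```

Run it as `sh check_dns_hook.sh dns_namesilo`; a non-zero exit with the "Can not find" line means neither directory holds the hook file that the pkg listing above shows should be present.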