rmbolger / Posh-ACME

PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
https://poshac.me/docs/latest/
MIT License

NameCom plugin - Domain not found #556

Closed eeldivad closed 1 month ago

eeldivad commented 1 month ago

I can't create a wildcard certificate for my domain. but it works for non-wildcard.

this works in LE_PROD

New-PACertificate 'eeldivad.net' -AcceptTOS -Contact $email

this fails in LE_PROD

New-PACertificate '*.eeldivad.net' -AcceptTOS -Contact $email

Exception: C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.24.0\Public\New-PACertificate.ps1:256
Line |
 256 | Submit-ChallengeValidation
     | ~~~~~~
     | Domain not found for _acme-challenge.eeldivad.net

this works in LE_STAGE

New-PACertificate '*.eeldivad.net' -AcceptTOS -Contact $email

Not sure why, but I had just transferred the domain from GoDaddy to name.com yesterday since GoDaddy dropped support for the API. All looks good and I verified the new name servers at name.com are working properly when I make changes there. Any idea why I can't create a cert for *.eeldivad.net in LE_PROD but I can create the cert for eeldivad.net?

I am using the latest PowerShell 7.4.3 and Posh-ACME 4.24.0.

rmbolger commented 1 month ago

There shouldn't be any normal reason why a non-wildcard works and a wildcard doesn't work aside from CAA record restrictions which the error message from Let's Encrypt would have indicated. The TXT record that needs to be created for the DNS challenge is literally the same FQDN, just different values.

That said, there have been a few service interruptions in the past couple days that could have coincided with your attempts. The most recent one was today and affected connectivity from New Zealand apparently. https://letsencrypt.status.io/

Your calls to New-PACertificate don't specify a plugin or pluginargs. Are you using the default manual DNS plugin for the time being? If so, you might want to try adding a slightly longer -DnsSleep value than the default of 2 min. It's possible the name.com nameservers need a bit more time to propagate. You might try doubling it to 4 minutes with -DnsSleep 240.

eeldivad commented 1 month ago

I just tried yesterday and today again and got the same error when I run this:

New-PACertificate '*.eeldivad.net' -AcceptTOS -Contact $email

I tried it with the plugin before and got the same error. I tried it with valid and invalid credentials and got the same error, so it's not even reaching the part that connects to the API yet before it fails:

New-PACertificate *.eeldivad.net, eeldivad.net -AcceptTOS -Contact $email -Plugin NameCom -PluginArgs $pargs -Force

The reason I think there's a bug is that when I do it without the plugin, I expect it to ask me to create the TXT record, but it gives me the error within a few seconds instead. I tried -DnsSleep 300 but it still gives me the same error after 1 or 2 seconds and doesn't bother waiting. Could you try running the same command for my domain and see why it doesn't ask me to create the TXT?

When I try the same command with *.aol.com then it asks me to create the TXT record as expected, even though I don't own it. I think it's the way the code tries to look up the domain or something, so it seems specific to the domain, but no idea what it is. I thought it just does an nslookup to verify the domain is valid and then by default it should ask me to create the TXT and then wait 2 min to verify I created it. It's as if it skipped a step and doesn't ask me to create the TXT record and just tries to look for _acme-challenge.eeldivad.net before I had a chance to create it.

rmbolger commented 1 month ago

There's no domain lookup on the module side. It takes whatever string it's given as a domain name and passes it straight to the ACME server as-is.

The initial error you posted indicated the error occurred during the call to Submit-ChallengeValidation which is sort of the meat of the process and also where the plugins get called. Getting there means the module was able to successfully create an order object on the ACME server and its state was "pending" which indicates there is at least one identifier/name in the order that needs a challenge validated. The actual error message Domain not found for <blah> is explicitly an error thrown by the NameCom plugin.

I think what's confusing things is that subsequent calls to New-PACertificate without the plugin parameters are picking up and re-using the existing pending order that has the plugin parameters already attached. We can fix that by explicitly removing the old order with Get-PAOrder | Remove-PAOrder and then re-running New-PACertificate without the plugin parameters which should at least let you proceed manually.

But ultimately, it sounds like we're going to have to troubleshoot the actual plugin functionality. Give this a try to test just the plugin functionality without the hassle of actually creating a cert order.

# Use your existing $pargs var and leave the domain as the non-wildcard form. Don't add "*."
$DebugPreference = 'Continue'  # enable debug output
Publish-Challenge eeldivad.net (Get-PAAccount) faketoken NameCom $pargs -Verbose

Looking at the code, we're not going to get much in the way of Verbose or Debug output, but every little bit helps if you can post the results.

eeldivad commented 1 month ago

Doesn't look like the order was ever created. I see an old order for a slightly different domain, eeldivad.com, but not for eeldivad.net. But it won't let me delete the old order for the other domain either. I'm running as administrator.

PS C:\Users\Administrator> Get-PAOrder

Name           MainDomain     status  KeyLength SANs CertExpires Plugin
----           ----------     ------  --------- ---- ----------- ------
!.eeldivad.com *.eeldivad.com pending 2048      {}               {GoDaddy, GoDaddy}

PS C:\Users\Administrator> Get-PAOrder | Remove-PAAccount
WARNING: Specified account ID (!.eeldivad.com) was not found.

Then I run the publish-challenge and get this error:

$DebugPreference = 'Continue'  # enable debug output
PS C:\Users\Administrator> Publish-Challenge eeldivad.net (Get-PAAccount) faketoken NameCom $pargs -Verbose
VERBOSE: Publishing challenge for Domain eeldivad.net with Token faketoken using Plugin NameCom and DnsAlias ''.
DEBUG: Loading PAAccount list from disk
DEBUG: Calling NameCom plugin to add _acme-challenge.eeldivad.net TXT with value t_wT5BeeFglSuwjNVz510ZCRVOw7CI42HtzRDrrt4jw
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 response of content type text/html of unknown size
Exception: C:\Users\Administrator\Documents\PowerShell\Modules\posh-acme\4.24.0\Plugins\NameCom.ps1:244
Line |
 244 |          throw "Domain not found for $RecordName"
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Domain not found for _acme-challenge.eeldivad.net

rmbolger commented 1 month ago

Try Get-PAOrder -List to see all previous orders instead of just the currently selected one.

The Publish-Challenge test basically verifies that something in the plugin and something in the API are not happy with each other or the credentials you're trying to use with the plugin are somehow not working. Or perhaps something about the API changed since the last time the code was touched. Unfortunately, the existing plugin code doesn't have the greatest error handling to narrow down the problem.

I'll probably end up picking up a cheap throwaway domain with them to test stuff with and refactor the plugin code while I'm at it. But I'm also about to go on vacation. So no promises on timeline.

eeldivad commented 1 month ago

After using Get-PAOrder -List I was able to see the order and remove it. After removing it I was able to create a new wildcard order manually and it finally asks me to create the TXT, and after doing so it generated the cert as expected:

New-PACertificate *.eeldivad.net, eeldivad.net -AcceptTOS -Contact $email

But then I removed the order and tried it again with the plugin and it fails with the same error. Yeah, I think there must have been changes to the API that broke the plugin. You are welcome to use my API token and account to test it on your side with my domain. eeldivad.net is a test domain so I don't mind giving you access to it. It's the only domain on my name.com account since I wanted to make sure everything works before I continue transferring my other domains from GoDaddy. Let me know and I can DM you the token if you want to use it. Thank you so much for taking the time to create and support this awesome product.

rmbolger commented 1 month ago

Hey @eeldivad, do you by chance have two-step verification enabled on your account? I'm poking around on my own account and it looks like the API no longer allows access to API keys when the parent account has two-step verification enabled.

I'll still need to update the plugin with better error handling to be sure. But my guess is that turning off two-step verification on your account will fix things for you. And yes, that is an utterly dumb security decision on Name.com's part.
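The debug output earlier in this thread shows the tell-tale symptom of this failure mode: the plugin asked the API for JSON and got back a text/html response, which the plugin's zone lookup then reported as "Domain not found". The pre-flight check below is an added example written for this thread, not code from the Posh-ACME NameCom plugin, and it shows the kind of error handling that separates "the API refused to talk to us at all" (wrong credentials, or API access disabled because two-step verification is on) from a genuine "zone not present on this account". The API base URL, the /domains path, the username:token Basic-auth scheme and the shape of the JSON response are assumptions made for the example; check them against name.com's current API documentation before relying on them.

```powershell
# Added example, not Posh-ACME's NameCom plugin code.
# Assumptions (labelled): $ApiBase, the /domains path, Basic auth as "username:token",
# and a JSON body with a "domains" array whose items carry "domainName".
function Test-NameComApiAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Username,
        [Parameter(Mandatory)] [securestring]$Token,
        [string]$ApiBase = 'https://api.name.com/v4'   # assumption, verify in the API docs
    )

    # Basic auth header built from the account username and the API token
    $plainToken = [System.Net.NetworkCredential]::new('', $Token).Password
    $authBytes  = [System.Text.Encoding]::ASCII.GetBytes("$Username`:$plainToken")
    $headers    = @{
        Authorization = 'Basic ' + [Convert]::ToBase64String($authBytes)
        Accept        = 'application/json'
    }

    # -SkipHttpErrorCheck (PowerShell 7+) lets us inspect 4xx/5xx responses
    # instead of having Invoke-WebRequest throw before we can classify them.
    $resp = Invoke-WebRequest -Uri "$ApiBase/domains" -Headers $headers `
        -Method Get -SkipHttpErrorCheck -ErrorAction Stop

    $contentType = ($resp.Headers['Content-Type'] -join '')

    # 1. Authentication/authorization failures: credentials or the account's
    #    API access setting, not the zone list, are the problem.
    if ($resp.StatusCode -in 401, 403) {
        throw ("name.com API returned HTTP $($resp.StatusCode). Check the username/API token " +
               "and, if two-step verification is enabled on the account, that API access is " +
               "switched on under Security Settings.")
    }

    # 2. A non-JSON body (for example an HTML login or error page) means we are
    #    not talking to the JSON API at all; reporting it as 'domain not found'
    #    would hide the real cause.
    if ($contentType -notmatch 'application/json') {
        throw ("name.com API returned '$contentType' instead of JSON (HTTP $($resp.StatusCode)). " +
               "The request is not reaching the API; check API access and credentials.")
    }

    if ($resp.StatusCode -ne 200) {
        throw "name.com API returned unexpected HTTP $($resp.StatusCode): $($resp.Content)"
    }

    # 3. Only now is a missing zone a meaningful answer. Return the zone names
    #    so the caller can match _acme-challenge.<name> against them.
    $body = $resp.Content | ConvertFrom-Json
    return @($body.domains.domainName)   # assumed response shape
}

# Walk a record name up label by label until it matches a zone on the account,
# mirroring how a DNS plugin decides which zone owns a TXT record.
function Find-NameComZone {
    param(
        [Parameter(Mandatory)] [string]$RecordName,
        [Parameter(Mandatory)] [string[]]$Zones
    )
    $labels = $RecordName.TrimEnd('.').Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = ($labels[$i..($labels.Count - 1)] -join '.')
        if ($Zones -contains $candidate) { return $candidate }
    }
    throw "Domain not found for $RecordName (zones on account: $($Zones -join ', '))"
}

# Usage (credentials and domain are placeholders):
# $tok   = Read-Host 'API token' -AsSecureString
# $zones = Test-NameComApiAccess -Username 'your-name.com-username' -Token $tok
# Find-NameComZone -RecordName '_acme-challenge.example.test' -Zones $zones
```

The ordering of the checks is the point: status code first, then content type, and only then the zone search. With that ordering the failure seen in this thread surfaces as "returned text/html instead of JSON" rather than as a misleading "Domain not found", which is the message that sent the troubleshooting toward DNS propagation and stale orders instead of the account's API access setting.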

eeldivad commented 1 month ago

I noticed under "Security Settings" on name.com there is an option at the bottom that says:

NAME.COM API ACCESS

You have Two-Step Verification enabled on your account. Our API does not support this service. You can manage API access to your name.com account below. Turning API access ON will enable your account to be accessed by our API without the 2FA security token. Turning API access OFF will disallow use of the API.

I turned this on and it works now :)

Could you add that on the docs page here so others don't miss this critical step during setup. I'm sure they must have added that feature after you created the plugin so I must be the first to discover it since then. https://poshac.me/docs/v4/Plugins/NameCom

Thank you so much!! Enjoy your vacation.