srvrco / getssl

obtain free SSL certificates from letsencrypt ACME server. Suitable for automating the process on remote servers.
GNU General Public License v3.0

Script dns_add_ionos problem #756

Open HerroBert opened 2 years ago

HerroBert commented 2 years ago

Describe the bug: dns script dns_add_ionos shows errors:

    Upgraded to v2 (changed https://acme-v01.api.letsencrypt.org to https://acme-v02.api.letsencrypt.org)
    Registering account
    Verify each domain
    Verifying example.de
    checking DNS at ns1025.ui-dns.com
    sleeping 60 seconds before asking the ACME server to check the dns
    sending request to ACME server saying we're ready for challenge
    checking if challenge is complete
    Verified example.de
    curl: (3) URL using bad/illegal format or missing URL
    Verifying .example.de
    checking DNS at ns1025.ui-dns.com
    sleeping 60 seconds before asking the ACME server to check the dns
    sending request to ACME server saying we're ready for challenge
    checking if challenge is complete
    Pending
    checking if challenge is complete
    Pending
    checking if challenge is complete
    getssl: .example.de:Verify error: "detail": "DNS problem: SERVFAIL looking up CAA for example.de - the domain's nameservers may be malfunctioning",

To Reproduce: Steps to reproduce the behavior:

  1. create config for dns validation: DNS_ADD_COMMAND=/home/user/.getssl/dns_add_ionos
  2. put IONOS-Key into dns_add_ionos (why?)
  3. run getssl example.de
  4. See error

Expected behavior: No error and completed cert creation

Operating system (please complete the following information):

Additional context: First try with IONOS-API. Do I really have to put the api-key into the dns-script? That is strange.

githubRover commented 2 years ago

DNS problem: SERVFAIL looking up CAA

The DNS server is not responding correctly to requests for the CAA record. The DNS server can say "I don't have one" or "Here it is", but it cannot respond SERVFAIL.

Often this has to do with incorrect DNSSEC. This tool helps identify such problems: https://dnsviz.net/

Other DNS configuration problems can cause this. You might want to try posting on the Let's Encrypt community forum https://community.letsencrypt.org/ They will need to know your actual domain name for good advice, especially on DNS problems.

HerroBert commented 2 years ago

There is no DNSSEC for that domain.

githubRover commented 2 years ago

Did dnsviz point to any other problems?

unboundtest.com mimics what Let's Encrypt servers do to get DNS records (CAA, TXT, ...). It requires DNS experience to understand but perhaps this can help you debug the problem yourself if you are unwilling to share your domain name.

I am not an expert at DNS, so these commonly used tools are the best I can offer.

HerroBert commented 2 years ago

I know DNS very well. I tried again and that worked. But this error message is still there: curl: (3) URL using bad/illegal format or missing URL

githubRover commented 2 years ago

I am sure Tim will respond at some point.

Do you get any helpful info using -d (debug) on the command line? I could only guess it is related to the wildcard request and I don't use one with getssl to try it.

HerroBert commented 2 years ago

I checked with another domain and saw that the del-script is causing this problem:

    removing DNS RR via command: /home/user/.getssl/dns_del_ionos example.de NH_2Dnh...g180w6zKHg
    curl: (3) URL using bad/illegal format or missing URL

githubRover commented 2 years ago

Should not be too difficult to find the underlying reason. That ionos script is really small: https://github.com/srvrco/getssl/blob/master/dns_scripts/dns_del_ionos Their docs: https://developer.hosting.ionos.com/docs/dns

Another acme client, acme.sh, has a lot of DNS API plug-ins. Maybe compare theirs to this one for clues? https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_ionos.sh

Sorry if this is rudimentary or not helpful. Just ideas in hopes of helping.

HerroBert commented 1 year ago

I think the record curl call is faulty. I got a jq error:

    jq: error (at :1): Cannot index array with string "records"

There is no part called records in that curl output. So _RECORDID does not get any number.

edit: and btw, this script is not capable of handling customer accounts with multiple domains.
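The two failures described in this thread are an API reply that is a bare JSON array where the script's jq filter expects a `records` key, and an empty `_RECORDID` being interpolated into the delete URL, which is what curl then rejects. The following is an added illustration of a defensive record lookup (not code from the issue or from getssl); the response bodies, field names, base URL and zone id are constructed placeholders, not the real IONOS API schema.

```python
import json
from typing import Optional

# Constructed sample responses modelling the two shapes the thread mentions:
# a bare array (what the reporter actually received) and an object carrying
# a "records" list (what the jq filter in the script assumed).
RESPONSE_ARRAY = json.dumps([
    {"id": "rec-111", "name": "_acme-challenge.example.de", "type": "TXT", "content": "abc"},
    {"id": "rec-222", "name": "_acme-challenge.example.de", "type": "TXT", "content": "def"},
])
RESPONSE_OBJECT = json.dumps({"records": [
    {"id": "rec-333", "name": "_acme-challenge.example.de", "type": "TXT", "content": "abc"},
]})


def extract_records(body: str) -> list:
    """Accept either shape: a top-level array, or an object with a 'records' list."""
    data = json.loads(body)
    if isinstance(data, list):
        return data
    if isinstance(data, dict) and isinstance(data.get("records"), list):
        return data["records"]
    raise ValueError("unexpected response shape: %s" % type(data).__name__)


def find_record_id(body: str, name: str, content: str, rtype: str = "TXT") -> Optional[str]:
    """Return the id of the record matching name, type and content, or None if absent."""
    for rec in extract_records(body):
        if rec.get("type") == rtype and rec.get("name") == name and rec.get("content") == content:
            rid = rec.get("id")
            return str(rid) if rid else None
    return None


def build_delete_url(base: str, zone_id: str, record_id: Optional[str]) -> str:
    """Refuse to build the URL when any path segment is empty.

    An empty segment is exactly what produced 'curl: (3) URL using bad/illegal
    format' in the thread; failing here keeps the hook from calling the API at all.
    """
    for label, value in (("zone_id", zone_id), ("record_id", record_id)):
        if not value:
            raise ValueError(f"refusing to call API: {label} is empty")
    return f"{base}/zones/{zone_id}/records/{record_id}"


if __name__ == "__main__":
    rid = find_record_id(RESPONSE_ARRAY, "_acme-challenge.example.de", "def")
    print(build_delete_url("https://api.example.invalid/v1", "zone-1", rid))
```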