win-acme / win-acme

A simple ACME client for Windows (for use with Let's Encrypt et al.)
https://www.win-acme.com/
Apache License 2.0
5.28k stars 816 forks source link

Renewal failed, dnsmadeeasy plugin #2528

Closed Wlad-R closed 7 months ago

Wlad-R commented 9 months ago

Hello, The certificate was created successfully two months ago with (just replaced with cr.com) Wacs --verbose --source iis --host commit.cr.com --order single --validationmode DNS-01 --validation dnsmadeeasy --apikey c3xxx--apisecret 5xxx8 --store certificatestore --installation iis --accepttos --emailaddress commitcrm@C*r.com Renewal failed yesterday Dnsmadeeasy Api key works – another server from the same domain was renewed successfully yesterday with the same setup. Server time is synced Not sure what else I should check

[DBUG] [3cx.cr.com] Attempting to create DNS record under _acme-challenge.3cx.cr.com... [DBUG] [HTTP] Send GET to https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=c*r.com [VERB] [HTTP] Request completed with status Forbidden [VERB] [HTTP] Response of type null (32 bytes) [DBUG] [3cx.cr.com] Failed to create record under _acme-challenge.3cx.cr.com [EROR] [3cx.cr.com] Error preparing for challenge answer System.Exception: [3cx.cr.com] Unable to prepare for challenge answer at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation1.PrepareChallenge(ValidationContext context, Dns01ChallengeValidationDetails challenge) at PKISharp.WACS.Plugins.ValidationPlugins.Validation1.PrepareChallenge(ValidationContext context) at PKISharp.WACS.RenewalValidator.Prepare(ValidationContext context, RunLevel runLevel) [VERB] Starting post-validation cleanup [VERB] Post-validation cleanup was succesful

Thank you, Wlad

WouterTinus commented 9 months ago

This build should show the error message returned from the API, which is currently hidden: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49183286/artifacts

Wlad-R commented 9 months ago

Hi Wouter, below is --verbose result:

[DBUG] [commit.corporatepower.com] Attempting to create DNS record under _acme-challenge.commit.corporatepower.com... [DBUG] [HTTP] Send GET to https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=corporatepower.com [WARN] [HTTP] Request completed with status Forbidden [VERB] [HTTP] Response of type null (36 bytes) [WARN] Unable to create record at DnsMadeEasy: {"error": ["Unable to verify HMAC"]} [DBUG] [commit.corporatepower.com] Failed to create record under _acme-challenge.commit.corporatepower.com [EROR] [commit.corporatepower.com] Error preparing for challenge answer System.Exception: [commit.corporatepower.com] Unable to prepare for challenge answer at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation1.PrepareChallenge(ValidationContext context, Dns01ChallengeValidationDetails challenge) at PKISharp.WACS.Plugins.ValidationPlugins.Validation1.PrepareChallenge(ValidationContext context) at PKISharp.WACS.RenewalValidator.Prepare(ValidationContext context, RunLevel runLevel) [VERB] Starting post-validation cleanup [DBUG] DNS record cleanup finalized

Thank you, Wlad

WouterTinus commented 8 months ago

So at least we can see the error now: "Unable to verify HMAC" seems to mean that either the API key is wrong or the time is off. I'm also not sure what to check anymore, especially since it works on another server.

Wlad-R commented 8 months ago

Hello, thank you for the confirmation. The time and key were/are good I freaked out a bit, deleted everything including programdata\win-acme and installed from scratch. And it worked. I don't know what was wrong with cached/saved credentials, but my expectation is command line parameters should have precedence over the saved configuration. Thank you, Wlad

WouterTinus commented 7 months ago

I'm glad it's working now.

I don't know what was wrong with cached/saved credentials, but my expectation is command line parameters should have precedence over the saved configuration.

That is true when you replace your renewal, but you cannot renew and change stuff at the same time (but trying to do that leads to a fatal error from the command line, so that was not your issue).