
Report bugs to OpenProvider dns api

Open TheLastProject opened this issue 6 years ago • 17 comments

This is the place to report bugs in the OpenProvider DNS API.

If you experience a bug, please report it in this issue.

Thanks!

TheLastProject avatar Feb 22 '19 14:02 TheLastProject

How do I use the Openprovider API? I am trying to use it the following way:

```
docker run --rm -it -e OPENPROVIDER_USER="username" -e OPENPROVIDER_PASSWORDHASH="passwordhash" -v "$(pwd)/out":/acme.sh neilpang/acme.sh --issue -d '*.domain.co' --dns dns_openprovider -k ec-384 --debug
```

Only now I am getting into a finite loop. Do I have to have my DNS records in a specific way to make this work? I am having the following zone file at OpenProvider:

Name | Type | Value |   | TTL
-- | -- | -- | -- | --
www.domain.co | A | 1.2.3.4 |   | 15 minutes
vpn.domain.co | A | 1.2.3.4 |   | 15 minutes
*.domain.co | A | 1.2.3.4 |   | 15 minutes
domain.co | SOA | ns1.openprovider.nl dns.openprovider.eu 2019090701 10800 3600 604800 3600 |   | 1 day
domain.co | NS | ns1.openprovider.nl |   | 1 hours
domain.co | NS | ns2.openprovider.be |   | 1 hours
domain.co | NS | ns3.openprovider.eu |   | 1 hours
domain.co | A | 1.2.3.4 |   | 15 minutes

weyert avatar Sep 07 '19 16:09 weyert

Do you have the debug output? I sadly no longer have anything hosted at OpenProvider so it's hard for me to guess what it could be.

TheLastProject avatar Sep 07 '19 16:09 TheLastProject

Appears to work when I don't have any A records. Let me try to get a debug log for you :) @TheLastProject Please find the log here: https://gist.github.com/weyert/08d55ce124263d6ef99d90167006d992

weyert avatar Sep 07 '19 16:09 weyert

The error is on https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_openprovider.sh#L62, the sed statement doesn't seem to see the match and thus the list of records never changes. Not sure yet why this is the case...

TheLastProject avatar Sep 07 '19 17:09 TheLastProject

Sorry, my shell scripting skill is like non-existent. Any way I could assist you? I did notice that when I don't have any A records (e.g. *.domain.co) it's working fine. Could it be falling over the case that an A record for *.domain.co exists for which I am also requesting a certificate?

weyert avatar Sep 07 '19 18:09 weyert

Nah, it's just not marking an item it dealt with as "done", and thus gets stuck in that loop. The sed statement is supposed to remove the item that it just dealt with from the list of items, but somehow that isn't working. May be some special characters weirdness, not quite sure why, probably someone whose POSIX shell scripting is less rusty could solve it in a second.

TheLastProject avatar Sep 07 '19 18:09 TheLastProject
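The failure mode described in the comment above, as an added example that is not code from acme.sh or from any participant: a list-consuming loop whose sed removal silently fails to match, next to a literal removal and a no-progress guard. The record layout in `SAMPLE` and all function names are constructed for illustration, and the `*` trigger is an assumption, not a confirmed diagnosis of `dns_openprovider.sh`.

```shell
# Constructed sample: three <item> blobs; the middle one has "*" as its name.
SAMPLE='<item><name>www</name><value>1.2.3.4</value></item><item><name>*</name><value>1.2.3.4</value></item><item><name>vpn</name><value>1.2.3.4</value></item>'

# Print the first <item>...</item> blob of the list in $1.
first_item() {
  printf '%s' "$1" | sed 's|</item>.*|</item>|'
}

# Fragile: $2 is interpolated into a sed pattern, so "*" becomes a quantifier,
# the literal text is not matched, and the list comes back unchanged.
drop_with_sed() {
  printf '%s' "$1" | sed "s|$2||"
}

# Literal: a quoted pattern in ${var#pattern} is compared character by character.
drop_literal() {
  printf '%s' "${1#"$2"}"
}

# Walk the list in $1 using the drop function named in $2.
# Prints the number of items handled; returns 1 if a pass does not shrink
# the list, instead of looping forever.
walk_items() {
  list=$1
  count=0
  while [ -n "$list" ]; do
    item=$(first_item "$list")
    rest=$("$2" "$list" "$item")
    if [ "${#rest}" -ge "${#list}" ]; then
      echo "no progress after $count item(s), aborting" >&2
      return 1
    fi
    list=$rest
    count=$((count + 1))
  done
  echo "$count"
}

walk_items "$SAMPLE" drop_literal
walk_items "$SAMPLE" drop_with_sed || echo "sed variant stalled on the '*' item"
```

The guard matters independently of the removal method: a DNS hook that cannot make progress should fail the issuance run rather than spin while holding the zone in a half-processed state.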

Oh okay, I hope someone can help us then :)

weyert avatar Sep 07 '19 19:09 weyert

Not sure how to progress this.

weyert avatar Sep 09 '19 18:09 weyert

I'm having the same loop problem as @weyert. The API is constantly looping over the existing A records and not adding the challenge records. Only when removing existing A records and re-running acme.sh the challenges are added.

It would be nice if someone could fix it.

markoetie avatar Apr 02 '20 10:04 markoetie

Hi all, I fixed the looping and a setting with custom NS servers, works like a charm :-)

Also lowered the TTL for the temporary acme record to 10 min, so you can retry after 10 minutes if it fails and you don't have to wait for a day until the record times out from dns-caches.

Will submit a pull-request with the changes. Note: requesting wildcard-domain certificates still fails, investigating cause..

Ritbit avatar Apr 27 '20 13:04 Ritbit

Thanks @Ritbit that's great :)

weyert avatar Apr 27 '20 14:04 weyert

Tried Acme.sh with openprovider_dns, all I keep getting is an `API request failed.` message. Tested with a few different domains, some with A records, some without. Adding --debug revealed `response='<?xml version="1.0" encoding="UTF-8"?><openXML><reply><code>808</code><desc>Invalid record type</desc><data/></reply></openXML>` even though types sent are only NS, MX and TXT types.

johanneskonst avatar Sep 21 '20 13:09 johanneskonst

Same here... I've used the dns api on openprovider with dehydrated (I wrote that backend for dehydrated), but was looking into acme.sh since it has wider support, but giving me issues with openprovider.

It seems that API failures are printed in red, but then don't trigger stopping further requests/tests if the field was added.

```
[Mon 23 Nov 2020 10:01:41 PM CET] existing_items='A45.11.28.1086400NSns3.openprovider.eu3600NSns2.openprovider.be3600NSns1.openprovider.nl3600MXmail.sig-io.nl1086400AAAA2a0e:5700::1086400'
[Mon 23 Nov 2020 10:01:41 PM CET] results_retrieved='7'
[Mon 23 Nov 2020 10:01:41 PM CET] item='www.jaar2038.nlCNAMEjaar2038.nl86400<creationDate></creationDate><modificationDate></modificationDate>'
[Mon 23 Nov 2020 10:01:41 PM CET] existing_items='A45.11.28.1086400NSns3.openprovider.eu3600NSns2.openprovider.be3600NSns1.openprovider.nl3600MXmail.sig-io.nl1086400AAAA2a0e:5700::1086400wwwCNAMEjaar2038.nl86400'
[Mon 23 Nov 2020 10:01:41 PM CET] results_retrieved='8'
[Mon 23 Nov 2020 10:01:41 PM CET] item
[Mon 23 Nov 2020 10:01:41 PM CET] total='8'
[Mon 23 Nov 2020 10:01:41 PM CET] Creating acme record
[Mon 23 Nov 2020 10:01:41 PM CET] POST
[Mon 23 Nov 2020 10:01:41 PM CET] _post_url='https://api.openprovider.eu/'
[Mon 23 Nov 2020 10:01:41 PM CET] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Mon 23 Nov 2020 10:01:42 PM CET] _ret='0'
[Mon 23 Nov 2020 10:01:42 PM CET] response=' <openXML>808Invalid record type</openXML>'
[Mon 23 Nov 2020 10:01:42 PM CET] API request failed.
[Mon 23 Nov 2020 10:01:42 PM CET]
```

sigio avatar Nov 23 '20 21:11 sigio

Removing 'NS' from line 72 worked for me.... the API docs also say the allowed field types are:

One of the following data types: A, AAAA, CNAME, MX, SPF, SRV, TXT, TLSA, SSHFP, CAA (In some cases NS records can be added after contacting Support.)

So... NS is not allowed by default... but is returned from the api (and automatically added it seems)

sigio avatar Nov 24 '20 14:11 sigio

It also looks like the dns_openprovider.sh just replaces the entire zone/config, instead of just adding/removing a single record:

In the control-panel: 2020-11-24 15:53:08 Records have been replaced.

As opposed to the script used in dehydrated which adds/removes individual txt records:

2020-10-09 13:01:34 Record is deleted: name: _acme-challenge.jaar2038.nl, type: TXT, value: "XXX", ttl: 600
2020-10-09 13:01:30 Record is added: name: _acme-challenge.jaar2038.nl, type: TXT, value: "XXX", ttl: 600

Doing it this way would avoid issues with unknown or not-allowed record-types, and avoid losing existing records if they might not match the regex (or simultaneous updates from other api-calls)

sigio avatar Nov 24 '20 14:11 sigio
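A pre-flight check for the two risks raised in the comments above (a whole-zone replace rejected with "Invalid record type", and existing records lost from the replacement), as an added example that is not code from acme.sh or dehydrated. The one-record-per-line format, the sample zone and the function names are constructed; the allowed-type list is the one quoted from the API docs in this thread.

```shell
# Types the API docs quoted above accept; NS and SOA are not among them.
ALLOWED='A AAAA CNAME MX SPF SRV TXT TLSA SSHFP CAA'

# Constructed sample zone, one record per line: name type value ttl
EXISTING='@ A 192.0.2.10 86400
@ NS ns1.example.net 3600
@ MX mail.example.net 86400
www CNAME example.org 86400'

# Print only the records in $1 whose type the API accepts on submit.
submittable() {
  printf '%s\n' "$1" | while read -r name type value ttl; do
    case " $ALLOWED " in
      *" $type "*) printf '%s %s %s %s\n' "$name" "$type" "$value" "$ttl" ;;
    esac
  done
}

# $1 = records currently in the zone, $2 = payload for the replace call.
# Succeeds only if the payload keeps every submittable existing record and
# contains no type the API would reject.
safe_to_replace() {
  keep=$(submittable "$1")
  while read -r line; do
    [ -z "$line" ] && continue
    printf '%s\n' "$2" | grep -qxF -- "$line" || {
      echo "payload would lose: $line" >&2
      return 1
    }
  done <<EOF
$keep
EOF
  [ "$(submittable "$2")" = "$2" ] || {
    echo "payload contains a record type the API rejects" >&2
    return 1
  }
}

# Build a payload: surviving records plus the challenge record (constructed token).
PAYLOAD=$(printf '%s\n%s' "$(submittable "$EXISTING")" '_acme-challenge TXT token-placeholder 600')
safe_to_replace "$EXISTING" "$PAYLOAD" && echo "payload is safe to submit"
```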

This plugin should be rewritten to the Openprovider REST API (beta). The REST API has the option to add and remove single records.

ixp-nl avatar Jun 17 '21 10:06 ixp-nl

Created a pull request where the NS type is removed so it at least works again.

WinSCaP avatar Jun 22 '24 09:06 WinSCaP