Report bugs to dynv6 DNS API

[StefanAbl]

Please report any bugs with the dynv6 dns api here.

Thanks!

[pd12bbf7608ae1]

While using acme.sh issue a cert for domain like example123.dynv6.net, it will stuck at:

Your='key'
using keyfile /root/.acme.sh/acme.key
getting domain for _acme-challenge.example123.dynv6.net
The record we are ging to use is _acme-challenge
And the host is example123.dynv6.net

But it worked when using domain like example.dynv6.net.

My system is armbian based on debian.

[StefanAbl]

Sorry for getting back to you so late, however I just tried with a domain named "example123.0 ... .dynv6.com" and I had no issue obtaining a certificate. Your problem was most likely with dynv6, I have also encountered that their ssh api sometimes is not very quick, sometimes to the point where you would think it is stuck. And since the command right after your output is a ssh connection to dynv6.com, I would think that is the issue. Maybe you could try again and see if the issue persists.

[pd12bbf7608ae1]

Sorry for getting back to you so late, however I just tried with a domain named "example123.0 ... .dynv6.com" and I had no issue obtaining a certificate. Your problem was most likely with dynv6, I have also encountered that their ssh api sometimes is not very quick, sometimes to the point where you would think it is stuck. And since the command right after your output is a ssh connection to dynv6.com, I would think that is the issue. Maybe you could try again and see if the issue persists.

I try again on Ubuntu server 18.04, it took about 2 hours to add records. It's the problem of dynv6. Thanks.

[StefanAbl]

No Problem, however that is unusually long, but I think they are having some problems right now. I also had some issues with the DNS records for my sites not being found in the last few days. But thats of topic ...

[FerrahWolfeh]

When trying to run the script on FreeNAS, it gets stuck at "The record we are ging to use is _acme-challenge..."

ssh connection to the dynv6 api works fine, but the script may be failing to do something

[StefanAbl]

That should be line 90 and where it might be stuck is here I assume the while loop is the issue here, since you say there is no output after "The record we are going to use is _acme-challenge...".

If this is the issue you can try with the new code from this PR, which greatly improves the detection of the host and the record.

Edit: you don't use any custom domain or "weird" domain name?

[FerrahWolfeh]

That should be line 90 and where it might be stuck is here I assume the while loop is the issue here, since you say there is no output after "The record we are going to use is _acme-challenge...".

If this is the issue you can try with the new code from this PR, which greatly improves the detection of the host and the record.

Edit: you don't use any custom domain or "weird" domain name?

Makes sense, I'm going to try this later on

and no, I was using as simple as "name.dynv6.net", but I got it to work by running the script on my Arch computer then transferred the files to my server

[railzy]

When I try to issue cert like this ./acme.sh -d example.dynv6.net -d *.example.dynv6.net --issue --dns dns_dynv6 I found it try to add 2 different txt value with the same name. As the result, acme.sh will only success to check one of it and go in a loop.

[StefanAbl]

@railzy unfortunately this is an issue with the underlying SSH API, if the records have the same name the data will always be overwritten, instead of creating a new record with the same name but different data. I already posted in the dynv6 forum about this. Until this is is resolved you could use dns manual mode which I would not recommend or issue a certificate for every domain separately. For example use a bash script with a for-loop to easily loop over the needed domains.

[railzy]

I try to issue a certificate again like this ./acme.sh -d example.dynv6.net -d *.example.dynv6.net --issue --dns dns_dynv6 after issuing a certificate for every domain separately. And I find it success.

root@OpenWrt:~# /tmp/acme/acme.sh --home "/tmp/acme" -d example.dynv6.net -d .example.dynv6.net --issue --dns dns_dynv6 [Fri Jul 17 09:43:12 CST 2020] Multi domain='DNS:example.dynv6.net,DNS:.example.dynv6.net' [Fri Jul 17 09:43:13 CST 2020] Getting domain auth token for each domain [Fri Jul 17 09:43:35 CST 2020] Getting webroot for domain='example.dynv6.net' [Fri Jul 17 09:43:36 CST 2020] Getting webroot for domain='.example.dynv6.net' [Fri Jul 17 09:43:36 CST 2020] example.dynv6.net is already verified, skip dns-01. [Fri Jul 17 09:43:36 CST 2020] .example.dynv6.net is already verified, skip dns-01. [Fri Jul 17 09:43:36 CST 2020] Verify finished, start to sign. [Fri Jul 17 09:43:37 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/********** [Fri Jul 17 09:43:42 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/********** [Fri Jul 17 09:43:48 CST 2020] Cert success.

Maybe we can pass the check by adding and checking the records of domains one by one.

[pd12bbf7608ae1]

I found that dynv6 provided a new API based on the REST API. Is it possible to consider switching over the current SSH API or handing over the option to the users?

[StefanAbl]

@pdxgf1208 Yes I am already working on expanding the current script to work with both SSH and the HTTP API. See my personal GitHub for the current status. It should already work but It is not fully tested yet.

[StefanAbl]

I try to issue a certificate again like this ./acme.sh -d example.dynv6.net -d *.example.dynv6.net --issue --dns dns_dynv6 after issuing a certificate for every domain separately. And I find it success.

root@OpenWrt:~# /tmp/acme/acme.sh --home "/tmp/acme" -d example.dynv6.net -d .example.dynv6.net --issue --dns dns_dynv6 [Fri Jul 17 09:43:12 CST 2020] Multi domain='DNS:example.dynv6.net,DNS:.example.dynv6.net' [Fri Jul 17 09:43:13 CST 2020] Getting domain auth token for each domain [Fri Jul 17 09:43:35 CST 2020] Getting webroot for domain='example.dynv6.net' [Fri Jul 17 09:43:36 CST 2020] Getting webroot for domain='_.example.dynv6.net' [Fri Jul 17 09:43:36 CST 2020] example.dynv6.net is already verified, skip dns-01. [Fri Jul 17 09:43:36 CST 2020] _.example.dynv6.net is already verified, skip dns-01. [Fri Jul 17 09:43:36 CST 2020] Verify finished, start to sign. [Fri Jul 17 09:43:37 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/__********** [Fri Jul 17 09:43:42 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/********** [Fri Jul 17 09:43:48 CST 2020] Cert success.

Maybe we can pass the check by adding and checking the records of domains one by one.

Were you able to get a valid wildcard certificate?
If so that is probably a bug, since the way you would get a wildcard certificate is to add two TXT records named _acme_challenge.example.dynv6.net with different values to your DNS and than Let's encrypt would check if they can see both of these records. But even though it is possible to add two records to your dynv6 domain with the same name but different data only one of those is returned when queried. You can test this on a Linux system with the command dig TXT record.example.dynv6.net . We'll have to wait a bit more, they are going to implement it at some point.

[atykhyy]

Since HTTP API support is not yet released or even merged into master, maybe it's a bit premature to say in dnsapi wiki page that it is supported?

[StefanAbl]

Yes maybe. Somehow it took longer than expected to get it merged, but it is in dev now so it should not be long. I probably should have added it later, but I am not gonna take it out since than I would only forget to add it back in, since there is no notification for when the PR is merged into master (AFAIK).
Sorry for the confusion

[Neilpang]

merged

[StefanAbl]

Thanks

[ColinWoW]

It don't work because no zone found. I only have two zond in dynv6, aaa.example.tk and bbb.example.tk. I can't add the zone acme-challenge.example.tk, because the underscore() can't be the subdomain name in dynv6. I have also submitted an issue #4465 about it. I hope you can take a look at it, because it's more detailed. Thanks!

[peter1123]

Can not find dns api hook for: dns_dynv6

root@OpenWrt:/etc/.acme.sh# ./acme.sh --issue --dns dns_dynv6 -d xintiandi.dynv6.net [Tue Jan 31 21:43:46 CST 2023] Domains not changed. [Tue Jan 31 21:43:46 CST 2023] Skip, Next renewal time is: 2023-03-31T09:36:09Z [Tue Jan 31 21:43:46 CST 2023] Add '--force' to force to renew. root@OpenWrt:/etc/.acme.sh# ./acme.sh --issue --dns dns_dynv6 -d xintiandi.dynv6.net --force --key-file /etc/uhttpd.key --cert-file /etc/uhttpd.crt [Tue Jan 31 21:47:35 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90 [Tue Jan 31 21:47:35 CST 2023] Single domain='xintiandi.dynv6.net' [Tue Jan 31 21:47:35 CST 2023] Getting domain auth token for each domain [Tue Jan 31 21:47:49 CST 2023] Getting webroot for domain='xintiandi.dynv6.net' [Tue Jan 31 21:47:50 CST 2023] Can not find dns api hook for: dns_dynv6 [Tue Jan 31 21:47:50 CST 2023] You need to add the txt record manually. [Tue Jan 31 21:47:50 CST 2023] Add the following TXT record: [Tue Jan 31 21:47:50 CST 2023] Domain: '_acme-challenge.xintiandi.dynv6.net' [Tue Jan 31 21:47:50 CST 2023] TXT value: 'rbemUfYIQaePHDK0SzjkO01ybX6Dvkb7Hl2ZJDn_1EA' [Tue Jan 31 21:47:50 CST 2023] Please be aware that you prepend _acme-challenge. before your domain [Tue Jan 31 21:47:50 CST 2023] so the resulting subdomain will be: _acme-challenge.xintiandi.dynv6.net [Tue Jan 31 21:47:50 CST 2023] Please add the TXT records to the domains, and re-run with --renew. [Tue Jan 31 21:47:50 CST 2023] Please add '--debug' or '--log' to check more details. [Tue Jan 31 21:47:50 CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

root@OpenWrt:/etc/.acme.sh# ./acme.sh -v https://github.com/acmesh-official/acme.sh v3.0.6

[ColinWoW]

Can not find dns api hook for: dns_dynv6

root@OpenWrt:/etc/.acme.sh# ./acme.sh --issue --dns dns_dynv6 -d xintiandi.dynv6.net [Tue Jan 31 21:43:46 CST 2023] Domains not changed. [Tue Jan 31 21:43:46 CST 2023] Skip, Next renewal time is: 2023-03-31T09:36:09Z [Tue Jan 31 21:43:46 CST 2023] Add '--force' to force to renew. root@OpenWrt:/etc/.acme.sh# ./acme.sh --issue --dns dns_dynv6 -d xintiandi.dynv6.net --force --key-file /etc/uhttpd.key --cert-file /etc/uhttpd.crt [Tue Jan 31 21:47:35 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90 [Tue Jan 31 21:47:35 CST 2023] Single domain='xintiandi.dynv6.net' [Tue Jan 31 21:47:35 CST 2023] Getting domain auth token for each domain [Tue Jan 31 21:47:49 CST 2023] Getting webroot for domain='xintiandi.dynv6.net' [Tue Jan 31 21:47:50 CST 2023] Can not find dns api hook for: dns_dynv6 [Tue Jan 31 21:47:50 CST 2023] You need to add the txt record manually. [Tue Jan 31 21:47:50 CST 2023] Add the following TXT record: [Tue Jan 31 21:47:50 CST 2023] Domain: '_acme-challenge.xintiandi.dynv6.net' [Tue Jan 31 21:47:50 CST 2023] TXT value: 'rbemUfYIQaePHDK0SzjkO01ybX6Dvkb7Hl2ZJDn_1EA' [Tue Jan 31 21:47:50 CST 2023] Please be aware that you prepend _acme-challenge. before your domain [Tue Jan 31 21:47:50 CST 2023] so the resulting subdomain will be: _acme-challenge.xintiandi.dynv6.net [Tue Jan 31 21:47:50 CST 2023] Please add the TXT records to the domains, and re-run with --renew. [Tue Jan 31 21:47:50 CST 2023] Please add '--debug' or '--log' to check more details. [Tue Jan 31 21:47:50 CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

root@OpenWrt:/etc/.acme.sh# ./acme.sh -v https://github.com/acmesh-official/acme.sh v3.0.6

The ACME in the openwrt maybe save the script of dns in /usr/lib/client/dnsapi. But ACME will find the script of dns in /usr/lib/dnsapi. Try this to see if it can be solved. #4336

[peter1123]

Can not find dns api hook for: dns_dynv6 root@OpenWrt:/etc/.acme.sh# ./acme.sh --issue --dns dns_dynv6 -d xintiandi.dynv6.net [Tue Jan 31 21:43:46 CST 2023] Domains not changed. [Tue Jan 31 21:43:46 CST 2023] Skip, Next renewal time is: 2023-03-31T09:36:09Z [Tue Jan 31 21:43:46 CST 2023] Add '--force' to force to renew. root@OpenWrt:/etc/.acme.sh# ./acme.sh --issue --dns dns_dynv6 -d xintiandi.dynv6.net --force --key-file /etc/uhttpd.key --cert-file /etc/uhttpd.crt [Tue Jan 31 21:47:35 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90 [Tue Jan 31 21:47:35 CST 2023] Single domain='xintiandi.dynv6.net' [Tue Jan 31 21:47:35 CST 2023] Getting domain auth token for each domain [Tue Jan 31 21:47:49 CST 2023] Getting webroot for domain='xintiandi.dynv6.net' [Tue Jan 31 21:47:50 CST 2023] Can not find dns api hook for: dns_dynv6 [Tue Jan 31 21:47:50 CST 2023] You need to add the txt record manually. [Tue Jan 31 21:47:50 CST 2023] Add the following TXT record: [Tue Jan 31 21:47:50 CST 2023] Domain: '_acme-challenge.xintiandi.dynv6.net' [Tue Jan 31 21:47:50 CST 2023] TXT value: 'rbemUfYIQaePHDK0SzjkO01ybX6Dvkb7Hl2ZJDn_1EA' [Tue Jan 31 21:47:50 CST 2023] Please be aware that you prepend _acme-challenge. before your domain [Tue Jan 31 21:47:50 CST 2023] so the resulting subdomain will be: _acme-challenge.xintiandi.dynv6.net [Tue Jan 31 21:47:50 CST 2023] Please add the TXT records to the domains, and re-run with --renew. [Tue Jan 31 21:47:50 CST 2023] Please add '--debug' or '--log' to check more details. [Tue Jan 31 21:47:50 CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh root@OpenWrt:/etc/.acme.sh# ./acme.sh -v https://github.com/acmesh-official/acme.sh v3.0.6

The ACME in the openwrt maybe save the script of dns in /usr/lib/client/dnsapi. But ACME will find the script of dns in /usr/lib/dnsapi. Try this to see if it can be solved. #4336

thanks! acme.sh is running well

[IIIPr0t0typ3III]

Hey there, I found a bug while trying to get a certificate for a domain containing the string 'id' (example: domain_id.name): The zone_id will be set to (containing a newline):

zone_id=[{name:domain_id.name\nid:3430420

I dug around the code (dns_dynv6.sh) a little and it seems to be the following issue: When trying to extract the zone_id in line 262

zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep id | tr -d '"')"

the command ... | grep id | ... will find the field "name":"domain_id.name" in addition to "id":XXXXXXX and the zone_id will be set to a combination of both fields. A fix could be something like: grep '"id":'

I can create a pull request if you want, but I wanted to ask first what would be best for you.

Tanks for the great work of maintaining this and coding it in the first place!

[StefanAbl]

Hi, thank you for taking the time to report the bug. I see the problem in my code. While I did not test your code it looks like it addresses the issue. Please open the PR

[IIIPr0t0typ3III]

While creating the pull request I ran into the problem that the unit tests did not complete. The issue here is that the unit tests will try to create the subdomain 'acmetestXyzRandomName'. dynv6 rejects this domain name due to it containing upper case letters. Imo this does not make a lot of sense since afaik DNS is completely case insensitive and therefore they could just convert it on their side.

Since the unit tests are a requirement for pull requests I included a conversion for all upper case letters to lower case ones for the domain name. (instead of fulldomain=$1 now fulldomain="$(echo "$1" | tr "[:upper:]" "[:lower:]")") With this everything runs fine.

I'm not sure if this is the best solution or even a good one so I wanted to put this up for discussion first.

[StefanAbl]

Sorry for taking so long to reply. Converting to lower case seems reasonable.

I did not even know there are unit tests now.

[IIIPr0t0typ3III]

All good! We all have other stuff to care about too.

Since it seems to be working with everything I'll send the pull request sometime today.