os-acme-client / acme.sh - namesilo dns challenge failure, might need to update acme.sh package shipped with opnsense
Important notices Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] The title contains the plugin to which this issue belongs
Describe the bug
Currently the OPNsense repo ships version 3.0.7_1 of acme.sh, which does not seem to work well with the DNS-01 challenge for namesilo domains.
I tried to add a domain in the web UI and issue a new cert (which in turn requires a DNS challenge), but it would always run into errors like these in the logs:
AcmeClient: domain validation failed (dns01)
AcmeClient: validation for certificate failed: xxx
Errors from syslog:
**Can not find dns api hook for: dns_namesilo**
Please add the TXT records to the domains, and re-run with --renew.
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
The full command for issuing the cert (and starting a DNS challenge) is:
```
/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_namesilo' --dnssleep 'xxxx' --home '/var/etc/acme-client/home' --cert-home '/var/etc/cert/home' --certpath '/var/etc/acme-client/cert/path' --keypath '/var/etc/acme-client/key/path' --capath '/var/etc/acme-client/ca/path' --fullchainpath '/var/etc/acme-client/full/chain' --domain 'your.domain' --domain '*.your.domain' --days '1' --force --keylength 'ec-384' --accountconf '/var/etc/acme-client/account/conf'
```
Running this manually in a shell would start the manual DNS challenge.
I think the acme.sh package included in the repo may, for some reason, be missing the dns api hook. I tried this solution to update the dns api hooks, to no avail. But if I instead run the updated /root/.acme.sh/acme.sh itself with the above arguments, it correctly calls the API and automates the DNS challenge.
Would be great if you can take a look. Thanks
> Currently the OPNsense repo ships version 3.0.7_1 of acme.sh, which does not seem to work well with the DNS-01 challenge for namesilo domains.
OPNsense already includes the required file:
```
root@opnsense:~ # pkg list acme.sh-3.0.7_1 | grep namesilo
/usr/local/share/examples/acme.sh/dnsapi/dns_namesilo.sh
```
The reason it's not found by Acme Client is probably manual modifications to acme.sh on this OPNsense installation, maybe from running acme.sh manually with incompatible/insufficient parameters...
> I tried this solution to update the dns api hooks, to no avail. But if I instead run the updated /root/.acme.sh/acme.sh itself with the above arguments, it correctly calls the API and automates the DNS challenge.
This is not recommended and unsupported. If you manually upgrade acme.sh, you risk permanently breaking Acme Client.
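As an added diagnostic for the "Can not find dns api hook" error discussed above (this script is not part of the issue thread, of acme.sh, or of os-acme-client), the POSIX sh below reproduces the file search acme.sh performs when it resolves a `--dns` hook name. The search order is my reading of `_findHook()` in the acme.sh 3.0.x sources and should be treated as an assumption: the hook is looked for next to the acme.sh script itself (acme.sh's `_SCRIPT_HOME`), then directly under the `--home` directory (`LE_WORKING_DIR`), then in the `dnsapi/` subdirectory of each. The `check_hook` function and the temp-directory layout used to exercise it are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic for the "Can not find dns api hook" failure.
# Not part of acme.sh or os-acme-client. The search order below follows
# my reading of acme.sh's _findHook() (3.0.x); treat it as an assumption
# and compare against the acme.sh version actually installed.

# find_dns_hook SCRIPT_DIR HOME_DIR HOOK
#   SCRIPT_DIR: directory containing the acme.sh script (_SCRIPT_HOME)
#   HOME_DIR:   the --home directory passed to acme.sh (LE_WORKING_DIR)
# Prints the first matching hook file and returns 0, or returns 1 if none.
find_dns_hook() {
  _sd="$1"; _hd="$2"; _hook="$3"
  for _cand in \
    "$_sd/$_hook" "$_sd/$_hook.sh" \
    "$_hd/$_hook" "$_hd/$_hook.sh" \
    "$_hd/dnsapi/$_hook" "$_hd/dnsapi/$_hook.sh" \
    "$_sd/dnsapi/$_hook" "$_sd/dnsapi/$_hook.sh"
  do
    if [ -f "$_cand" ]; then
      printf '%s\n' "$_cand"
      return 0
    fi
  done
  return 1
}

# check_hook ACME_SH HOME_DIR HOOK
# Reports where the hook would be loaded from, or that the lookup fails the
# same way acme.sh does before printing "Can not find dns api hook for: HOOK".
check_hook() {
  _script="$1"; _hd="$2"; _hook="$3"
  if _found="$(find_dns_hook "$(dirname "$_script")" "$_hd" "$_hook")"; then
    printf 'OK: %s would be loaded from %s\n' "$_hook" "$_found"
    return 0
  fi
  printf 'MISSING: %s not found next to %s, under %s, or in either dnsapi/ dir\n' \
    "$_hook" "$_script" "$_hd"
  return 1
}

# Usage on OPNsense, with the paths from the command line in the issue:
#   sh hookcheck.sh /usr/local/sbin/acme.sh /var/etc/acme-client/home dns_namesilo
if [ $# -eq 3 ]; then
  check_hook "$1" "$2" "$3"
fi
```

Run it with the real script path and the `--home` directory that Acme Client passes, then compare the result with the package's own copy reported by `pkg list` (on the reporter's box, `/usr/local/share/examples/acme.sh/dnsapi/dns_namesilo.sh`). Whether acme.sh consults that examples directory depends on how the FreeBSD port sets `_SCRIPT_HOME`, which this script does not assume; if the check reports MISSING while the package file exists, the hook is simply outside the directories acme.sh searches, which is consistent with the maintainer's point that a modified or relocated acme.sh is the likely cause.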
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.