Another Letsencrypt method

JDunphy
Outstanding Member
Posts: 278
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P6

Re: Another Letsencrypt method

Postby JDunphy » Thu Jun 14, 2018 6:27 pm

Pepe wrote:
Hello JDunphy:
Still does not work, I must put

Code: Select all

--yes-I-know-dns-manual-mode-enough-go-ahead-please
in order to install, otherwise I can't.

Code: Select all

[zimbratest@prueba2 acme.sh]$ sh acme.sh --issue --dns -d mail.zimbraxyz.com
[jue jun 14 13:56:29 BOT 2018] It seems that you are using dns manual mode. Read this link first: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode


Do I have to use socat? It's just one test server. One more thing, I have separate servers, one for zimbra and the other for dns.

Thank you.

No... Here is the full message about socat from the output of acme.sh.

Code: Select all

It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore

Given you are not using acme.sh in one of its standalone verification methods such as the few based on http/https you don't need it.
Thanks for the heads up on that new option for manual DNS. I'll add that to this thread. I suspect that extra switch 'yes-I-know-dns-manual-mode-enough-go-ahead-please' was recently added to alert you to the fact the verification window has been decreasing by letsencrypt. The author of acme.sh most likely is trying to get people to use an automatic mode ... including those 2 automatic DNS modes or perhaps the many other server based options with acme.sh ... I don't like the server based modes myself with zimbra because I don't want to take a zimbra outage to get/test and validate a certificate. I also use a push methodology here so I don't need to be on the same machine I get my certs verified with those automatic DNS methods.

Note: This acme.sh software appears to be evolving fast so many of the comments in this thread have alerted me to go back and issue an 'acme.sh --update' to get a new version. I love that DNS alias method BTW which was added a few months ago.


Pepe
Posts: 33
Joined: Mon Jun 26, 2017 2:28 am

Re: Another Letsencrypt method

Postby Pepe » Thu Jun 14, 2018 7:50 pm

Hello again JDunphy:
It does not work... this is the message I receive when I try to renew

Code: Select all

[zimbratest@prueba2 acme.sh]$ sh acme.sh --renew --dns -d mail.zimbralocalxyz.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[jue jun 14 15:33:15 BOT 2018] Renew: 'mail.zimbralocalxyz.com'
[jue jun 14 15:36:52 BOT 2018] Single domain='mail.zimbralocalxyz.com'
[jue jun 14 15:36:52 BOT 2018] Getting domain auth token for each domain
[jue jun 14 15:36:52 BOT 2018] Verifying:mail.zimbralocalxyz.com
[jue jun 14 15:44:02 BOT 2018] mail.zimbralocalxyz.com:Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}


And this is my dns record

Code: Select all

_acme-challenge.mail.zimbralocalxyz.com.        IN      TXT     "ad5p2Cq7jIDLW6qfe5LPTsB5rcy01NQNLO1MJjJN9L0"


Gonna try with deploy.sh
Thanks.

Re: Another Letsencrypt method

Postby JDunphy » Thu Jun 14, 2018 8:08 pm

Pepe wrote:
Hello again JDunphy:
It does not work... this is the message I receive when I try to renew

And this is my dns record

Code: Select all

_acme-challenge.mail.zimbralocalxyz.com.        IN      TXT     "ad5p2Cq7jIDLW6qfe5LPTsB5rcy01NQNLO1MJjJN9L0"


Gonna try with deploy.sh
Thanks.


Don't use deploy until you have a valid cert. You need to see success back from acme.sh ... You should see something like this with Success most likely in green depending on your terminal window:

Code: Select all

[Wed Jun 13 09:33:04 PDT 2018] Verifying: mail.zimbralocalxyz.com
[Wed Jun 13 09:33:07 PDT 2018] Success

Re: Another Letsencrypt method

Postby JDunphy » Thu Jun 14, 2018 8:29 pm

The order is: --init then --renew. If you get an error with --renew then you are back at --init again I believe. So the process is:

Code: Select all

acme.sh --init --dns  --yes-I-know-dns-manual-mode-enough-go-ahead-please -d mail.zimbralocalxyz.com

Update the TXT record and SOA. Watch out for caching because letsencrypt is going to be pulling that TXT record when you issue the --renew command for verification.

Code: Select all

acme.sh --renew --dns  --yes-I-know-dns-manual-mode-enough-go-ahead-please -d mail.zimbralocalxyz.com

The error message 'The challenge is not pending' seems to indicate that something went wrong at --init or the internal state files under .acme.sh/mail.zimbralocalxyz.com are corrupt I think.

Perhaps try with a clean state and wipe the ~/.acme.sh directory or just that .acme.sh/mail.zimbralocalxyz.com directory ... assuming you did your git clone of acme.sh in your home directory here is how to start fresh.

Code: Select all

mv ~/.acme.sh ~/acme.sh-to-delete
cd ~/acme.sh
acme.sh --update  # this will re-create the .acme.sh directory and files
cd ~/.acme.sh
Note: update account.conf if you had before with your email address, etc.

Now begin with ./acme.sh --init --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please -d mail.zimbralocalxyz.com

Don't know what else to tell you. Perhaps ask the author of the software or change to one of the other verification methods or use one of the automatic DNS methods. Once this works, it seems pretty bulletproof from my experience. You can turn on debug mode but that might be more confusing to you.

Jim
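
A pre-flight check for the manual DNS step described in the post above, as an added example that is not part of the original post or of acme.sh: before running the verification command, ask each authoritative nameserver of the zone directly for the `_acme-challenge` TXT record and compare it with the value acme.sh printed, so a stale cache or an unsynchronised secondary is caught first. The function names and the three-argument usage are assumptions of this example, and it requires `dig`.

```shell
#!/bin/sh
# Added example: confirm the dns-01 TXT record is live on every
# authoritative nameserver before asking the CA to validate.
#
# Usage (hypothetical script name):
#   sh check-challenge.sh <domain> <zone> <expected-txt-value>

# txt_matches EXPECTED
# Reads `dig +short TXT` style output on stdin (one record per line, data in
# double quotes) and succeeds only if some record equals EXPECTED exactly.
txt_matches() {
    expected=$1
    while IFS= read -r line || [ -n "$line" ]; do
        # Long TXT data may be printed as several quoted chunks separated
        # by a space; join the chunks, then strip the outer quotes.
        value=$(printf '%s' "$line" |
            sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        if [ "$value" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# check_challenge DOMAIN ZONE EXPECTED
# Queries each NS of ZONE directly (no recursion, so resolver caches are
# bypassed) for _acme-challenge.DOMAIN.
# Returns 0 if all servers answer with EXPECTED, 1 if any does not,
# 2 if the NS set for ZONE could not be found.
check_challenge() {
    domain=$1
    zone=$2
    expected=$3
    name="_acme-challenge.$domain"

    servers=$(dig +short NS "$zone")
    if [ -z "$servers" ]; then
        echo "no NS records found for $zone" >&2
        return 2
    fi

    rc=0
    for ns in $servers; do
        if dig +short +norecurse TXT "$name" "@$ns" | txt_matches "$expected"; then
            echo "ok       $ns"
        else
            echo "MISSING  $ns"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
    check_challenge "$@"
fi
```

A non-zero exit means at least one authoritative server does not yet serve the expected value.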
Pepe
Posts: 33
Joined: Mon Jun 26, 2017 2:28 am

Re: Another Letsencrypt method

Postby Pepe » Thu Jun 14, 2018 9:03 pm

Well, I did not even generate certs in folder .acme.sh/mail.zimbralocalxyz.com

Code: Select all

[zimbratest@prueba2 mail.zimbralocalxyz.com]$ ls
mail.zimbralocalxyz.com.conf  mail.zimbralocalxyz.com.csr.conf
mail.zimbralocalxyz.com.csr   mail.zimbralocalxyz.com.key


And it still gives me the error for --renew. I don't get it...
Thanks.

EDIT: commands --update and --init are unknown

Re: Another Letsencrypt method

Postby JDunphy » Thu Jun 14, 2018 9:18 pm

Pepe wrote:
Well, I did not even generate certs in folder .acme.sh/mail.zimbralocalxyz.com

Code: Select all

[zimbratest@prueba2 mail.zimbralocalxyz.com]$ ls
mail.zimbralocalxyz.com.conf  mail.zimbralocalxyz.com.csr.conf
mail.zimbralocalxyz.com.csr   mail.zimbralocalxyz.com.key


And it still gives me the error for --renew. I don't get it...
Thanks.

I have to agree. Very weird. I use that acme.sh script on everything from apache, nginx, zimbra, etc. on all different OS's...

I wonder why for your environment? If you want, add the --staging and --debug flags and email me the resulting logs and I could take a look. I mention the --staging because there is a limit of the number of times one can ask for validation from letsencrypt per day. Normally this just works out of the box first time so I don't mention the --staging/--testing in my notes.
yvespires
Posts: 8
Joined: Tue Jan 03, 2017 1:15 pm

Re: Another Letsencrypt method

Postby yvespires » Sat Aug 04, 2018 2:41 pm

Hey, I'm using acme.sh with dns_ispconfig API to generate cert for zimbra 8.8.9.GA.2055.UBUNTU16.64 and it's failing

[Sat Aug 4 09:41:24 BRT 2018] mail.yvespires.tk:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.yvespires.tk


If I add DNS entries by hand it works.

bind zone while acme is sleeping waiting for dns changes

yvespires.tk. 3600 TXT "v=spf1 mx a:yvespires.tk mx a:mail.yvespires.tk ip4:177.129.104.6 ~all"
_acme-challenge.mail.yvespires.tk. 3600 TXT "Id50s6kzkOrduI8YNdP-btruJ2ZhoZ3GTuEhZeKDhLA"
_acme-challenge.webmail.yvespires.tk. 3600 TXT "T7jmehGhe9JZsWHYorUeeMb_qe1ARtOlBU24K8cbJxE"
_dmarc 3600 TXT "v=DMARC1; p=none"


full log

root@mx:~# acme.sh --debug --issue --dns dns_ispconfig -d mail.yvespires.tk -d webmail.yvespires.tk
[Sat Aug 4 09:39:13 BRT 2018] Lets find script dir.
[Sat Aug 4 09:39:13 BRT 2018] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Aug 4 09:39:13 BRT 2018] _script='/root/.acme.sh/acme.sh'
[Sat Aug 4 09:39:13 BRT 2018] _script_home='/root/.acme.sh'
[Sat Aug 4 09:39:13 BRT 2018] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.8.0
[Sat Aug 4 09:39:13 BRT 2018] _main_domain='mail.yvespires.tk'
[Sat Aug 4 09:39:13 BRT 2018] _alt_domains='webmail.yvespires.tk'
[Sat Aug 4 09:39:13 BRT 2018] Using config home:/root/.acme.sh
[Sat Aug 4 09:39:13 BRT 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sat Aug 4 09:39:13 BRT 2018] DOMAIN_PATH='/root/.acme.sh/mail.yvespires.tk'
[Sat Aug 4 09:39:13 BRT 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Sat Aug 4 09:39:13 BRT 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Sat Aug 4 09:39:13 BRT 2018] GET
[Sat Aug 4 09:39:13 BRT 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Aug 4 09:39:13 BRT 2018] timeout=
[Sat Aug 4 09:39:13 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:39:14 BRT 2018] ret='0'
[Sat Aug 4 09:39:14 BRT 2018] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Sat Aug 4 09:39:14 BRT 2018] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Aug 4 09:39:14 BRT 2018] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Sat Aug 4 09:39:14 BRT 2018] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Sat Aug 4 09:39:14 BRT 2018] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Sat Aug 4 09:39:14 BRT 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sat Aug 4 09:39:14 BRT 2018] ACME_NEW_NONCE
[Sat Aug 4 09:39:14 BRT 2018] ACME_VERSION
[Sat Aug 4 09:39:14 BRT 2018] _on_before_issue
[Sat Aug 4 09:39:14 BRT 2018] _chk_main_domain='mail.yvespires.tk'
[Sat Aug 4 09:39:14 BRT 2018] _chk_alt_domains='webmail.yvespires.tk'
[Sat Aug 4 09:39:14 BRT 2018] Le_LocalAddress
[Sat Aug 4 09:39:14 BRT 2018] d='mail.yvespires.tk'
[Sat Aug 4 09:39:14 BRT 2018] Check for domain='mail.yvespires.tk'
[Sat Aug 4 09:39:14 BRT 2018] _currentRoot='dns_ispconfig'
[Sat Aug 4 09:39:14 BRT 2018] d='webmail.yvespires.tk'
[Sat Aug 4 09:39:14 BRT 2018] Check for domain='webmail.yvespires.tk'
[Sat Aug 4 09:39:14 BRT 2018] _currentRoot='dns_ispconfig'
[Sat Aug 4 09:39:14 BRT 2018] d
[Sat Aug 4 09:39:14 BRT 2018] config file is empty, can not read CA_KEY_HASH
[Sat Aug 4 09:39:14 BRT 2018] Using config home:/root/.acme.sh
[Sat Aug 4 09:39:14 BRT 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sat Aug 4 09:39:14 BRT 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Sat Aug 4 09:39:14 BRT 2018] Use default length 2048
[Sat Aug 4 09:39:14 BRT 2018] length='2048'
[Sat Aug 4 09:39:14 BRT 2018] Using config home:/root/.acme.sh
[Sat Aug 4 09:39:14 BRT 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sat Aug 4 09:39:14 BRT 2018] Use length 2048
[Sat Aug 4 09:39:14 BRT 2018] Using RSA: 2048
[Sat Aug 4 09:39:14 BRT 2018] RSA key
[Sat Aug 4 09:39:14 BRT 2018] Registering account
[Sat Aug 4 09:39:14 BRT 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Sat Aug 4 09:39:14 BRT 2018] payload='{"resource": "new-reg", "terms-of-service-agreed": true, "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"}'
[Sat Aug 4 09:39:14 BRT 2018] GET
[Sat Aug 4 09:39:14 BRT 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Aug 4 09:39:14 BRT 2018] timeout=
[Sat Aug 4 09:39:15 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:39:15 BRT 2018] ret='0'
[Sat Aug 4 09:39:15 BRT 2018] POST
[Sat Aug 4 09:39:15 BRT 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Sat Aug 4 09:39:15 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:39:15 BRT 2018] Using sed -i
[Sat Aug 4 09:39:15 BRT 2018] _ret='0'
[Sat Aug 4 09:39:15 BRT 2018] code='201'
[Sat Aug 4 09:39:15 BRT 2018] Registered
[Sat Aug 4 09:39:15 BRT 2018] _accUri='https://acme-v01.api.letsencrypt.org/acme/reg/39605767'
[Sat Aug 4 09:39:15 BRT 2018] Calc CA_KEY_HASH='D+yS5AHJRTXVZGd39FmlXq07hthFSu8/EK6qC7WLtDg='
[Sat Aug 4 09:39:16 BRT 2018] ACCOUNT_THUMBPRINT='G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E'
[Sat Aug 4 09:39:16 BRT 2018] Read key length:
[Sat Aug 4 09:39:16 BRT 2018] Creating domain key
[Sat Aug 4 09:39:16 BRT 2018] Use DEFAULT_DOMAIN_KEY_LENGTH=2048
[Sat Aug 4 09:39:16 BRT 2018] Using config home:/root/.acme.sh
[Sat Aug 4 09:39:16 BRT 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sat Aug 4 09:39:16 BRT 2018] Use length 2048
[Sat Aug 4 09:39:16 BRT 2018] Using RSA: 2048
[Sat Aug 4 09:39:16 BRT 2018] The domain key is here: /root/.acme.sh/mail.yvespires.tk/mail.yvespires.tk.key
[Sat Aug 4 09:39:16 BRT 2018] _createcsr
[Sat Aug 4 09:39:16 BRT 2018] Multi domain='DNS:mail.yvespires.tk,DNS:webmail.yvespires.tk'
[Sat Aug 4 09:39:16 BRT 2018] Getting domain auth token for each domain
[Sat Aug 4 09:39:16 BRT 2018] d='mail.yvespires.tk'
[Sat Aug 4 09:39:16 BRT 2018] Getting webroot for domain='mail.yvespires.tk'
[Sat Aug 4 09:39:16 BRT 2018] _w='dns_ispconfig'
[Sat Aug 4 09:39:16 BRT 2018] _currentRoot='dns_ispconfig'
[Sat Aug 4 09:39:16 BRT 2018] Getting new-authz for domain='mail.yvespires.tk'
[Sat Aug 4 09:39:16 BRT 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Sat Aug 4 09:39:16 BRT 2018] Try new-authz for the 0 time.
[Sat Aug 4 09:39:16 BRT 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Aug 4 09:39:16 BRT 2018] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "mail.yvespires.tk"}}'
[Sat Aug 4 09:39:16 BRT 2018] POST
[Sat Aug 4 09:39:16 BRT 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Aug 4 09:39:16 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:39:17 BRT 2018] Using sed -i
[Sat Aug 4 09:39:17 BRT 2018] _ret='0'
[Sat Aug 4 09:39:17 BRT 2018] code='201'
[Sat Aug 4 09:39:17 BRT 2018] The new-authz request is ok.
[Sat Aug 4 09:39:17 BRT 2018] entry='"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247","token":"CwZqIxd1CI9zH-fwlDztvGef4PbMP51Mzlmd65J6eyI"'
[Sat Aug 4 09:39:17 BRT 2018] token='CwZqIxd1CI9zH-fwlDztvGef4PbMP51Mzlmd65J6eyI'
[Sat Aug 4 09:39:17 BRT 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247'
[Sat Aug 4 09:39:17 BRT 2018] keyauthorization='CwZqIxd1CI9zH-fwlDztvGef4PbMP51Mzlmd65J6eyI.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E'
[Sat Aug 4 09:39:17 BRT 2018] dvlist='mail.yvespires.tk#CwZqIxd1CI9zH-fwlDztvGef4PbMP51Mzlmd65J6eyI.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E#https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247#dns-01#dns_ispconfig'
[Sat Aug 4 09:39:17 BRT 2018] d='webmail.yvespires.tk'
[Sat Aug 4 09:39:17 BRT 2018] Getting webroot for domain='webmail.yvespires.tk'
[Sat Aug 4 09:39:17 BRT 2018] _w='dns_ispconfig'
[Sat Aug 4 09:39:17 BRT 2018] _currentRoot='dns_ispconfig'
[Sat Aug 4 09:39:17 BRT 2018] Getting new-authz for domain='webmail.yvespires.tk'
[Sat Aug 4 09:39:17 BRT 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Sat Aug 4 09:39:17 BRT 2018] Try new-authz for the 0 time.
[Sat Aug 4 09:39:17 BRT 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Aug 4 09:39:17 BRT 2018] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "webmail.yvespires.tk"}}'
[Sat Aug 4 09:39:17 BRT 2018] POST
[Sat Aug 4 09:39:17 BRT 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Aug 4 09:39:17 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:39:17 BRT 2018] Using sed -i
[Sat Aug 4 09:39:17 BRT 2018] _ret='0'
[Sat Aug 4 09:39:17 BRT 2018] code='201'
[Sat Aug 4 09:39:17 BRT 2018] The new-authz request is ok.
[Sat Aug 4 09:39:17 BRT 2018] entry='"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/53h22fOVZPxUO7aCHCG0sBMogFsf_oZ9aTrzw6Ffhe8/6176152527","token":"OvMXSNxw-tkTpQsogoOA528UzzaJUJFljnSjHcqb6Kk"'
[Sat Aug 4 09:39:17 BRT 2018] token='OvMXSNxw-tkTpQsogoOA528UzzaJUJFljnSjHcqb6Kk'
[Sat Aug 4 09:39:17 BRT 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/53h22fOVZPxUO7aCHCG0sBMogFsf_oZ9aTrzw6Ffhe8/6176152527'
[Sat Aug 4 09:39:18 BRT 2018] keyauthorization='OvMXSNxw-tkTpQsogoOA528UzzaJUJFljnSjHcqb6Kk.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E'
[Sat Aug 4 09:39:18 BRT 2018] dvlist='webmail.yvespires.tk#OvMXSNxw-tkTpQsogoOA528UzzaJUJFljnSjHcqb6Kk.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E#https://acme-v01.api.letsencrypt.org/acme/challenge/53h22fOVZPxUO7aCHCG0sBMogFsf_oZ9aTrzw6Ffhe8/6176152527#dns-01#dns_ispconfig'
[Sat Aug 4 09:39:18 BRT 2018] d
[Sat Aug 4 09:39:18 BRT 2018] vlist='mail.yvespires.tk#CwZqIxd1CI9zH-fwlDztvGef4PbMP51Mzlmd65J6eyI.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E#https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247#dns-01#dns_ispconfig,webmail.yvespires.tk#OvMXSNxw-tkTpQsogoOA528UzzaJUJFljnSjHcqb6Kk.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E#https://acme-v01.api.letsencrypt.org/acme/challenge/53h22fOVZPxUO7aCHCG0sBMogFsf_oZ9aTrzw6Ffhe8/6176152527#dns-01#dns_ispconfig,'
[Sat Aug 4 09:39:18 BRT 2018] d='mail.yvespires.tk'
[Sat Aug 4 09:39:18 BRT 2018] _d_alias
[Sat Aug 4 09:39:18 BRT 2018] txtdomain='_acme-challenge.mail.yvespires.tk'
[Sat Aug 4 09:39:18 BRT 2018] txt='Id50s6kzkOrduI8YNdP-btruJ2ZhoZ3GTuEhZeKDhLA'
[Sat Aug 4 09:39:18 BRT 2018] d_api='/root/.acme.sh/dnsapi/dns_ispconfig.sh'
[Sat Aug 4 09:39:18 BRT 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_ispconfig.sh
[Sat Aug 4 09:39:18 BRT 2018] Calling: dns_ispconfig_add() '_acme-challenge.mail.yvespires.tk' 'Id50s6kzkOrduI8YNdP-btruJ2ZhoZ3GTuEhZeKDhLA'
[Sat Aug 4 09:39:18 BRT 2018] Getting Session ID
[Sat Aug 4 09:39:18 BRT 2018] POST
[Sat Aug 4 09:39:18 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:39:18 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:39:18 BRT 2018] Using sed -i
[Sat Aug 4 09:39:18 BRT 2018] _ret='0'
[Sat Aug 4 09:39:18 BRT 2018] Calling _ISPC_login: '{"username":"yves","password":"mypass","client_login":false}' 'https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:39:18 BRT 2018] Result of _ISPC_login: '{"code":"ok","message":"","response":"53a3812cfa6f77f03174d3f11f749745"}'
[Sat Aug 4 09:39:18 BRT 2018] Retrieved Session ID.
[Sat Aug 4 09:39:18 BRT 2018] Session ID: '53a3812cfa6f77f03174d3f11f749745'
[Sat Aug 4 09:39:18 BRT 2018] Getting Zoneinfo
[Sat Aug 4 09:39:18 BRT 2018] POST
[Sat Aug 4 09:39:18 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_zone_get'
[Sat Aug 4 09:39:18 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:39:18 BRT 2018] Using sed -i
[Sat Aug 4 09:39:18 BRT 2018] _ret='0'
[Sat Aug 4 09:39:18 BRT 2018] Calling _ISPC_getZoneInfo: '{"session_id":"53a3812cfa6f77f03174d3f11f749745","primary_id":{"origin":"mail.yvespires.tk."}}' 'https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:39:18 BRT 2018] Result of _ISPC_getZoneInfo: '{"code":"ok","message":"","response":[]}'
[Sat Aug 4 09:39:18 BRT 2018] POST
[Sat Aug 4 09:39:18 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_zone_get'
[Sat Aug 4 09:39:18 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:39:18 BRT 2018] Using sed -i
[Sat Aug 4 09:39:18 BRT 2018] _ret='0'
[Sat Aug 4 09:39:18 BRT 2018] Calling _ISPC_getZoneInfo: '{"session_id":"53a3812cfa6f77f03174d3f11f749745","primary_id":{"origin":"yvespires.tk."}}' 'https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:39:18 BRT 2018] Result of _ISPC_getZoneInfo: '{"code":"ok","message":"","response":[{"id":"263","sys_userid":"1","sys_groupid":"0","sys_perm_user":"riud","sys_perm_group":"ru","sys_perm_other":"","server_id":"3","origin":"yvespires.tk.","ns":"ns1.hbinfo.com.br.","mbox":"postmaster.hbinfo.com.br.","serial":"2018080403","refresh":"7200","retry":"3600","expire":"604800","minimum":"10800","ttl":"3600","active":"Y","xfer":"177.129.104.2","also_notify":"","update_acl":"","dnssec_initialized":"N","dnssec_wanted":"N","dnssec_last_signed":"0","dnssec_info":""}]}'
[Sat Aug 4 09:39:18 BRT 2018] Retrieved zone data.
[Sat Aug 4 09:39:18 BRT 2018] Zone data: '{"code":"ok","message":"","response":[{"id":"263","sys_userid":"1","sys_groupid":"0","sys_perm_user":"riud","sys_perm_group":"ru","sys_perm_other":"","server_id":"3","origin":"yvespires.tk.","ns":"ns1.hbinfo.com.br.","mbox":"postmaster.hbinfo.com.br.","serial":"2018080403","refresh":"7200","retry":"3600","expire":"604800","minimum":"10800","ttl":"3600","active":"Y","xfer":"177.129.104.2","also_notify":"","update_acl":"","dnssec_initialized":"N","dnssec_wanted":"N","dnssec_last_signed":"0","dnssec_info":""}]}'
[Sat Aug 4 09:39:18 BRT 2018] Server ID: '3'
[Sat Aug 4 09:39:18 BRT 2018] Retrieved Server ID
[Sat Aug 4 09:39:18 BRT 2018] Zone: '263'
[Sat Aug 4 09:39:18 BRT 2018] Retrieved Zone ID
[Sat Aug 4 09:39:18 BRT 2018] Client ID: '1'
[Sat Aug 4 09:39:18 BRT 2018] Retrieved Client ID.
[Sat Aug 4 09:39:18 BRT 2018] POST
[Sat Aug 4 09:39:18 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_txt_add'
[Sat Aug 4 09:39:18 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:39:18 BRT 2018] Using sed -i
[Sat Aug 4 09:39:18 BRT 2018] _ret='0'
[Sat Aug 4 09:39:18 BRT 2018] Calling _ISPC_addTxt: '{"session_id":"53a3812cfa6f77f03174d3f11f749745","client_id":"1","params":{"server_id":"3","zone":"263","name":"_acme-challenge.mail.yvespires.tk.","type":"txt","data":"Id50s6kzkOrduI8YNdP-btruJ2ZhoZ3GTuEhZeKDhLA","aux":"0","ttl":"3600","active":"y","stamp":"2018-08-04 09:39:18","serial":"1533386358"},"update_serial":true}' 'https://myserver.com:8080/remote/json.php?dns_txt_add'
[Sat Aug 4 09:39:18 BRT 2018] Result of _ISPC_addTxt: '{"code":"ok","message":"","response":"18218"}'
[Sat Aug 4 09:39:18 BRT 2018] Record ID: '18218'
[Sat Aug 4 09:39:18 BRT 2018] Added ACME Challenge TXT record to zone.
[Sat Aug 4 09:39:18 BRT 2018] d='webmail.yvespires.tk'
[Sat Aug 4 09:39:18 BRT 2018] _d_alias
[Sat Aug 4 09:39:18 BRT 2018] txtdomain='_acme-challenge.webmail.yvespires.tk'
[Sat Aug 4 09:39:18 BRT 2018] txt='T7jmehGhe9JZsWHYorUeeMb_qe1ARtOlBU24K8cbJxE'
[Sat Aug 4 09:39:18 BRT 2018] d_api='/root/.acme.sh/dnsapi/dns_ispconfig.sh'
[Sat Aug 4 09:39:18 BRT 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_ispconfig.sh
[Sat Aug 4 09:39:18 BRT 2018] Calling: dns_ispconfig_add() '_acme-challenge.webmail.yvespires.tk' 'T7jmehGhe9JZsWHYorUeeMb_qe1ARtOlBU24K8cbJxE'
[Sat Aug 4 09:39:18 BRT 2018] Getting Session ID
[Sat Aug 4 09:39:18 BRT 2018] POST
[Sat Aug 4 09:39:18 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:39:19 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:39:19 BRT 2018] Using sed -i
[Sat Aug 4 09:39:19 BRT 2018] _ret='0'
[Sat Aug 4 09:39:19 BRT 2018] Calling _ISPC_login: '{"username":"yves","password":"mypass","client_login":false}' 'https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:39:19 BRT 2018] Result of _ISPC_login: '{"code":"ok","message":"","response":"d0708e81d7c315a853574db30d4e41d3"}'
[Sat Aug 4 09:39:19 BRT 2018] Retrieved Session ID.
[Sat Aug 4 09:39:19 BRT 2018] Session ID: 'd0708e81d7c315a853574db30d4e41d3'
[Sat Aug 4 09:39:19 BRT 2018] Getting Zoneinfo
[Sat Aug 4 09:39:19 BRT 2018] POST
[Sat Aug 4 09:39:19 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_zone_get'
[Sat Aug 4 09:39:19 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:39:19 BRT 2018] Using sed -i
[Sat Aug 4 09:39:19 BRT 2018] _ret='0'
[Sat Aug 4 09:39:19 BRT 2018] Calling _ISPC_getZoneInfo: '{"session_id":"d0708e81d7c315a853574db30d4e41d3","primary_id":{"origin":"webmail.yvespires.tk."}}' 'https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:39:19 BRT 2018] Result of _ISPC_getZoneInfo: '{"code":"ok","message":"","response":[]}'
[Sat Aug 4 09:39:19 BRT 2018] POST
[Sat Aug 4 09:39:19 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_zone_get'
[Sat Aug 4 09:39:19 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:39:19 BRT 2018] Using sed -i
[Sat Aug 4 09:39:19 BRT 2018] _ret='0'
[Sat Aug 4 09:39:19 BRT 2018] Calling _ISPC_getZoneInfo: '{"session_id":"d0708e81d7c315a853574db30d4e41d3","primary_id":{"origin":"yvespires.tk."}}' 'https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:39:19 BRT 2018] Result of _ISPC_getZoneInfo: '{"code":"ok","message":"","response":[{"id":"263","sys_userid":"1","sys_groupid":"0","sys_perm_user":"riud","sys_perm_group":"ru","sys_perm_other":"","server_id":"3","origin":"yvespires.tk.","ns":"ns1.hbinfo.com.br.","mbox":"postmaster.hbinfo.com.br.","serial":"2018080403","refresh":"7200","retry":"3600","expire":"604800","minimum":"10800","ttl":"3600","active":"Y","xfer":"177.129.104.2","also_notify":"","update_acl":"","dnssec_initialized":"N","dnssec_wanted":"N","dnssec_last_signed":"0","dnssec_info":""}]}'
[Sat Aug 4 09:39:19 BRT 2018] Retrieved zone data.
[Sat Aug 4 09:39:19 BRT 2018] Zone data: '{"code":"ok","message":"","response":[{"id":"263","sys_userid":"1","sys_groupid":"0","sys_perm_user":"riud","sys_perm_group":"ru","sys_perm_other":"","server_id":"3","origin":"yvespires.tk.","ns":"ns1.hbinfo.com.br.","mbox":"postmaster.hbinfo.com.br.","serial":"2018080403","refresh":"7200","retry":"3600","expire":"604800","minimum":"10800","ttl":"3600","active":"Y","xfer":"177.129.104.2","also_notify":"","update_acl":"","dnssec_initialized":"N","dnssec_wanted":"N","dnssec_last_signed":"0","dnssec_info":""}]}'
[Sat Aug 4 09:39:19 BRT 2018] Server ID: '3'
[Sat Aug 4 09:39:19 BRT 2018] Retrieved Server ID
[Sat Aug 4 09:39:19 BRT 2018] Zone: '263'
[Sat Aug 4 09:39:19 BRT 2018] Retrieved Zone ID
[Sat Aug 4 09:39:19 BRT 2018] Client ID: '1'
[Sat Aug 4 09:39:19 BRT 2018] Retrieved Client ID.
[Sat Aug 4 09:39:19 BRT 2018] POST
[Sat Aug 4 09:39:19 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_txt_add'
[Sat Aug 4 09:39:19 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:39:19 BRT 2018] Using sed -i
[Sat Aug 4 09:39:19 BRT 2018] _ret='0'
[Sat Aug 4 09:39:19 BRT 2018] Calling _ISPC_addTxt: '{"session_id":"d0708e81d7c315a853574db30d4e41d3","client_id":"1","params":{"server_id":"3","zone":"263","name":"_acme-challenge.webmail.yvespires.tk.","type":"txt","data":"T7jmehGhe9JZsWHYorUeeMb_qe1ARtOlBU24K8cbJxE","aux":"0","ttl":"3600","active":"y","stamp":"2018-08-04 09:39:19","serial":"1533386359"},"update_serial":true}' 'https://myserver.com:8080/remote/json.php?dns_txt_add'
[Sat Aug 4 09:39:19 BRT 2018] Result of _ISPC_addTxt: '{"code":"ok","message":"","response":"18219"}'
[Sat Aug 4 09:39:19 BRT 2018] Record ID: '18219'
[Sat Aug 4 09:39:19 BRT 2018] Added ACME Challenge TXT record to zone.
[Sat Aug 4 09:39:19 BRT 2018] Sleep 120 seconds for the txt records to take effect
[Sat Aug 4 09:41:21 BRT 2018] ok, let's start to verify
[Sat Aug 4 09:41:21 BRT 2018] Verifying:mail.yvespires.tk
[Sat Aug 4 09:41:21 BRT 2018] d='mail.yvespires.tk'
[Sat Aug 4 09:41:21 BRT 2018] keyauthorization='CwZqIxd1CI9zH-fwlDztvGef4PbMP51Mzlmd65J6eyI.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E'
[Sat Aug 4 09:41:21 BRT 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247'
[Sat Aug 4 09:41:21 BRT 2018] _currentRoot='dns_ispconfig'
[Sat Aug 4 09:41:21 BRT 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247'
[Sat Aug 4 09:41:21 BRT 2018] payload='{"resource": "challenge", "keyAuthorization": "CwZqIxd1CI9zH-fwlDztvGef4PbMP51Mzlmd65J6eyI.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E"}'
[Sat Aug 4 09:41:21 BRT 2018] POST
[Sat Aug 4 09:41:21 BRT 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247'
[Sat Aug 4 09:41:21 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:41:22 BRT 2018] Using sed -i
[Sat Aug 4 09:41:22 BRT 2018] _ret='0'
[Sat Aug 4 09:41:22 BRT 2018] code='202'
[Sat Aug 4 09:41:22 BRT 2018] sleep 2 secs to verify
[Sat Aug 4 09:41:24 BRT 2018] checking
[Sat Aug 4 09:41:24 BRT 2018] GET
[Sat Aug 4 09:41:24 BRT 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247'
[Sat Aug 4 09:41:24 BRT 2018] timeout=
[Sat Aug 4 09:41:24 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:41:24 BRT 2018] ret='0'
[Sat Aug 4 09:41:24 BRT 2018] mail.yvespires.tk:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.yvespires.tk
[Sat Aug 4 09:41:24 BRT 2018] Skip for removelevel:
[Sat Aug 4 09:41:24 BRT 2018] pid
[Sat Aug 4 09:41:24 BRT 2018] No need to restore nginx, skip.
[Sat Aug 4 09:41:24 BRT 2018] _clearupdns
[Sat Aug 4 09:41:24 BRT 2018] Removing DNS records.
[Sat Aug 4 09:41:25 BRT 2018] txt='Id50s6kzkOrduI8YNdP-btruJ2ZhoZ3GTuEhZeKDhLA'
[Sat Aug 4 09:41:25 BRT 2018] d_api='/root/.acme.sh/dnsapi/dns_ispconfig.sh'
[Sat Aug 4 09:41:25 BRT 2018] _d_alias
[Sat Aug 4 09:41:25 BRT 2018] Calling: dns_ispconfig_rm() '_acme-challenge.mail.yvespires.tk'
[Sat Aug 4 09:41:25 BRT 2018] Getting Session ID
[Sat Aug 4 09:41:25 BRT 2018] POST
[Sat Aug 4 09:41:25 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:41:25 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:41:25 BRT 2018] Using sed -i
[Sat Aug 4 09:41:25 BRT 2018] _ret='0'
[Sat Aug 4 09:41:25 BRT 2018] Calling _ISPC_login: '{"username":"yves","password":"mypass","client_login":false}' 'https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:41:25 BRT 2018] Result of _ISPC_login: '{"code":"ok","message":"","response":"449a962de13c6a362023c2f59bb54924"}'
[Sat Aug 4 09:41:25 BRT 2018] Retrieved Session ID.
[Sat Aug 4 09:41:25 BRT 2018] Session ID: '449a962de13c6a362023c2f59bb54924'
[Sat Aug 4 09:41:25 BRT 2018] POST
[Sat Aug 4 09:41:25 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_txt_get'
[Sat Aug 4 09:41:25 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:41:25 BRT 2018] Using sed -i
[Sat Aug 4 09:41:25 BRT 2018] _ret='0'
[Sat Aug 4 09:41:25 BRT 2018] Calling _ISPC_rmTxt: '{"session_id":"449a962de13c6a362023c2f59bb54924","primary_id":{"name":"_acme-challenge.mail.yvespires.tk.","type":"TXT"}}' 'https://myserver.com:8080/remote/json.php?dns_txt_get'
[Sat Aug 4 09:41:25 BRT 2018] Result of _ISPC_rmTxt: '{"code":"ok","message":"","response":[{"id":"18218","sys_userid":"2","sys_groupid":"2","sys_perm_user":"riud","sys_perm_group":"riud","sys_perm_other":"","server_id":"3","zone":"263","name":"_acme-challenge.mail.yvespires.tk.","type":"TXT","data":"Id50s6kzkOrduI8YNdP-btruJ2ZhoZ3GTuEhZeKDhLA","aux":"0","ttl":"3600","active":"Y","stamp":"2018-08-04 09:39:18","serial":"1533386358"}]}'
[Sat Aug 4 09:41:25 BRT 2018] Record ID: '18218'
[Sat Aug 4 09:41:25 BRT 2018] Retrieved Record ID.
[Sat Aug 4 09:41:25 BRT 2018] POST
[Sat Aug 4 09:41:25 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_txt_delete'
[Sat Aug 4 09:41:25 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:41:25 BRT 2018] Using sed -i
[Sat Aug 4 09:41:25 BRT 2018] _ret='0'
[Sat Aug 4 09:41:25 BRT 2018] Calling _ISPC_rmTxt: '{"session_id":"449a962de13c6a362023c2f59bb54924","primary_id":"18218","update_serial":true}' 'https://myserver.com:8080/remote/json.php?dns_txt_delete'
[Sat Aug 4 09:41:25 BRT 2018] Result of _ISPC_rmTxt: '{"code":"ok","message":"","response":1}'
[Sat Aug 4 09:41:25 BRT 2018] Removed ACME Challenge TXT record from zone.
[Sat Aug 4 09:41:25 BRT 2018] txt='T7jmehGhe9JZsWHYorUeeMb_qe1ARtOlBU24K8cbJxE'
[Sat Aug 4 09:41:25 BRT 2018] d_api='/root/.acme.sh/dnsapi/dns_ispconfig.sh'
[Sat Aug 4 09:41:25 BRT 2018] _d_alias
[Sat Aug 4 09:41:25 BRT 2018] Calling: dns_ispconfig_rm() '_acme-challenge.webmail.yvespires.tk'
[Sat Aug 4 09:41:25 BRT 2018] Getting Session ID
[Sat Aug 4 09:41:25 BRT 2018] POST
[Sat Aug 4 09:41:25 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:41:25 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:41:25 BRT 2018] Using sed -i
[Sat Aug 4 09:41:25 BRT 2018] _ret='0'
[Sat Aug 4 09:41:25 BRT 2018] Calling _ISPC_login: '{"username":"yves","password":"mypass","client_login":false}' 'https://myserver.com:8080/remote/json.php?login'
[Sat Aug 4 09:41:25 BRT 2018] Result of _ISPC_login: '{"code":"ok","message":"","response":"19cc6b5b0fa2a4ffc0f2b798f9a93cf7"}'
[Sat Aug 4 09:41:25 BRT 2018] Retrieved Session ID.
[Sat Aug 4 09:41:25 BRT 2018] Session ID: '19cc6b5b0fa2a4ffc0f2b798f9a93cf7'
[Sat Aug 4 09:41:26 BRT 2018] POST
[Sat Aug 4 09:41:26 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_txt_get'
[Sat Aug 4 09:41:26 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:41:26 BRT 2018] Using sed -i
[Sat Aug 4 09:41:26 BRT 2018] _ret='0'
[Sat Aug 4 09:41:26 BRT 2018] Calling _ISPC_rmTxt: '{"session_id":"19cc6b5b0fa2a4ffc0f2b798f9a93cf7","primary_id":{"name":"_acme-challenge.webmail.yvespires.tk.","type":"TXT"}}' 'https://myserver.com:8080/remote/json.php?dns_txt_get'
[Sat Aug 4 09:41:26 BRT 2018] Result of _ISPC_rmTxt: '{"code":"ok","message":"","response":[{"id":"18219","sys_userid":"2","sys_groupid":"2","sys_perm_user":"riud","sys_perm_group":"riud","sys_perm_other":"","server_id":"3","zone":"263","name":"_acme-challenge.webmail.yvespires.tk.","type":"TXT","data":"T7jmehGhe9JZsWHYorUeeMb_qe1ARtOlBU24K8cbJxE","aux":"0","ttl":"3600","active":"Y","stamp":"2018-08-04 09:39:19","serial":"1533386359"}]}'
[Sat Aug 4 09:41:26 BRT 2018] Record ID: '18219'
[Sat Aug 4 09:41:26 BRT 2018] Retrieved Record ID.
[Sat Aug 4 09:41:26 BRT 2018] POST
[Sat Aug 4 09:41:26 BRT 2018] _post_url='https://myserver.com:8080/remote/json.php?dns_txt_delete'
[Sat Aug 4 09:41:26 BRT 2018] _WGET='wget -q --content-on-error --no-check-certificate '
[Sat Aug 4 09:41:26 BRT 2018] Using sed -i
[Sat Aug 4 09:41:26 BRT 2018] _ret='0'
[Sat Aug 4 09:41:26 BRT 2018] Calling _ISPC_rmTxt: '{"session_id":"19cc6b5b0fa2a4ffc0f2b798f9a93cf7","primary_id":"18219","update_serial":true}' 'https://myserver.com:8080/remote/json.php?dns_txt_delete'
[Sat Aug 4 09:41:26 BRT 2018] Result of _ISPC_rmTxt: '{"code":"ok","message":"","response":1}'
[Sat Aug 4 09:41:26 BRT 2018] Removed ACME Challenge TXT record from zone.
[Sat Aug 4 09:41:26 BRT 2018] _on_issue_err
[Sat Aug 4 09:41:26 BRT 2018] Please add '--debug' or '--log' to check more details.
[Sat Aug 4 09:41:26 BRT 2018] See: https://github.com/Neilpang/acme.sh/wik ... ug-acme.sh
[Sat Aug 4 09:41:26 BRT 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247'
[Sat Aug 4 09:41:26 BRT 2018] payload='{"resource": "challenge", "keyAuthorization": "CwZqIxd1CI9zH-fwlDztvGef4PbMP51Mzlmd65J6eyI.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E"}'
[Sat Aug 4 09:41:26 BRT 2018] POST
[Sat Aug 4 09:41:26 BRT 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/bCx8Ee5pS7QKJQScWQvCw2PH8yHDFtHyEJys-YXoq0E/6176152247'
[Sat Aug 4 09:41:26 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:41:26 BRT 2018] wget returns 8, the server returns a 'Bad request' response, lets process the response later.
[Sat Aug 4 09:41:26 BRT 2018] Using sed -i
[Sat Aug 4 09:41:26 BRT 2018] _ret='0'
[Sat Aug 4 09:41:26 BRT 2018] code='400'
[Sat Aug 4 09:41:26 BRT 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/53h22fOVZPxUO7aCHCG0sBMogFsf_oZ9aTrzw6Ffhe8/6176152527'
[Sat Aug 4 09:41:26 BRT 2018] payload='{"resource": "challenge", "keyAuthorization": "OvMXSNxw-tkTpQsogoOA528UzzaJUJFljnSjHcqb6Kk.G6QAQ96BML54u_T4wsnsxuUC1q1uzLBu72fJ8EIyo9E"}'
[Sat Aug 4 09:41:27 BRT 2018] POST
[Sat Aug 4 09:41:27 BRT 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/53h22fOVZPxUO7aCHCG0sBMogFsf_oZ9aTrzw6Ffhe8/6176152527'
[Sat Aug 4 09:41:27 BRT 2018] _WGET='wget -q --content-on-error '
[Sat Aug 4 09:41:27 BRT 2018] Using sed -i
[Sat Aug 4 09:41:27 BRT 2018] _ret='0'
[Sat Aug 4 09:41:27 BRT 2018] code='202'
[Sat Aug 4 09:41:27 BRT 2018] socat doesn't exists.
[Sat Aug 4 09:41:27 BRT 2018] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2g 1 Mar 2016
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:
JDunphy
Outstanding Member
Posts: 278
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P6

Re: Another Letsencrypt method

Postby JDunphy » Sat Aug 04, 2018 5:52 pm

yvespires wrote: Hey, I'm using acme.sh with the dns_ispconfig API to generate a cert for zimbra 8.8.9.GA.2055.UBUNTU16.64 and it's failing

[Sat Aug 4 09:41:24 BRT 2018] mail.yvespires.tk:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.yvespires.tk


If I add DNS entries by hand it works.

bind zone while acme is sleeping waiting for dns changes

yvespires.tk. 3600 TXT “v=spf1 mx a:yvespires.tk mx a:mail.yvespires.tk ip4:177.129.104.6 ~all”
_acme-challenge.mail.yvespires.tk. 3600 TXT “Id50s6kzkOrduI8YNdP-btruJ2ZhoZ3GTuEhZeKDhLA”
_acme-challenge.webmail.yvespires.tk. 3600 TXT “T7jmehGhe9JZsWHYorUeeMb_qe1ARtOlBU24K8cbJxE”
_dmarc 3600 TXT “v=DMARC1; p=none”


full log

root@mx:~# acme.sh --debug --issue --dns dns_ispconfig -d mail.yvespires.tk -d webmail.yvespires.tk

I am not familiar with dns_ispconfig but found these open issues with that plugin at acme.sh https://github.com/Neilpang/acme.sh/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+ispconfig.

The major issue with the serial record should be fixed with the version you are running. The complaint from reading the thread was ISPConfig DNS servers were not propagating the zone change to all its slaves because of serial record issues caused by their API. letsencrypt would then hit those slaves which were missing the txt records, causing the domain to fail the challenge. It sounds like ispconfig changed their API to address this issue and those changes should be added to that plugin.

From above, it appears you are seeing the txt records being added to your domain, correct? Or are you showing me how you added the manual DNS txt records? I just do a refresh on my browser with cloudflare and can see those records being added while acme.sh waits 2 mins for propagation before beginning the validation phase. If you haven't used this automatic dns method before, that would be information to know and try. If you don't see txt records, you can back up and look at what variables need to be defined to use that plugin. I see that it has a lot more variables to define in account.conf than what I use for CF.

Code: Select all

Report bugs to https://github.com/sjau/acme.sh
# Values to export:
# export ISPC_User="remoteUser"
# export ISPC_Password="remotePassword"
# export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php"

You could also increase the wait if you believe it is a slave propagation error. I don't think so myself given you can do manual TXT entries and they work. Perhaps ask this question to the acme.sh link above. If this is a single server install, you could also just change your challenge methods and be done... ie. --standalone or --tls but don't forget to run acme.sh as root since they need to bind to ports below 1024 which do require root. It also means you need to take down any zimbra conflict first.. ie. nginx has ports 80 and 443 listening before running acme.sh
yvespires
Posts: 8
Joined: Tue Jan 03, 2017 1:15 pm

Re: Another Letsencrypt method

Postby yvespires » Mon Aug 06, 2018 1:16 pm


From above, it appears you are seeing the txt records being added to your domain, correct? Or are you showing me how you added the manual DNS txt records? I just do a refresh on my browser with cloudflare and can see those records being added while acme.sh waits 2 mins for propagation before beginning the validation phase. If you haven't used this automatic dns method before, that would be information to know and try. If you don't see txt records, you can back up and look at what variables need to be defined to use that plugin. I see that it has a lot more variables to define in account.conf than what I use for CF.

Code: Select all

Report bugs to https://github.com/sjau/acme.sh
# Values to export:
# export ISPC_User="remoteUser"
# export ISPC_Password="remotePassword"
# export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php"

You could also increase the wait if you believe it is a slave propagation error. I don't think so myself given you can do manual TXT entries and they work. Perhaps ask this question to the acme.sh link above. If this is a single server install, you could also just change your challenge methods and be done... ie. --standalone or --tls but don't forget to run acme.sh as root since they need to bind to ports below 1024 which do require root. It also means you need to take down any zimbra conflict first.. ie. nginx has ports 80 and 443 listening before running acme.sh


Yes, I can see the txt records being added to my domain with the automatic challenge.

Maybe the problem is with ispconfig/slave dns not getting the changes in time; I am going to increase the sleep and test again.

If it all fails I am going with the web 443 authentication method.

Thanks.
yvespires
Posts: 8
Joined: Tue Jan 03, 2017 1:15 pm

Re: Another Letsencrypt method

Postby yvespires » Mon Aug 06, 2018 8:50 pm

You could also increase the wait if you believe it is a slave propagation error. I don't think so myself given you can do manual TXT entries and they work.


All good now, the problem was my ispconfig master/slave dns servers not working/reloading zone changes properly.
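
The failure resolved in this thread (secondary nameservers that never picked up the `_acme-challenge` TXT record) can be detected before the CA validates by asking every authoritative server directly. The script below is an added example, not part of any post here and not acme.sh code; it assumes `dig` is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the DNS-01 challenge.
# list_ns, query_txt, check_challenge and wait_for_challenge are
# hypothetical names, not part of acme.sh.

# Real lookups; both need dig(1). Redefine them to test without a network.
list_ns()   { dig +short NS "$1"; }                                 # $1 = zone
query_txt() { dig +short +norecurse TXT "$2" "@$1" | tr -d '"'; }   # $1 = ns, $2 = fqdn

# check_challenge ZONE FQDN EXPECTED
# Prints one status line per authoritative server and succeeds only if
# every one of them serves EXPECTED. The ( ) body keeps variables local.
check_challenge() (
  zone=$1 fqdn=$2 expected=$3 count=0 missing=0
  for ns in $(list_ns "$zone"); do
    count=$((count + 1))
    # -F -x: the whole TXT value must match literally; other TXT values
    # on the same name (a second pending challenge) are tolerated.
    if query_txt "$ns" "$fqdn" | grep -Fxq -e "$expected"; then
      echo "OK      $ns"
    else
      echo "MISSING $ns"
      missing=$((missing + 1))
    fi
  done
  # No NS answer at all is a failure, not a vacuous success.
  [ "$count" -gt 0 ] && [ "$missing" -eq 0 ]
)

# wait_for_challenge ZONE FQDN EXPECTED [TRIES] [DELAY_SECONDS]
# Polls until every server agrees, or gives up after TRIES attempts.
wait_for_challenge() (
  tries=${4:-10} delay=${5:-30} i=1
  while [ "$i" -le "$tries" ]; do
    if check_challenge "$1" "$2" "$3" >/dev/null; then exit 0; fi
    if [ "$i" -lt "$tries" ]; then sleep "$delay"; fi
    i=$((i + 1))
  done
  exit 1
)

# Stand-alone use: sh check.sh ZONE FQDN EXPECTED
if [ "$#" -eq 3 ]; then check_challenge "$@"; fi
```

A `MISSING` line for a secondary while the master shows `OK` points at zone transfer or reload problems rather than at the ACME client.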
