Acme invalid Domain

Hi deSEC Members,
I'm running Acme on a Synology server and want to get a wildcard cert for a domain.
Unfortunately the deSEC API fails at some point.
I added the token and created the _acme-challenge.*.com subdomain.

How can I fix this?

Thanks in advance!

Here is the log:

Retrying GET
[Mon Sep 20 16:22:49 CEST 2021] GET
[Mon Sep 20 16:22:49 CEST 2021] url='https://desec.io/api/v1/domains/'
[Mon Sep 20 16:22:49 CEST 2021] timeout=
[Mon Sep 20 16:22:49 CEST 2021] displayError='1'
[Mon Sep 20 16:22:49 CEST 2021] _CURL='curl --silent --dump-header /var/services/homes/certadmin/.acme.sh/http.header  -L  -g '
[Mon Sep 20 16:22:49 CEST 2021] ret='0'
[Mon Sep 20 16:22:49 CEST 2021] _hcode='0'
[Mon Sep 20 16:22:49 CEST 2021] http response code 401
[Mon Sep 20 16:22:50 CEST 2021] h='com'
[Mon Sep 20 16:22:50 CEST 2021] Retrying GET
[Mon Sep 20 16:22:50 CEST 2021] GET
[Mon Sep 20 16:22:50 CEST 2021] url='https://desec.io/api/v1/domains/'
[Mon Sep 20 16:22:50 CEST 2021] timeout=
[Mon Sep 20 16:22:50 CEST 2021] displayError='1'
[Mon Sep 20 16:22:50 CEST 2021] _CURL='curl --silent --dump-header /var/services/homes/certadmin/.acme.sh/http.header  -L  -g '
[Mon Sep 20 16:22:50 CEST 2021] ret='0'
[Mon Sep 20 16:22:50 CEST 2021] _hcode='0'
[Mon Sep 20 16:22:50 CEST 2021] http response code 401
[Mon Sep 20 16:22:50 CEST 2021] h
[Mon Sep 20 16:22:50 CEST 2021] invalid domain

Hi DNSLover,

Thanks for your message, and welcome to deSEC! :slight_smile:

I don’t know exactly what configuration problem you are experiencing, but I can tell you two things:

  • You do not have to manually create a subdomain, as the ACME tooling should do that for you.
  • _acme-challenge.*.com is not a valid domain name. I’d be surprised if you managed to create it. :slight_smile:

Stay secure,
Peter

Hello Peter,

Thanks for the reply!

I’ve added the domain to your DNS and all DNS lookups are fine; the website also displays fine. However, I’m getting this invalid domain error when using ACME. I’m not an expert by any means, so I would need some guidance on how to set it up.
I tried it with impulse-audio-lab.com and, for a wildcard, with *.impulse-audio-lab.com.

/usr/local/share/acme.sh$ ./acme.sh --issue --dns dns_desec -d impulse-audio-lab.com
[Tue Sep 21 10:22:48 CEST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Sep 21 10:22:48 CEST 2021] Single domain='impulse-audio-lab.com'
[Tue Sep 21 10:22:48 CEST 2021] Getting domain auth token for each domain
[Tue Sep 21 10:22:50 CEST 2021] Getting webroot for domain='impulse-audio-lab.com'
[Tue Sep 21 10:22:51 CEST 2021] Adding txt value: *********T9fSBpQm4g4EQwytItruWGcb7lK4EXCxDA for domain:  _acme-challenge.impulse-audio-lab.com
[Tue Sep 21 10:22:51 CEST 2021] Using desec.io api
[Tue Sep 21 10:22:51 CEST 2021] invalid domain
[Tue Sep 21 10:22:51 CEST 2021] Error add txt for domain:_acme-challenge.impulse-audio-lab.com
[Tue Sep 21 10:22:51 CEST 2021] Please check log file for more details: /var/services/homes/certadmin/.acme.sh/acme.sh.log

The log extract is in the first post.

Thank you so much
Dan

Hi Dan,

I don’t know what’s wrong here, but it seems to be an issue specific to acme.sh. I suggest getting in touch with them.

Sorry I can’t help more!

Stay secure,
Peter

Okay, thank you!

Best
Dan

Hello Dan,

Is it normal that your TXT RR _acme-challenge.impulse-audio-lab.com has a TTL of 0?

Maybe the problem stems from that?

Try setting it to 3600 (reference: https://github.com/acmesh-official/acme.sh/issues/2925).

Best regards,

Abdellatif

Hi Abdel,
The reason it didn’t work was a token issue.
I didn’t know how to resolve it, so I switched providers.

So in case someone is facing a similar problem, check whether your login token is working properly; a broken token results in domain errors (not a token error).

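As an added example (not from this thread and not acme.sh's own code), here is a pre-flight check for the token problem Dan describes: it walks the record name label by label, as the log in the first post shows the hook doing, but surfaces an HTTP 401 as an authentication failure instead of the misleading "invalid domain". The `/api/v1/domains/<name>/` endpoint and `Authorization: Token` header are deSEC's documented API; the function names and the pluggable fetcher are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for a deSEC API token before running acme.sh.
# Constructed example: the function names below are not acme.sh's.

# Real transport: prints only the HTTP status code of
# GET https://desec.io/api/v1/domains/<zone>/ (200 = zone exists,
# 404 = no such zone in this account, 401 = token rejected).
desec_http_code() {
  # $1 = zone name, $2 = API token
  curl --silent --output /dev/null --write-out '%{http_code}' \
    -H "Authorization: Token $2" "https://desec.io/api/v1/domains/$1/"
}

# find_zone NAME TOKEN [FETCHER]
# Strips the left-most label until a zone the token can see is found.
# Prints exactly one of: "auth_error", "zone=<name>", "not_found".
find_zone() {
  name=$1; token=$2; fetch=${3:-desec_http_code}
  h=$name
  while [ -n "$h" ]; do
    code=$("$fetch" "$h" "$token")
    case $code in
      # A rejected token would otherwise be reported as "invalid domain"
      401) echo "auth_error"; return 1 ;;
      200) echo "zone=$h"; return 0 ;;
    esac
    # Drop the left-most label; stop once no dot remains (e.g. "com")
    case $h in
      *.*) h=${h#*.} ;;
      *)   h= ;;
    esac
  done
  echo "not_found"; return 2
}

# Stand-alone use: export DESEC_TOKEN first, then run this script.
if [ -n "$DESEC_TOKEN" ]; then
  find_zone "_acme-challenge.impulse-audio-lab.com" "$DESEC_TOKEN"
fi
```

Run it with a token exported as `DESEC_TOKEN`; `auth_error` means fix the token before touching acme.sh, `not_found` means the zone is not in that account.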