Feature #13608

closed

ACME Not Recognizing new .au domain on wildcard

Added by Rick Strangman over 1 year ago. Updated 11 months ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: ACME
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Australia has a new TLD: companyname.au, as opposed to the old companyname.com.au.
If you create a single domain, such as www.companyname.au, the certificate is issued.
However, if you attempt a wildcard for companyname.au, it fails with an invalid domain error:

[Sat Oct 29 11:48:13 AEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct 29 11:48:13 AEST 2022] Multi domain='DNS:companyname.au,DNS:*.companyname.au'
[Sat Oct 29 11:48:13 AEST 2022] Getting domain auth token for each domain
[Sat Oct 29 11:48:18 AEST 2022] Getting webroot for domain='companyname.au'
[Sat Oct 29 11:48:18 AEST 2022] Getting webroot for domain='*.companyname.au'
[Sat Oct 29 11:48:18 AEST 2022] Adding txt value: 7VwrZvt3DSCbWLD37s9nHWwoWB864UBBtErl7XhU_Dw for domain: _acme-challenge.companyname.au
[Sat Oct 29 11:48:18 AEST 2022] You didn't ask to use Azure managed identity, checking service principal credentials
[Sat Oct 29 11:48:19 AEST 2022] Invalid domain
[Sat Oct 29 11:48:19 AEST 2022] invalid domain
[Sat Oct 29 11:48:19 AEST 2022] Error add txt for domain:_acme-challenge.companyname.au
[Sat Oct 29 11:48:19 AEST 2022] Please check log file for more details: /tmp/acme/wild.theitforce.au-domain/acme_issuecert.log


Files

acme_createdomainkey.log (2.03 KB) Rick Strangman, 10/29/2022 06:41 PM
acme_issuecert.log (298 KB) Rick Strangman, 10/29/2022 06:41 PM
Actions #1

Updated by Kris Phillips over 1 year ago

This doesn't seem like a bug, but instead a configuration issue. Can you please provide the full log file with private information redacted?

Actions #3

Updated by Jim Pingle over 1 year ago

  • Tracker changed from Bug to Feature
  • Project changed from pfSense Plus to pfSense Packages
  • Category changed from Certificates to ACME
  • Status changed from New to Needs Patch
  • Release Notes deleted (Default)
  • Affected Plus Version deleted (22.05)

The place where that error is generated is in the upstream acme.sh code -- you'll need to report that to them, not us. It appears to be in the Azure update script but that isn't 100% certain. Nothing we can do there. Once it's updated upstream eventually we'll pull in the fix when we resync with their code.

Actions #4

Updated by Rick Strangman over 1 year ago

This is the unhelpful response from github:
"Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you."
How do I upgrade acme on pfSense?

Actions #5

Updated by Jim Pingle over 1 year ago

The version of acme.sh in the ACME package was updated about two weeks ago to version 3.0.5, so it's very current. I don't see anything relevant in the one(!) upstream commit on their master branch since that date:

https://github.com/acmesh-official/acme.sh/commit/7221d488e54dfc6bcb30ca562f6d6e38ec5bf6ce

I also don't see anything relevant on their dev branch which only has a couple additional commits:

https://github.com/acmesh-official/acme.sh/compare/master...dev

We do use a customized version of acme.sh but the changes aren't on the code path you'd be hitting on the method you're using so they wouldn't be relevant either.

You could try dropping in the upstream dev version of acme.sh in place on the firewall. If it doesn't work either you can always uninstall and reinstall the package to get the package version back.

Actions #6

Updated by Rick Strangman over 1 year ago

This is now becoming a huge problem for my customers who have embraced the new TLD .au. We are not able to create any certificates now, not just wildcards. pfSense created a www.au in September but now cannot renew it with the same error as above. I know you stated it's a Let's Encrypt problem, but they refused to help. I am sure I am not the only Australian company with this problem. Is there nothing you can do?

Actions #7

Updated by Jim Pingle 11 months ago

  • Status changed from Needs Patch to Not a Bug

There is no special handling of anything under "*.au" in this package or in acme.sh. Looking at the error in the log again, it appears to be printing that "Invalid domain" based on an error coming back from Azure.

I don't see how this could be a bug in either acme.sh, dns_azure.sh, or this ACME package. It looks more like a problem with Azure's API or infrastructure and their own handling of that TLD since they are the one rejecting it.

You can try reporting it upstream to acme.sh but I would expect them to reach the same conclusion.
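A small triage helper, added here and not part of the pfSense ACME package or acme.sh, that applies the reasoning in this thread to an acme.sh issuance log: it finds the last DNS-hook TXT update and reports whether the failure was raised around that hook call (so the rejection came from the DNS provider API) rather than from the CA. The log excerpt is constructed from the report above with the challenge token redacted.

```shell
#!/bin/sh
# Added example (not acme.sh or pfSense code): classify where an acme.sh
# issuance failed by looking at the lines around the DNS hook's TXT update.

# Constructed excerpt modelled on the log in this report; token redacted.
SAMPLE_FAIL="[Sat Oct 29 11:48:13 AEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct 29 11:48:13 AEST 2022] Multi domain='DNS:companyname.au,DNS:*.companyname.au'
[Sat Oct 29 11:48:18 AEST 2022] Adding txt value: REDACTED for domain: _acme-challenge.companyname.au
[Sat Oct 29 11:48:18 AEST 2022] You didn't ask to use Azure managed identity, checking service principal credentials
[Sat Oct 29 11:48:19 AEST 2022] Invalid domain
[Sat Oct 29 11:48:19 AEST 2022] invalid domain
[Sat Oct 29 11:48:19 AEST 2022] Error add txt for domain:_acme-challenge.companyname.au"

# Constructed excerpt with no hook activity at all.
SAMPLE_NONE="[Sat Oct 29 11:48:13 AEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct 29 11:48:13 AEST 2022] Multi domain='DNS:companyname.au'"

# classify_acme_failure LOGTEXT
# Prints one of:
#   dns_hook <challenge name> (<hook error text>)  - the DNS API hook failed
#   txt_added <challenge name>                      - hook ran, no hook error seen
#   none                                            - no TXT update attempted
classify_acme_failure() {
  printf '%s\n' "$1" | awk '
    { sub(/^\[[^]]*\] */, "") }            # strip the "[date]" prefix
    /^Adding txt value:/ {                  # hook about to publish a TXT record
      sub(/.*for domain: */, ""); txt = $0; msg = ""
    }
    /[Ii]nvalid domain/ && txt != "" && msg == "" { msg = $0 }  # first hook error
    /^Error add txt for domain:/ {          # acme.sh reports the hook failed
      sub(/.*for domain: */, ""); fail = $0
    }
    END {
      if (fail != "")     print "dns_hook " fail " (" msg ")"
      else if (txt != "") print "txt_added " txt
      else                print "none"
    }'
}

classify_acme_failure "$SAMPLE_FAIL"
classify_acme_failure "$SAMPLE_NONE"
```

A `dns_hook` result means the provider API (here dns_azure.sh) refused the record before any challenge reached the CA, which is the conclusion drawn in this thread.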
