Feature #13608
closed
ACME Not Recognizing new .au domain on wildcard
Added by Rick Strangman about 2 years ago.
Updated over 1 year ago.
Description
Australia has a new TLD, called companyname.au, as opposed to the old companyname.com.au.
If you create a single domain, such as www.companyname.au, the certificate is issued.
However, if you attempt a wildcard for companyname.au, it fails with an "invalid domain" error:
[Sat Oct 29 11:48:13 AEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct 29 11:48:13 AEST 2022] Multi domain='DNS:companyname.au,DNS:*.companyname.au'
[Sat Oct 29 11:48:13 AEST 2022] Getting domain auth token for each domain
[Sat Oct 29 11:48:18 AEST 2022] Getting webroot for domain='companyname.au'
[Sat Oct 29 11:48:18 AEST 2022] Getting webroot for domain='*.companyname.au'
[Sat Oct 29 11:48:18 AEST 2022] Adding txt value: 7VwrZvt3DSCbWLD37s9nHWwoWB864UBBtErl7XhU_Dw for domain: _acme-challenge.companyname.au
[Sat Oct 29 11:48:18 AEST 2022] You didn't ask to use Azure managed identity, checking service principal credentials
[Sat Oct 29 11:48:19 AEST 2022] Invalid domain
[Sat Oct 29 11:48:19 AEST 2022] invalid domain
[Sat Oct 29 11:48:19 AEST 2022] Error add txt for domain:_acme-challenge.companyname.au
[Sat Oct 29 11:48:19 AEST 2022] Please check log file for more details: /tmp/acme/wild.theitforce.au-domain/acme_issuecert.log
This doesn't seem like a bug, but instead a configuration issue. Can you please provide the full log file with private information redacted?
- Tracker changed from Bug to Feature
- Project changed from pfSense Plus to pfSense Packages
- Category changed from Certificates to ACME
- Status changed from New to Needs Patch
- Release Notes deleted (Default)
- Affected Plus Version deleted (22.05)
The place where that error is generated is in the upstream acme.sh code -- you'll need to report that to them, not us. It appears to be in the Azure update script but that isn't 100% certain. Nothing we can do there. Once it's updated upstream eventually we'll pull in the fix when we resync with their code.
This is the unhelpful response from GitHub:
"Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you."
How do I upgrade acme on pfSense?
This is now becoming a huge problem for my customers who have embraced the new TLD .au. We are not able to create any certificates now, not just wildcards. pfSense created a www.au in September but now cannot renew it with the same error as above. I know you stated it's a Let's Encrypt problem, but they refused to help. I am sure I am not the only Australian company with this problem. Is there nothing you can do?
- Status changed from Needs Patch to Not a Bug
There is no special handling of anything under "*.au" in this package or in acme.sh. Looking at the error in the log again, it appears to be printing that "Invalid domain" based on an error coming back from Azure.
I don't see how this could be a bug in either acme.sh, dns_azure.sh, or this ACME package. It looks more like a problem with Azure's API or infrastructure and their own handling of that TLD since they are the one rejecting it.
You can try reporting it upstream to acme.sh but I would expect them to reach the same conclusion.
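To see why a DNS hook can report "invalid domain" for a name like _acme-challenge.companyname.au before any record is written, here is an added POSIX sh sketch of the zone lookup such a hook has to make. It is not acme.sh, dns_azure.sh or pfSense package code; it assumes the hook walks up the parent labels of the challenge name until one matches a hosted zone, and the zone list below is constructed for the example.

```shell
#!/bin/sh
# Constructed list of DNS zones the service principal can see, one per line.
# Note that only the old companyname.com.au zone is present, not companyname.au.
HOSTED_ZONES="companyname.com.au
example.net"

# challenge_name DOMAIN -> prints the TXT record name a dns-01 challenge needs.
# A wildcard shares the record of its base name, which is why the log above
# adds one TXT value for both companyname.au and *.companyname.au.
challenge_name() {
  d="$1"
  d="${d#\*.}"
  printf '_acme-challenge.%s\n' "$d"
}

# find_zone FQDN ZONES -> prints "zone relative_record_name" on success,
# or an "invalid domain" message on stderr and exit status 1 when no
# parent label of FQDN is a hosted zone (assumed hook behaviour).
find_zone() {
  fqdn="$1"
  zones="$2"
  rel=""
  cand="$fqdn"
  while [ -n "$cand" ]; do
    # exact, fixed-string match of the candidate against the zone list
    if printf '%s\n' "$zones" | grep -qxF "$cand"; then
      printf '%s %s\n' "$cand" "${rel%.}"
      return 0
    fi
    # strip the leftmost label and append it to the relative record name
    label="${cand%%.*}"
    rel="${rel}${label}."
    case "$cand" in
      *.*) cand="${cand#*.}" ;;
      *)   cand="" ;;
    esac
  done
  echo "invalid domain: no hosted zone matches $fqdn" >&2
  return 1
}

# Stand-alone run: the wildcard and the bare name collapse to one record,
# and with the constructed zone list that record has no zone to land in.
rec=$(challenge_name '*.companyname.au')
echo "challenge record: $rec"
find_zone "$rec" "$HOSTED_ZONES" || echo "lookup failed for $rec"
```

Checking that the bare .au zone is actually listed (and readable by the credentials the hook uses) is the first thing to verify when this error appears, since the walk never gets past "au" otherwise.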