Report bugs to All-Inkl.com DNS API #2715
Today I realized that all-inkl has changed their API endpoint from I get the following response from the KAS API, which makes certificate renewal impossible (without manually patching the
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
th {
background-color:#E0ECFF;
}
.fehler {
color: #E2003D;
background: #F9C9D6;
padding: 1em 3em;
}
.soap {
color: #2200FF;
background: #FFE016;
padding: 1em 3em;
}
.erfolg {
color: #008822;
background:#CCFFD9;
padding: 1em 3em;
}
</style>
</head>
<body>
project discontinued, use <a href='https://test-account.com/formular.php?ref=kasapi.kasserver.com'>https://test-account.com/formular.php</a> instead
</body> After a quick test, it seems changing the endpoint URL here should fix the issue. |
Hi frostieDE, |
Thank you very much - in the meantime, people can patch the URL by hand as mentioned above :) |
Not only the URL has changed. They also changed the interface to soap. This change will take some time. |
Hi frostieDE, can you please check if this is working on you side? |
It does not seem to work (on my school's pfSense):
Wait a sec... turns out the password was misconfigured. Works perfectly :)
Happy to help
Great that you fixed it, and it worked on another machine for me... but now it fails on me again. Credentials are correct (tested on the KAS web API), and Auth_Type sha1 still works, contrary to what they write on their website.
So far so good, and then it fails:
missing parameter??
Hi, please send a log with --debug 2
Did some more analysis (now with --debug 2 or 3, which I was not aware of before). Calling
Hi, I'm sorry but it's no longer my code in the repo. Please contact @Hobby-Student
I'll try to wrap it up: the URL with any sort of "formular" in it (e.g. https://test-account.com/formular.php) is not the valid endpoint. I did speak with someone from all-inkl.com staff and he said that people are using (better: abusing) the test form in production queries, which was never intended nor recommended. The right place for the API calls is the SOAP endpoint.

@Marco4223 and I did several changes to the dns_kas.sh. Now it's the right syntax with the right endpoint. Thanks to @Marco4223 the code is using a session token. Upon merging those 2 versions something got mixed up and the

@Neilpang You can assign me as the owner of this issue. Do you have a schedule for when the changes in the dev branch will get merged into master?
merged
btw @Hobby-Student and @Marco4223, thanks a ton for transferring this API to SOAP. Those complicated SOAP XML structures are way beyond me...
And @Neilpang, the current release does not include the fixed
This script doesn't seem to work with wildcard certs or multiple certs using DNS alias, since it always deletes existing TXT entries in dns_kas_add, regardless of whether these were only just created 10 seconds earlier in the same command. I copied the script to a custom file and commented out lines 47-55, and now my issue command works.
In my first commits I also didn't clean the DNS entries before generating the ones for the current request. Somewhere in the process I merged my idea with Marco4223's, and this is the result. Perhaps you are right and the script should not clean before adding entries, just at the end of the cert request. Give me some days to test and I'll come back.
@rhurling
@Marco4223 what's your opinion on this? Do you have any scenario where NOT deleting all _acme TXT entries before issuing a new cert could cause problems?
@Hobby-Student This was a leftover to clean only the generated token. The problem is that you generate many tokens on your DNS server when you are in debug mode and don't delete them. But when you have multiple instances running (like one on a NAS, a second one on a router etc.) at the same time, you get a problem with race conditions, because one instance deletes the token of the other one. So yes, it's a good idea to delete only the one you had generated. The used record value is stored in _txtvalue in dns_kas_rm. So you only have to change a few lines.
Thanks. I thought nearly the same. The deletion of entries after a success can lead to a race condition, too. @rhurling I'll try to optimize
@rhurling
do you have some details on how you invoke acme.sh? I did some tests while modifying, and I repeated a multi-domain request a few minutes ago. On my system it's working. Every TXT for all 3 domains (in 1 cert) is added and deleted accordingly afterwards.
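The two failure modes discussed above (the wildcard case, where the base name and the wildcard both need a TXT record under the same _acme-challenge name, and the race between two acme.sh instances on a NAS and a router) have the same root cause: a cleanup that deletes every TXT record for a name also deletes a token that another run still needs. The following added shell example is not dns_kas.sh and talks to no KAS endpoint; it simulates the zone as a tab-separated file, contrasts a "delete all records for the name" cleanup with one scoped to the exact value that acme.sh passes to the rm hook (acme.sh calls `dns_xxx_add fulldomain txtvalue` and later `dns_xxx_rm fulldomain txtvalue` with the same value), and reports whether the other party's token survives. The record name and the token strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from acme.sh or dns_kas.sh. The "zone" is a file of
# "name<TAB>value" lines standing in for the TXT records at the DNS provider.
ZONE="${ZONE:-$(mktemp)}"

# Add one TXT record (what dns_kas_add should do, and nothing more).
zone_add() {
  printf '%s\t%s\n' "$1" "$2" >> "$ZONE"
}

# Cleanup variant 1 (the behaviour questioned in the thread): drop every TXT
# record for the name, including tokens that another run or instance created.
zone_rm_all() {
  _tmp=$(mktemp)
  awk -F'\t' -v n="$1" '$1 != n' "$ZONE" > "$_tmp" && mv "$_tmp" "$ZONE"
}

# Cleanup variant 2: remove only the record whose value this run generated.
# acme.sh hands the rm hook the same txtvalue it gave the add hook.
zone_rm_value() {
  _tmp=$(mktemp)
  awk -F'\t' -v n="$1" -v v="$2" '!($1 == n && $2 == v)' "$ZONE" > "$_tmp" \
    && mv "$_tmp" "$ZONE"
}

# Number of TXT records still present for a name.
zone_count() {
  awk -F'\t' -v n="$1" '$1 == n' "$ZONE" | wc -l | tr -d ' '
}

# Two parties add a challenge under the same _acme-challenge name: either two
# acme.sh instances (NAS and router), or one run handling example.com and
# *.example.com, which both validate at _acme-challenge.example.com.
# Party B then cleans up using the variant given as $1 ("all" or "value").
# Prints 1 if party A's token is still there for the CA to look up, else 0.
simulate() {
  : > "$ZONE"
  name="_acme-challenge.example.com"   # constructed name, not from the thread
  zone_add "$name" "tokenA"            # party A publishes its challenge
  zone_add "$name" "tokenB"            # party B publishes its own challenge
  if [ "$1" = "all" ]; then
    zone_rm_all "$name"                # B removes everything for the name
  else
    zone_rm_value "$name" "tokenB"     # B removes only the value it created
  fi
  awk -F'\t' -v n="$name" '$1 == n && $2 == "tokenA"' "$ZONE" | wc -l | tr -d ' '
}
```

Running `simulate all` prints 0: A's token is gone and A's validation loops on "not ready", which is exactly the symptom reported for the wildcard case. Running `simulate value` prints 1. The same reasoning argues against any "clean up everything first" step inside dns_kas_add: with several records legitimately coexisting under one name, the only record a run may safely delete is the one whose value it owns.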
I use this command to run acme.sh
and this fails. I solved it by simply running acme.sh two times: first with only the default domain, and second with all others.
It seems it struggles with the wildcard domain if the default domain is not yet successfully created.
Thanks for the information. Unfortunately, I can't reproduce this issue. For me it's working as intended.
Second thought: are you sure you need
@OnkelM using dns_kas once is enough, and I'd be surprised if you could issue LE certificates for a myfritz.net domain. Unless you work for AVM and are in charge of that domain... If you leave those two items out, does it work without complaining?
Isn't myfritz.net a DynDNS service for customers of AVM? If true, the approach of using webroot seems right to me.
@alxwolf using dns_kas once might be enough if all the issues were of the same type and provider; this is how acme.sh works. If I want to issue a cert for DOMAIN.TLD with DNS, and *.DOMAIN.TLD with DNS, and *.myfritz.net with WEBROOT, then acme.sh will treat only the first entry as DNS and every other as WEBROOT, hence the command will fail with the error message. The only way to overcome this is by specifying the type on every entry; that's why I am adding

@Hobby-Student thanks, myfritz.net is a DDNS service the router uses. I can issue a cert for this by going with the webroot type and pointing to a local webserver. The issue itself, it seems, is the added TXT record in DNS. I have removed the 3rd myfritz.net domain from the issue command; I am now only testing with the two, DOMAIN.TLD and *.DOMAIN.TLD.

These are the results: and this is the current DNS entry on the domain. Only the second TXT record is left. See also the lines and now, after acme has put 2 TXT entries (at least the logic says this), the next step is to validate those entries. That's my opinion at least.
@OnkelM are you sure you are using https://github.com/Hobby-Student/acme.sh/blob/540d4180d2cc258433442df2e14faf8f0c3f9169/dnsapi/dns_kas.sh ? In all my tests, acme.sh is adding multiple TXT entries, and they are deleted AFTER every specified domain and wildcard certificate is successfully created.
Since there is no version info in the header I can only assume that it's the same; I also did an update before testing this again. Also, this is the file's md5 on my drive: c423e1a51a2bb7c97e60449f9592a2b2. I can send you the logs in private. What I see (also on screenshots): the script first writes the TXT to the domain, validates that the TXT has been written, and only later on in the CA creation process does it validate against the TXT record again with the challenge. And since the first one is overwritten, as can be seen on the screenshots, this leads to an infinite 'not ready' loop validating the first domain, because the script expects to see the first TXT and cannot find it.
I'll add (hopefully tomorrow) some logging and see which TXT entry is deleted and when it's deleted.
I found a bug report for the main app acme.sh which describes my issue; it may not be (or not entirely be) the fault of dns_kas.sh at all.
Hello, I'm trying to use the (integrated) ACME script on my local Proxmox server to generate certificates for my domain, which is hosted at all-inkl. My account at all-inkl is protected via 2FA. Can you explain how to use the ACME script (in Proxmox) for this setup? KAS_Login="myaccount" in the ACME DNS plugin, but it does not work. Or is there a place (link) where the use of the script (in Proxmox) including this kas DNS plugin is described in more detail than here?
To my knowledge, you can't use 2FA with this script.
Is it possible to prepare a separate account in KAS (with 2FA disabled) for only this purpose?
You should ask all-inkl about this. Use the test page from all-inkl to test your credentials; if they work there, it should also work with acme.
Hi, I hope someone can help me with this. I added the dns_kas plugin to my local Proxmox server to generate certificates for my domain hosted at all-inkl. I'm not sure if I'm doing something wrong when setting it up. This is what is in my plugin: Validation delay: 600, DNS API: kas, API data: Then I want to request a certificate for I get this message: Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXXXXXXXXXXX'
Nothing wrong here with acme.sh and dns_kas.
@lichtbringer667
It works. Thanks for the help. Sometimes you can't do without them and sometimes they have to go....
Please report any bugs with the All-Inkl.com dns api here.
Thanks!