deSEC.io DNS challenge: TTL is too low for non-dedyn.io domains #2925

Closed
vikanezrimaya opened this issue May 13, 2020 · 3 comments
Comments

@vikanezrimaya
Steps to reproduce

  1. Set up desec.io on a level 2 domain
  2. Try to apply for a certificate using ACME.sh
  3. Fail with HTTP 400 on DNS API, stating that the TTL is too low

Debug log

[root@primrose.fireburn.ru:~]# export DEDYN_TOKEN=$(cat /run/keys/desec-token) DEDYN_NAME=fireburn.ru && acme.sh --issue --dns dns_desec -d $DEDYN_NAME -d *.$DEDYN_NAME --home /var/lib/acme --server https://acme-staging-v02.api.letsencrypt.org/directory --insecure --debug 2 --output-insecure
<snip - irrelevant>
[Wed 13 May 2020 06:56:21 PM UTC] Using desec.io api
[Wed 13 May 2020 06:56:21 PM UTC] fulldomain='_acme-challenge.fireburn.ru'
[Wed 13 May 2020 06:56:21 PM UTC] txtvalue='XlqQCPBE5bljbGjM5_Ji1OfIAQXPFQDtDA_iYW3zyKE'
[Wed 13 May 2020 06:56:21 PM UTC] First detect the root zone
[Wed 13 May 2020 06:56:21 PM UTC] h='fireburn.ru'
[Wed 13 May 2020 06:56:21 PM UTC] GET
[Wed 13 May 2020 06:56:21 PM UTC] url='https://desec.io/api/v1/domains/'
[Wed 13 May 2020 06:56:21 PM UTC] timeout=
[Wed 13 May 2020 06:56:21 PM UTC] Http already initialized.
[Wed 13 May 2020 06:56:21 PM UTC] _CURL='curl -L --silent --dump-header /var/lib/acme/http.header  --trace-ascii /tmp/tmp.T77iN0HRmA  -g  --insecure  '
[Wed 13 May 2020 06:56:22 PM UTC] ret='0'
[Wed 13 May 2020 06:56:22 PM UTC] http response code 200
[Wed 13 May 2020 06:56:22 PM UTC] response='[{"created":"2020-01-29T10:24:03Z","published":"2020-05-13T01:09:39.056758Z","name":"fireburn.ru","minimum_ttl":3600}]'
[Wed 13 May 2020 06:56:22 PM UTC] _sub_domain='_acme-challenge'
[Wed 13 May 2020 06:56:22 PM UTC] _domain='fireburn.ru'
[Wed 13 May 2020 06:56:22 PM UTC] Getting txt records
[Wed 13 May 2020 06:56:22 PM UTC] GET
[Wed 13 May 2020 06:56:22 PM UTC] url='https://desec.io/api/v1/domains/fireburn.ru/rrsets/_acme-challenge/TXT/'
[Wed 13 May 2020 06:56:22 PM UTC] timeout=
[Wed 13 May 2020 06:56:22 PM UTC] Http already initialized.
[Wed 13 May 2020 06:56:22 PM UTC] _CURL='curl -L --silent --dump-header /var/lib/acme/http.header  --trace-ascii /tmp/tmp.T77iN0HRmA  -g  --insecure  '
[Wed 13 May 2020 06:56:22 PM UTC] ret='0'
[Wed 13 May 2020 06:56:22 PM UTC] http response code 404
[Wed 13 May 2020 06:56:22 PM UTC] response='{"detail":"Not found."}'
[Wed 13 May 2020 06:56:22 PM UTC] txtvalues='"\"XlqQCPBE5bljbGjM5_Ji1OfIAQXPFQDtDA_iYW3zyKE\""'
[Wed 13 May 2020 06:56:22 PM UTC] Adding record
[Wed 13 May 2020 06:56:22 PM UTC] data='[{"subname":"_acme-challenge", "type":"TXT", "records":["\"XlqQCPBE5bljbGjM5_Ji1OfIAQXPFQDtDA_iYW3zyKE\""], "ttl":60}]'
[Wed 13 May 2020 06:56:22 PM UTC] PUT
[Wed 13 May 2020 06:56:22 PM UTC] _post_url='https://desec.io/api/v1/domains/fireburn.ru/rrsets/'
[Wed 13 May 2020 06:56:22 PM UTC] body='[{"subname":"_acme-challenge", "type":"TXT", "records":["\"XlqQCPBE5bljbGjM5_Ji1OfIAQXPFQDtDA_iYW3zyKE\""], "ttl":60}]'
[Wed 13 May 2020 06:56:22 PM UTC] _postContentType
[Wed 13 May 2020 06:56:22 PM UTC] Http already initialized.
[Wed 13 May 2020 06:56:22 PM UTC] _CURL='curl -L --silent --dump-header /var/lib/acme/http.header  --trace-ascii /tmp/tmp.T77iN0HRmA  -g  --insecure  '
[Wed 13 May 2020 06:56:22 PM UTC] _ret='0'
[Wed 13 May 2020 06:56:22 PM UTC] http response code 400
[Wed 13 May 2020 06:56:22 PM UTC] response='[{"ttl":["Ensure this value is greater than or equal to 3600."]}]'
[Wed 13 May 2020 06:56:22 PM UTC] Add txt record error.
[Wed 13 May 2020 06:56:22 PM UTC] Error add txt for domain:_acme-challenge.fireburn.ru
[Wed 13 May 2020 06:56:22 PM UTC] _on_issue_err
[Wed 13 May 2020 06:56:22 PM UTC] Please add '--debug' or '--log' to check more details.
[Wed 13 May 2020 06:56:22 PM UTC] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
<snip - irrelevant>

This line is particularly relevant:

[Wed 13 May 2020 06:56:22 PM UTC] response='[{"ttl":["Ensure this value is greater than or equal to 3600."]}]'

The bug will be reproducible on the latest version, since the problem - hardcoded 60 seconds of TTL in dns_desec.sh - is present on the latest version.

The workaround is to apply for a lower TTL when using your own domain, but I am not sure how eager they are to approve such requests.
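An added example, not acme.sh's own dns_desec.sh code: it reads the zone's minimum_ttl from the same GET /api/v1/domains/ response shown in the debug log and raises the challenge record's TTL to that minimum instead of hardcoding 60. The zone names and the dedyn.io minimum in the sample response are constructed for this example.

```shell
#!/bin/sh
# Added example (not acme.sh's own dns_desec.sh): choose a TXT record TTL that
# satisfies the zone's minimum_ttl as reported by GET /api/v1/domains/, instead
# of hardcoding 60 seconds, which the API rejects for zones with a 3600 minimum.

# The short TTL we would prefer for a throwaway ACME challenge record.
DESIRED_TTL=60

# Constructed sample, shaped like the 200 response in the debug log above.
# Zone names and the dedyn.io minimum are made up for this example.
SAMPLE_DOMAINS='[{"created":"2020-01-29T10:24:03Z","published":"2020-05-13T01:09:39Z","name":"example.test","minimum_ttl":3600},{"created":"2020-01-29T10:24:03Z","published":"2020-05-13T01:09:39Z","name":"example.dedyn.io","minimum_ttl":60}]'

# Print the minimum_ttl of one zone from the domains JSON; prints nothing if
# the zone is not listed. Uses tr/grep/sed only, so it works in plain POSIX sh.
desec_minimum_ttl() {
  _json="$1"
  _zone="$2"
  printf '%s\n' "$_json" \
    | tr '}' '\n' \
    | grep -F "\"name\":\"$_zone\"" \
    | sed -n 's/.*"minimum_ttl":\([0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# Print the TTL to send: DESIRED_TTL, raised to the zone minimum when needed.
desec_choose_ttl() {
  _min=$(desec_minimum_ttl "$1" "$2")
  _min=${_min:-0}
  if [ "$_min" -gt "$DESIRED_TTL" ]; then
    echo "$_min"
  else
    echo "$DESIRED_TTL"
  fi
}

# Build the rrset PUT body in the same shape as the log, with the chosen TTL.
desec_txt_body() {
  printf '[{"subname":"%s", "type":"TXT", "records":["\\"%s\\""], "ttl":%s}]' \
    "$1" "$2" "$3"
}

# Demonstration: the 3600-minimum zone gets 3600, the 60-minimum zone keeps 60.
for zone in example.test example.dedyn.io; do
  ttl=$(desec_choose_ttl "$SAMPLE_DOMAINS" "$zone")
  echo "$zone -> ttl $ttl"
  desec_txt_body "_acme-challenge" "constructed-token-value" "$ttl"
  echo
done
```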

@auto-comment
auto-comment bot commented May 13, 2020

If this is a bug report, please upgrade to the latest code and try again:
If there is a bug, please update to the latest version first and try again:
acme.sh --upgrade
please also provide the log with --debug 2.
Please also provide the debug output with --debug 2.
see: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Without --debug 2 log, your issue will NEVER get replied.
Without debug output, your issue will not get any reply.

@wikt0r
wikt0r commented Nov 7, 2020

I can confirm the hardcoded 60 seconds for TTL is too low for desec. Updating dns_desec.sh to ttl: 3600 works perfectly for me.

@Neilpang
fixed by #3253