Report bug to Technitium dns api

[qupfer]

This is the place to report bugs in the Technitium DNS API.

If you experience a bug, please report it in this issue.

Thanks!

[shrunbr]

I added the dns_technitium.sh file to my .acme.sh folder, very cool to see this listed.

However, it doesn't appear to work with self-signed certificates on the web interface. Here is the associated error I received from using --debug. I could see this being a problem, I would imagine most people who have a use for this are going to be using self-signed certificates on the web interface until one can get issued however this is preventing certificate(s) from being issued.

[Mon Dec  2 19:36:50 CST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Mon Dec  2 19:36:50 CST 2024] Here is the curl dump log:
[Mon Dec  2 19:36:50 CST 2024] == Info: Host dns.lan.example.com:53443 was resolved.
== Info: IPv6: (none)
== Info: IPv4: 10.0.4.10
== Info:   Trying 10.0.4.10:53443...
== Info: Connected to dns.lan.example.com (10.0.4.10) port 53443
== Info: ALPN: curl offers h2,http/1.1
== Info: (304) (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 335 bytes (0x14f)
0000: ...K..7.......`...c...7.W..a..D...s.z. ...\...W....X...%...H.v.j
0040: 'W+.z...b.............0.,.(.$.......k.9...........=.5...../.+.'.
0080: #.......g.3...E...<./...A.......................+............3.&
00c0: .$... .'n....B..?....rU.....i3.3../..!...#.!...dns.lan
0100: .example.com...................................................
0140: ....h2.http/1.1
== Info:  CAfile: /Users/user/Documents/acme-sh/root-ca.pem
== Info:  CApath: none
== Info: (304) (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 122 bytes (0x7a)
0000: ...v.......A=.,@.}I......='.u...#m...< ...\...W....X...%...H.v.j
0040: 'W+.z........+.....3.$... FG..T.O ........h..".r..^.....U.
== Info: (304) (IN), TLS handshake, Unknown (8):
<= Recv SSL data, 15 bytes (0xf)
0000: .............h2
== Info: (304) (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 740 bytes (0x2e4)
0000: ...........0...0...............u..i0...*.H........0)1'0%..U....e
0040: xample.lan.example.com0...240408200552Z..290408200552Z0)1
0080: '0%..U....dns.lan.example.com0.."0...*.H.............
00c0: 0.........t...@R.;.........l.--.z. ,..}.E....`z.3C.O....ng.4.4..
0100: Z.K9..+C..\.}.v...Q...pa....J4U...(VD.|'BA.{Z}.+S..{.m4r7.......
0140: ]*B.I%.!.<..;...e.3.#........~.`.Y...rg.Yw....q9...1i..f,s.B..k.
0180: ..?.,j.....t.......r..V4.\...DG..z{..k...o]-..Q=}.$.I..G..ax....
01c0: .d.... .......0...*.H.............<..............R3.XY....;n.b..
0200: .......J.$....pn.w.H.A..&=J~.z..S..4.....g...3.K.....f.st.&KZ.,*
0240:  u.A}-=%Du.~.l`30.....m}....k...8.jl..l...ot...uU....>?..[...v..
0280: b..kh..~.......B&.......zV...,....`.doH.............f....[....S.
02c0: ..:0.s.|'/NSr.(c...A..(..C1.D3......
== Info: SSL certificate problem: self signed certificate
== Info: Closing connection

[qupfer]

Hi,
please check the "--ca-bundle" commandline flag from acme.sh
--ca-bundle <file> Specifies the path to the CA certificate bundle to verify api server's certificate.
If you use as file the public certificate of your technitium dns server, curl should accept the self signed certificate.

[shrunbr]

Hi, please check the "--ca-bundle" commandline flag from acme.sh --ca-bundle <file> Specifies the path to the CA certificate bundle to verify api server's certificate. If you use as file the public certificate of your technitium dns server, curl should accept the self signed certificate.

That is for a custom directory server, not the DNS server.

[qupfer]

That is for a custom directory server, not the DNS server.

I don't think so.
Take a look at the _inithttp() function (currently: https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L1861)
Ca-path (and ca-bundle) are used for curl generally. So it should be used for DNS too. Maybe you have to add both certs (your DNS and LetsEncrypt/ZeroSSL/whoever) to a single cert file and use this or use ca-path and add both certificates there.
You may also add your DNS Server to the global trust store, that curl is trust them by default.

However, I don't see how I can help within this dns_technitium plugin.
Due the coding guidelines, I have (and want) to use the _get() function. I'm also bound to posix sh There I can't see an usefull way to monkey patch the _get function.
With bash, I could do somehing like myGetCopy=$(declare -f _get) and some additional sed/string magic against the copy.
But not with sh

So, I think you can:

• use ca-bundle/ca-path commandline option (with certificates for ACME-Server and DNS)
• add your self signed certificate to your hosts trust store
• patch "your" acme.sh and add --insecure to the curl command
• patch "your" version of this plugin and replace _get() with a direct curl/wget command.

I would be delighted if you could report if you have success.