starred/acme-dns
1
0
Fork 0
mirror of https://github.com/acme-dns/acme-dns.git synced 2026-04-27 04:45:48 +03:00
Code Issues 178 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #259] acme-dns returning a 401- error:forbidden message #130

New issue
Closed
opened 2026-03-13 15:52:15 +03:00 by kerem · 5 comments
kerem commented 2026-03-13 15:52:15 +03:00
Owner
Copy link

Originally created by @DutchForeigner on GitHub (Mar 2, 2021).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/259

Hi, I'm having a problem with updating the TXT record(s).
Hopefully someone can shed some light on this issue.
It used to be working ok when I initially set it up almost 3 months ago, and of course when the cert is about to expire, it now fails....

When I'm using sudo certbot renew --dry-run, it fails with an error:

</etc/letsencrypt/acme-dns-auth.py" returned error code 1>

<Encountered an error while trying to update TXT record in acme-dns.>
<------- Request headers:>
<{>
< "Content-Type": "application/json",>
< "X-Api-Key": "$2a$10$Ndg6bTFaIbgM7PazM8fdkO3uM77HC4VtHoIE1aI7fdi1.hRnigMd.",>
> "X-Api-User": "b2651f52-e31d-438e-8230-1bceefd51756">
<}>
<------- Request body:>
<{>
< "subdomain": "59932ad1-6332-4057-bee9-7c96ed003a64",>
< "txt": "bpUcVQE5Jl51EqME87gLatSZSwiZpe0dTZh9TxJVBXM">
<}>
<------- Response HTTP status: 401>
<------- Response body: {>
< "error": "forbidden">
<}>

Also when trying to do the update using curl, it fails with the same error: 401 - forbidden.

<curl --location --request POST 'https://auth-acme-dns.nexusnet.me:10443/update' \ --header 'X-Api-User: b2651f52-e31d-438e-8230-1bceefd51756' \ --header 'X-Api-Key: $2a$10$Ndg6bTFaIbgM7PazM8fdkO3uM77HC4VtHoIE1aI7fdi1.hRnigMd.' \ --header 'Content-Type: application/json' \ --data-raw '{ "subdomain": "59932ad1-6332-4057-bee9-7c96ed003a64", "txt": "___validation_token_received_from_the_ca___" }'>

  • I've the acme-dns client installed locally on a raspberry pi, on port 10443
  • The health check comes back with code 200:
    • <curl --location --request GET 'https://auth-acme-dns.nexusnet.me:10443/health'>
  • the created user for use with the service deamon, 'acme-dns', does have rights to the sqlite3 db, (I can update a record using sqlite3 from the command line)
Originally created by @DutchForeigner on GitHub (Mar 2, 2021). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/259 Hi, I'm having a problem with updating the TXT record(s). Hopefully someone can shed some light on this issue. It used to be working ok when I initially set it up almost 3 months ago, and of course when the cert is about to expire, it now fails.... When I'm using **sudo certbot renew --dry-run**, it fails with an error: `</etc/letsencrypt/acme-dns-auth.py" returned error code 1`> `<Encountered an error while trying to update TXT record in acme-dns.`> `<------- Request headers:`> `<{`> `< "Content-Type": "application/json",`> `< "X-Api-Key": "$2a$10$Ndg6bTFaIbgM7PazM8fdkO3uM77HC4VtHoIE1aI7fdi1.hRnigMd.",`> `> "X-Api-User": "b2651f52-e31d-438e-8230-1bceefd51756"`> `<}`> `<------- Request body:`> `<{`> `< "subdomain": "59932ad1-6332-4057-bee9-7c96ed003a64",`> `< "txt": "bpUcVQE5Jl51EqME87gLatSZSwiZpe0dTZh9TxJVBXM"`> `<}`> `<------- Response HTTP status: 401`> `<------- Response body: {`> `< "error": "forbidden"`> `<}`> Also when trying to do the update using curl, it fails with the same error: 401 - forbidden. `<curl --location --request POST 'https://auth-acme-dns.nexusnet.me:10443/update' \ --header 'X-Api-User: b2651f52-e31d-438e-8230-1bceefd51756' \ --header 'X-Api-Key: $2a$10$Ndg6bTFaIbgM7PazM8fdkO3uM77HC4VtHoIE1aI7fdi1.hRnigMd.' \ --header 'Content-Type: application/json' \ --data-raw '{ "subdomain": "59932ad1-6332-4057-bee9-7c96ed003a64", "txt": "___validation_token_received_from_the_ca___" }'`> - I've the acme-dns client installed locally on a raspberry pi, on port 10443 - The health check comes back with code 200: - `<curl --location --request GET 'https://auth-acme-dns.nexusnet.me:10443/health'`> - the created user for use with the service deamon, 'acme-dns', does have rights to the sqlite3 db, (I can update a record using sqlite3 from the command line)
kerem closed this issue 2026-03-13 15:52:20 +03:00
kerem commented 2026-03-13 15:52:26 +03:00
Author
Owner
Copy link

@deathsonic18 commented on GitHub (Mar 23, 2021):

I too am having this issue, with cert-manager

<!-- gh-comment-id:804728021 --> @deathsonic18 commented on GitHub (Mar 23, 2021): I too am having this issue, with cert-manager
kerem commented 2026-03-13 15:52:31 +03:00
Author
Owner
Copy link

@joohoi commented on GitHub (Mar 23, 2021):

This must be due some kind of change from cert-manager end. More precisely due to how it handles the credentials. The X-Api-Key that has been passed looks like a bcrypt hash instead of the proper API key provided by acme-dns

<!-- gh-comment-id:804732579 --> @joohoi commented on GitHub (Mar 23, 2021): This must be due some kind of change from cert-manager end. More precisely due to how it handles the credentials. The `X-Api-Key` that has been passed looks like a bcrypt hash instead of the proper API key provided by `acme-dns`
kerem commented 2026-03-13 15:52:36 +03:00
Author
Owner
Copy link

@DutchForeigner commented on GitHub (Mar 23, 2021):

In my case, it was something wrong in the database (which I likely screwed up myself)
I 'fixed' it by:

  1. stop acme-dns (sudo systemctl stop acme-dns).
  2. delete the database file (rm /var/lib/acme-dns/acme-dns.db).
  3. start acme-dns client service again (sudo systemctl stop acme-dns).
  4. Do a new registration (https://auth-acme-dns.nexusnet.me:10443/register) Note: I have the port changed to 10443 as I've an automation webserver on the same box.
  5. Use the new registered details in the update command. -> this now worked for me.

Just as FYI:
While testing, I found it useful to stop the acme-dns service and run the acme-dns client directly (sudo /usr/local/bin/acme-dns/acme-dns). That way it is showing details on the command line while you're executing acme-dns client related commands via another box (like registering, updating, DNS query etc).
You can check the records in the database directly if need be by installing/using sqlite3:
sudo sqlite3 /var/lib/acme-dns/acme-dns.db
sqlite> .mode line
sqlite> select * from records; -> this will give you the registered account details.
sqlite> select * from txt; -> this will give you the TXT records.
.exit or Ctrl-D to exit

<!-- gh-comment-id:805349256 --> @DutchForeigner commented on GitHub (Mar 23, 2021): In my case, it was something wrong in the database (which I likely screwed up myself) I 'fixed' it by: 1. stop acme-dns (**sudo systemctl stop acme-dns**). 2. delete the database file (**rm /var/lib/acme-dns/acme-dns.db**). 3. start acme-dns client service again (**sudo systemctl stop acme-dns**). 4. Do a new registration (**https://auth-acme-dns.nexusnet.me:10443/register**) Note: I have the port changed to 10443 as I've an automation webserver on the same box. 5. Use the new registered details in the update command. -> this now worked for me. Just as FYI: While testing, I found it useful to stop the acme-dns service and run the acme-dns client directly (**sudo /usr/local/bin/acme-dns/acme-dns**). That way it is showing details on the command line while you're executing acme-dns client related commands via another box (like registering, updating, DNS query etc). You can check the records in the database directly if need be by installing/using sqlite3: **sudo sqlite3 /var/lib/acme-dns/acme-dns.db** sqlite> **.mode line** sqlite> **select * from records;** -> this will give you the registered account details. sqlite> **select * from txt;** -> this will give you the TXT records. **.exit** or **Ctrl-D** to exit
kerem commented 2026-03-13 15:52:41 +03:00
Author
Owner
Copy link

@deathsonic18 commented on GitHub (Apr 1, 2021):

For me, I am trying to host it on GCP. I used the READ.ME on github and then turned to this
https://medium.com/emvi/wildcard-ssl-certificates-on-kubernetes-using-acme-dns-fde583a69eb5.
With version 0.7.2 i get a ssl wrong version and with 0.8 i just get a connection refused.
When I check the the acme-dns.db tables in my /data folder, it doesnt seem to be storing any information in the .tables

<!-- gh-comment-id:811952948 --> @deathsonic18 commented on GitHub (Apr 1, 2021): For me, I am trying to host it on GCP. I used the READ.ME on github and then turned to this https://medium.com/emvi/wildcard-ssl-certificates-on-kubernetes-using-acme-dns-fde583a69eb5. With version 0.7.2 i get a ssl wrong version and with 0.8 i just get a connection refused. When I check the the acme-dns.db tables in my /data folder, it doesnt seem to be storing any information in the .tables
kerem commented 2026-03-13 15:52:46 +03:00
Author
Owner
Copy link

@leggewie commented on GitHub (Jan 17, 2022):

@DutchForeigner If your problem is solved, can you kindly close the ticket?

<!-- gh-comment-id:1014440595 --> @leggewie commented on GitHub (Jan 17, 2022): @DutchForeigner If your problem is solved, can you kindly close the ticket?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix_dockerhub
dockerhub
readme2.0
goreleaser_action
refactoring
linter_update_config
update_deps_122
dependabot/go_modules/github.com/valyala/fasthttp-1.34.0
deps_bump
update_goreleaser
update_golint
deps_update
update_dockerfile
v2.0.2
v2.0.1
v2.0
v1.1
v1.0
v0.8
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3.2
v0.3.1
v0.3
v0.2
v0.1
Labels
Clear labels   
Documentation

   
Documentation

   
bug

   
enhancement

   
feature request

   
feature request

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
security

   
security

   
testing
No labels
Documentation
Documentation
bug
enhancement
feature request
feature request
help wanted
pull-request
question
security
security
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/acme-dns#130
No description provided.