[GH-ISSUE #167] (401) Unauthorized sending update request to acme-dns #66

Closed
opened 2026-03-13 15:37:36 +03:00 by kerem · 13 comments

Originally created by @SuperlativeIT on GitHub (May 17, 2019).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/167

After working with my domain name at home I was able to successfully receive a test cert from LE using the wacs.exe --test. I completed the same steps for a new domain name I registered for work for this sole purpose, and now I no longer have the 400 error I was fighting yesterday with the other domain name I was using at the time, but now I'm getting a 401 Unauthorized. I can do a curl and post a register successfully. The value disable_registration = false is set in the config.cfg file.

[EROR] Error sending update request to acme-dns for domain domain.tld
System.Net.WebException: The remote server returned an error: (401) Unauthorized.

Anything I need to look at to see what is going on here? Windows firewall is disabled and port is open on the Cisco ASA firewall.

The win-acme starts generating port 53 connection errors afterwards, which makes no sense as I am using a Windows AD DNS internally in my network. If my DNS server was having issues I'd have people screaming at me, but that is something I have to take up with them.

I can connect to the IP acme-dns is listening and I can successfully query for any SOA, NS, A, and PTR records I have set in the records section in the config.cfg. So I am having trouble understanding as to why win-acme is giving me so much damn grief.

Thank You

Sincerely

kerem closed this issue 2026-03-13 15:37:42 +03:00

@Ajedi32 commented on GitHub (May 17, 2019):

Sounds like whatever ACME client you're using isn't properly sending the user & key headers to acme-dns? Can you manually update a DNS entry via curl? https://github.com/joohoi/acme-dns#testing-it-out

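To make the header point above concrete, here is an added example (not code from the thread, acme-dns or any ACME client) that builds the headers an acme-dns `/update` call must carry and models the server-side authorization decision, so the different ways to end up with a 401 are visible. The account values and the `allowfrom` list are constructed samples.

```python
"""Added example, not code from acme-dns or any ACME client: build the
headers an acme-dns /update call must carry and model the server-side
authorization decision, so the causes of a 401 are visible.
Credentials and the allowfrom list are constructed sample values."""
import ipaddress
import json

# Constructed sample account in the shape POST /register returns.
SAMPLE_ACCOUNT = {
    "username": "eabcdb41-d89f-4580-826f-3e62e9755ef2",
    "password": "pbAXVjlIOE01xbut7YnAbkhMQIkcwoHO0ek2j4Q0",
    "subdomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf",
    "allowfrom": ["192.0.2.0/24"],  # empty list means any source IP
}

def update_request(account, txt):
    """Headers and JSON body for POST /update. A client that omits
    X-Api-User or X-Api-Key gets 401 no matter what the body says."""
    headers = {
        "Content-Type": "application/json",
        "X-Api-User": account["username"],
        "X-Api-Key": account["password"],
    }
    body = json.dumps({"subdomain": account["subdomain"], "txt": txt})
    return headers, body

def authorize_update(headers, body, client_ip, account):
    """Simplified model of the checks acme-dns applies to /update (the
    real server compares the key against a stored hash). Returns the HTTP
    status: 401 for every authorization failure, 400 for a bad TXT value,
    otherwise 200."""
    if headers.get("X-Api-User") != account["username"]:
        return 401  # unknown or missing user
    if headers.get("X-Api-Key") != account["password"]:
        return 401  # wrong or missing key
    if account["allowfrom"] and not any(
        ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr)
        for cidr in account["allowfrom"]
    ):
        return 401  # source IP outside the account's allowfrom list
    data = json.loads(body)
    if data.get("subdomain") != account["subdomain"]:
        return 401  # valid credentials, but for a different subdomain
    if len(data.get("txt", "")) != 43:
        return 400  # acme-dns answers "bad_txt": value must be 43 chars
    return 200
```

Because every authorization failure collapses to the same 401, the acme-dns server log (not the client) is where the actual reason shows up.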

@SuperlativeIT commented on GitHub (May 17, 2019):

I manually added the A record for the subdomain.acmedns1.dnsserver.tld to point to the acmedns1.dnsserver.tld and that got me past the 401 Unauthorized error, so I guess it was failing to resolve for the subdomain A record, which I thought was going to be handled by the database, but I guess not. Once I added the A record along with the CNAME record into the DNS server authoritative for domain.tld then it validated successfully and issued me a test certificate from LetsEncrypt.

I am now going to try another domain and see how that goes but I think at this point I might be good to go but give me a bit to verify and if all looks good then I'll close the ticket.

Thank You

Sincerely


@SuperlativeIT commented on GitHub (May 17, 2019):

I tested another domain name and this time I was successful in being issued a new test cert from Let's Encrypt. I'm not sure why, but along with the _acme-challenge cname pointing to acme-dns I also needed to add an A record for subdomain.acmedns1.dnsserver.tld to the DNS for the domain name (domain.tld) for which I am requesting the cert on behalf, and validation succeeds and I am successfully issued a test certificate. Seems weird as to why I would need to add the A record for the subdomain.acmedns1.dnsserver.tld under the domain.tld DNS, but it seems to solve the (401) Unauthorized error and I am issued a test cert. Without the A record, the test cert fails validation.

Again weird but whatever.

Thank you for your assistance

Sincerely


@SuperlativeIT commented on GitHub (May 17, 2019):

For the record I was using the Win-Acme client.


@webprofusion-chrisc commented on GitHub (May 18, 2019):

@SuperlativeIT it would be interesting if you also managed to confirm https://certifytheweb.com (my app) can talk to a Windows-based acme-dns, I haven't tried it myself. If you were able to add Windows-specific instructions for getting acme-dns running that would be really useful for others.


@SuperlativeIT commented on GitHub (May 18, 2019):

Sure. I can do that. Give me some time as I'm actually doing Windows updates on the server now. I actually use Certify The Web with a couple of my machines performing http validations; it won't be difficult to try dns now that I have acme-dns up and running.
The steps I used were the same for Windows 2016 and Windows 10. I'll write up something and post it back here.

Sincerely


@SuperlativeIT commented on GitHub (May 18, 2019):

Forgive my ASCII-ness as it's late and not feeling too fancy. :)
I still have to test certify the web but feeling too tired to continue tonight so I'll try it in the morning. In the meantime here is the rough guide steps I used to do my build-out.
[AcmeDNS-Windows Setup Guide.txt](https://github.com/joohoi/acme-dns/files/3193755/AcmeDNS-Windows.Setup.Guide.txt)


@SuperlativeIT commented on GitHub (May 18, 2019):

Also don't forget about Windows firewall. I usually set mine to Allowed since I am behind a Cisco ASA firewall but you might need rules to allow for ports 53-tcp/udp, 80-tcp, and 443-tcp.

One more thing about file permissions. Make sure User has the rights to write to the folder.


@SuperlativeIT commented on GitHub (May 18, 2019):

@webprofusion-chrisc

I tried Certify The Web against my acme-dns and it failed. The domain I was working with is in a Windows DNS and when using Manual Update I am able to get a cert. When I use acme-dns it tries to publish the _acme-challenge to acme-dns which is not correct as the domain's zone is on a different server and not on acme-dns. I have to manually add the cname record into the Windows dns pointing to acme-dns and then we can update with a token.

Sincerely


@webprofusion-chrisc commented on GitHub (May 18, 2019):

@SuperlativeIT thanks for trying it out, I'll need to investigate more, should work the same as a Linux-based acme-dns so maybe something else going on. Cheers.


@SuperlativeIT commented on GitHub (May 18, 2019):

@webprofusion-chrisc
The issue that I believe I saw was it appeared to try to publish the cname record to acme-dns server which is not where the domain.tld zone is located. In my case that zone resides in a separate DNS server.
When I use the win-acme, it pauses long enough for me to add the _acme-challenge cname that points to subdomain.acmedns1.dnsserver.tld. Once the record has been added then verification proceeds. Very much like how your Manual DNS code works but instead of checking the TXT record under domain.tld you would be checking instead a cname record that points to acme-dns and that returns the TXT. So even though _acme-challenge.domain.tld is a cname you can still retrieve the TXT value when it checks against acme-dns via cname.

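The CNAME-to-TXT lookup described in the comment above, as an added example that is not part of the thread, win-acme or acme-dns: a small offline resolver over a constructed zone table shows why a CNAME at `_acme-challenge.domain.tld` is all the domain's own zone needs, and what a missing or stale record looks like before the ACME server is asked to validate. Names, the acme-dns suffix and the TXT values are constructed.

```python
"""Added example, not code from the thread, win-acme or acme-dns: an
offline resolver over a constructed zone table that follows the
_acme-challenge CNAME into acme-dns and answers the TXT query there,
plus a pre-flight check for the failure modes. All names are constructed."""

# Constructed records: (name, type) -> list of values. The domain.tld zone
# lives on a separate (Windows) DNS server and carries only the CNAME;
# the TXT value lives under the acme-dns subdomain.
ZONE = {
    ("_acme-challenge.domain.tld", "CNAME"): ["subdomain.acmedns1.dnsserver.tld"],
    ("subdomain.acmedns1.dnsserver.tld", "TXT"): ["x" * 43],
    ("_acme-challenge.nocname.tld", "TXT"): [],  # zone without the CNAME
}

def resolve(name, rtype, zone=ZONE, max_hops=8):
    """Follow CNAMEs the way a validating resolver does, then answer the
    requested type at the canonical name. Returns (canonical_name, values)."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        direct = zone.get((name, rtype))
        if direct:
            return name, direct
        cname = zone.get((name, "CNAME"))
        if not cname:
            return name, []
        name = cname[0].rstrip(".").lower()
    raise RuntimeError("CNAME chain too long")

def check_challenge(domain, acme_dns_suffix, expected_txt, zone=ZONE):
    """Pre-flight check: does _acme-challenge.<domain> reach acme-dns, and
    does the TXT there carry the value the ACME server will look for?"""
    label = f"_acme-challenge.{domain}"
    canonical, txts = resolve(label, "TXT", zone)
    if canonical == label.lower():
        return "no CNAME: _acme-challenge is served locally, not by acme-dns"
    if not canonical.endswith("." + acme_dns_suffix.lower()):
        return f"CNAME points outside acme-dns ({canonical})"
    if expected_txt not in txts:
        return "CNAME ok but TXT missing or stale: check the /update call"
    return "ok"
```

Running the same check against a live resolver (for example with dnspython) is the natural next step, but the offline table is enough to show the record shapes involved.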

@SuperlativeIT commented on GitHub (May 20, 2019):

Let me know if you would like for me to test any new versions as I really would like our tech support dept to use your client for cert issuance and renewals. Our primary DNS server is Windows based which is where all of our client domains are SOA'd at. So I'm figuring that I might be able to have it dump the record data into a script to update the primary DNS server with the supplied subdomain cname record that will point to the Acme-DNS server. Currently I am using your manual setting and manually publishing the txt record under the client domain. You can reach me directly at IT at Superlative dot com. I am in the US Pacific time.

Sincerely


@webprofusion-chrisc commented on GitHub (May 21, 2019):

@superlativeit will do!
