dns-01 not working #454

Closed
opened 2025-12-29 01:25:33 +01:00 by adam · 4 comments

Originally created by @TB1234 on GitHub (Jan 6, 2020).

I installed dehydrated on a Pi via apt-get and tried to get a cert via dns-01, as I have done on other systems multiple times. But on this system it will not work. I also tried the latest dehydrated script directly from GitHub, which gives the same result.

Here is my config:

```bash
dehydrated -e
# dehydrated configuration
#     INFO: Using main config file /etc/dehydrated/config
#     INFO: Using additional config file /etc/dehydrated/conf.d/config.sh
declare -- CA="https://acme-v02.api.letsencrypt.org/directory"
declare -- CERTDIR="/var/lib/dehydrated/certs"
declare -- ALPNCERTDIR="/var/lib/dehydrated/alpn-certs"
declare -- CHALLENGETYPE="dns-01"
declare -- DOMAINS_D=""
declare -- DOMAINS_TXT="/etc/dehydrated/domains.txt"
declare -- HOOK="/etc/dehydrated/hook.sh"
declare -- HOOK_CHAIN="yes"
declare -- RENEW_DAYS="30"
declare -- ACCOUNT_KEY="/var/lib/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem"
declare -- ACCOUNT_KEY_JSON="/var/lib/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/registration_info.json"
declare -- ACCOUNT_ID_JSON="/var/lib/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_id.json"
declare -- KEYSIZE="4096"
declare -- WELLKNOWN="/var/lib/dehydrated/acme-challenges"
declare -- PRIVATE_KEY_RENEW="yes"
declare -- OPENSSL_CNF="/usr/lib/ssl/openssl.cnf"
declare -- CONTACT_EMAIL=""
declare -- LOCKFILE="/var/lib/dehydrated/lock"
```

If I run the script, I get this result:

```
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/config.sh
 + Creating chain cache directory /var/lib/dehydrated/chains
Processing openhab.tobias.bauer.network
 + Creating new directory /var/lib/dehydrated/certs/my.domain ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for my.domain
 + 1 pending challenge(s)
 + Deploying challenge tokens...
```

Why does the dns-01 method not work? It also does not work if I explicitly pass the `-t dns-01` parameter.

adam closed this issue 2025-12-29 01:25:34 +01:00

@TB1234 commented on GitHub (Jan 7, 2020):

I found the problem!

After starting the command with `bash -x dehydrated -c` I got a line which gave me the hint I needed to fix it:

```bash
+ [[ -n /etc/dehydrated/hook.sh ]]
+ /etc/dehydrated/hook.sh this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
```

There was an error in the hook script. Maybe there should be an error message if the hook script is broken, and a fallback from dns-01 to http-01.


@lukas2511 commented on GitHub (Feb 5, 2020):

I'm not entirely sure what exactly the problem is.

Dehydrated calls all hook scripts with a `this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script` parameter; this was added because newly added hooks caused some hook scripts to repeatedly break. It got this name so that A) people who just used other people's hooks knew that this wasn't a dehydrated problem and B) developers knew that they should simply ignore unknown hook calls.

I'm guessing your script failed and dehydrated aborted after that.
And if your script didn't give you an error, dehydrated would just silently stop, is that assumption correct?

I'll have a look at what I can do about adding a good error message for an actually failing hook script.

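To make the two comments above concrete (the `bash -x` trace showing the probe call, and the explanation that every hook script receives an unknown hook name on purpose), here is an added example of a minimal dns-01 hook skeleton. It is not dehydrated's code and not the reporter's hook. It handles `deploy_challenge` and `clean_challenge`, iterates over the `(domain, token_filename, token_value)` triples that dehydrated passes in one call when `HOOK_CHAIN="yes"` is set (as in the config above), and returns success for any other hook name, including the probe. Writing records to a local zone-fragment file instead of calling a DNS provider API is an assumption so the script runs offline; `ZONE_FILE`, `dns_add_txt`, `dns_del_txt`, `dns_has_txt` and `hook_dispatch` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example hook skeleton for dehydrated dns-01 (not the project's own code).
# Assumption: challenge TXT records go to a flat zone-fragment file so the
# script can be exercised offline; a real hook would call the DNS provider here.
set -eu

ZONE_FILE="${ZONE_FILE:-/tmp/acme-dns01-zone.txt}"

# Append one TXT record line, e.g. _acme-challenge.my.domain. IN TXT "value"
dns_add_txt() {
    printf '%s. IN TXT "%s"\n' "$1" "$2" >> "$ZONE_FILE"
}

# Remove exactly that record line (fixed-string match, so no regex surprises).
dns_del_txt() {
    [ -f "$ZONE_FILE" ] || return 0
    tmp="$(mktemp)"
    grep -v -F -- "$(printf '%s. IN TXT "%s"' "$1" "$2")" "$ZONE_FILE" > "$tmp" || true
    mv "$tmp" "$ZONE_FILE"
}

# Return 0 if the record is present; used to verify the hook did its job.
dns_has_txt() {
    [ -f "$ZONE_FILE" ] && grep -q -F -- "$(printf '%s. IN TXT "%s"' "$1" "$2")" "$ZONE_FILE"
}

# Dispatch on the hook name. With HOOK_CHAIN="yes" dehydrated passes every
# (domain, token_filename, token_value) triple of a certificate in one call,
# so deploy/clean loop over the arguments three at a time.
hook_dispatch() {
    hook="${1:-}"
    [ -n "$hook" ] || return 0
    shift
    case "$hook" in
        deploy_challenge)
            while [ "$#" -ge 3 ]; do
                dns_add_txt "_acme-challenge.$1" "$3"
                shift 3
            done
            ;;
        clean_challenge)
            while [ "$#" -ge 3 ]; do
                dns_del_txt "_acme-challenge.$1" "$3"
                shift 3
            done
            ;;
        *)
            # Unknown hook names (deploy_cert, startup_hook, exit_hook, and the
            # this_hookscript_is_broken__... probe) are ignored with exit 0, so
            # dehydrated continues instead of stopping after the hook call.
            return 0
            ;;
    esac
}

# When run as a script, dehydrated invokes it as: hook.sh <hookname> [args...]
if [ "$#" -gt 0 ]; then
    hook_dispatch "$@"
fi
```

Before pointing dehydrated at a hook, the cheap check is to call it by hand with the probe name and look at the exit status: `/etc/dehydrated/hook.sh this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script; echo $?` must print `0`. A hook that exits non-zero on an unknown name, or that dereferences `$2`/`$3` under `set -u` before checking the hook name, will fail that probe before any challenge is deployed.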

@TB1234 commented on GitHub (Feb 5, 2020):

As you can see above, dehydrated did not abort.

I tried to run it and it was very hard for me to find the problem. I understand the decision for the parameter, but in this case the program should write a message that there is a problem with a hook script. If you ignore that, OK, then that's your problem, but if you read the message you know that there is a problem, instead of having to spend a lot of time searching for a problem which can be fixed in a few seconds.


@lukas2511 commented on GitHub (Dec 10, 2020):

Dehydrated now prints error messages if a hook script fails.


Reference: starred/dehydrated#454