win-acme: GoDaddy plugin "Unauthorized"
Describe the bug
When creating a certificate request with the GoDaddy plugin, I get an “Unauthorized” error. I believe this is because the plugin calls /v1/domains/host/records/txt instead of /v1/domains/domain/records/txt after looking at GoDaddy’s documentation.
Also related, the JSON might be missing the “name” field in the request.
https://developer.godaddy.com/doc/endpoint/domains#/v1/recordReplaceType
To Reproduce
- run wacs.exe with --verbose --validation godaddy -validationmode dns-01 --apikey XXX
- m
- 2 (manual)
- sub.domain.com
- enter
- 6 (verify with godaddy)
- 2 (rsa)
- 4 (windows store)
- 5 (no additional)
- 4 (no additional)
Expected behavior
A certificate to be created with the selected host
Log
DNS logs removed for simplicity
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [Manual] sub.domain.com
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["sub.domain.com"]
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] Using existing ACME account
[VERB] ACME client initialized
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/ORDERNUMBER created
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/AUTHNUMBER
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [sub.domain.com] Authorizing...
[VERB] [sub.domain.com] Initial authorization status: pending
[VERB] [sub.domain.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [sub.domain.com] Initial challenge status: pending
[INFO] [sub.domain.com] Authorizing using dns-01 validation (Godaddy)
[DBUG] [sub.domain.com] Attempting to create DNS record under _acme-challenge.sub.domain.com...
[INFO] Godaddy API with: v1/domains/sub.domain.com/records/TXT
[INFO] Godaddy Data with: [{"name":"_acme-challenge","ttl":3600,"data":"KEY"}]
[DBUG] Send PUT request to https://api.godaddy.com/v1/domains/sub.domain.com/records/TXT
[VERB] Request completed with status Unauthorized
[DBUG] [sub.domain.com] Failed to create record under _acme-challenge.sub.domain.com
[EROR] [sub.domain.com] Error preparing for challenge answer
System.Exception: [sub.domain.com] Unable to prepare for challenge answer
at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation`1.PrepareChallenge(ValidationContext context, Dns01ChallengeValidationDetails challenge)
at PKISharp.WACS.Plugins.ValidationPlugins.Validation`1.PrepareChallenge(ValidationContext context)
at PKISharp.WACS.RenewalValidator.PrepareChallengeAnswer(ValidationContext context, RunLevel runLevel)
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful
Platform:
- OS: Server 2012r2
- Version: 2.1.16.1037.x64.pluggable, 2.1.16.1040.x64.pluggable
Additional context
Verified in firewall, no ports blocked
About this issue
- State: closed
- Created 3 years ago
- Comments: 17 (8 by maintainers)
Commits related to this issue
- try to fix #1794 — committed to win-acme/win-acme by WouterTinus 3 years ago
Yes! It was able to work with that workaround. The DNS entry was created and verified on the last retry 👍
The delete DNS entry is having a similar issue, as it was called with /_acme-challenge.<subdomain>/ instead of /<domain>/
The other part of the issue I see during the deleting is at the end should be /TXT/_acme-challenge.<subdomain>
Everything else seems to work great. Thanks!!!
Can you work around this by entering <API-Key>:<API-Secret> when it asks for the API key?
I’m still getting the Unauthorized error (same as above) when running the new build.
It seems there also needs to be a prompt for the API-Secret. See below for more info.
I was able to fire up Postman and with the help from a friend and the documentation, we found out what was needed to successfully create the DNS record.
Header:
Body:
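How the request target discussed in this thread follows from the host name, as an added example that is not win-acme's code and not the commenter's Postman request: the registered zone goes in the URL path and the record name in the JSON body is relative to that zone. The helper names (`split_record`, `build_txt_put`, `cleanup_path`), the list of account zones and the key, secret and token values are constructed for illustration; the `sso-key <key>:<secret>` Authorization scheme is the one GoDaddy's API documentation describes.

```python
import json

API_BASE = "https://api.godaddy.com"  # host seen in the log above


def split_record(host, zones):
    """Return (zone, relative_name) for the dns-01 TXT record of `host`.

    `zones` is the list of domains registered in the account (assumed to be
    known); the longest zone that covers the record name wins.
    """
    fqdn = "_acme-challenge." + host.rstrip(".").lower()
    matches = [z.lower() for z in zones if fqdn.endswith("." + z.lower())]
    if not matches:
        raise ValueError(f"no zone in this account covers {fqdn}")
    zone = max(matches, key=len)
    # Strip ".<zone>" so the name is relative, e.g. "_acme-challenge.sub".
    return zone, fqdn[: -len(zone) - 1]


def build_txt_put(host, token, zones, api_key, api_secret, ttl=3600):
    """Build (method, url, headers, body) for creating the challenge record."""
    zone, name = split_record(host, zones)
    # The path carries the zone, not the host being validated.
    # Note: per GoDaddy's documentation this endpoint replaces the zone's
    # existing records of the given type.
    url = f"{API_BASE}/v1/domains/{zone}/records/TXT"
    headers = {
        "Authorization": f"sso-key {api_key}:{api_secret}",
        "Content-Type": "application/json",
    }
    body = json.dumps([{"name": name, "ttl": ttl, "data": token}])
    return "PUT", url, headers, body


def cleanup_path(host, zones):
    """Name-scoped path for removing the record after validation."""
    zone, name = split_record(host, zones)
    return f"/v1/domains/{zone}/records/TXT/{name}"


if __name__ == "__main__":
    zones = ["domain.com"]  # constructed sample
    print(build_txt_put("sub.domain.com", "KEY", zones, "<API-Key>", "<API-Secret>"))
    print(cleanup_path("sub.domain.com", zones))
```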