Report Bugs to Schlundtech.de DNS API

[mod242]

This is the place to report bugs in the ddnss.de DNS API.

If you experience a bug, please report it in this issue.

[ArminXG]

Hello,
I try to use the dns_schlundtech api to create a wildcard certificate for my domain with
-d 'xxxxx.com' -d '*.xxxxx.com'.
It always fails with the message "invalid domain".
The debug log shows XML looks good with the first request for "xxxxx.com", but the
second request just has "com". Even with the response saying "success", the log shows

success
h
invalid domain

The issue #1261 seems to contain something similar.
Is it a bug, or am I doing something wrong.

Armin

[mod242]

Hi Armin,

so, you try the following command:
acme.sh --issue --dns dns_schlundtech -d domain.com -d *.domain.com

And this doesn't work? I just checked for myself (had an renewal for 20 Domains on May 1st) and they went through this way. Can you please send me the Full Log, because right now I can't comprehend what's going wrong here, since I can't reproduce.

Best,
Michael

[ArminXG]

Hi Michael,

that is the command I use.
Here is the log (sensitive data and domain altered).

acme.sh.log

regards
Armin

[mod242]

Hi Armin,

thanks for the log. While I still don't understand 100% what is going on, I can see some significant differences in the XML-Communication. The most notable would be that the result of your run within the setting of the TXT-Record comes with an Payload that says "

2

", which means, theree are 2 Messages (which should not be the case here).

Would you have the chance to send a full debug? Or do you have an idea where this might come from (do you have any Information in the user-panel or so?)

Regards
Michael

[ArminXG]

Hello Michael,

I used --debug (or --log). Is there another option to get even more debug?

I cannot tell where this is coming from. The user panel looks normal, but we do have
a lot of entries including other TXT records.

regards
Armin

[Neilpang]

https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

[ArminXG]

Ah okay.
I tried --debug 2 , but there is no real difference.

The script is doing two xml requests. The first xml request contains
<value>domain.com</value>
The second, which return invalid, contains
<value>com</value>

Why is it just com ? This looks wrong to me.

[mod242]

Hi Armin,

yep, this is the point where the problem happens. Normally you should have the zone-information, ns-information and so on in it (at least in my logs it appears). Instead your host (h) is set to com which isn't a valid domain. I'd need more of the communication insight to find out why this happens, i think. I was hoping that debug 2 delivers more information. What drives me insane is that I can't seem to reproduce this, no matter what i try.

Do you have an txt-entry with acme_challenge in the domain?

Regards
Michael

[mod242]

One thing to try:
Could you change line 126 in the dns_schlundtech.sh script from
if _contains "$autodns_response" "<summary>1</summary>" >/dev/null; then
to
if _contains "$autodns_response" "<summary>2</summary>" >/dev/null; then

Just to check, whether the message would work for the further process (although, as i stated, this is not the way it should go per specification)

[ArminXG]

Hi Michael,

no, there is no TXT entry for _acme-challenge.
I tried your patch. The TXT entry could not be added, but the second POST
now is very different:
<task> <code>0202001</code> <default> <rr_add> <name>_acme-challenge</name> <ttl>600</ttl> <type>TXT</type> <value>VtzlpIKRdWtdpVWtfTFE3v8uCojqF5HA7e3qY</value> </rr_add> </default> <zone> <name>domain.com</name> <system_ns>ns10.schlundtech.de</system_ns> </zone> </task>
The response says the hostname of the nameserver could not be resolved for ns.domain.com. But we do not have a nameserver for our domain. Why is ns.domain.com searched for?

[mod242]

Could you again send me the log?

[ArminXG]

Yes:

debug2.log

[mod242]

Thank you very much. So the root cause for your problem seems to be that the zones somehow are at least unexpected. As I pointed out earlier the very strange thing is that when asking for the zones instead of getting one dedicated message the API sends two (therefore the strange

2</... in your response). And this seems not to be an cosmetic issue. Unfortunately I can't tell exactly what the reason for this is in your case, but I assume that it has to do with the Nameserver-Configuration on Schlundtech side.

Could it be that you have an extra Name-Server Entry in your Zone-File on Schlundtech that isn't valid?

[mod242]

May I ask you to try the following and send me the resulting xml?
Take the attached file, rename it to request.xml and edit the content according to your environment (User,Pass and Domain). Afterwards do the following in the shell:
cat request.xml | curl -X POST -H 'Content-Type: application/xml' --data-binary @- 'https://gateway.schlundtech.de'

This is the request that results in the faulty response with summary=2. What I did in this request was to raise the limit for the result, so we can see, why there are 2 datasets, where there should be only one.

request.txt

[ArminXG]

No, there is no extra name server entry. At least none seen in my configuration.
Here is the response:
response.txt

Thank you.
Armin

[mod242]

Thanks a lot. This helped me understand what happens.
Somehow your Zone-Configuration is strange. If it's true that you get two different zones for the Same Domain, the Autodns-API will not work. This is a configuration that I even don't know how to generate on Schlundtech site.

Given the "change" and "create" attributes, I assume that the zone containing the ns10 Schlundtech-Server is somehow "historical" and that the one with nsa5 is the right one. That's why the try, with ignoring the summary tag doesn't work, because you get the information with the ns10 Nameserver which doesn't seem to be the correct one.

If you can't see those 2 Zones for the same domain in your webinterface I'd suggest to ask schlund-support about how to remove the first one (or merge it), so that you only get one zone for one given domain. Please let me know if this helped, I'm very curious to learn how this situation can happen.

[ArminXG]

Hello Michael,

thank you so much. I contacted Schlundtech Support because of those 2 zones. They said this is a leftover from old days and will be removed. 5 minutes later it worked!

Thanks and regards
Armin

[schroeb]

Hi,
I am experiencing issues while trying to get a certificate for my domain, no matter if for domain, (existing) subdomain or wildcard.
Message is also 'invalid domain' but I believe I have a different issue than Armin had :)

Anonymized standard output as follows (used staging here this but results on prod are identical)

# .acme.sh/acme.sh --test --issue --dns dns_schlundtech -d domain.de -d *.domain.de
[Fri May 17 22:24:35 CEST 2024] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 17 22:24:36 CEST 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 17 22:24:36 CEST 2024] Multi domain='DNS:domain.de,DNS:*.domain.de'
[Fri May 17 22:24:39 CEST 2024] Getting webroot for domain='domain.de'
[Fri May 17 22:24:39 CEST 2024] Getting webroot for domain='*.domain.de'
[Fri May 17 22:24:39 CEST 2024] Adding txt value: G-j0DyocjLCihpg_g6P3BlgFUF-3unKSVCUxktOzI_g for domain:  _acme-challenge.domain.de
[Fri May 17 22:24:39 CEST 2024] invalid domain
[Fri May 17 22:24:39 CEST 2024] invalid domain
[Fri May 17 22:24:39 CEST 2024] Error add txt for domain:_acme-challenge.domain.de
[Fri May 17 22:24:39 CEST 2024] Please add '--debug' or '--log' to check more details.
[Fri May 17 22:24:39 CEST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

So I added --debug and this seems to be a parser error, based on the response:

<?xml version="1.0" encoding="UTF-8" standalone="no"?><response><result><msg><text>Parser error.</text><code>EF00000</code><type>error</type><object><type>XML parser</type><value>The entity name must immediately follow the '&amp;' in the entity reference.</value></object></msg><status><code>E00000</code><text>Errors occurred during processing.</text><type>error</type></status></result><stid>20240517-app4-349075</stid></response>

Full (well, nearly) output of the error:

[Fri May 17 22:30:03 CEST 2024] POST
[Fri May 17 22:30:03 CEST 2024] _post_url='https://gateway.schlundtech.de'
[Fri May 17 22:30:03 CEST 2024] body='<?xml version="1.0" encoding="UTF-8"?>
  <request>
    <auth>
    <user>12345678</user>
    <password>********</password>
    <context>10</context>
  </auth>
    <task>
      <code>0205</code>
      <view>
        <children>1</children>
        <limit>1</limit>
      </view>
      <where>
        <key>name</key>
        <operator>eq</operator>
        <value>domain.de</value>
      </where>
    </task>
  </request>'
[Fri May 17 22:30:03 CEST 2024] _postContentType
[Fri May 17 22:30:03 CEST 2024] Http already initialized.
[Fri May 17 22:30:03 CEST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.3CtRuYqWFd  -g '
[Fri May 17 22:30:03 CEST 2024] _ret='0'
[Fri May 17 22:30:03 CEST 2024] autodns_response='<?xml version="1.0" encoding="UTF-8" standalone="no"?><response><result><msg><text>Parser error.</text><code>EF00000</code><type>error</type><object><type>XML parser</type><value>The entity name must immediately follow the '&amp;' in the entity reference.</value></object></msg><status><code>E00000</code><text>Errors occurred during processing.</text><type>error</type></status></result><stid>20240517-app4-349075</stid></response>'
[Fri May 17 22:30:03 CEST 2024] invalid domain
[Fri May 17 22:30:03 CEST 2024] invalid domain
[Fri May 17 22:30:03 CEST 2024] Error add txt for domain:_acme-challenge.domain.de
[Fri May 17 22:30:03 CEST 2024] _on_issue_err
[Fri May 17 22:30:03 CEST 2024] Please add '--debug' or '--log' to check more details.
[Fri May 17 22:30:03 CEST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Any idea where this goes wrong and/or what to do would be appreciated :)

Thanks,
Boris

edit
You would not believe it (or you will as that is probably what the error message tells us) - it was really simple, my password contained a stupid &ampersand and that seems to break things.

But funny enough, after changing the password I got the exact same issue as described above from Armin, and with the info provided here, I could verify that my domain also had 2 zones and I was able to resolve it - so thank you 👍