Acme.sh: Error, can not get domain token entry ... The supported validation types are: dns-01 , but you specified: http-01

Hi,

I am trying to configure some Let's Encrypt automation with acme.sh, using this guide: https://openwrt.org/docs/guide-user/services/tls/certs

I have:
Powered by LuCI openwrt-22.03 branch (git-22.288.45147-96ec0cd) / OpenWrt 22.03.2 r19803-9a599fee93

I am trying to get wildcard certificate, but getting this error:

Thu Dec 22 21:12:44 2022 daemon.err run-acme[30869]: Error, can not get domain token entry *.emuari.lv for http-01
Thu Dec 22 21:12:44 2022 daemon.err run-acme[30869]: The supported validation types are: dns-01 , but you specified: http-01

What could be wrong?

I got some *.key, *.csr, *.json, *.conf files under /etc/acme subdirectories, but there are not any *.crt or *.pem files.

You must use DNS validation to get a wildcard cert. HTTP validation is not enough for a wildcard.


Is it the same as "Challenge Validation"?

Yup: Challenge Validation
Validation Method: DNS

Maybe you have to install acme-acmesh-dnsapi

Yes. I already noted that and installed it.
But as I am just a kind of amateur or beginner, I am a bit confused about what is what in the config and the next steps.
My DNS provider doesn't provide API access, so it looks like I should follow this guide (https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode), but I am quite confused about what is what and what to put where in LuCI or on my DNS provider's DNS records page.

Currently I have found some info about the acme.sh script itself, but not yet info about how to configure it in LuCI, except basic info.

Could you recommend some links to tips, howtos, etc.?

Thanks in advance.

The basic premise of LE is to "prove" you are the owner of the domain. It can do this either by HTTP or DNS challenge.

For HTTP, ACME needs write access to a web server directory that is resolvable via your public domain name, and that folder must be publicly readable over port 80 (most ISPs block port 80). ACME will write a token file into that directory and LE will need to read that token file.

If port 80 is blocked by your ISP (I suspect yours will be if it is a home router) then you must use DNS challenge. If your DNS provider doesn't offer tokenized write-access to your sub-domain you could do it manually by writing the text record into your DNS but to do this every 90 days is going to be a real headache.

Another option is to create a static CNAME to some other domain name where you can do dynamic updates, and make acme update this name instead. I believe such alias names are supported by default in some of the acme dns scripts.

Thank you for your replies - they shed some light, but there is also some lack of info from my side.

So what I have:

  • Fixed IP address with no blocking ports
  • Access to my profile on my DNS provider's web page where I can manage my DNS network records, but it has no DNS API (as far as I know)
  • I have an A network record that links my IP to *.mydomain.name
  • nginx web server with one subdomain on router, but others on some other LAN resources

So q:

  • In the HTTP challenge (Standalone - right?) and wildcard certificate case - how do I tell which of my subdomains of *.mydomain.name I should use for the challenge test? And is it enough with one?
  • How could the CNAME look in my DNS challenge case (*.mydomain.name)? And can I use the DNS validation option on my OpenWrt router if my DNS provider has no DNS API?

See https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode

Don't know whether the OpenWrt package supports this. Haven't tried it.

HTTP challenge doesn't support wildcards.
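
The records that the DNS alias mode linked in the replies needs for a wildcard, worked through as an added example that is not part of the thread or of acme.sh. `mydomain.name` is the placeholder used above; `alias-zone.example` (a second zone whose provider does have an API) and the `dns_<hook>` name in the closing comment are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): which challenge type a name may use,
# and which static CNAMEs DNS alias mode needs. Input names are constructed.

# Drop a leading "*." : the CA validates a wildcard at the parent name.
strip_wildcard() {
    case "$1" in
        '*.'*) printf '%s\n' "${1#??}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Succeeds only if the challenge type can validate the name.
# Wildcards are offered dns-01 only, which is what the log in the thread says.
method_allowed() {  # $1 = name, $2 = http-01 | dns-01
    case "$1" in
        '*.'*) [ "$2" = "dns-01" ] ;;
        *)     [ "$2" = "http-01" ] || [ "$2" = "dns-01" ] ;;
    esac
}

# Name the CA queries for the dns-01 TXT record.
challenge_name() {
    printf '_acme-challenge.%s\n' "$(strip_wildcard "$1")"
}

# Static CNAMEs to create once at the provider that has no API.
# $1 = alias zone, remaining args = names on the certificate.
plan_cnames() {
    alias_zone=$1; shift
    seen=""
    for name in "$@"; do
        rec=$(challenge_name "$name")
        case " $seen " in *" $rec "*) continue ;; esac  # base + wildcard share one record
        seen="$seen $rec"
        printf '%s. CNAME _acme-challenge.%s.\n' "$rec" "$alias_zone"
    done
}

# Demo on constructed input.
if ! method_allowed '*.mydomain.name' http-01; then
    echo "http-01 cannot validate *.mydomain.name; use dns-01"
fi
plan_cnames alias-zone.example mydomain.name '*.mydomain.name'
# acme.sh then writes the TXT record in the alias zone, e.g.:
#   acme.sh --issue -d mydomain.name -d '*.mydomain.name' \
#     --challenge-alias alias-zone.example --dns dns_<hook for the alias zone>
```

The base name and its wildcard resolve to the same `_acme-challenge` record, so a single CNAME at the original provider covers both, and renewals only touch the alias zone.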