Apparent BUG with acme / dns_nsupdate

Hi all,

I'm trying to use acme-acmesh-dnsapi to get a LE cert for my router.

I've installed:
acme
acme-acmesh-dnsapi
luci-app-acme

I tried setup via luci and it accepted my configuration just fine, but did not seem to work.

Poking about in the logs and on the command line, I found that it keeps failing to use the dns_nsupdate script, and instead tries http based acme (which I have not configured and do not wish to use, as I host my own DNS servers, which can use dns-rfc2136 via certbot just fine).

Is this a known issue? or am I just being thick?

I checked enable debug, but the only logging is this:

Mon Nov 10 18:38:46 2025 daemon.info acme-acmesh: Running ACME for XXXX.org.uk with validation_method dns
Mon Nov 10 18:38:46 2025 daemon.info acme-acmesh: /usr/lib/acme/client/acme.sh --debug --ecc -d fort.weyr.org.uk --keylength ec-384 --accountemail sysadmin@XXXX.org.uk --server letsencrypt --dns dns_nsupdate --challenge-alias _acme-challenge.XXXX.org.uk. --issue --home /etc/acme

account.conf got created by luci and contains:

SAVED_NSUPDATE_SERVER='ns1.XXXX.org.uk'
SAVED_NSUPDATE_SERVER_PORT='XXX'
SAVED_NSUPDATE_KEY='/etc/acme/dns_rfc2136_key'
SAVED_NSUPDATE_ZONE='XXXX.org.uk'
SAVED_NSUPDATE_OPT=''

I tried also removing SAVED_ from the entries, but this did not help.

Is this just broken in 24.10.4 ?

Just a wild guess but do you have nsupdate installed and available?

Well, drat...

Thanks, that seems likely to be it - I had assumed the package manager would install dependencies, but I guess the deps are wrong on this one...

nice catch. It's giving a different error now, but I dont have time to look - I'll report back.

Check what kind of dependencies it is. Sometimes dependencies are only recommended but not strictly needed. Let's say if you use only http API then you do not need nsupdate....

I'd have expected the acme-acmesh-dnsapi package to have depended on nsupdate, tbf.

But no matter, it's installed.

It still doesn't work though. It still doggedly persists in trying to do acme over https using zerossl...

Is the following wrong? I've given up on trying to do this via luci, as it plainly doesn't work.

/usr/lib/acme/client/acme.sh --issue --dns dns_nsupdate --domain XXXX.org.uk --debug --config-home /etc/acme/

the debog log is extremely long, but this seems to be where it all goes wrong:

'''
Sat Nov 15 19:42:16 UTC 2025] Let's find the script directory.
[Sat Nov 15 19:42:16 UTC 2025] SCRIPT='/usr/lib/acme/client/acme.sh'
[Sat Nov 15 19:42:16 UTC 2025] _script='/usr/lib/acme/client/acme.sh'
[Sat Nov 15 19:42:16 UTC 2025] _script_home='/usr/lib/acme/client'
[Sat Nov 15 19:42:16 UTC 2025] Using default home: /root/.acme.sh
[Sat Nov 15 19:42:16 UTC 2025] Using config home: /etc/acme/
[Sat Nov 15 19:42:16 UTC 2025] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.1.1
[Sat Nov 15 19:42:16 UTC 2025] Running cmd: issue
[Sat Nov 15 19:42:16 UTC 2025] _main_domain='XXXX.org.uk'
[Sat Nov 15 19:42:16 UTC 2025] _alt_domains='no'
[Sat Nov 15 19:42:16 UTC 2025] Using config home: /etc/acme/
[Sat Nov 15 19:42:16 UTC 2025] Config file is empty, cannot read DEFAULT_ACME_SERVER
[Sat Nov 15 19:42:16 UTC 2025] default_acme_server
[Sat Nov 15 19:42:16 UTC 2025] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sat Nov 15 19:42:16 UTC 2025] _ACME_SERVER_HOST='acme.zerossl.com'
[Sat Nov 15 19:42:16 UTC 2025] _ACME_SERVER_PATH='v2/DV90'
[Sat Nov 15 19:42:16 UTC 2025] DOMAIN_PATH='/etc/acme//XXXX.org.uk_ecc'
[Sat Nov 15 19:42:16 UTC 2025] 'dns_nsupdate' does not contain 'dns'
[Sat Nov 15 19:42:16 UTC 2025] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Sat Nov 15 19:42:16 UTC 2025] _init API for server: https://acme.zerossl.com/v2/DV90
[Sat Nov 15 19:42:16 UTC 2025] GET
[Sat Nov 15 19:42:16 UTC 2025] url='https://acme.zerossl.com/v2/DV90'
[Sat Nov 15 19:42:16 UTC 2025] timeout=
[Sat Nov 15 19:42:16 UTC 2025] _WGET='wget -q -d --content-on-error '
'''

Still looking for a solution for this... anyone?

Please read the output carefully. It seams as you have a config issue.