Error, can not get domain token entry *.domain.tld for dns-01

[Hossy]

Steps to reproduce

Honestly, not quite sure how to get the CA stuck in this pickle, but I can tell you the symptoms.
(note: strings have been randomized to look real and protect security)

[Tue Jan 30 00:45:18 CST 2024] acme.sh:issue:4671                       response='{"identifier":{"type":"dns","value":"domain.tld"},"status":"invalid","expires":"2024-02-24T07:05:50Z","challenges":[{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/Lt2qWPyV5nnHR8xZXClQHr","status":"invalid","error":{},"token":"pxFDt2QEktWOZsPIJq5r8H_cTasXmLBvUeJoQRRh4Y9D"}],"wildcard":true}#https://acme.zerossl.com/v2/DV90/authz/X8_yBrTW3uufk6DJb__mlt'

...

[Tue Jan 30 00:45:18 CST 2024] entry
[Tue Jan 30 00:45:18 CST 2024] Error, can not get domain token entry *.domain.tld for dns-01

The Problem

The problem that is happening is due to the code on line 4693: entry="$(echo "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"

where this is assuming the end of the challenge array item must be a } and the key:value pair of "error":{} is throwing a wrench in that.

The Solution (closer anyway, not perfect)

I have come up with a replacement for line 4693:
entry="$(echo "$response" | sed -n 's#"challenges":\[\([^]]*\)\]#\1#p' | sed 's#\(\}\),\({\)#\1\n\2#' | grep '"type":"'$vtype'"')"

It isn't perfect, but without a tool like jq and to remain POSIX compliant, it is extremely difficult to cover absolutely every case. For example, if, for some reason, the challenge array items start containing arrays themselves, we'll be back in the same boat. At least this should work until then. :-)

[Takalele]

Hi,
i'm also hitting this issue when using zerossl.com as CA.
@Hossy thank you for the workaround.
BR
Takalele

[Hossy]

Hi, i'm also hitting this issue when using zerossl.com as CA. @Hossy thank you for the workaround. BR Takalele

I'll pass your thanks onto my wife. lol. I was up until 4am reading 13.5k lines of bash debugging output. #insanethings

You can pull this if you use Docker: ghcr.io/hossy/acme.sh:jhtest-noautoupdate. Just be sure you want all my changes: master...Hossy:acme.sh:jhtest-noautoupdate

[daBee]

I am getting the same for http-01. This is not my forte, so I thought I would post all the same.

[Hossy]

[Tue Jan 30 00:45:18 CST 2024] entry

If you're running with --debug 2 and you're seeing lines similar to the ones below, this fix might help you. Couldn't hurt to try it, but if you do, please share your results.

[Tue Jan 30 00:45:18 CST 2024] entry
[Tue Jan 30 00:45:18 CST 2024] Error, can not get domain token entry *.domain.tld for [...]

[daBee]

acme.sh --upgrade
acme.sh --issue -d example.com -d www.example.com -w /home/user3/sites/example/public --debug 2

[Tue Jan 30 15:25:52 EST 2024] Error, can not get domain token "type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/pKJI6s74oF9vkw-kxJL_GQ","status":"invalid","error":{
[Tue Jan 30 15:25:52 EST 2024] pid
[Tue Jan 30 15:25:52 EST 2024] No need to restore nginx, skip.
[Tue Jan 30 15:25:52 EST 2024] _clearupdns
[Tue Jan 30 15:25:52 EST 2024] dns_entries
[Tue Jan 30 15:25:52 EST 2024] skip dns.
[Tue Jan 30 15:25:52 EST 2024] _on_issue_err
[Tue Jan 30 15:25:52 EST 2024] Please add '--debug' or '--log' to check more details.
[Tue Jan 30 15:25:52 EST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Tue Jan 30 15:25:52 EST 2024] _chk_vlist
[Tue Jan 30 15:25:52 EST 2024] Diagnosis versions:
openssl:openssl
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
apache:
apache doesn't exist.
nginx:
nginx version: nginx/1.22.1
built by gcc 11.3.1 20221121 (Red Hat 11.3.1-4) (GCC)
built with OpenSSL 3.0.7 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-compat --with-debug --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-openssl-opt=enable-ktls --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-cc-opt='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,-E'
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.1 on Aug 10 2021 00:00:00
   running on Linux version #1 SMP PREEMPT_DYNAMIC Tue Aug 8 04:07:27 EDT 2023, release 5.14.0-284.25.1.el9_2.x86_64, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_VSOCK 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #define WITH_READLINE 1
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #undef WITH_LIBWRAP
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

[Hossy]

@daBee So, --upgrade won't get you this fix. You'll either need to manually edit acme.sh, grab it off my branch, or something like that. Try replacing that line and retry your --issue command.

EDIT: But thanks. You made me look and I found a second instance of that bad line and updated it in my PR #4973.

[dreyTee]

@daBee So, --upgrade won't get you this fix. You'll either need to manually edit acme.sh, grab it off my branch, or something like that. Try replacing that line and retry your --issue command.

EDIT: But thanks. You made me look and I found a second instance of that bad line and updated it in my PR #4973.

Thanks for fix, saved me some precious time!

[daBee]

OK, that worked for domain 1 and 2. I have a third domain that won't even issue.

[Tue Feb  6 09:56:39 EST 2024] get authz objec with invalid status, please try again later.
[Tue Feb  6 09:56:39 EST 2024] _authorizations_seg='https://acme.zerossl.com/v2/DV90/authz/65bT0SA33XvgrOJgtXPViA,https://acme.zerossl.com/v2/DV90/authz/i1VXtCl26I9vEvubNbvvcQ'
[Tue Feb  6 09:56:39 EST 2024] {"identifier":{"type":"dns","value":"example.com"},"status":"invalid","expires":"2024-03-06T07:47:20Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/crtE5jbLzNCGstbjH4LA-Q","status":"invalid","error":{},"token":"7UlRFrMDUzKrugN8V1N4xB9ghcb2xoOXKjtFtyVi98o"}]}
[Tue Feb  6 09:56:39 EST 2024] pid

Not sure if this is related. I'm also having security issues with domain 2 after a successful installation. I've had a look and it's not clear why it's not secure. Another issue, I'm thinking, as issuance and installation have cleared.

[Hossy]

OK, that worked for domain 1 and 2. I have a third domain that won't even issue.

[Tue Feb  6 09:56:39 EST 2024] get authz objec with invalid status, please try again later.
[Tue Feb  6 09:56:39 EST 2024] _authorizations_seg='https://acme.zerossl.com/v2/DV90/authz/65bT0SA33XvgrOJgtXPViA,https://acme.zerossl.com/v2/DV90/authz/i1VXtCl26I9vEvubNbvvcQ'
[Tue Feb  6 09:56:39 EST 2024] {"identifier":{"type":"dns","value":"example.com"},"status":"invalid","expires":"2024-03-06T07:47:20Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/crtE5jbLzNCGstbjH4LA-Q","status":"invalid","error":{},"token":"7UlRFrMDUzKrugN8V1N4xB9ghcb2xoOXKjtFtyVi98o"}]}
[Tue Feb  6 09:56:39 EST 2024] pid

Not sure if this is related. I'm also having security issues with domain 2 after a successful installation. I've had a look and it's not clear why it's not secure. Another issue, I'm thinking, as issuance and installation have cleared.

It seems to be a problem with resolving the challenge. I would post in Discussions and include a full debug log. Also, I would check your DNS to ensure the challenge entry doesn't already exist from a previously failed run. You might need to delete it manually.

[daBee]

OK, just to be clear, this is not dns but http. I will post in discussions.

[nmartinho]

Same problem here.
"get authz objec with invalid status, please try again later."

I had to switch from Zerossl to Letsencrypt, and renew now is ok, without errors.

[daBee]

OK good to know. I was going to try switching providers today.