Acme.sh with inwx dns validation

Hello :slight_smile:
I am atm integrating Let's Encrypt as my cert provider for my Turris.

Feature: Automated SSL Certificate Management with ACME.sh
As a system administrator
I want to automate SSL certificate management using ACME.sh
So that I can maintain valid SSL certificates for my domains

Background:
Given I have installed ACME.sh on my OpenWrt system
And I have configured my domain with INWX as DNS provider
And I have set the key size to "ecc-384"
And my DNS records are automatically updating via INWX DynDNS

Scenario: Certificate Issuance Fails Due to Incorrect Renewal Settings
Given I have the following configuration in LuCI:
| Setting | Value |
| Key Type | ECC |
| Key Size | 384 bits |
| DNS Provider | INWX |
| Challenge Type | dns-01 |
| Auto Renewal | never |
When I attempt to issue a new certificate using ACME.sh
Then the system should indicate a configuration error
And display "Renewal setting must be configured for automatic certificate management"
And suggest the following remediation steps:
| Step | Action |
| 1 | Change renewal setting from 'never' to 'auto' |
| 2 | Verify INWX DNS API credentials |
| 3 | Ensure DNS challenge validation is enabled |
But the certificate issuance process should not proceed

I must admit that I find your description confusing. Issuing a certificate fails but you don't get the error message(s) you expect? What are the messages (if any) you see in the log?

What I can say: I'm using acme.sh on my TO without issues (with dns.he.net as DNS provider). However, I've installed it directly using SSH without any integration into OpenWRT/Foris/LUCI (instead, certificates get created via CLI and the update process gets triggered via cron). I don't see why a similar configuration should not work with INWX.

Hi,

I do read that you use www.inwx.de as DynDNS. So you try to get a certificate and validation fails. If you search in the forum, you might find that in some cases Sentinel blocks the requests and there are solutions that deal with this issue. But if you are using "plain" OpenWRT you might be wrong here…

Greetz,
Vienna

@Vienna DNS validation doesn't need any open ports. So Sentinel won't block it. With DNS validation you make a proof that you own the domain by a TXT record in your DNS zone. And get a cert like that.

since he is using it as certificate authority…

since I do understand the acme instance needs counterproof, but maybe I am wrong.