Trouble Adding Certificate

ornias

That being said @silverback I just pushed our 21.04 release of TrueCharts to Master, so you should be able to deploy that in accordance with the Wiki guides and it should(tm) work with ix Certificates out of the box :)
 

ksimm1

    return f(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 1639, in __create_acme_certificate
    final_order = self.middleware.call_sync('acme.issue_certificate', job, 25, data, csr_data)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1266, in call_sync
    return methodobj(*prepared_call.args)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/acme_protocol_/issue_cert.py", line 117, in issue_certificate
    raise CallError(f'Certificate request for final order failed: {msg}')
middlewared.service_exception.CallError: [EFAULT] Certificate request for final order failed:
Authorization for identifier Identifier(typ=IdentifierType(dns), value='blabla.xyz') failed.
Here are the challenges that were not fulfilled:
Challenge Type: dns-01

Error information:
- Type: urn:ietf:params:acme:error:unauthorized
- Details: No TXT record found at _acme-challenge.blabla.xyz


I encountered the same 'no txt record found' issue when attempting to create a LE certificate with Cloudflare authenticator in the UI on the TrueNAS-SCALE-21.04-MASTER-20210409-132917 release. That error appears in the certificates screen so (I'm assuming) it's independent of the TrueCharts release. Regardless, I pulled in the new stable/incubator train as well before I began just to be sure. Gave up after about an hour or so. Going to wait & try again after the official 21.04 release.
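
The check that fails in the error above, as an added example that is not part of the thread or of the TrueNAS code: for dns-01 the CA looks up a TXT record at _acme-challenge.<domain> whose value is derived from the challenge token and the account key thumbprint (RFC 8555). The sketch computes that name and value and classifies what each nameserver returned; the token, thumbprint, nameserver names and TXT answers are constructed sample data.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    # Unpadded base64url, the encoding ACME (RFC 8555) uses.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_name(identifier: str) -> str:
    # A wildcard identifier is validated at the base name, without "*.".
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()


def expected_txt(token: str, thumbprint: str) -> str:
    # TXT value = base64url(SHA-256(token + "." + account-key thumbprint)).
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest())


def diagnose(identifier, token, thumbprint, answers):
    # answers: {nameserver: [TXT strings returned for the challenge name]}
    want = expected_txt(token, thumbprint)
    report = {}
    for ns, records in answers.items():
        seen = [r.strip().strip('"') for r in records]
        if want in seen:
            report[ns] = "ok"
        elif seen:
            report[ns] = "stale"    # record present, but from another order
        else:
            report[ns] = "missing"  # the CA sees "No TXT record found"
    return challenge_name(identifier), report


# Constructed sample data: token, thumbprint and nameserver names are made up.
TOKEN = "constructed-token-0001"
THUMBPRINT = b64url(hashlib.sha256(b"constructed-account-key").digest())
SAMPLE = {
    "ns1.example.net": ['"' + expected_txt(TOKEN, THUMBPRINT) + '"'],
    "ns2.example.net": [],
    "ns3.example.net": ['"value-left-over-from-an-earlier-order"'],
}

if __name__ == "__main__":
    name, report = diagnose("blabla.xyz", TOKEN, THUMBPRINT, SAMPLE)
    print(name)
    for ns, status in report.items():
        print(f"{ns}: {status}")
```

In practice the answers would come from querying each authoritative nameserver of the zone directly, for example with dig +short TXT _acme-challenge.blabla.xyz @<nameserver>, rather than a caching resolver.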
 

silverback

> I encountered the same 'no txt record found' issue when attempting to create a LE certificate with Cloudflare authenticator in the UI on the TrueNAS-SCALE-21.04-MASTER-20210409-132917 release. That error appears in the certificates screen so (I'm assuming) it's independent of the TrueCharts release. Regardless, I pulled in the new stable/incubator train as well before I began just to be sure. Gave up after about an hour or so. Going to wait & try again after the official 21.04 release.

Ok, thanks. Maybe it is not a configuration problem with my setup. I will wait as well before reporting a bug.
 

ornias

> That error appears in the certificates screen so (I'm assuming) it's independent of the TrueCharts release. Regardless, I pulled in the new stable/incubator train as well before I began just to be sure.

Don't assume.
The old version of TrueCharts should NOT be used with 21.02, as it contains its own ACME system which might in fact conflict with the one integrated into TrueNAS.

> Gave up after about an hour or so. Going to wait & try again after the official 21.04 release.

Unless there is an emergency patch because people ACTIVELY report this right away, there is NOT going to be any change to this on official 21.04. The release is in code freeze, so unless you can convince iX with bug reports that this is a priority issue that needs to be fixed, it is NOT going to be fixed at 21.04ALPHA release.


> Ok, thanks. Maybe it is not a configuration problem with my setup. I will wait as well before reporting a bug.

If you want ANY chance of a fix before 21.04, I would submit a bug report ASAP!

---

I've manually gone through the iX code and compared it to other implementations of Certbot using Python.

I've found some "not-so-nice" code, which I already know because I wrote the errors you guys are getting :P
But nothing majorly wrong.

The problem is that these issues tend to magically fix themselves.
So the hard part is getting debugs, so PLEASE submit as many debugs about this to iX as possible.
If you can, also try to add screenshots of your settings so iX can cross-reference those with the Debug.

In the defence of iX:
The documentation for certbot and, primarily, the lack of any "reference deployments", is complete and utter crap.

---

I've also updated the TrueCharts certificate documentation to now include some general advice and troubleshooting steps if Let's Encrypt/ACME instabilities hit you.
 

ornias

@ksimm1 You might want to add a screenshot of your Cloudflare DNS page in the private upload section too :)
Awesome bug report btw :)
 

ksimm1

> @ksimm1 Btw when I used the api token I put my ZoneID in email field (IIRC)

Interesting - I have a working ACME setup in pfSense that uses the zone ID credential, but in SCALE there is validation that prevents the email address field from being filled out alongside API Token:

[EINVAL] cloudflare_email: Should not be specified when using "api_token".

Maybe that validation was added recently?
 

stavros-k

> Interesting - I have a working ACME setup in pfsense that uses the zone ID credential, but in SCALE there is validation that prevents email address field from being filled out alongside API Token:
>
> [EINVAL] cloudflare_email: Should not be specified when using "api_token".
>
> Maybe that validation was added recently?

Hmm, I might be wrong. I just edited my ACME authenticator, and I have only used the API token.
I could swear I used zoneid somewhere, but can't really remember.
 