Namecheap dns replaces '+' with ' ' in existing txt records #2052

Closed
Duckle29 opened this issue Jan 23, 2019 · 10 comments

@Duckle29

Steps to reproduce

  • Have a TXT record that has '+' characters in the value
  • Acquire wildcard certificate with NameCheap DNS
  • '+' characters are now replaced with space (' ') characters
@Neilpang
Member

any logs?

@Duckle29
Author

I'm running into some issues getting logs because I have since set up CAA records, and I'm running into new issues with those:

[Fri Jan 25 09:42:46 EST 2019] POST
[Fri Jan 25 09:42:46 EST 2019] _post_url='https://api.namecheap.com/xml.response'
[Fri Jan 25 09:42:46 EST 2019] body='ApiUser=XXXX&ApiKey=XXXX&ClientIp=XXXX&UserName=XXXX&Command=namecheap.domains.dns.setHosts&SLD=mikkel&TLD=cc&HostName1=contabo1&RecordType1=A&Address1=173.249.39.75&MXPref1=10&TTL1=1799&HostName2=home&RecordType2=A&Address2=85.191.207.221&MXPref2=10&TTL2=1799&HostName3=mikrovps1&RecordType3=A&Address3=185.112.158.144&MXPref3=10&TTL3=1799&HostName4=openvz1&RecordType4=A&Address4=107.161.172.35&MXPref4=10&TTL4=1799&HostName5=@&RecordType5=CAA&Address5=0 issuewild "letsencrypt.org"&MXPref5=10&TTL5=1799&HostName6=_acme-challenge&RecordType6=CAA&Address6=0 issuewild "letsencrypt.org"&MXPref6=10&TTL6=1799&HostName7=www&RecordType7=CNAME&Address7=example.com.&MXPref7=10&TTL7=1800&HostName8=@&RecordType8=TXT&Address8=protonmail-verification=3e048e1a8eab9edec7aa4e47cd95edc44f3f2530&MXPref8=10&TTL8=1799&HostName9=@&RecordType9=TXT&Address9=v=spf1 include:_spf.protonmail.ch mx ~all&MXPref9=10&TTL9=1799&HostName10=_dmarc&RecordType10=TXT&Address10=v=DMARC1; p=none; rua=mailto:abuse@mikkel.cc&MXPref10=10&TTL10=1799&HostName11=@&RecordType11=MX&Address11=mail.protonmail.ch.&MXPref11=10&TTL11=1799&HostName12=@&RecordType12=MX&Address12=mailsec.protonmail.ch.&MXPref12=20&TTL12=1799&HostName13=autotorrent&RecordType13=CNAME&Address13=contabo1.mikkel.cc.&MXPref13=10&TTL13=1799&HostName14=lounge&RecordType14=CNAME&Address14=contabo1.mikkel.cc.&MXPref14=10&TTL14=1799&HostName15=ubnt&RecordType15=CNAME&Address15=contabo1.mikkel.cc.&MXPref15=10&TTL15=1799&HostName16=ts&RecordType16=CNAME&Address16=contabo1.mikkel.cc.&MXPref16=10&TTL16=1799&HostName17=nextcloud&RecordType17=CNAME&Address17=contabo1.mikkel.cc.&MXPref17=10&TTL17=1799&HostName18=protonmail._domainkey&RecordType18=TXT&Address18=v=DKIM1; k=rsa; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlwzc8dopjqgzYt/ehG3g4Cug+jFzuzpwQ2Dkb3zmj4VJzzxEeoGH6tWMsVyezfN1X0LpT86CuaG0YvOhcpaoseiHQgZQeT93de4DoNmVDckpKpBgGC0zZiuFiYb/oelzFGO1XF4rdy5AE+Ck6bg3VNkqUm0DYofkjRHMKYoVdOQIDAQAB&MXPref18=10&TTL18=1799&HostName19=_acme-challenge&RecordType19=TXT&Address19=AFbvq_TMEoUH080LXbbYIxaXYrKVLCHSuI6pEHwhcwg&MXPref19=10&TTL19=120'
[Fri Jan 25 09:42:46 EST 2019] _postContentType
[Fri Jan 25 09:42:46 EST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.JKTHkNZ3oJ  -g '
[Fri Jan 25 09:42:51 EST 2019] _ret='0'
[Fri Jan 25 09:42:51 EST 2019] response='<?xml version="1.0" encoding="utf-8"?>
<ApiResponse Status="ERROR" xmlns="http://api.namecheap.com/xml.response">
  <Errors>
    <Error Number="2050900">The CAA record is invalid.</Error>
  </Errors>
  <Warnings />
  <RequestedCommand>namecheap.domains.dns.sethosts</RequestedCommand>
  <CommandResponse Type="namecheap.domains.dns.setHosts">
    <DomainDNSSetHostsResult Domain="mikkel.cc" EmailType="" IsSuccess="false">
      <Warnings />
    </DomainDNSSetHostsResult>
  </CommandResponse>
  <Server>PHX01APIEXT03</Server>
  <GMTTimeDifference>--5:00</GMTTimeDifference>
  <ExecutionTime>1.851</ExecutionTime>
</ApiResponse>'
[Fri Jan 25 09:42:51 EST 2019] error The CAA record is invalid.
[Fri Jan 25 09:42:51 EST 2019] The CAA record is invalid.
[Fri Jan 25 09:42:51 EST 2019] Error add txt for domain:_acme-challenge.mikkel.cc
[Fri Jan 25 09:42:51 EST 2019] _on_issue_err
[Fri Jan 25 09:42:51 EST 2019] Please add '--debug' or '--log' to check more details.
[Fri Jan 25 09:42:51 EST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

@Duckle29
Author

Duckle29 commented Jan 25, 2019

I have contacted namecheap as that error code isn't documented.
edit: namecheap is aware of the issue and will update their docs. I'll wait for the ttl to die on my caa records and re-test

@Duckle29
Author

Sad update:

It is currently not possible to add CAA records via API

@Duckle29
Author

Okay, CAA records gone, reran it with debug2. I have the log file now, but it contains sensitive data like API keys and such.

How would I best submit this?

@Duckle29
Author

I put the debug file here: https://nextcloud.mikkel.cc/s/M5APkSF3gQBr5x4 with pass: debugacme15
The file expires in a week.

I have no clue how private these details are, so I'm probably being overcautious, but yea :)

Notice how the DKIM value has its '+' stripped and replaced with ' '

@Neilpang
Member

@Duckle29
Thanks for your logs.
I was not the original author of the namecheap api hook, but I just made a fix for you.

Please upgrade to the latest dev branch:

acme.sh --upgrade  -b dev

And then try again.

Sorry for the trouble.

@Duckle29
Author

Hey man, no issues. It's an awesome script and I'm just happy NameCheap is supported at all :)

I tried out the new changes, and the issue no longer shows up in the debug output. However, it still replaces + with spaces. It doesn't do that when adding the acme challenge; it only does so afterwards, when removing the acme challenge.

From what I could read on NameCheap's API, apparently, the "setHost" command completely wipes all hosts, and then sets it to what's provided, effectively deleting hosts that you don't set.

This leads me to believe the problem now happens in dns_namecheap_rm()?

@Neilpang
Member

Yes, you are right.

I just made another fix.
Please try again.

acme.sh --upgrade -b dev

@Duckle29
Author

That fixed it, and no issues encountered.
Thanks for fixing the --staging as well, as I just ran into my rate-limit on non-staging, and I saw you changed the API to not use the API sandbox along with the --staging variable

awesome :D
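
The failure reported in this thread, reproduced as an added example (not acme.sh code, and not the fix that was committed): a value placed unencoded into an application/x-www-form-urlencoded body has each '+' read as a space by a standard form decoder, so a DKIM key that is resent on every record rewrite comes back corrupted unless it is percent-encoded first. `form_encode`, `form_decode` and the sample value are hypothetical and constructed for illustration; ASCII input is assumed.

```shell
#!/bin/sh
# Added example; form_encode/form_decode are hypothetical helpers (ASCII input assumed).

# Percent-encode a value for an application/x-www-form-urlencoded body.
# Only RFC 3986 unreserved characters pass through unchanged.
form_encode() {
  _in=$1 _out=
  while [ -n "$_in" ]; do
    _rest=${_in#?}
    _c=${_in%"$_rest"}
    case $_c in
      [A-Za-z0-9._~-]) _out=$_out$_c ;;
      *) _out=$_out$(printf '%%%02X' "'$_c") ;;
    esac
    _in=$_rest
  done
  printf '%s' "$_out"
}

# What a standard form decoder does on the receiving side:
# '+' becomes a space, %XX becomes the byte it names.
form_decode() {
  _in=$1 _out=
  while [ -n "$_in" ]; do
    case $_in in
      +*) _out="$_out "; _in=${_in#?} ;;
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        _hex=${_in#?}; _hex=${_hex%"${_hex#??}"}
        _out=$_out$(printf '%b' "\\0$(printf '%03o' "0x$_hex")")
        _in=${_in#???} ;;
      *) _rest=${_in#?}; _out=$_out${_in%"$_rest"}; _in=$_rest ;;
    esac
  done
  printf '%s' "$_out"
}

# Constructed DKIM-style TXT value (not the key from the log above).
SAMPLE='v=DKIM1; k=rsa; p=QUJD+REVG/R0hJ+Sg=='

printf 'sent raw     -> stored: %s\n' "$(form_decode "$SAMPLE")"
printf 'sent encoded -> stored: %s\n' "$(form_decode "$(form_encode "$SAMPLE")")"
```

The same encoding has to be applied on every path that resends existing records, including the one that removes the challenge, since the thread describes the setHosts call as replacing the whole record set.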
