
No correct error handling if acme-dns hostname cannot be resolved by DNS #1447

Closed
oregano87 opened this issue Mar 12, 2020 · 1 comment
@oregano87

I am testing win-acme in my environment and I found out that there is no correct error handling if you are using acme-dns but the hostname cannot be resolved.

C:\acme-clients\win-acme.v2.1.5.742.x64.pluggable>wacs.exe --verbose
 [VERB] Verbose mode logging enabled
 [VERB] Looking for settings.json in C:\acme-clients\win-acme.v2.1.5.742.x64.pluggable
 [DBUG] Config folder: C:\ProgramData\win\pgwy.company.testacmedirectory
 [DBUG] Log path: ./logs\pgwy.company.testacmedirectory
 [DBUG] Cache path: C:\ProgramData\win\pgwy.company.testacmedirectory\Certificates
 [VERB] Arguments: --verbose
 [DBUG] Renewal period: 55 days

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.1.5.742 (RELEASE, PLUGGABLE)
 [INFO] ACME server https://pgwy.company.test/acme/directory
 [VERB] SecurityProtocol setting: SystemDefault
 [DBUG] Connection OK!
 [INFO] IIS version 10.0
 [INFO] Running with administrator credentials
 [WARN] Scheduled task not configured yet
 [INFO] Please report issues at https://github.com/win-acme/win-acme
 [VERB] Test for international support: 語言 язык لغة

 N: Create new certificate (simple for IIS)
 M: Create new certificate (full options)
 R: Run scheduled renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: M

 [INFO] Running in mode: Interactive, Advanced

  Please specify how the list of domain names that will be included in the
  certificate should be determined. If you choose for one of the "all bindings"
  options, the list will automatically be updated for future renewals to
  reflect the bindings at that time.

 1: IIS
 2: Manual input
 3: CSR created by another program
 C: Abort

 How shall we determine the domain(s) to include in the certificate?: <Enter>

 [DBUG] Scanning IIS sites
 [DBUG] Scanning IIS site bindings for hosts

  Please select which website(s) should be scanned for host names. You may
  input one or more site identifiers (comma separated) to filter by those
  sites, or alternatively leave the input empty to scan *all* websites.

 1: win.company.test (1 binding)

 Site identifier(s) or <ENTER> to choose all: <Enter>

 [VERB] 1 named bindings found in IIS
 [VERB] No site filter applied
 [VERB] No host filter applied
 [VERB] 1 matching binding found

 1: win.company.test (Site 1)

  You may either choose to include all listed bindings as host names in your
  certificate, or apply an additional filter. Different types of filters are
  available.

 1: Pick specific bindings from the list
 2: Pick bindings based on a search pattern
 3: Pick bindings based on a regular expression
 4: Pick *all* bindings

 How do you want to pick the bindings?: <Enter>

 [VERB] 1 named bindings found in IIS
 [VERB] No site filter applied
 [VERB] No host filter applied
 [VERB] 1 matching binding found
 [VERB] 1 named bindings found in IIS
 [VERB] No site filter applied
 [VERB] No host filter applied
 [VERB] 1 matching binding found

 1: win.company.test (Site 1)

 Continue with this selection? (y*/n)  - <Enter>

 [DBUG] Scanning IIS site bindings for hosts
 [VERB] 1 named bindings found in IIS
 [VERB] No site filter applied
 [VERB] No host filter applied
 [VERB] 1 matching binding found
 [INFO] Target generated using plugin IIS: win.company.test

 Suggested friendly name '[IIS] (any site), (any host)', press <ENTER> to accept or type an alternative: <Enter>

  The ACME server will need to verify that you are the owner of the domain
  names that you are requesting the certificate for. This happens both during
  initial setup *and* for every future renewal. There are two main methods of
  doing so: answering specific http requests (http-01) or create specific dns
  records (dns-01). For wildcard domains the latter is the only option. Various
  additional plugins are available from https://github.com/win-acme/win-acme/.
 [VERB] Adding 10.9.6.44 as DNS server

 1: [http-01] Save verification files on (network) path
 2: [http-01] Serve verification files from memory
 3: [http-01] Upload verification files via FTP(S)
 4: [http-01] Upload verification files via SSH-FTP
 5: [http-01] Upload verification files via WebDav
 6: [dns-01] Create verification records manually (auto-renew not possible)
 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns-01] Create verification records with your own script
 9: [tls-alpn-01] Answer TLS verification request from win-acme
 C: Abort

 How would you like prove ownership for the domain(s) in the certificate?: 7

 URL of the acme-dns server: https://acme-dns.company.test

 [DBUG] Using C:\ProgramData\win\acme-dns\acme-dns.company.test for acme-dns configuration
 [INFO] Creating new acme-dns registration for domain win.company.test
 [EROR] Error creating acme-dns registration
System.Net.Http.HttpRequestException: The requested name is valid, but no data of the requested type was found.
 ---> System.Net.Sockets.SocketException (11004): The requested name is valid, but no data of the requested type was found.
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at PKISharp.WACS.Clients.AcmeDnsClient.Register()

  After ownership of the domain(s) has been proven, we will create a
  Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
  determines properties of the certificate like which (type of) key to use. If
  you are not sure what to pick here, RSA is the safe default.

 1: Elliptic Curve key
 2: RSA key

 What kind of private key should be used for the certificate?:
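The log above ends with the acme-dns registration throwing an HttpRequestException that wraps SocketException 11004 (WSANO_DATA: the name exists in DNS but has no A/AAAA record), after which the wizard simply moves on to the key-type question. As an added illustration, not win-acme's own code (the real call site is PKISharp.WACS.Clients.AcmeDnsClient.Register() in the stack trace), here is one way to make that step fail fast: resolve the acme-dns host first, unwrap the socket error into an actionable message, and return a result the caller can stop on instead of continuing the wizard. RegistrationOutcome, AcmeDnsRegistrationCheck, RegisterAsync and the Program wrapper are assumed names; the POST /register endpoint is the acme-dns registration API.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Threading.Tasks;

// Hypothetical outcome type for the registration step (not a win-acme type).
public sealed class RegistrationOutcome
{
    public bool Succeeded { get; set; }
    public string Message { get; set; } = "";
}

public static class AcmeDnsRegistrationCheck
{
    // Resolve the acme-dns host before attempting the HTTP registration, so a
    // resolver failure is reported as exactly that instead of surfacing as a
    // generic HttpRequestException deep inside the wizard.
    public static async Task<RegistrationOutcome> RegisterAsync(HttpClient client, Uri acmeDnsServer)
    {
        try
        {
            var addresses = await Dns.GetHostAddressesAsync(acmeDnsServer.Host);
            if (addresses.Length == 0)
                return Fail($"acme-dns host '{acmeDnsServer.Host}' resolved to no addresses");
        }
        catch (SocketException ex)
        {
            return Fail(DescribeDnsFailure(acmeDnsServer.Host, ex));
        }

        try
        {
            // acme-dns creates a new registration on POST /register with an empty body.
            using var response = await client.PostAsync(new Uri(acmeDnsServer, "/register"), content: null);
            if (!response.IsSuccessStatusCode)
                return Fail($"acme-dns returned HTTP {(int)response.StatusCode} on /register");
            return new RegistrationOutcome { Succeeded = true, Message = "registration created" };
        }
        catch (HttpRequestException ex) when (ex.InnerException is SocketException sock)
        {
            // The HTTP stack wraps resolver/connect errors; unwrap so the operator sees the cause.
            return Fail(DescribeDnsFailure(acmeDnsServer.Host, sock));
        }
        catch (HttpRequestException ex)
        {
            return Fail($"could not reach acme-dns at {acmeDnsServer}: {ex.Message}");
        }
    }

    // Map the well-known Winsock resolver codes to an actionable message.
    // SocketError.NoData is the 11004 seen in the issue's stack trace.
    public static string DescribeDnsFailure(string host, SocketException ex) => ex.SocketErrorCode switch
    {
        SocketError.HostNotFound => $"acme-dns host '{host}' does not exist in DNS (NXDOMAIN)",
        SocketError.NoData       => $"acme-dns host '{host}' exists but has no A/AAAA record (WSANO_DATA, 11004)",
        SocketError.TryAgain     => $"DNS lookup for '{host}' timed out or the resolver is unreachable",
        _                        => $"DNS lookup for '{host}' failed: {ex.SocketErrorCode} ({ex.Message})",
    };

    private static RegistrationOutcome Fail(string message) =>
        new RegistrationOutcome { Succeeded = false, Message = message };
}

public static class Program
{
    // Hypothetical wizard step: abort on failure instead of asking the next question.
    public static async Task<int> Main()
    {
        using var http = new HttpClient();
        var outcome = await AcmeDnsRegistrationCheck.RegisterAsync(http, new Uri("https://acme-dns.company.test"));
        if (!outcome.Succeeded)
        {
            Console.Error.WriteLine($"[EROR] Error creating acme-dns registration: {outcome.Message}");
            return 1; // stop here; the key-type prompt must not be shown
        }
        Console.WriteLine("[INFO] acme-dns registration OK, continuing with CSR options");
        return 0;
    }
}
```

The pre-flight lookup is deliberate: a name that resolves but has no address record (11004) and a name that does not exist (11001) call for different fixes on the operator's side (a missing record versus a typo in the URL), and both are cheaper to diagnose from a one-line message than from the stack trace in the report.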
@WouterTinus
Member

Thanks, you are right, the creation process is doomed to failure at that point so we should stop asking questions like nothing happened.

@WouterTinus WouterTinus added this to the 2.1.6 milestone Mar 18, 2020