
This is still just the prelude. Hello 2025.
白翼's Server Operations Blog
Haven’t visited NameSilo in a while, ever since I transferred all my domains out following their last .com price hike. Somehow, they’ve managed to increase the price again to a staggering $17.29.
Yes, I know they have a discount program where you can deposit a minimum of $50 for a .com renewal price of $11.05, but it’s still absurd that not making a deposit results in a difference of over $6.
Recently I found that my acme.sh automatic renewals had been failing over the past month, so I manually ran the cron job to find out what was going wrong.
By default, acme.sh waits 20 seconds after setting the TXT record in DNS, then confirms it via Cloudflare DNS before contacting Let's Encrypt (LE) for the challenge. However, the process was failing during the verification step with the following error:
original='{
"identifier": {
"type": "dns",
"value": "[redacted-domain]"
},
"status": "invalid",
"expires": "2024-11-27T16:02:48Z",
"challenges": [
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/[redacted]/LL1-zA",
"status": "invalid",
"validated": "2024-11-20T16:03:17Z",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.[redacted-domain] - check that a DNS record exists for this domain",
"status": 400
},
"token": "[redacted]"
}
To diagnose the problem, I manually confirmed that:
1) _acme-challenge was added to the right place,
2) both Cloudflare and Google DNS confirmed the existence of _acme-challenge.[redacted-domain],
3) I later tried to renew each domain individually, and they succeeded with additional retries.
Observation 3) gave me the idea to allow more time for Let's Encrypt's DNS resolver to fetch my DNS records properly, so I set the acme.sh DNS sleep time to 60s. With that, the issue did not reoccur, and all renewal operations completed successfully.
As my domains usually renew every 2 months, judging from the last issue date, it seems this issue began sometime after October: the cron job runs daily but does not attempt renewal unless the certificate is within one month of expiration.
Disclaimer: While I understand that there is the possibility of my Anycast DNS failing to propagate to the server closest to Let's Encrypt's DNS resolver, test results from a DNS propagation site show that my Anycast DNS updated the record instantly, let alone with a 20-second delay. As such, I do not find evidence of this being an issue on my DNS side, yet.
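One way to replace a fixed DNS sleep with an actual propagation check, as an added example that is not acme.sh's own code: before handing the challenge to Let's Encrypt, poll every authoritative nameserver of the zone for the _acme-challenge TXT value until all of them serve it. It assumes dig is installed; the zone, record name and token are placeholders.

```bash
#!/usr/bin/env bash
# Added example: wait until all authoritative nameservers of a zone serve the
# expected _acme-challenge TXT record. Querying the authoritative servers
# directly (+norecurse) sidesteps recursive-resolver caches such as 1.1.1.1 or
# 8.8.8.8, which can report a record while another resolver still sees nothing.

# txt_lookup <name> <server>: print the TXT strings <server> returns for <name>.
# Uses dig by default; can be redefined to stub out DNS when testing.
txt_lookup() {
    dig +short +norecurse -t TXT "$1" "@$2" 2>/dev/null | tr -d '"'
}

# auth_servers <zone>: list the authoritative NS hostnames of <zone>.
auth_servers() {
    dig +short -t NS "$1" 2>/dev/null
}

# wait_for_txt <name> <zone> <expected> [max_tries] [interval_seconds]
# Returns 0 once every authoritative server returns <expected>, 1 on timeout.
wait_for_txt() {
    name=$1; zone=$2; expected=$3; max=${4:-30}; interval=${5:-5}
    try=0
    while [ "$try" -lt "$max" ]; do
        try=$((try + 1))
        ok=1
        for server in $(auth_servers "$zone"); do
            if ! txt_lookup "$name" "$server" | grep -qxF -- "$expected"; then
                ok=0
                break   # this server does not have the record yet; retry later
            fi
        done
        [ "$ok" -eq 1 ] && return 0
        sleep "$interval"
    done
    return 1
}

# Usage (placeholder zone and token): run after the DNS API call that creates
# the TXT record, before triggering the ACME validation.
# wait_for_txt "_acme-challenge.example.com" "example.com" "<token-digest>" 24 5
```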
References:
https://community.letsencrypt.org/t/dns01-validation-timeouts/116844/2
Error: PHP cannot perform fsockopen over ssl://, even though PHP was compiled with --with-openssl
/usr/local/php-7.4/bin# ./php -i | grep ssl
Openssl default config => /usr/local/openssl-1.1.1w/openssl.cnf
/usr/local/openssl-1.1.1w/bin# ./openssl version -a
./openssl: symbol lookup error: ./openssl: undefined symbol: EVP_mdc2, version OPENSSL_1_1_0
References:
https://github.com/openssl/openssl/issues/11227
https://blog.csdn.net/hhd1988/article/details/125563134
After running echo "/usr/local/openssl-1.1.1w/lib" >> /etc/ld.so.conf.d/libc.conf && ldconfig, ./openssl version -a works, but PHP's fsockopen still fails. Not sure how to continue debugging; for now I switched to a non-SSL port and will prioritize upgrading the environment.
Thinking about it, the simplest fix is probably to change --with-openssl in the AMH install script to 3.0.2 (the system version).
Sharing: a handy LAN speed-test tool, OpenSpeedTest. Accessed through an HTML5 web page; simple and easy to use.
An explainer video on why SMS two-factor authentication is not secure.
Exposing The Flaw In Our Phone System – https://youtu.be/wVyu7NB7W6Y?si=vpdy_YKWUvwxwYm7
a) regreSSHion, CVE-2024-6387, is an unauthenticated remote code execution in OpenSSH's server (sshd) that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk.
Debian 12 users are advised to upgrade to 1:9.2p1-2+deb12u3 immediately.
b) The NGINX PGP signing key has been updated; all NGINX repository users are required to import the new keys.
Ever since the bgp.he.net service became unstable, I have been thinking about deploying a simple DNS lookup tool for my own use. Today I finally built a bare-bones one with Svelte and GitHub Pages.
Recommend reading: Why Mailhardener recommends SPF softfail over fail