Haven’t visited NameSilo in a while, ever since I transferred all my domains out following their last .com price hike. Somehow, they’ve managed to increase the price again to a staggering $17.29.

Yes, I know they have a discount program where you can deposit a minimum of $50 for a .com renewal price of $11.05, but it’s still absurd that not making a deposit results in a difference of over $6.

Weird issue with Let’s Encrypt DNS-01 resolution cache

Recently I found that my acme.sh automatic renewals had been failing over the past month, so I manually ran the cron job to find out what was going wrong.

By default, acme.sh waits 20 seconds after setting the TXT record in DNS, then confirms it via Cloudflare DNS before contacting LE for the challenge. However, the process was failing during the verification step with the following error:

original='{
"identifier": {
"type": "dns",
"value": "[redacted-domain]"
},
"status": "invalid",
"expires": "2024-11-27T16:02:48Z",
"challenges": [
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/[redacted]/LL1-zA",
"status": "invalid",
"validated": "2024-11-20T16:03:17Z",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.[redacted-domain] - check that a DNS record exists for this domain",
"status": 400
},
"token": "[redacted]"
}

To diagnose the problem, I manually confirmed that:

1) _acme-challenge was added in the right place,
2) both Cloudflare and Google DNS confirmed that _acme-challenge.[redacted-domain] existed,
3) when I later tried to renew each domain individually, they succeeded with additional retries.

Observation 3) gave me the idea of allowing more time for Let’s Encrypt’s DNS resolvers to fetch my DNS records, so I set the acme.sh DNS sleep time to 60s. With that, the issue did not recur, and all renewal operations completed successfully.
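The check described above (poll several resolvers for the _acme-challenge TXT record and only proceed once every one of them returns the expected token, rather than trusting a fixed sleep), as an added shell example that is not part of acme.sh or the original post. It assumes dig is installed; the resolver list, record name and token are placeholders. Note that Let’s Encrypt validates from its own resolvers against the zone’s authoritative servers, so public resolvers seeing the record is a necessary signal, not a sufficient one.

```shell
#!/bin/sh
# Added example (not acme.sh code): wait until every resolver in RESOLVERS
# returns the expected _acme-challenge TXT value before continuing.
# Assumes `dig` is available. Override RESOLVERS with the zone's authoritative
# nameservers (e.g. the output of `dig +short NS example.com`) to check those too.

RESOLVERS="${RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}"

# txt_seen_by NAME TOKEN RESOLVER
# Returns 0 when RESOLVER answers with a TXT record exactly equal to TOKEN.
txt_seen_by() {
    _name=$1; _token=$2; _resolver=$3
    # `dig +short` prints each TXT value quoted on its own line; strip the
    # quotes and look for an exact, fixed-string, whole-line match.
    dig +short +time=3 +tries=1 TXT "$_name" @"$_resolver" 2>/dev/null \
        | tr -d '"' | grep -Fxq -- "$_token"
}

# wait_for_txt NAME TOKEN [MAX_TRIES] [INTERVAL_SECONDS]
# Polls all resolvers; returns 0 once all agree, 1 after MAX_TRIES rounds.
wait_for_txt() {
    _name=$1; _token=$2; _max=${3:-12}; _interval=${4:-10}
    _try=0
    while [ "$_try" -lt "$_max" ]; do
        _missing=""
        for _r in $RESOLVERS; do
            txt_seen_by "$_name" "$_token" "$_r" || _missing="$_missing $_r"
        done
        if [ -z "$_missing" ]; then
            echo "all resolvers see $_name after $_try retries"
            return 0
        fi
        _try=$((_try + 1))
        echo "try $_try/$_max: not yet visible at:$_missing; sleeping ${_interval}s" >&2
        sleep "$_interval"
    done
    echo "gave up on $_name after $_max tries; still missing at:$_missing" >&2
    return 1
}

# Usage: sh check-txt.sh _acme-challenge.example.com <expected-token>
if [ "$#" -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```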

As my domains usually renew every 2 months, judging from the last issue date it seems this issue began sometime after October: the cron job runs daily but does not attempt renewal unless the certificate is within one month of expiration.

Disclaimer: While I understand it is possible that my Anycast DNS failed to propagate to the server closest to Let’s Encrypt’s DNS resolver, test results from a DNS propagation site show that my Anycast DNS updated the record instantly, let alone after a 20-second delay. As such, I have not yet found evidence that this is an issue on my DNS side.

References:
https://community.letsencrypt.org/t/dns01-validation-timeouts/116844/2

Notes: OpenSSL shared library problem with the AMH-compiled php-7.4 on Ubuntu 22

Error: PHP cannot fsockopen to ssl:// targets, even though the PHP build was compiled with --with-openssl

/usr/local/php-7.4/bin# ./php -i | grep ssl
Openssl default config => /usr/local/openssl-1.1.1w/openssl.cnf

/usr/local/openssl-1.1.1w/bin# ./openssl version -a
./openssl: symbol lookup error: ./openssl: undefined symbol: EVP_mdc2, version OPENSSL_1_1_0

References:

https://github.com/openssl/openssl/issues/11227
https://blog.csdn.net/hhd1988/article/details/125563134

After running echo "/usr/local/openssl-1.1.1w/lib" >> /etc/ld.so.conf.d/libc.conf && ldconfig, ./openssl version -a runs, but PHP's fsockopen still does not work. I am not sure how to continue debugging, so for now I have switched to a non-SSL port and will prioritise upgrading the environment.

My current thinking is that changing --with-openssl in the AMH install script to 3.0.2 (the system version) is the simplest fix.

Security Bulletin 2024-07-02

a) regreSSHion, CVE-2024-6387, is an unauthenticated remote code execution in OpenSSH’s server (sshd) that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk. [link]

Debian 12 users are advised to upgrade to 1:9.2p1-2+deb12u3 immediately. [link]

b) The NGINX PGP signing key has been updated; all NGINX repository users must import the new key. [link]

Just for fun: I’m now using BigQuery to import my credit card bills and analyze them, lol. (And the highest spend went to Uber Eats with no competition…)

SELECT
  shop,
  FORMAT_DATE('%Y-%m', date) AS ym,   -- bucket by calendar month
  SUM(amount) AS total                 -- spend per shop per month
FROM `credit_csvs.utf-8`
GROUP BY ym, shop
ORDER BY total DESC

This replaces my Python analysis script, so I can focus on adding more complex queries in the future.