DNSonly - Manage API Tokens, api creation fail

splaquet

Well-Known Member
Sep 24, 2008
71
8
58
W. Hartford, CT
cPanel Access Level
Root Administrator
Twitter
I've had an incredibly difficult time trying to correctly create a DNS cluster, although I do believe that I've finally figured it out. hah... I can only hope that's the case this time!

A few days ago when I first set this up, I had my DNSonly server at the top tier. Unless I'm mistaken, the DNSonly server should actually be on the tail end of the sync. (am I correct there?) All of the cPanel diagrams confused me a little, but then I finally noticed "web server" and "name server" labels. I'm really not sure how that didn't click until now, but it just didn't.

One of my big questions was the "be very afraid of WHM to WHM sync" line. I'm actually still unsure of the solid answer. I can understand the obvious of what that's saying, but does that imply that WHM to DNSonly 2 way sync is 100% safe? If not, what is the most ideal sync hierarchy?

So, my issue developed from what looks like the cPanel upgrade, to v68+. The other day, if I'm remembering correctly, I was able to create the API Token easily enough on my DNSonly server, but I'm just not able to since the upgrade yesterday. The error below is what I'm seeing (see copy/paste text & screenshot of same). Also worth noting, I tried deselecting all options, selecting all options, some, etc. Nothing seemed to work. It's working totally fine on my cPanel servers. Only seems to be a problem on the DNSonly server.

The server is a Google Cloud VM. I was thinking that their promo would probably get me 1 free year of the DNSonly server, then under $7/mo afterwards. Can't go wrong with that price!

Code:
The system failed to create the API token: Invalid or unauthorized ACLs specified: cpanel-api, add-pkg-ip, acct-summary, list-accts, edit-account, limit-bandwidth, demo-setup, kill-acct, upgrade-account, manage-oidc, allow-shell, allow-unlimited-pkgs, quota, ssl-buy, edit-dns, allow-parkedcreate, allow-emaillimits-pkgs, cors-proxy-get, digest-auth, edit-mx, viewglobalpackages, allow-unlimited-bw-pkgs, show-bandwidth, allow-addoncreate, news, park-dns, list-pkgs, suspend-acct, add-pkg-shell, resftp, rearrange-accts, edit-pkg, public-contact, cpanel-integration, add-pkg, create-acct, thirdparty, track-email, generate-email-config, locale-edit, mysql-info, allow-unlimited-disk-pkgs, ssl-gencrt, and mailcheck
Screenshot 2017-10-17 17.23.21.jpg

As a side note, I'd like to suggest having a few more example diagrams of how NOT to set up a DNS cluster. As well, having a diagram of what the cluster looks like on the "name server" AND what it looks like on the "web server" would probably take a little bit more of the puzzle out of it. Even if it looks exactly the same on both of them, at least the user can feel comfortable knowing that they're headed in the right direction. I searched and searched online, but I really couldn't find much, other than people having issues. I wasn't able to find enough success stories for me to feel comfortable thinking, "oh wow, so THAT'S how you do it!"

I have waaaay too many people relying on me at this point, hosting wise. I just haven't had the time to truly get caught up on every area of sysadmin knowledge. I love learning, it's just that my client base has grown faster than I can keep up. I might have been confusing myself when it came down to proper DNS cluster setup, as I couldn't help but think how horrible of an effect that the wrong move could potentially have on a few hundred clients.

...so anyhow, thank you all for your help and time :)

- splaquet
 

cPWilliamL

cP Technical Analyst II
Staff member
May 15, 2017
258
30
103
America
cPanel Access Level
Root Administrator
Hi @splaquet,

As the error suggests, this is likely because the token doesn't have the necessary permissions, probably 'create-dns'.

> One of my big questions was the "be very afraid of WHM to WHM sync" line.
I'm assuming you're referring to "Do not use WHM-to-WHM two-way sync configurations" at:
DNS Cluster - Version 64 Documentation - cPanel Documentation

Often times we see users trying to use DNS clustering as a load balancer. This just means you shouldn't have two WHM servers syncing to each other, especially if they have the same domain on each server. Even with domains exclusive to each WHM server, you're adding DNS zones to a "master" server which it doesn't actually manage. It's okay to have two WHM servers sharing a DNSonly server, but they shouldn't be connected in a way that WHM syncs to WHM.

Thanks,
 

splaquet

Just for clarification, when you say "it's okay to have two WHM servers sharing a DNSonly server", are you saying that it's 100% okay to 2 way sync WHM 2 DNSonly? Everything kind of "implies" that, but I'd suggest actually defining that for people.

I mean, I don't know everything that I should really know about cPanel/WHM (obviously), but I know more than most... and I had a hell of a time getting this understood and (hopefully) squared away.

Also worth noting, I rewrote this and submitted to cPanel Support. TIX ID# 8957101

What we've concluded so far is that your support staff has been able to reproduce the issue. It seems as though it's something that's v68 specific. The DNSonly API token has more API call limitations in the recent version. Support staff was able to create 1 API Token, with ONLY "DNS > create dns zones" checked off. I wasn't able to reproduce it, so I replied back. We're still working on it.
 

cPWilliamL

> are you saying that it's 100% okay to 2 way sync WHM 2 DNSonly?
If you two-way sync with 2 WHM servers sharing a DNSonly server, you will end up with records for WHM2 on your WHM1 server via your DNSonly server. This isn't so much an issue until you have thousands of domains in the cluster. I would not recommend a two-way sync when multiple WHM servers are connected to the same DNSonly server. Otherwise, there is no issue with two-way sync.

To follow up on this issue, a case (CPANEL-16510) has been filed for API Token creation failing on cPanel DNSonly server on 68. The current workaround is to use the command line to create the tokens:
Code:
# whmapi1 api_token_create token_name=$name acl-1=all
--- 
data: 
  acls: 
    - all
  create_time: '1508373967'
  name: $name
  token: IA32KUILAVQCCDDFUE9VM8WLK3KERARP
metadata: 
  command: api_token_create
  reason: OK
  result: 1
  version: 1
 

splaquet

> If you two-way sync with 2 WHM servers sharing a DNSonly server, you will end up with records for WHM2 on your WHM1 server via your DNSonly server. This isn't so much an issue until you have thousands of domains in the cluster.

@cPWilliamL, quick question for you. so.... say I've made a few mistakes along the way and now I have all of those records scattered everywhere? :/ Is there an easy way to clean up those records, or at least get them synced up together?

Another quick question for you... Other than being recommended, is it a necessity to create a unique API token for each connection or can you use the same one (generated on the nameserver) on each cPanel/WHM server (web server)?

****

Let's just say that some of the greatest knowledge that I've acquired over the years of life has been from some of my greatest mistakes. While I cannot consider this one of my greatest mistakes, I've definitely spent more time on this one process than most other learning. I just hope that through my mistakes, I've tagged and used enough keywords in this thread for others to easily be able to find it. LOL... or maybe everyone else just figures it out right away and I've waaaaaay overcomplicated it on myself :/

I've scoured the web and just cannot find the answers that I seek, and the cPanel diagrams just aren't putting it together enough for me.

I'm not sure how I've missed this thread until just now, but this is the first "case use" example that I've been able to find online:
DNS Cluster with DNS ONLY

As a side note, I feel as though this is making me sound as though I'm *special*, but maybe coloring "web host" one color and "name server" another on your example diagrams? I have it now, but apparently my attention skipped over those small, yet so very important details at first.

thank you all very kindly for your help!

-shannon
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
> quick question for you. so.... say I've made a few mistakes along the way and now i have all of those records scattered everywhere? :/ Is there an easy way to clean up those records, or at least get them synced up together?
The synchronization feature in "WHM Home » DNS Functions » Synchronize DNS Records" will sync zones, but it won't delete any existing DNS zones. Thus, you'd need to delete any DNS zones you want removed from a specific server after updating your cluster configuration.

> Another quick question for you... Other than being recommended, is it a necessity to create a unique API token for each connection or can you use the same one (generated on the nameserver) on each cPanel/WHM server (web server)?
You can use the same API token.

Thank you.
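
The layout advice in this thread (no WHM-to-WHM sync, and no two-way sync when several WHM servers share one DNSonly server) and the note that synchronization never deletes zones can both be checked mechanically. The following is an added example, not code from cPanel or from any poster in the thread; the host names, the mode labels (`two-way`, `one-way`) and the zone lists are constructed for illustration and are not WHM option names.

```python
from collections import defaultdict

# Constructed sample data (not from the thread). Mode labels are assumptions
# for this sketch, not WHM option names.
ROLES = {"whm1": "whm", "whm2": "whm", "ns1": "dnsonly"}
LINKS = [("whm1", "ns1", "two-way"), ("whm2", "ns1", "two-way")]
# Domains each web server actually hosts vs. zones found on it.
OWNED = {"whm1": ["a.example"], "whm2": ["b.example"]}
PRESENT = {"whm1": ["a.example", "b.example"], "whm2": ["b.example"]}


def lint_cluster(roles, links):
    """Flag the two layouts the thread advises against."""
    findings = []
    shared = defaultdict(list)  # DNSonly host -> [(whm host, mode), ...]
    for a, b, mode in links:
        if roles[a] == roles[b] == "whm":
            findings.append(f"{a} <-> {b}: WHM-to-WHM sync")
            continue
        whm, ns = (a, b) if roles[a] == "whm" else (b, a)
        shared[ns].append((whm, mode))
    for ns, peers in sorted(shared.items()):
        if len(peers) < 2:
            continue  # a single WHM server may two-way sync with its DNSonly host
        for whm, mode in peers:
            if mode == "two-way":
                findings.append(f"{whm} <-> {ns}: two-way sync on a shared DNSonly server")
    return findings


def stray_zones(owned, present):
    """Zones sitting on a web server that does not host the domain.

    Synchronization does not delete zones, so these need manual removal
    after the cluster configuration is corrected.
    """
    result = {}
    for host, zones in present.items():
        extra = sorted(set(zones) - set(owned.get(host, [])))
        if extra:
            result[host] = extra
    return result


if __name__ == "__main__":
    for finding in lint_cluster(ROLES, LINKS):
        print("WARN", finding)
    for host, zones in stray_zones(OWNED, PRESENT).items():
        print(f"{host}: remove {', '.join(zones)}")
```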