TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

certbot acme-challenge 404 #612

Closed brainfish closed 1 year ago

brainfish commented 1 year ago

I am trying to set up Technitium using docker on ubuntu. DNS-over-HTTP is enabled, however when I try to run certbot certonly it fails due to 404 on the acme-challenge. Example output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for REDACTED
Performing the following challenges:
http-01 challenge for REDACTED
Using the webroot path /opt/technitium/dns/dohwww for all unmatched domains.
Waiting for verification...
Challenge failed for domain REDACTED
http-01 challenge for REDACTED
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: REDACTED
   Type:   unauthorized
   Detail: REDACTED-IP-ADDRESS: Invalid response from
   http://REDACTED/.well-known/acme-challenge/kuWl3AtYHjMZvBjP9JGRPLWQCh6tdbOmZD2ScUV1yGo:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I have tried putting a couple of test files in /opt/technitium/dns/dohwww/.well-known/acme-challenge and it appears it's a filename issue; I can load http://REDACTED/.well-known/acme-challenge/test.html in the browser, however http://REDACTED/.well-known/acme-challenge/test2 responds with a 404. Using watch ls in that directory, I can see certbot putting the challenge file there with appropriate contents.

How can I configure Technitium to serve all files from this directory, instead of requiring an (e.g.) .html extension?

ShreyasZare commented 1 year ago

Thanks for reporting this issue. The last major update had its web server replaced with Kestrel and by default it's only serving known file types. Will get this fixed in the upcoming update.

There is no workaround to make this work. You can though use DNS challenge if that is possible. Take a look at this blog post which explains how to configure DNS challenge with certbot.

ShreyasZare commented 1 year ago

There is one mitigation that can be done to allow HTTP challenge while this issue is fixed. You can set up a reverse proxy like nginx and add the following config to make it work.

```nginx
location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /opt/technitium/dns/dohwww/;
  default_type "text/plain";
  try_files $uri =404;
}
```

ShreyasZare commented 1 year ago

Technitium DNS Server v11.1 is now available that fixes this issue. Do update and let me know your feedback.
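The Kestrel behaviour described in the thread (only known file types are served) comes from ASP.NET Core's static-file middleware. The following is an added illustration, not Technitium's own code: a minimal Kestrel app showing the default and a scoped override for the ACME challenge path. The webroot path is taken from the issue; the challenge directory is assumed to exist.

```csharp
// Added example (not Technitium's code): why extensionless ACME tokens 404 with
// the default static-file middleware, and a scoped override for the ACME path.
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.FileProviders;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Webroot from the issue; the challenge subdirectory is assumed to exist
// (PhysicalFileProvider throws if it does not).
string webroot = "/opt/technitium/dns/dohwww";
string challengeDir = Path.Combine(webroot, ".well-known", "acme-challenge");

// Default behaviour: UseStaticFiles() only serves files whose extension maps to
// a known MIME type, so "/.well-known/acme-challenge/<token>" (no extension)
// returns 404 while "test.html" in the same directory is served.
// app.UseStaticFiles();

// Scoped fix: serve unknown file types only under the ACME challenge path and
// force text/plain, which is the content type the validator expects.
app.UseStaticFiles(new StaticFileOptions
{
    FileProvider = new PhysicalFileProvider(challengeDir),
    RequestPath = "/.well-known/acme-challenge",
    ServeUnknownFileTypes = true,
    DefaultContentType = "text/plain",
});

// Everything else keeps the default, known-types-only behaviour so that
// arbitrary extensionless files elsewhere in the webroot are not exposed.
app.UseStaticFiles();

app.Run();
```

Restricting ServeUnknownFileTypes to the challenge RequestPath, rather than enabling it globally, keeps the exposure limited to the directory certbot writes into.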