caddy-dns / cloudflare

Caddy module: dns.providers.cloudflare
Apache License 2.0

Let's Encrypt Certificate Challenge Failing for Subdomain with Docker Caddy #87

Status: Closed (depfryer closed this 5 hours ago)

depfryer commented 5 hours ago

Hi, I'm encountering an issue with obtaining a Let's Encrypt SSL certificate for the subdomain grafana.home.max97.eu while using Caddy in a rootless Docker environment. The error logs indicate that there are "no valid A records found" for the subdomain, despite having configured an A record pointing to a private IP address (192.168.1.231).

Current Configuration:

(tls_cloudflare) {
    tls {
        dns cloudflare {
            zone_token {env.CF_ZONE_TOKEN}
            api_token {env.CF_API_TOKEN}
        }
    }
}

*.home.domain.com {
    import tls_cloudflare
}

grafana.home.domain.com {
    reverse_proxy 192.168.1.231:3000  # on another machine (Caddyfile comments use '#', not '//')
}

Logs:

............
caddy-1  | {"level":"info","ts":1730825893.5759928,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"grafana.home.domain.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1  | {"level":"error","ts":1730825893.656716,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"grafana.home.domain.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for grafana.home.domain.com; no valid AAAA records found for grafana.home.domain.com","instance":"","subproblems":[]}}
......

But if I do my config like this:

(tls_cloudflare) {
    tls {
        dns cloudflare {
            zone_token {env.CF_ZONE_TOKEN}
            api_token {env.CF_API_TOKEN}
        }
    }
}
*.home.domain.com {
    import tls_cloudflare
}
(home_internal_http) {
    reverse_proxy {args[:]}
    import tls_cloudflare

}
grafana.home.domain.com {
    import home_internal_http 192.168.1.231:3000
}

it's working pretty much perfectly (it asks for a lot of certificates because I have a lot of subdomains), but if I take a look at my cert I have Common Name (CN) *home.domain.com.

Logs:

caddy-1  | {"level":"info","ts":1730827151.2705302,"logger":"tls.issuance.acme.acme_client","msg":"authorization finalized","identifier":"grafana.home.domain.com","authz_status":"valid"}
caddy-1  | {"level":"info","ts":1730827151.2706106,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/2040122667/320296781477"}
caddy-1  | {"level":"info","ts":1730827152.9056764,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["grafana.home.max97.eu"],"window_start":1735922410.3333333,"window_end":1736095210.3333333,"selected_time":1736084804,"recheck_after":1730848752.905669,"explanation_url":""}
etc.

Version:

Docker version 27.3.1, build ce12230 (rootless)
Caddy latest (2.8.4)

Thank you

mholt commented 5 hours ago

*home.domain.com isn't really a valid CN; wildcards have to be their own label.

That's about all the help I can give, since the domain seems to have been redacted, I can't actually look into what the issue may be.

In any case, this doesn't appear to be a bug in the Cloudflare module. Please ask your questions on our forum and we'll be able to help you with more eyes on it. (Fill out the help template.)
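The wildcard-label rule from the reply above, as an added example that is not part of the issue or of the Caddy project: a small Python checker that rejects `*home.domain.com` (the `*` is not its own label) and shows which hostnames `*.home.domain.com` actually covers. It assumes RFC 6125 matching, where a wildcard label stands in for exactly one hostname label; the domain names are the redacted ones from this thread.

```python
import re
from typing import Dict, Iterable

# Hostname label per RFC 1123: letters, digits and hyphens, 1..63 chars,
# no leading or trailing hyphen. A '*' is not a valid label character.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_cert_name(name: str) -> bool:
    """True if `name` is a well-formed DNS name for a certificate.

    A wildcard is only allowed as the entire leftmost label ("*.home.domain.com").
    "*home.domain.com" fails because "*home" is neither "*" nor a plain label.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                return False  # wildcard must be the leftmost label
            continue
        if not _LABEL_RE.match(label):
            return False  # covers "*home", empty labels, bad characters
    return True


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 style match: '*' matches exactly one label, nothing more."""
    if not is_valid_cert_name(cert_name):
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # "*.home.domain.com" does not cover "home.domain.com"
    return all(c == "*" or c == h for c, h in zip(cert_labels, host_labels))


def covered_hosts(cert_names: Iterable[str], hosts: Iterable[str]) -> Dict[str, bool]:
    """Map each host to whether any of the certificate's names covers it."""
    names = list(cert_names)
    return {host: any(name_matches(n, host) for n in names) for host in hosts}


if __name__ == "__main__":
    # Constructed sample: the names from this thread.
    print(is_valid_cert_name("*home.domain.com"))   # False
    print(covered_hosts(["*.home.domain.com"],
                        ["grafana.home.domain.com", "home.domain.com"]))
```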

depfryer commented 2 hours ago

Hi, I found what I was doing wrong. I added a DNS A record for *.home.max97.eu pointing to my internal IP, and the Caddyfile looks like this:

(tls_cloudflare) {
    tls {
        dns cloudflare {
            zone_token {env.CF_ZONE_TOKEN}
            api_token {env.CF_API_TOKEN}
        }
    }
}

*.home.domain.com {
    import tls_cloudflare
    # Grafana
    @grafana {
        host grafana.home.domain.com
    }
    handle @grafana {
        reverse_proxy 192.168.1.230:3000
    }
  ....