znkr
commented
1 month ago I don't know for sure what's going on here, but I suspect that you need to create a zone for local.domain.tld.
Closed aDivineDragoness closed 1 month ago
znkr
commented
1 month ago I don't know for sure what's going on here, but I suspect that you need to create a zone for local.domain.tld.
aDivineDragoness
commented
1 month ago I don't know for sure what's going on here, but I suspect that you need to create a zone for local.domain.tld.
You mean on desec? I tried that and in that situation the module did not successfully create the _acme-challenge TXT records. I think either the module or the desec API cannot properly handle a zone that is a subdomain of another zone.
If you mean on my local dns server; I already have a zone there.
Either way, other tools like acme.sh have no problem. So I suspect some unnecessary checks/validations are being done.
znkr
commented
1 month ago adding temporary record for zone \"local.domain.tld.\": writing RRSets: unexpected status code 404: {\"detail\":\"Not found.\"}means that local.domain.tld is used as the zone for your request. The response means that the zone doesn't exist. You said that you tried adding a zone. Did that fail in the same way, or in a different way?
aDivineDragoness
commented
1 month ago You said that you tried adding a zone. Did that fail in the same way, or in a different way?
In contrary to my previous try, the module was able to create the txt records this time, so that may have been previously an error on my end.
(I'm going to not redact domain this time for convencience.)
Sep 16 18:01:54 web01 caddy[3644]: {"level":"info","ts":1726502514.2776566,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/161682943","account_contact":[]}
Sep 16 18:01:54 web01 caddy[3644]: {"level":"info","ts":1726502514.2837684,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"4de23565-e7be-40b2-b703-9338c47028c7","try_again":1726588914.2837667,"try_again_in":86399.999999547}
Sep 16 18:01:54 web01 caddy[3644]: {"level":"info","ts":1726502514.2840612,"logger":"tls","msg":"finished cleaning storage units"}
Sep 16 18:01:55 web01 caddy[3644]: {"level":"info","ts":1726502515.3680348,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.local.der.gs","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Sep 16 18:13:56 web01 caddy[3644]: {"level":"error","ts":1726503236.8059382,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"test.local.der.gs","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[test.local.der.gs] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/161682943/19156300723) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Sep 16 18:13:56 web01 caddy[3644]: {"level":"error","ts":1726503236.8065546,"logger":"tls.obtain","msg":"will retry","error":"[test.local.der.gs] Obtain: [test.local.der.gs] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/161682943/19156300723) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":722.529579387,"max_duration":2592000}
Sep 16 18:14:56 web01 caddy[3644]: {"level":"info","ts":1726503296.8068588,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"test.local.der.gs"}
Sep 16 18:14:56 web01 caddy[3644]: {"level":"info","ts":1726503296.807419,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/161682943","account_contact":[]}
Sep 16 18:14:57 web01 caddy[3644]: {"level":"info","ts":1726503297.3830533,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"test.local.der.gs","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
Sep 16 18:26:58 web01 caddy[3644]: {"level":"error","ts":1726504018.9719977,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"test.local.der.gs","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[test.local.der.gs] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/161682943/19156539563) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Sep 16 18:26:58 web01 caddy[3644]: {"level":"error","ts":1726504018.9727123,"logger":"tls.obtain","msg":"will retry","error":"[test.local.der.gs] Obtain: [test.local.der.gs] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/161682943/19156539563) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":1504.695736627,"max_duration":2592000}$ dig @1.1.1.1 _acme-challenge.test.local.der.gs txt +short
"O2BjT5YqBvgn5bgahEuAPfbY78DVY38QvQpTZ92fuOg"I have intentionally set the propagation_delay really high, just to make sure that propagation isn't the issue.
[...] means that local.domain.tld is used as the zone for your request
I don't like this behavior. Having to create zones for lower level subdomains makes everything more complicated. But again, i'm unsure if this is correctly placed here or better somewhere upstream.
znkr
commented
1 month ago [...] means that local.domain.tld is used as the zone for your request
I don't like this behavior. Having to create zones for lower level subdomains makes everything more complicated. But again, i'm unsure if this is correctly placed here or better somewhere upstream.
IIRC, we get the zone information from Caddy, this module doesn't have any control over it. So I think that needs to be a Caddy issue.
aDivineDragoness
commented
1 month ago oh, forgot to specifically mention it: while the TXT records now get created, it ultimately still doesn't work for me.
znkr
commented
1 month ago I think I remember now where Caddy gets the zone from: I think it uses the SOA record. With that, both of the failures you describe would be consistent with Caddy using a local DNS server that overrides the local.domain.tld zone. The first one, because your local DNS server would have a different zone than desec. The second one, because it's polling for the TXT record on the wrong server.
aDivineDragoness
commented
1 month ago That is more or less what my suspicion was.
Ok, now I feel dumb :woman_facepalming: Now that I have a better grasp about how caddy detects the zone and had a few better keywords to search the upstream repos, I realized that I totally missed the "resolvers"-Option in the tls directive. This can fix both cases.
I should just have RTFM more thouroughly...
Still, thank you very much for the help @znkr.
(a way to set it in the acme_dns option / globally instead of the tls directive would be nice tho :thinking: )
I don't know if this is the right place or better placed somewhere upstream.
Current Situation I have my domain "domain.tld" on desec. (redacted my actual domain in this issue for privacy) For internal use, I have "local.domain.tld" on a local dns server.
The Problem Requesting a certificate for domain.tld or any other subdomain other than local.domain.tld works perfectly fine. But when I try to request a certificate for any subdomain under local.domain.tld, it doesn't create an _acme-challenge record and fails subsequently.
If it is relevant, there is a wildcard on the public domain (*.domain.tld).
The Logs:
My Config:
Caddy Version: v2.8.4
I can issue a cert using acme.sh, so I doubt I misunderstand something fundamental about DNS.