caddy-dns / duckdns

Caddy module: dns.providers.duckdns

override_domain and multiple subdomains #5

Closed conrad82 closed 3 years ago

conrad82 commented 3 years ago

Regarding https://github.com/caddy-dns/duckdns#challenge-delegation

This is maybe not a bug, but I migrated from local certs to Let's Encrypt using a new domain, a CNAME to DuckDNS, and override_domain like so:

(duckdns) {
    tls {
        dns duckdns {
            api_token <TOKEN>
            override_domain <duckdns-domain>.duckdns.org
        }
    }
}

This resulted in a lot of Incorrect TXT record errors, which I suspect is due to all my subdomains trying to register with let's encrypt at the same time, resulting in overwrites of the TXT records.

Is this something that can be fixed by either some wildcard certificate request, or by staggering the requests, or adding different timeouts?

The subdomains seem to be trickling in; after 10-20 minutes about 5 of 8 subdomains are working.

{"level":"error",
"ts":1614241722.1536422,
"logger":"tls.issuance.acme.acme_client",
"msg":"challenge failed",
"identifier":"<subdomain>.<domain>",
"challenge_type":"dns-01",
"status_code":403,
"problem_type":"urn:ietf:params:acme:error:unauthorized",
"error":"Incorrect TXT record \"<token>\" found at _acme-challenge.<subdomain>.<domain>"}

francislavoie commented 3 years ago

Ah, yeah that's unfortunately a limitation of duckdns, you can only set up TXT records on the main subdomain (not on any sub-subdomains) which also means only one acme challenge record at a time.

To fetch a wildcard cert, you'll need to write your config like this:

*.your.duckdns.org {
    tls {
        dns duckdns {env.DUCKDNS_TOKEN}
    }

    @foo host foo.your.duckdns.org
    handle @foo {
        # do whatever
    }

    @bar host bar.your.duckdns.org
    handle @bar {
        # do whatever
    }

    handle {
        # fallback for otherwise unhandled domains
    }
}

I haven't tried that with challenge delegation yet but the same concept should apply.
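The collision francislavoie describes, worked through in code as an added example (this is not code from the caddy-dns/duckdns project or from either participant). It models DuckDNS as a zone that holds a single TXT value for every name under my.duckdns.org (an assumption of the model, which also collapses the CNAME hop of the reporter's override_domain setup into one lookup), runs several concurrent DNS-01 orders against it, then the single wildcard order from the reply. Host names, the zone name and the challenge values are constructed; the `key_authorization` helper is a deterministic stand-in for the real ACME token, not the ACME algorithm.

```python
"""Toy model of the failure in this thread: a DNS provider that keeps ONE TXT
value for a whole subdomain tree (every write overwrites it), hit by several
concurrent DNS-01 orders, versus one wildcard order. Added example, not
caddy-dns/duckdns code; my.duckdns.org and the host names are constructed."""
import hashlib
from typing import Dict, List, Optional


class SingleTxtZone:
    """Assumed model of the DuckDNS behaviour described in the reply: one TXT
    record on the main subdomain, returned for every name beneath it."""

    def __init__(self, zone: str) -> None:
        self.zone = zone
        self.txt: Optional[str] = None
        self.writes = 0  # how many update calls the client had to make

    def set_txt(self, value: str) -> None:
        self.txt = value  # overwrites whatever another order just published
        self.writes += 1

    def lookup_txt(self, name: str) -> Optional[str]:
        if name == self.zone or name.endswith("." + self.zone):
            return self.txt
        return None


def key_authorization(identifier: str) -> str:
    """Deterministic stand-in for the per-challenge value the CA expects
    (real ACME derives it from a random token and the account key)."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:43]


def validation_name(identifier: str) -> str:
    """RFC 8555 s8.4: the TXT is checked at _acme-challenge.<identifier>,
    with a leading '*.' removed for wildcard identifiers."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def validate(zone: SingleTxtZone, identifier: str) -> Optional[str]:
    """CA-side check: None on success, else an error shaped like the
    'Incorrect TXT record' line in the issue's log."""
    name = validation_name(identifier)
    found = zone.lookup_txt(name)
    if found == key_authorization(identifier):
        return None
    return f'Incorrect TXT record "{found}" found at {name}'


def run_parallel(zone: SingleTxtZone, idents: List[str]) -> Dict[str, Optional[str]]:
    """Worst-case interleaving of concurrent orders: every order publishes
    its record before the CA validates any, so only the last writer wins."""
    for ident in idents:
        zone.set_txt(key_authorization(ident))
    return {ident: validate(zone, ident) for ident in idents}


def rounds_until_all_issued(zone: SingleTxtZone, idents: List[str], max_rounds: int = 50) -> int:
    """Retry the failed orders round by round: one more succeeds per round,
    which is the 'trickling in' the reporter saw. -1 if max_rounds ran out."""
    pending, rounds = list(idents), 0
    while pending and rounds < max_rounds:
        rounds += 1
        pending = [i for i, err in run_parallel(zone, pending).items() if err]
    return -1 if pending else rounds


def run_serialized(zone: SingleTxtZone, idents: List[str]) -> Dict[str, Optional[str]]:
    """One order at a time (publish, validate, next): no collisions, but
    still one write and one validation per host."""
    results: Dict[str, Optional[str]] = {}
    for ident in idents:
        zone.set_txt(key_authorization(ident))
        results[ident] = validate(zone, ident)
    return results


def run_wildcard(zone: SingleTxtZone, base: str) -> List[str]:
    """The workaround from the reply: one order for *.base needs one TXT
    write, and the cert's SAN list then covers every host under base."""
    ident = "*." + base
    zone.set_txt(key_authorization(ident))
    return [ident] if validate(zone, ident) is None else []


def cert_covers(sans: List[str], host: str) -> bool:
    """Wildcard matching per RFC 6125: '*' matches exactly one label, so
    *.my.duckdns.org covers foo.my.duckdns.org but not a.b.my.duckdns.org."""
    for san in sans:
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # ".my.duckdns.org"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


if __name__ == "__main__":
    hosts = [f"{h}.my.duckdns.org" for h in ("foo", "bar", "baz", "qux")]
    for ident, err in run_parallel(SingleTxtZone("my.duckdns.org"), hosts).items():
        print(ident, "issued" if err is None else err)
    print("rounds with retries:", rounds_until_all_issued(SingleTxtZone("my.duckdns.org"), hosts))
    z = SingleTxtZone("my.duckdns.org")
    sans = run_wildcard(z, "my.duckdns.org")
    print("wildcard SANs", sans, "after", z.writes, "write(s); covers foo:", cert_covers(sans, hosts[0]))
```

In the parallel run only the last order to publish survives, and with retries the model needs exactly one round per host, which is the pattern behind the reporter's "5 of 8 after 10-20 minutes" (real interleavings are nondeterministic, so some orders succeed first time). The wildcard path makes one write and one validation for all hosts. Two caveats the code makes visible: a `*.my.duckdns.org` certificate does not cover `my.duckdns.org` itself or anything two labels deep, so those need their own names in the order, and serializing orders merely avoids the collision without reducing the per-host work.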

conrad82 commented 3 years ago

Thanks for your reply, I will give it a try later on!

I am using DuckDNS since it is supported by Caddy out of the box, while the domain is different, so my.example.com CNAME my.duckdns.org, but that should not change your example code. Maybe a different nameserver provider would be a better solution.

Closing the issue