caddy-dns / hetzner

Caddy module: dns.providers.hetzner
MIT License

Unable to get wildcard letsencrypt certificate #9

Open tankuanhong opened 1 year ago

tankuanhong commented 1 year ago

Hi,

My DNS is hosted on Cloudflare. I have NS records for _acme-challenge pointing to Hetzner DNS to enable automated cert management for load balancer. I have a standalone VM requiring its own certificate so I am using Caddy with dns.providers.hetzner to perform dns-01 challenge.

I can confirm that _acme-challenge.mydomain.com is created but somehow caddy is not getting the cert.

{"level":"info","ts":"2023-07-06T16:10:32.308+0800","logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.mydomain.com"}
{"level":"debug","ts":"2023-07-06T16:10:32.309+0800","logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"error","ts":"2023-07-06T16:12:36.836+0800","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":".mydomain.com","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[.mydomain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/<redacted>/<redacted>) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":"2023-07-06T16:12:36.838+0800","logger":"tls.obtain","msg":"will retry","error":"[.mydomain.com] Obtain: [.mydomain.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/<redacted>/<redacted>) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":124.530103601,"max_duration":2592000}
tankuanhong commented 1 year ago

After further testing, it seems like the challenge token does not match. Caddy could be using the wrong identifier to hash the challenge token (there is an extra period at the start of the domain). To be confirmed.
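For anyone reproducing this, the following is an added example (not code from Caddy or caddy-dns/hetzner) that walks through how a DNS-01 record is derived per RFC 8555 section 8.4 and RFC 7638, so the two things visible in the thread can be checked separately: the record name comes from the identifier with the "*." prefix removed, while the record value is base64url(SHA-256(token "." account-key-thumbprint)) and does not take the identifier as an input at all. It rejects an identifier that has lost its leading label (the ".mydomain.com" form in the log above), and checks the expected value against a constructed in-memory zone that stands in for a DNS lookup. The token, the zone contents and the generated account key are all constructed for the example.

```go
// Added example (not code from caddy-dns/hetzner or Caddy): derives the DNS-01
// challenge record for a wildcard identifier and checks it against a constructed
// stand-in for a DNS zone, following RFC 8555 section 8.4 and RFC 7638.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url encoding ACME uses throughout.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ChallengeRecordName returns the TXT record name the CA queries for an
// identifier. The wildcard prefix "*." is dropped, so "*.example.com" and
// "example.com" are validated at the same name.
func ChallengeRecordName(identifier string) (string, error) {
	host := strings.TrimPrefix(identifier, "*.")
	// An identifier such as ".example.com" (as in the issue's log) has lost a
	// label rather than its wildcard and would yield an invalid record name.
	if host == "" || strings.HasPrefix(host, ".") || strings.HasSuffix(host, ".") || strings.Contains(host, "..") {
		return "", fmt.Errorf("malformed identifier %q", identifier)
	}
	return "_acme-challenge." + host, nil
}

// JWKThumbprint computes the RFC 7638 SHA-256 thumbprint of a P-256 account
// key: the required JWK members in lexicographic order with no whitespace.
func JWKThumbprint(pub *ecdsa.PublicKey) (string, error) {
	if pub.Curve != elliptic.P256() {
		return "", errors.New("only P-256 keys are handled in this example")
	}
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64(x), b64(y))
	sum := sha256.Sum256([]byte(jwk))
	return b64(sum[:]), nil
}

// TXTValue is the DNS-01 record content: base64url(SHA-256(token "." thumbprint)).
// The identifier is deliberately not a parameter: the value depends only on the
// challenge token and the account key.
func TXTValue(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return b64(sum[:])
}

// Zone stands in for a DNS lookup in this offline example: name -> TXT values.
type Zone map[string][]string

// RecordPresent reports whether the zone answers the challenge name with the
// expected value, which is the check the CA performs before issuing.
func RecordPresent(z Zone, identifier, token, thumbprint string) (bool, error) {
	name, err := ChallengeRecordName(identifier)
	if err != nil {
		return false, err
	}
	want := TXTValue(token, thumbprint)
	for _, v := range z[name] {
		if v == want {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed account key
	if err != nil {
		panic(err)
	}
	tp, _ := JWKThumbprint(&key.PublicKey)
	token := "constructed-token-not-from-a-real-order" // constructed sample token
	name, _ := ChallengeRecordName("*.mydomain.com")
	zone := Zone{name: {TXTValue(token, tp)}} // constructed zone answer
	ok, _ := RecordPresent(zone, "*.mydomain.com", token, tp)
	fmt.Println(name, ok)
	_, err = ChallengeRecordName(".mydomain.com")
	fmt.Println("mangled identifier:", err)
}
```

To compare against a live setup, replace the constructed Zone with a TXT lookup against the nameservers the _acme-challenge NS records delegate to, since that is where the CA's resolver will end up; if the name is right but the value differs, the mismatch is in the token or account key, not in the identifier.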