foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0
4.95k stars, 239 forks

Gandi dns-01 challenge fail: 400 Absolute rrset_name must end with mydomain.org #619

Status: Closed (onny closed this issue 6 months ago)

onny commented 1 year ago

Describe the bug

Getting the following error trying to renew the TLS cert with the dns-01 challenge and Gandi: could not get certificate from issuer {"error":"[example.org] solving challenges: presenting for challenge: adding temporary record for zone \"example.org.\": LiveDNS returned a 400 (Absolute rrset_name must end with example.org. (_acme-challenge.)

I was already using it like this for a while, but renewing the cert seems to fail.

Configuration file

$(hostname) = mx1.example.org
$(primary_domain) = example.org
$(local_domains) = $(primary_domain)
hostname mx1.example.org

tls {
  loader acme {
    email onny@project-insanity.org
    agreed
    hostname mx1.example.org
    challenge dns-01
    dns gandi {
      api_token "{env:GANDI_API_KEY}"
    }
  }
}

Log files

Aug 17 15:07:56 piproxy maddy[759807]: tls.loader.acme/acme_client: trying to solve challenge        {"ca":"https://acme-v02.api.letsencrypt.org/directory","challenge_type":"dns-01","identifier":"example.org"}
Aug 17 15:07:57 piproxy maddy[759807]: tls.loader.acme/acme_client: cleaning up solver        {"challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.example.org\" (usually OK if presenting also failed)","identifier":"example.org"}
Aug 17 15:07:57 piproxy maddy[759807]: tls.loader.acme/obtain: could not get certificate from issuer        {"error":"[example.org] solving challenges: presenting for challenge: adding temporary record for zone \"example.org.\": LiveDNS returned a 400 (Absolute rrset_name must end with example.org. (_acme-challenge.)) (order=https://acme-v02.api.letsencrypt.org/acme/order/1114545927/202211442616) (ca=https://acme-v02.api.letsencrypt.org/directory)","identifier":"example.org","issuer":"acme-v02.api.letsencrypt.org-directory"}

Environment information

nustiueudinastea commented 1 year ago

Hitting the same issue

foxcpp commented 1 year ago

d9920f0 might fix it, but not sure tbh.

Somehow the identifier ends up empty and libdns attempts to create a DNS record for _acme-challenge. (without example.org). No idea why this happens; might be a bug in Certmagic.

nustiueudinastea commented 1 year ago

Hey @foxcpp, I just tried master and the issue continues to manifest itself, unfortunately.

nustiueudinastea commented 1 year ago

I upgraded to certmagic v0.18.2 and the problem still exists. v0.19.x has breaking API changes so it was more difficult to test.

nustiueudinastea commented 7 months ago

Hey folks, finally had some time to look deeper into the problem. The issue most likely was caused by a change in what kind of data the Gandi API accepts. I created a PR that fixes the issue, in the gandi libdns repo: https://github.com/libdns/gandi/pull/12

Things are moving quite slowly in those repos, so in the meantime I created a temporary Docker build based on that libdns PR and this branch on my Maddy fork: https://github.com/nustiueudinastea/maddy/tree/fix-gandi-cert

You can get it from nustiueudinastea/maddy:gandi-fix. This image has been tested and is working.
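The two comments above (foxcpp's note that the identifier ends up empty so the record name becomes `_acme-challenge.`, and the later finding that the Gandi API changed what it accepts) come down to one string-handling rule: the name handed to the DNS provider must be inside the zone, and a label with no domain part must never be sent. The following Go snippet is an added example written for this page, not code from maddy, Certmagic or libdns/gandi. The function names, the choice to return a zone-relative label, and the sample inputs are assumptions for illustration; the only fact taken from the page is the 400 text, which says an absolute rrset_name must end with the zone.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrEmptyLabel is returned when the challenge label would be sent without a
// domain part, i.e. the "_acme-challenge." shape visible in the log above.
var ErrEmptyLabel = errors.New("dns-01 record name has no domain part")

// AbsoluteNameInZone reports whether an absolute (trailing-dot) record name
// lies inside zone. This mirrors the rule quoted in the LiveDNS 400 error
// ("Absolute rrset_name must end with example.org.") and shows why
// "_acme-challenge." is rejected. Hypothetical helper, not the provider's code.
func AbsoluteNameInZone(name, zone string) bool {
	if !strings.HasSuffix(name, ".") || !strings.HasSuffix(zone, ".") {
		return false
	}
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// ChallengeRecordName derives the dns-01 TXT record name for an ACME
// identifier (e.g. "example.org") as a label relative to zone (e.g.
// "example.org."). It fails instead of producing an empty or out-of-zone name,
// so a bad identifier is caught before any API call is made.
// Hypothetical helper written for this page.
func ChallengeRecordName(identifier, zone string) (string, error) {
	identifier = strings.TrimSuffix(strings.TrimSpace(identifier), ".")
	zone = strings.TrimSuffix(strings.TrimSpace(zone), ".")
	if identifier == "" {
		return "", ErrEmptyLabel
	}
	if zone == "" {
		return "", errors.New("zone is empty")
	}
	fqdn := "_acme-challenge." + identifier
	// The absolute form must sit inside the zone; otherwise the provider
	// would reject it (or, worse, a record could land in the wrong zone).
	if !strings.HasSuffix(fqdn, "."+zone) {
		return "", fmt.Errorf("%q is not within zone %q", fqdn+".", zone+".")
	}
	return strings.TrimSuffix(fqdn, "."+zone), nil
}

func main() {
	// Constructed sample inputs: the zone from the issue, plus an empty
	// identifier to reproduce the failure mode described above.
	for _, id := range []string{"example.org", "mx1.example.org", "", "other.net"} {
		label, err := ChallengeRecordName(id, "example.org.")
		fmt.Printf("identifier=%q -> label=%q err=%v\n", id, label, err)
	}
	fmt.Println(AbsoluteNameInZone("_acme-challenge.", "example.org."))            // false
	fmt.Println(AbsoluteNameInZone("_acme-challenge.example.org.", "example.org.")) // true
}
```

Returning the zone-relative label (`_acme-challenge`) sidesteps the question of how a given provider treats absolute names; validating the absolute form separately is what lets you reproduce the provider's 400 locally and fail fast when an upstream layer hands over an empty identifier.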

onny commented 7 months ago

There's a new release of the libdns/gandi plugin; has someone tested it? It might fix the problem 👀 https://github.com/libdns/gandi/releases/tag/v1.0.3

nustiueudinastea commented 7 months ago

That’s the fix I submitted, and it does fix it. Will make a maddy PR with the library upgrades today or tomorrow.

nustiueudinastea commented 7 months ago

@foxcpp, I created a PR with the fix for this issue. Hopefully you will be able to create a new release as well once it's merged. Thanks!