search

go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License
7.99k stars 1.02k forks source link

rfc2136: My provider supports add and delete but not finding the SOA #1186

Closed mlilien closed 4 years ago

mlilien commented 4 years ago

RFC2136_NAMESERVER is used for finding the SOA record. In my case I can use the configured RFC2136_NAMESERVER to add and delete the _acme-challenge.mydomain.com entry. But this server is not a real nameserver. So finding the SOA record fails, before even trying to add the _acme-challenge.mydomain.com entry.

what works in my case is:

diff --git a/providers/dns/rfc2136/rfc2136.go b/providers/dns/rfc2136/rfc2136.go
index 059c9e4..e1e06c1 100644
--- a/providers/dns/rfc2136/rfc2136.go
+++ b/providers/dns/rfc2136/rfc2136.go
@@ -150,7 +150,8 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {

 func (d *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
        // Find the zone for the given fqdn
-       zone, err := dns01.FindZoneByFqdnCustom(fqdn, []string{d.config.Nameserver})
+       // zone, err := dns01.FindZoneByFqdnCustom(fqdn, []string{d.config.Nameserver})
+       zone, err := dns01.FindZoneByFqdn(fqdn)
        if err != nil {
                return err
        }
ldez commented 4 years ago

hello,

the difference between FindZoneByFqdn and FindZoneByFqdnCustom is that FindZoneByFqdn use your resolv.conf file to define the nameservers.

dmke commented 4 years ago

Indeed, by using FindZoneByFqdn, you'll send the create/delete queries to a different nameserver. This is probably in violation of RFC2136.

@mlilien, what's the name of your provider? Do you know what kind of DNS (pseudo) server they use?

Can you investigate, how the value of RFC1236_NAMESERVER and the entries in /etc/resolv.conf relate (those lines starting with the server keyword)? Depending on your system, you may need to fiddle with systemd-resolvd to get the server entries.

mlilien commented 4 years ago

@dkme I have an old dyndns pro account at dyn.com. (So I can't use the dyn acme-lego provider.) The RFC2136_NAMESERVER I use is update.dyndns.com. Server in my resolv.conf is my router, which itself uses 8.8.8.8 and 1.1.1.1.

dmke commented 4 years ago

@mlilien: Can you check whether #1190 works for you?

You'll need to provide the SOA MNAME/DNS primary server as RFC2136_PRIMARY environment variable.

mlilien commented 4 years ago

@dmke Thank you for looking into this. Unfortunately that seems not to work:


RFC2136_NAMESERVER=update.dyndns.com \
RFC2136_PRIMARY=nsXXXX.dns.dyn.com \
RFC2136_RFC2136_TSIG_KEY=my_key 
RFC2136_TSIG_SECRET=my_secret \
dist/lego -s https://acme-staging-v02.api.letsencrypt.org/directory -d example.com -a --dns=rfc2136 -m postmaster@example.com  run 

2020/06/18 19:18:07 [INFO] [example.com] acme: Obtaining bundled SAN certificate
2020/06/18 19:18:07 [INFO] [example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/66636778
2020/06/18 19:18:07 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2020/06/18 19:18:07 [INFO] [example.com] acme: Could not find solver for: http-01
2020/06/18 19:18:07 [INFO] [example.com] acme: use dns-01 solver
2020/06/18 19:18:07 [INFO] [example.com] acme: Preparing to solve DNS-01
2020/06/18 19:18:08 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2020/06/18 19:18:08 [WARN] [example.com] acme: cleaning up failed: rfc2136: failed to remove: DNS update failed: server replied: REFUSED 
2020/06/18 19:18:08 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/66636778
2020/06/18 19:18:08 Could not obtain certificates:
    error: one or more domains had a problem:
[example.com] [example.com] acme: error presenting token: rfc2136: failed to insert: DNS update failed: server replied: REFUSED
dmke commented 4 years ago

Hm... Is nsXXXX.dns.dyn.com really the primary? "DNS update failed: server replied: REFUSED" indicates this might be the wrong address.

You can confirm that by running:

$ host -t soa example.com
example.com has SOA record ns.icann.org. noc.dns.icann.org. 2019121416 7200 3600 1209600 3600

The primary nameserver here is ns.icann.org.

mlilien commented 4 years ago

Interesting, seems my primary is ns1.mydyndns.org.. But the result is the same.

dmke commented 4 years ago

I'm an idiot... :stuck_out_tongue:

Turns out, the FindZoneByFqdn call does not return the primary nameserver (SOA MNAME), but the domain name the SOA belongs to.

For example: if you have a domain foo.bar.example.com, you can have the SOA record attached to the example.com domain. A (recursive) lookup of the SOA record for foo.bar.example.com would first query foo.bar.example.com (and find no SOA record here), then bar.example.com (again no result) and finally example.com:

$ host -t soa foo.bar.example.com
Host foo.bar.example.com not found: 3(NXDOMAIN)
$ host -t soa bar.example.com
Host bar.example.com not found: 3(NXDOMAIN)
$ host -t soa example.com
example.com has SOA record ns.icann.org. noc.dns.icann.org. 2019121416 7200 3600 1209600 3600

In technical terms, example.com is the zone apex for foo.bar.example.com.

It is this zone apex that is required as value for RFC2136_PRIMARY (which is now inadequately named). Would you mind checking this again?

mlilien commented 4 years ago

Hi, now I'm getting another error:


RFC2136_NAMESERVER=update.dyndns.com \
RFC2136_PRIMARY=example.com \
RFC2136_RFC2136_TSIG_KEY=my_key 
RFC2136_TSIG_SECRET=my_secret \
dist/lego -s https://acme-staging-v02.api.letsencrypt.org/directory -d example.com -a --dns=rfc2136 -m postmaster@example.com  run 

2020/06/19 17:05:34 [INFO] [example.com] acme: Obtaining bundled SAN certificate
2020/06/19 17:05:34 [INFO] [example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/66907829
2020/06/19 17:05:34 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2020/06/19 17:05:34 [INFO] [example.com] acme: Could not find solver for: http-01
2020/06/19 17:05:34 [INFO] [example.com] acme: use dns-01 solver
2020/06/19 17:05:34 [INFO] [example.com] acme: Preparing to solve DNS-01
2020/06/19 17:05:34 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2020/06/19 17:05:35 [WARN] [example.com] acme: cleaning up failed: rfc2136: failed to remove: DNS update failed: server replied: FORMERR 
2020/06/19 17:05:35 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/66907829
2020/06/19 17:05:35 Could not obtain certificates:
    error: one or more domains had a problem:
[example.com] [example.com] acme: error presenting token: rfc2136: failed to insert: DNS update failed: server replied: FORMERR
dmke commented 4 years ago

I think now's the time to contact Dyn support and point them to this issue...

mlilien commented 4 years ago

I did that, I'll report as soon as I get an answer.

mlilien commented 4 years ago

I use a deprecated dns delegation for this domain. I will update this, which can take a while, because another party is involved to change that. After that I'll retest. Other than that, I got the remark, that the service will be retired end of May 2022. I don't know if it's worth to find a solution then. I'll have to switch anyway and can use the manual provider or my patch for now.

dmke commented 4 years ago

Okay, thanks for letting us know.

Closing this for now. Feel free to reopen should new information emerge :-)