go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

oraclecloud does not work with wildcard #1529

Open mattn opened 3 years ago

mattn commented 3 years ago

What did you expect to see?

run finish the tasks successfully.

What did you see instead?

run fail with wildcard.

How do you use lego?

Binary

Reproduction steps

```shell
OCI_PRIVKEY_FILE="/home/mattn/.oci/oci_api_key.pem" \
OCI_PRIVKEY_PASS="XXXXXXXXXXXXXXXXXXXXXXXXXXX" \
OCI_TENANCY_OCID="ocid1.tenancy.oc1..secret" \
OCI_USER_OCID="ocid1.user.oc1..secret" \
OCI_PUBKEY_FINGERPRINT="secret" \
OCI_REGION="ap-tokyo-1" \
OCI_COMPARTMENT_OCID="ocid1.tenancy.oc1..secret" \
lego \
    --path /etc/letsencrypt \
    -m my-email@mail-address.net \
    --dns oraclecloud \
    -d xxxxxxxxx.xx \
    -d *.xxxxxxxxx.xx \
    -a run
```

Version of lego

lego version 4.5.3 linux/amd64

Logs

```console
2021/11/11 01:27:52 [INFO] [xxxxxxxxx.xx, *.xxxxxxxxx.xx] acme: Obtaining bundled SAN certificate
2021/11/11 01:27:54 [INFO] [*.xxxxxxxxx.xx] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXXXXXXXXXX
2021/11/11 01:27:54 [INFO] [xxxxxxxxx.xx] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/YYYYYYYYYYY
2021/11/11 01:27:54 [INFO] [xxxxxxxxx.xx] acme: authorization already valid; skipping challenge
2021/11/11 01:27:54 [INFO] [*.xxxxxxxxx.xx] acme: use dns-01 solver
2021/11/11 01:27:54 [INFO] [*.xxxxxxxxx.xx] acme: Preparing to solve DNS-01
2021/11/11 01:27:54 [INFO] [*.xxxxxxxxx.xx] acme: Trying to solve DNS-01
2021/11/11 01:27:54 [INFO] [*.xxxxxxxxx.xx] acme: Checking DNS record propagation using [127.0.0.53:53]
2021/11/11 01:27:56 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2021/11/11 01:27:56 [INFO] [*.xxxxxxxxx.xx] acme: Waiting for DNS record propagation.
2021/11/11 01:27:58 [INFO] [*.xxxxxxxxx.xx] acme: Waiting for DNS record propagation.
2021/11/11 01:28:00 [INFO] [*.xxxxxxxxx.xx] acme: Waiting for DNS record propagation.
2021/11/11 01:28:02 [INFO] [*.xxxxxxxxx.xx] acme: Waiting for DNS record propagation.
2021/11/11 01:28:09 [INFO] [*.xxxxxxxxx.xx] acme: Cleaning DNS-01 challenge
2021/11/11 01:28:11 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXXXXXXXXXX
2021/11/11 01:28:11 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/YYYYYYYYYYY
2021/11/11 01:28:11 Could not obtain certificates: error: one or more domains had a problem: [*.xxxxxxxxx.xx] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: No TXT record found at _acme-challenge.xxxxxxxxx.xx
```

Go environment (if applicable)

```console
$ go version && go env
go version go1.16.6 linux/amd64
GO111MODULE="on"
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mattn/.cache/go-build"
GOENV="/home/mattn/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/mattn/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/mattn/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.6"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build752804175=/tmp/go-build -gno-record-gcc-switches"
```

ldez commented 3 years ago

Hello,

the output of the command in https://github.com/go-acme/lego/pull/808#issuecomment-467316780 suggests that wildcard domains work, but maybe it was a false positive.

ping @Sugi275

IrishPrime commented 2 years ago

I've had to request a lot of wildcard certificates with the oraclecloud provider (and have gotten a few thousand of them), so it can and does work at least some of the time. What I've noticed is that my success rate dramatically increased when I started using the `--dns.disable-cp` flag and specifying public DNS hosts with `--dns.resolvers 8.8.8.8`.

I've had a lot of trouble verifying quite what's going wrong. Frequently it would just work when I tried it a second time, but those options have helped it work the first time more often.
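The log in the report shows lego checking propagation only against the local stub resolver (127.0.0.53), judging the record present, and then the CA answering "No TXT record found"; the workaround above points lego at public resolvers instead. The following is an added example, not code from lego or from anyone in this thread: a standalone Go check that derives the DNS-01 record name and value from a key authorization and then polls several explicitly chosen resolvers until all of them return the expected value, so that a disagreement between "my resolver sees it" and "the CA's resolver sees it" surfaces before the order is finalized. The resolver addresses 8.8.8.8 and 1.1.1.1 in `main`, the domain `example.test` and the key authorization string are assumptions and placeholders; the record name and value derivation follows RFC 8555.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// txtLookup is the one DNS operation the check needs. net.Resolver.LookupTXT
// satisfies it; tests substitute constructed data so nothing touches the network.
type txtLookup func(ctx context.Context, name string) ([]string, error)

// challengeFQDN returns the name a DNS-01 validator queries. The "*." label is
// dropped: *.example.test and example.test are both validated at
// _acme-challenge.example.test (RFC 8555 section 7.1.3), which is why the
// issue's log shows the wildcard check at _acme-challenge.xxxxxxxxx.xx.
func challengeFQDN(domain string) string {
	domain = strings.TrimPrefix(domain, "*.")
	return "_acme-challenge." + strings.TrimSuffix(domain, ".") + "."
}

// challengeValue is base64url(SHA-256(keyAuthorization)) without padding
// (RFC 8555 section 8.4); this is the string the TXT record must carry.
func challengeValue(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// resolverAt binds lookups to one explicit resolver such as "8.8.8.8:53"
// instead of the system stub resolver configured in /etc/resolv.conf.
func resolverAt(addr string) txtLookup {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, addr)
		},
	}
	return r.LookupTXT
}

// hasValue reports whether want is one of the TXT strings returned.
func hasValue(records []string, want string) bool {
	for _, rec := range records {
		if rec == want {
			return true
		}
	}
	return false
}

// checkOnce asks every resolver for fqdn and records which ones already serve
// the expected value. A lookup error (NXDOMAIN, timeout) counts as "not yet"
// rather than aborting, since a missing record is the normal state before propagation.
func checkOnce(ctx context.Context, fqdn, want string, resolvers map[string]txtLookup) map[string]bool {
	seen := make(map[string]bool, len(resolvers))
	for name, lookup := range resolvers {
		records, err := lookup(ctx, fqdn)
		seen[name] = err == nil && hasValue(records, want)
	}
	return seen
}

// missing lists the resolvers that do not yet see the value, sorted for stable output.
func missing(seen map[string]bool) []string {
	var out []string
	for name, ok := range seen {
		if !ok {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// waitForPropagation polls until every resolver agrees or ctx expires. Requiring
// agreement from several independent resolvers is what catches the situation in
// the issue: one resolver answering "present" while the CA's resolver sees nothing.
func waitForPropagation(ctx context.Context, fqdn, want string, resolvers map[string]txtLookup, interval time.Duration) error {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		seen := checkOnce(ctx, fqdn, want, resolvers)
		if len(missing(seen)) == 0 {
			return nil
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("%s: value not visible at %v: %w", fqdn, missing(seen), ctx.Err())
		case <-ticker.C:
		}
	}
}

func main() {
	// Constructed inputs: placeholder domain and a made-up key authorization
	// (a real one is token + "." + JWK thumbprint of the account key).
	fqdn := challengeFQDN("*.example.test")
	want := challengeValue("constructed-token.constructed-thumbprint")
	resolvers := map[string]txtLookup{"8.8.8.8": resolverAt("8.8.8.8:53"), "1.1.1.1": resolverAt("1.1.1.1:53")}
	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
	defer cancel()
	if err := waitForPropagation(ctx, fqdn, want, resolvers, 2*time.Second); err != nil {
		fmt.Println("not ready:", err)
		return
	}
	fmt.Println("all resolvers see", want, "at", fqdn)
}
```

Running `main` needs network access to the two public resolvers; the functions themselves are network-free and take any `txtLookup`, so the same logic can be exercised with constructed answers (one resolver fresh, one returning NXDOMAIN, one lagging behind) to see which resolver is holding up the wait. This is the kind of multi-resolver agreement that the `--dns.resolvers` flag mentioned above asks lego to perform in place of a single local stub lookup.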