Open cnbeining opened 2 years ago
I ran into the exact same issue described here.
Since the ACME implementation of NixOS depends on lego, I'd be glad if NS delegation worked properly.
@cnbeining In the meantime, have you found a workaround for this? @ldez Is there any progress in fixing/implementing this?
I implemented support for CNAME by default, so I think you can handle your problem by using it.
Welcome
What did you expect to see?

`lego` able to handle DNS-01 challenge via NS delegation.

In not-so-human-language - `checkDNSPropagation` should consider that, if the `_acme-challenge.{domain}` record is set up with NS delegation, `checkAuthoritativeNss` will always fail, but this is a legitimate use case.

NS delegation in human language:
`_acme-challenge.{domain}` to {NS2} because maybe the user cannot control all records on {NS1}, or cannot control them automatically.

In this case, if {NS2} works properly, aka setting up the correct record for `_acme-challenge.{domain}` as requested by the ACME service:

- `dig _acme-challenge.{domain} @{NS2} TXT` will work
- `dig _acme-challenge.{domain} @{any 3rd party rDNS} TXT` will work
- `dig _acme-challenge.{domain} @{NS1} TXT` will ALWAYS NOT WORK since there's no such record on {NS1}, and the record will not be passed on automatically as usually happens with CNAME delegation
- `dig _acme-challenge.{domain} @{NS1} NS` will return {NS2}

Background reading: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

Proposed fixes:

- `checkAuthoritativeNss` WARN only and let the ACME provider try its luck since `dnsQuery(fqdn, dns.TypeTXT, recursiveNameservers, true)` works - probably dangerous to implement;
- `requireCompletePropagation` option - more mental burden for users;
- `checkDNSPropagation` at L70, `authoritativeNss, err := lookupNameservers(fqdn)`: in `lookupNameservers`, add logic to prefer the NS record of `_acme-challenge.{fqdn}` over the NS record of `{fqdn}` to handle NS delegation. Need to test whether this approach works with CNAME delegation.

What did you see instead?
How do you use lego?
Other
Reproduction steps

Preparation:

`_acme-challenge.{domain}` to {NS2}

Testing:

- `_acme-challenge.{domain}` as the challenge code
- `dig _acme-challenge.{domain} TXT @8.8.8.8` or any rDNS correctly shows the TXT record on {NS2}.
- `lego` refuses to continue with verification:

Version of lego
Logs
Go environment (if applicable)
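As an added illustration of the third proposed fix (example code, not lego's own implementation): a label-walking `lookupNameservers` that prefers an NS delegation at `_acme-challenge.{domain}` over the parent zone's NS records, checked against a constructed in-memory zone where only the delegated server holds the TXT record. The `Resolver` interface, `fakeZone`, and the names ns1/ns2/example.com are assumptions of this example.

```go
package main

import "strings"

// Resolver abstracts DNS so the example runs offline (an assumption, not lego's API).
type Resolver interface {
	NS(name string) []string          // NS records for name, nil if none
	TXT(name, server string) []string // TXT records as served by one nameserver
}

// lookupNameservers walks from the most specific label upward and returns the
// first NS set found, so a delegation at _acme-challenge.{domain} wins over the
// parent zone's NS records (the behaviour the issue proposes).
func lookupNameservers(fqdn string, r Resolver) []string {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		if ns := r.NS(strings.Join(labels[i:], ".") + "."); len(ns) > 0 {
			return ns
		}
	}
	return nil
}

// checkAuthoritativeNss is true only if every listed server returns the
// expected TXT value, mirroring the propagation check described in the issue.
func checkAuthoritativeNss(fqdn, value string, nss []string, r Resolver) bool {
	for _, ns := range nss {
		found := false
		for _, txt := range r.TXT(fqdn, ns) {
			found = found || txt == value
		}
		if !found {
			return false
		}
	}
	return len(nss) > 0
}

// fakeZone is constructed sample data: example.com is served by ns1, the
// challenge label is delegated to ns2, and only ns2 carries the TXT record.
type fakeZone struct{}
func (fakeZone) NS(name string) []string {
	return map[string][]string{
		"example.com.":                 {"ns1.example.net."},
		"_acme-challenge.example.com.": {"ns2.example.org."},
	}[name]
}
func (fakeZone) TXT(name, server string) []string {
	return map[string][]string{"_acme-challenge.example.com.@ns2.example.org.": {"token123"}}[name+"@"+server]
}
```

Querying the parent zone's servers (what a zone-based lookup returns) can never see the record, while the delegation-aware lookup passes the same check.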