go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Use Hetzner's second level "rule" to avoid "could not get zone" error #1615

Open bryanpedini opened 2 years ago

bryanpedini commented 2 years ago

Welcome

How do you use lego?

Through Traefik

Detailed Description

Basically following up on https://github.com/traefik/traefik/issues/8910: I called up Hetzner the other day to ask about making a third-level domain zone for my company, and they straight up told me that wasn't possible and to just make a second-level domain zone and put NS records pointing at Hetzner's servers only for the subdomain. So since Hetzner's DNS servers are authoritative and not recursive, there would be no way that anybody would use them as a primary resolver, hence not being able to use our main domain and not finding the appropriate records.

Maybe that "rule" from Hetzner could be used to just call up Hetzner's APIs directly, asking for the zone ID by stripping everything past the second-level domain, to avoid this error caused by internal DNS servers for home.mydomain.com?

traefik.home.mydomain.com  | time="2022-04-02T09:06:38Z" level=error msg="Unable to obtain ACME certificate for domains \"heimdall.home.mydomain.com\": unable to generate a certificate for the domains [heimdall.home.mydomain.com]: error: one or more domains had a problem:\n[heimdall.home.mydomain.com] [heimdall.home.mydomain.com] acme: error presenting token: hetzner: could not get zone for domain home.mydomain.com not found\n" rule="Host(`heimdall.home.mydomain.com`)" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=https-heimdall_home_mydomain_com@docker
lachnerd commented 1 year ago

Hi, I think I have a related or similar problem. I'm using Hetzner DNS for the DNS challenge with Traefik, with a CNAME entry to a DynDNS provider so I could run my services at home with changing IP addresses.

In the last 90 days something must have changed; I only get SSL certs for my subdomains but not for the root domain. Also, the logged error strips the subdomain from the referenced DynDNS provider (mysub.ddns.net):

error presenting token: hetzner: could not get zone for domain ddns.net

After changing the traefik.mydomain.net CNAME mysub.ddns.net to traefik.mydomain.net A <myPublicIP>, the Let's Encrypt certs get generated as expected.

voruti commented 1 year ago

> Hi, I think I have a related or similar problem. I'm using Hetzner DNS for the DNS challenge with Traefik, with a CNAME entry to a DynDNS provider so I could run my services at home with changing IP addresses.
>
> In the last 90 days something must have changed; I only get SSL certs for my subdomains but not for the root domain. Also, the logged error strips the subdomain from the referenced DynDNS provider (mysub.ddns.net):
>
> error presenting token: hetzner: could not get zone for domain ddns.net
>
> After changing the traefik.mydomain.net CNAME mysub.ddns.net to traefik.mydomain.net A <myPublicIP>, the Let's Encrypt certs get generated as expected.

I also got a similar problem :).

The error message I get (for some reason I don't know) is:

2023/05/25 14:00:56 [WARN] [example.de] acme: cleaning up failed: hetzner: could not get zone for domain de not found

Yes, there is the TLD "de" without "example." in front of it.

After skimming through some of the source code, I found out that the CNAME record is the only response returned when lego actually wants to know the SOA record (I think this is normal DNS behaviour?). I fixed it by using a public nameserver for the DNS challenge with --dns.resolvers 8.8.8.8 (the CNAME is only within my internal network).

ldez commented 1 year ago

@voruti to disable the CNAME support you have to set the env var LEGO_DISABLE_CNAME_SUPPORT to true.

voruti commented 1 year ago

I tried this env var before (and just retried now, too) and it doesn't work. As above: domain "de" not found.

ldez commented 1 year ago

> when lego actually wants to know the SOA record (I think this is normal DNS behaviour?).

Yes, it's the expected behavior.

I think your problem is related to your local DNS and the SOA calls.
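
To make the SOA walk that voruti and ldez are discussing concrete, here is a small model of label-walking zone discovery, written as an added example for this thread; it is not lego's code and it simplifies what the real library does (real resolvers put the SOA of a NODATA answer in the authority section, which this model ignores). A stub resolver holds constructed records in place of a live recursive resolver such as a Pi-hole; the names, the CNAME to _acme-challenge.mysub.ddns.net and the SOA data are made up for the example and are not the reporters' actual zones. The walk asks for SOA at the full name and then at each parent. A CNAME that is followed first moves the whole walk into the target's zone, which is how a challenge for a name under mydomain.net can end with the Hetzner provider being asked for ddns.net, and a resolver that answers no SOA below the TLD leaves the walk at de.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Record is a minimal stand-in for one DNS answer record.
type Record struct {
	Type string // "SOA" or "CNAME"
	Name string // SOA: owner name (the zone apex); CNAME: canonical target
}

// StubResolver maps a queried name to the records a resolver answers with.
// It stands in for the recursive resolver lego is pointed at; every entry
// placed in it below is constructed for this example.
type StubResolver map[string][]Record

// normalize lower-cases a name and gives it exactly one trailing dot.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// candidates lists fqdn and every parent down to the TLD, most specific first:
// "a.b.example.de" -> [a.b.example.de. b.example.de. example.de. de.]
func candidates(fqdn string) []string {
	fqdn = normalize(fqdn)
	var out []string
	for fqdn != "" {
		out = append(out, fqdn)
		fqdn = fqdn[strings.Index(fqdn, ".")+1:]
	}
	return out
}

// followCNAME returns the end of the CNAME chain starting at name, or name
// itself when there is none. A hop limit keeps a CNAME loop from hanging.
func followCNAME(r StubResolver, name string) (string, error) {
	name = normalize(name)
	for hops := 0; hops < 10; hops++ {
		next := ""
		for _, rec := range r[name] {
			if rec.Type == "CNAME" {
				next = normalize(rec.Name)
			}
		}
		if next == "" {
			return name, nil
		}
		name = next
	}
	return "", errors.New("CNAME chain too long")
}

// FindZone models label-walking zone discovery: optionally follow CNAMEs on
// the challenge name first, then ask for SOA at each candidate from the full
// name upward; the first SOA answer names the zone. Whatever the walk ends on
// is what the DNS provider is then asked for, so a CNAME to a DynDNS name
// yields "ddns.net." and a resolver with no SOA below the TLD yields "de.",
// the two shapes of error quoted in this thread.
func FindZone(r StubResolver, fqdn string, followCNAMEs bool) (string, error) {
	if followCNAMEs {
		target, err := followCNAME(r, fqdn)
		if err != nil {
			return "", err
		}
		fqdn = target
	}
	for _, name := range candidates(fqdn) {
		for _, rec := range r[name] {
			if rec.Type == "SOA" {
				return normalize(rec.Name), nil
			}
		}
	}
	return "", fmt.Errorf("no SOA found walking up from %s", fqdn)
}

func main() {
	// Constructed resolver data: a CNAME to a DynDNS name plus SOAs at both apexes.
	r := StubResolver{
		"_acme-challenge.traefik.mydomain.net.": {{Type: "CNAME", Name: "_acme-challenge.mysub.ddns.net"}},
		"mydomain.net.":                         {{Type: "SOA", Name: "mydomain.net."}},
		"ddns.net.":                             {{Type: "SOA", Name: "ddns.net."}},
	}
	for _, follow := range []bool{true, false} {
		zone, err := FindZone(r, "_acme-challenge.traefik.mydomain.net", follow)
		fmt.Printf("follow CNAME=%v: zone=%q err=%v\n", follow, zone, err)
	}
}
```

In the model, disabling CNAME following only removes the first step; it cannot help when the resolver never returns an SOA below the TLD, which matches voruti's report that LEGO_DISABLE_CNAME_SUPPORT made no difference while --dns.resolvers 8.8.8.8, which changes the answers the walk sees, did.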

voruti commented 1 year ago

I'm using a Pi-hole, including its DHCP server. After its filtering is done, it's using Google DNS as well.

TonyR600 commented 1 year ago

Any news on the original subject? We have the same problem.

haarp commented 12 months ago

FYI

If you're running into acme: error presenting token: hetzner: could not get zone for domain foo.bar not found while using Hetzner's DNS servers, this might also be because you have over 100 domains/zones. Hetzner's API does pagination and only shows 100 entries at most. lego fixed this issue in #1815, but the version in Debian (4.9.1) does not have the fix. Use a newer version from GitHub instead.
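
Two points from this thread fit one worked example: the OP's suggestion to pick the zone from the account's own zone list rather than from DNS, and haarp's note that a listing of more than 100 zones is paginated. The Go below is an added example for this page, not lego's Hetzner provider and not Hetzner's code. It assumes a listing endpoint shaped like Hetzner's zones API as I read its public documentation (a zones array plus meta.pagination.last_page, pages of at most 100), which should be checked against the current API reference, and it runs against an in-process mock server with constructed zone names (filler-N.example and mydomain.com) so it works offline. MatchZone goes one step beyond the OP's second-level rule: it picks the longest zone name that is a suffix of the FQDN, so it also works for an account that does hold a delegated third-level zone.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Zone is the part of a zone object this example needs.
type Zone struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// zonesPage is one page of a listing, laid out like Hetzner's zones endpoint
// as I read its docs (an assumption; verify against the current reference).
type zonesPage struct {
	Zones []Zone `json:"zones"`
	Meta  struct {
		Pagination struct {
			LastPage int `json:"last_page"`
		} `json:"pagination"`
	} `json:"meta"`
}

// ListAllZones fetches every page. Stopping after page 1 is the bug haarp
// describes: past 100 zones the wanted zone is absent and the lookup fails.
func ListAllZones(client *http.Client, baseURL string) ([]Zone, error) {
	var all []Zone
	for page := 1; ; page++ {
		resp, err := client.Get(fmt.Sprintf("%s/zones?page=%d&per_page=100", baseURL, page))
		if err != nil {
			return nil, err
		}
		var body zonesPage
		err = json.NewDecoder(resp.Body).Decode(&body)
		resp.Body.Close()
		if err != nil || resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("zones page %d: status %d, decode error %v", page, resp.StatusCode, err)
		}
		all = append(all, body.Zones...)
		if page >= body.Meta.Pagination.LastPage {
			return all, nil
		}
	}
}

// MatchZone returns the zone whose name is the longest suffix of fqdn: the OP's
// second-level rule generalised, so a delegated home.mydomain.com zone wins
// over mydomain.com when both exist, and no SOA lookup is involved at all.
func MatchZone(zones []Zone, fqdn string) (Zone, bool) {
	name := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	var best Zone
	bestLen := -1
	for _, z := range zones {
		zn := strings.ToLower(strings.TrimSuffix(z.Name, "."))
		if (name == zn || strings.HasSuffix(name, "."+zn)) && len(zn) > bestLen {
			best, bestLen = z, len(zn)
		}
	}
	return best, bestLen >= 0
}

// NewMockZoneServer serves the constructed zones in pages of perPage, honouring
// the page query parameter, so the example runs offline.
func NewMockZoneServer(zones []Zone, perPage int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		page, _ := strconv.Atoi(r.URL.Query().Get("page"))
		if page < 1 {
			page = 1
		}
		var pageZones []Zone
		for i := (page - 1) * perPage; i < page*perPage && i < len(zones); i++ {
			pageZones = append(pageZones, zones[i])
		}
		body := zonesPage{Zones: pageZones}
		body.Meta.Pagination.LastPage = (len(zones) + perPage - 1) / perPage
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(body)
	}))
}

// ConstructedZones returns n filler zones followed by mydomain.com, so that
// with n >= 100 the zone we care about sits beyond the first page.
func ConstructedZones(n int) []Zone {
	var zones []Zone
	for i := 0; i < n; i++ {
		zones = append(zones, Zone{ID: fmt.Sprint("z", i), Name: fmt.Sprintf("filler-%d.example", i)})
	}
	return append(zones, Zone{ID: "z-main", Name: "mydomain.com"})
}

func main() {
	srv := NewMockZoneServer(ConstructedZones(120), 100)
	defer srv.Close()
	all, err := ListAllZones(srv.Client(), srv.URL)
	zone, ok := MatchZone(all, "heimdall.home.mydomain.com")
	fmt.Println(len(all), "zones fetched; match:", zone.Name, ok, "err:", err)
}
```

With the constructed data, the first page alone holds only filler zones, so matching heimdall.home.mydomain.com against it fails exactly as haarp describes; walking through to last_page makes the match succeed. The real client would also have to send the account's API token, which the mock does not check.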