go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Split DNS and certificates #1987

Closed deoxykev closed 1 year ago

deoxykev commented 1 year ago


What did you expect to see?

Getting a wildcard cert on the root domain (*.redacted.net) works:

lego --accept-tos --email email@redacted.net --dns cloudflare --domains *.redacted.net run
2023/08/08 17:37:34 [INFO] [*.redacted.net] acme: Obtaining bundled SAN certificate
2023/08/08 17:37:35 [INFO] [*.redacted.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/253211000000
2023/08/08 17:37:35 [INFO] [*.redacted.net] acme: use dns-01 solver
2023/08/08 17:37:35 [INFO] [*.redacted.net] acme: Preparing to solve DNS-01
2023/08/08 17:37:36 [INFO] cloudflare: new record for redacted.net, ID xxxxxxxxxxxxxxxxxxxxxxx
2023/08/08 17:37:36 [INFO] [*.redacted.net] acme: Trying to solve DNS-01
2023/08/08 17:37:36 [INFO] [*.redacted.net] acme: Checking DNS record propagation using [1.1.1.1:53]
2023/08/08 17:37:38 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/08/08 17:37:41 [INFO] [*.redacted.net] The server validated our request
2023/08/08 17:37:41 [INFO] [*.redacted.net] acme: Cleaning DNS-01 challenge
2023/08/08 17:37:41 [INFO] [*.redacted.net] acme: Validations succeeded; requesting certificates
2023/08/08 17:37:42 [INFO] [*.redacted.net] Server responded with a certificate.

What did you see instead?

But a wildcard cert on a subdomain or nested subdomain (*.subdomain.redacted.net) does not work.

lego --accept-tos --email email@redacted.net --dns cloudflare --domains "*.subdomain.redacted.net" run
2023/08/08 17:32:57 [INFO] [*.subdomain.redacted.net] acme: Obtaining bundled SAN certificate
2023/08/08 17:32:58 [INFO] [*.subdomain.redacted.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/253210469496
2023/08/08 17:32:58 [INFO] [*.subdomain.redacted.net] acme: use dns-01 solver
2023/08/08 17:32:58 [INFO] [*.subdomain.redacted.net] acme: Preparing to solve DNS-01
2023/08/08 17:32:58 [INFO] [*.subdomain.redacted.net] acme: Cleaning DNS-01 challenge
2023/08/08 17:32:58 [WARN] [*.subdomain.redacted.net] acme: cleaning up failed: cloudflare: failed to find zone subdomain.redacted.net.: zone could not be found
2023/08/08 17:32:58 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/25321xxxxxxxx
2023/08/08 17:32:58 Could not obtain certificates:
    error: one or more domains had a problem:
[*.subdomain.redactednet] [*.subdomain.redacted.net] acme: error presenting token: cloudflare: failed to find zone subdomain.redacted.net.: zone could not be found

How do you use lego?

Binary

Reproduction steps

CLOUDFLARE_DNS_API_TOKEN=xxxxxxxxx lego --accept-tos --email email@redacted.net --dns cloudflare --domains "*.subdomain.redacted.net" run

Version of lego

lego version 4.13.3 linux/386

Logs

n/a

Go environment (if applicable)

n/a

deoxykev commented 1 year ago

So it turns out it is because I have a split DNS scenario where subdomain.redacted.net actually does have a SOA on my LAN, but not in Cloudflare, where the SOA would be at redacted.net. However, the program uses the internal DNS where subdomain.redacted.net has a SOA, making it think that the cloudflare zone it's supposed to operate on is subdomain.redacted.net instead of redacted.net.

Any way you could add in support to specify the zone by environment variable rather than dynamic SOA lookup?

Here's the relevant function: https://github.com/go-acme/lego/blob/master/providers/dns/cloudflare/cloudflare.go#L127

ldez commented 1 year ago

Hello,

Any way you could add in support to specify the zone by environment variable rather than dynamic SOA lookup?

lego is used as a CLI but also as a library, this kind of option can only work in a very specific use case related to CLI with only one zone. We will not add this option.

You can use --dns.resolvers to choose the right resolver. You can also use CNAME.

deoxykev commented 1 year ago

Thank you for reading and responding. The --dns.resolvers option worked for me.

If any one else comes across this issue, my working example is:

# Cloudflare API token permissions needed:
#   Zone / Zone / Read
#   Zone / DNS / Edit
# (placeholder token below; use your own)

export CLOUDFLARE_DNS_API_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/usr/local/bin/lego \
    --dns.resolvers 1.1.1.1 \
    --accept-tos \
    --email you@example.com \
    --dns cloudflare \
    --domains "*.subdomain.example.com" \
    run

# --dns.resolvers (the flag name used by lego) makes the zone (SOA) lookup go
# through the public resolver instead of the split-horizon LAN DNS, so the
# apex is found as example.com, the zone the Cloudflare token can actually edit.
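The following is an added illustration, not lego's own code and not posted by anyone in this thread, of the mechanism deoxykev describes (zone apex found by walking the name upward until an SOA answers) and of why choosing a different resolver with --dns.resolvers fixes it. The function names (FindZoneByFQDN, ResolveProviderZone, ConstructedView), the two resolver "views" and the zone list the Cloudflare token can see are all assumptions constructed for the example; a real implementation would send SOA queries to the resolver instead of consulting a map.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SOALookup reports whether the name owns an SOA record in one resolver's
// view of DNS. A real implementation would send an SOA query to that
// resolver; here it is a function type so two constructed views (LAN and
// public) can be compared offline.
type SOALookup func(fqdn string) (bool, error)

// ErrZoneNotFound is returned when no label of the name owns an SOA record.
var ErrZoneNotFound = errors.New("zone could not be found")

// ToFQDN appends the trailing dot that DNS zone names carry.
func ToFQDN(name string) string {
	if strings.HasSuffix(name, ".") {
		return name
	}
	return name + "."
}

// FindZoneByFQDN strips a leading wildcard label, then walks the name upward
// one label at a time and returns the first name that owns an SOA record
// according to the given resolver view. That name is the zone apex the
// DNS-01 solver will ask the provider to edit. (Assumption: this mirrors the
// apex-determination approach described in the issue, not lego's exact code.)
func FindZoneByFQDN(domain string, lookup SOALookup) (string, error) {
	name := ToFQDN(strings.TrimPrefix(domain, "*."))
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		ok, err := lookup(candidate)
		if err != nil {
			return "", err
		}
		if ok {
			return candidate, nil
		}
	}
	return "", ErrZoneNotFound
}

// ResolveProviderZone combines the resolver-side apex lookup with the
// provider-side zone check: the apex found via SOA must be a zone the
// provider account actually hosts, otherwise presenting the TXT record
// fails with a "failed to find zone" error like the one quoted in the issue.
func ResolveProviderZone(domain string, lookup SOALookup, providerZones []string) (string, error) {
	apex, err := FindZoneByFQDN(domain, lookup)
	if err != nil {
		return "", err
	}
	for _, z := range providerZones {
		if ToFQDN(z) == apex {
			return apex, nil
		}
	}
	return "", fmt.Errorf("failed to find zone %s: %w", apex, ErrZoneNotFound)
}

// ConstructedView builds a SOALookup from a list of zone apexes. This is
// constructed sample data standing in for answers from a real resolver.
func ConstructedView(zones ...string) SOALookup {
	owned := make(map[string]bool, len(zones))
	for _, z := range zones {
		owned[ToFQDN(z)] = true
	}
	return func(fqdn string) (bool, error) { return owned[fqdn], nil }
}

func main() {
	domain := "*.subdomain.example.com"
	cloudflareZones := []string{"example.com"} // constructed: zones the API token can see

	// Split-horizon LAN resolver: subdomain.example.com is delegated internally.
	lan := ConstructedView("example.com", "subdomain.example.com")
	// Public resolver (what --dns.resolvers 1.1.1.1 selects): the apex is example.com.
	public := ConstructedView("example.com")

	for name, view := range map[string]SOALookup{"lan": lan, "public": public} {
		zone, err := ResolveProviderZone(domain, view, cloudflareZones)
		fmt.Printf("%-6s resolver -> zone %q, err: %v\n", name, zone, err)
	}
}
```

Run against the LAN view, the walk stops at subdomain.example.com because the internal server answers an SOA there, and the provider check fails exactly as the log above shows; against the public view the walk continues to example.com, which the token can edit. The same walk is why a CNAME to a name in a zone the provider does host also works: the solver follows the CNAME before looking for the apex.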