go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License
7.91k stars 1.01k forks

Help with Bunny DNS / Lego / Traefik setup #2069

Closed Blu3wolf closed 9 months ago

Blu3wolf commented 9 months ago

Welcome

What did you expect to see?

Traefik generating LE certificates

What did you see instead?

Traefik getting stuck on "acme: Waiting for DNS record propagation. lib=lego"

After time passes:

Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [teale.cloud *.teale.cloud]: error: one or more domains had a problem:
[*.teale.cloud] propagation: time limit exceeded: last error: NS kiki.bunny.net. did not return the expected TXT record

How do you use lego?

Through Traefik

Reproduction steps

docker compose up -d

version: '3.4'
services:
  reverse-proxy:
    image: traefik:v3.0
    container_name: traefik
    command: 
      - --log.level=DEBUG
      - --accesslog=true
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=blue_traefik
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.myresolver.acme.email=bill@auspilot.net
      - --certificatesresolvers.myresolver.acme.storage=acme.json
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=bunny
      # - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=kiki.bunny.net:53,coco.bunny.net:53
      - --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
      - --certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=false
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    environment:
      BUNNY_API_KEY: long-string-of-letters-and-numbers
      BUNNY_TTL: 60
      BUNNY_PROPAGATION_TIMEOUT: 180
      BUNNY_POLLING_INTERVAL: 5
      LEGO_DISABLE_CNAME_SUPPORT: true
    networks:
      - traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.rule=Host(`traefik.teale.cloud`)'
      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
    restart: unless-stopped
  nginx:
    image: nginxinc/nginx-unprivileged
    container_name: nginx
    restart: unless-stopped
    networks:
      - traefik
    volumes:
      - './web/src:/usr/share/nginx/html'
      - './web/nginx.conf:/etc/nginx/nginx.conf:ro'
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.nginx.rule=Host(`www.teale.cloud`)'
      - 'traefik.http.routers.nginx.tls=true'
      - 'traefik.http.routers.nginx.tls.certresolver=myresolver'
      - 'traefik.http.routers.nginx.tls.domains[0].main=teale.cloud'
      - 'traefik.http.routers.nginx.tls.domains[0].sans=*.teale.cloud'
      - 'traefik.http.services.nginx.loadbalancer.server.port=8080'

Host is pointing to router for DNS, router is pointing to quad9 (9.9.9.9).

$ dig www.teale.cloud

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> www.teale.cloud
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5871
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.teale.cloud.               IN      A

;; ANSWER SECTION:
www.teale.cloud.        18000   IN      CNAME   teale.cloud.
teale.cloud.            1318    IN      A       122.148.255.108

;; Query time: 64 msec
;; SERVER: 192.168.50.1#53(192.168.50.1) (UDP)
;; WHEN: Sat Dec 16 17:20:20 AWST 2023
;; MSG SIZE  rcvd: 74

$ dig _acme-challenge.teale.cloud

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> _acme-challenge.teale.cloud
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55444
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.teale.cloud.   IN      A

;; ANSWER SECTION:
_acme-challenge.teale.cloud. 18000 IN   CNAME   teale.cloud.
teale.cloud.            1060    IN      A       122.148.255.108

;; Query time: 64 msec
;; SERVER: 192.168.50.1#53(192.168.50.1) (UDP)
;; WHEN: Sat Dec 16 17:24:38 AWST 2023
;; MSG SIZE  rcvd: 86

$ dig _acme-challenge.teale.cloud TXT @kiki.bunny.net

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> _acme-challenge.teale.cloud TXT @kiki.bunny.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40656
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.teale.cloud.   IN      TXT

;; ANSWER SECTION:
_acme-challenge.teale.cloud. 18000 IN   CNAME   teale.cloud.
_acme-challenge.teale.cloud. 60 IN      TXT     "correct-letters-and-numbers"
_acme-challenge.teale.cloud. 60 IN      TXT     "different-correct-letters-and-numbers"

;; Query time: 12 msec
;; SERVER: 91.200.176.1#53(kiki.bunny.net) (UDP)
;; WHEN: Sat Dec 16 17:25:03 AWST 2023
;; MSG SIZE  rcvd: 193

I also asked for help at Traefik's forum: https://community.traefik.io/t/dns-01-challenge-fails/20792/10

Looking at the three other issues here related to Bunny, it seems like it's working aside from not propagating the records to other DNS servers. I'm not sure how to troubleshoot this and would really appreciate any advice - even if the advice is "try some other provider". I only signed up with Bunny (free DNS trial) yesterday as my existing DNS provider does not have an API at all.

Version of lego

-bash: lego: command not found

Logs

> Adding route for www.teale.cloud with TLS options default entryPointName=web
2023-12-16T09:22:12Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for www.teale.cloud with TLS options default entryPointName=websecure
2023-12-16T09:22:12Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:849 > Looking for provided certificate(s) to validate ["teale.cloud" "*.teale.cloud"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=myresolver.acme
2023-12-16T09:22:12Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:893 > No ACME certificate generation required for domains ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["teale.cloud","*.teale.cloud"] providerName=myresolver.acme
2023-12-16T09:22:15Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] Wait for propagation [timeout: 3m0s, interval: 5s] lib=lego
[INFO] [teale.cloud] acme: Waiting for DNS record propagation. lib=lego
....................................................................................
[INFO] [teale.cloud] acme: Waiting for DNS record propagation. lib=lego
2023-12-16T09:11:48Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [*.teale.cloud] acme: Cleaning DNS-01 challenge lib=lego
2023-12-16T09:11:49Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [teale.cloud] acme: Cleaning DNS-01 challenge lib=lego
2023-12-16T09:11:51Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10077689364 lib=lego
2023-12-16T09:11:51Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10077689374 lib=lego
2023-12-16T09:11:51Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:472 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [teale.cloud *.teale.cloud]: error: one or more domains had a problem:\n[*.teale.cloud] propagation: time limit exceeded: last error: NS kiki.bunny.net. did not return the expected TXT record [fqdn: teale.cloud., value: uQERPcD-WE4oTha15oplAI1wteLOJNu02v-fnRJC5ng]: \n[teale.cloud] propagation: time limit exceeded: last error: NS kiki.bunny.net. did not return the expected TXT record [fqdn: teale.cloud., value: Q95VUKhoAvb4WpAsqUCgbOpNa4-rK8a_ZtGPfliAmN0]: \n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["teale.cloud","*.teale.cloud"] providerName=myresolver.acme routerName=nginx@docker rule=Host(`www.teale.cloud`)

Go environment (if applicable)

No response

Blu3wolf commented 9 months ago

This seems unlikely to be a bug with lego as far as I can see. I tried removing the wildcard CNAME record and this has stopped the endless wait for propagation.

It then choked on a SERVFAIL when it went for the CAA record (which didn't exist). I tried adding a CAA record and this worked.
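The failure in the first post and the fix in the follow-up comment, as an added Go example that is not part of lego, Traefik or this issue: a toy in-memory zone and resolver cache showing how a wildcard CNAME at the apex turns the `_acme-challenge` label into an alias of `teale.cloud.`, so the TXT record is looked for at the wrong name. The zone records mirror the dig output above; the token, the cache model and `checkPropagation` (which only models the shape of lego's pre-check, recursive lookup first, CNAME rewrite, then the authoritative TXT query) are assumptions constructed for this example and are not lego's code.

```go
package main

import (
	"fmt"
	"strings"
)

// rr is one record in a constructed toy zone; owner names are fully qualified.
type rr struct{ name, typ, value string }

// zone is an in-memory stand-in for the domain's authoritative name server.
type zone []rr

// token is a constructed placeholder for the DNS-01 challenge value.
const token = "constructed-token-not-a-real-challenge-value"

// lookup returns the records of type typ at name plus any CNAME there, under a
// simplified RFC 1034/4592 rule: an existing owner name wins even with no record
// of the asked type; otherwise the closest enclosing wildcard is synthesised.
func (z zone) lookup(name, typ string) (answers []rr, cname string) {
	owner, parent := name, name
	for {
		found := false
		for _, r := range z {
			if r.name != owner {
				continue
			}
			found = true
			if r.typ == "CNAME" {
				cname = r.value
			} else if r.typ == typ {
				answers = append(answers, rr{name, r.typ, r.value})
			}
		}
		dot := strings.Index(parent, ".")
		if found || dot < 0 || dot == len(parent)-1 { // matched, or reached the root
			return answers, cname
		}
		parent = parent[dot+1:]
		owner = "*." + parent
	}
}

// checkPropagation models the shape of lego's DNS-01 pre-check (written for this
// example, not lego's code): resolve _acme-challenge.<domain> at the recursive
// resolver, rewrite the name to the target if that answer holds a CNAME for it,
// then ask the authoritative zone for the TXT record there and compare the token.
// cache stands in for the recursive resolver's cache (name -> CNAME target).
func checkPropagation(z zone, cache map[string]string, domain string) (bool, string) {
	fqdn := "_acme-challenge." + domain + "."
	if target, ok := cache[fqdn]; ok {
		fqdn = target
	}
	answers, cname := z.lookup(fqdn, "TXT")
	for hop := 0; cname != "" && hop < 8; hop++ { // bounded alias chasing, as resolvers do
		fqdn = cname
		answers, cname = z.lookup(fqdn, "TXT")
	}
	for _, a := range answers {
		if a.value == token {
			return true, fqdn
		}
	}
	return false, fqdn
}

// constructedZone mirrors the records in the issue's dig output: the apex A
// record, optionally the wildcard CNAME, and optionally the challenge TXT.
func constructedZone(wildcard, txtPublished bool) zone {
	z := zone{{"teale.cloud.", "A", "122.148.255.108"}}
	if wildcard {
		z = append(z, rr{"*.teale.cloud.", "CNAME", "teale.cloud."})
	}
	if txtPublished {
		z = append(z, rr{"_acme-challenge.teale.cloud.", "TXT", token})
	}
	return z
}

// staleCache models a recursive resolver that looked name up before the TXT was
// published, when only the wildcard could match, and cached that CNAME (TTL 18000 s above).
func staleCache(wildcard bool, name string) map[string]string {
	cache := map[string]string{}
	if _, cname := constructedZone(wildcard, false).lookup(name, "TXT"); cname != "" {
		cache[name] = cname
	}
	return cache
}

func main() {
	name := "_acme-challenge.teale.cloud."
	for _, wildcard := range []bool{true, false} {
		cache := staleCache(wildcard, name)
		ok, reached := checkPropagation(constructedZone(wildcard, true), cache, "teale.cloud")
		fmt.Printf("wildcard=%-5v cached CNAME=%q -> TXT checked at %s, token found=%v\n",
			wildcard, cache[name], reached, ok)
	}
}
```

With the wildcard in place the check ends up at `teale.cloud.`, the same fqdn the error message on the page reports, and finds no TXT record there; without the wildcard the exact `_acme-challenge` owner is reached and the token matches. The model also shows why the problem outlives the fix in DNS: any resolver that answered the challenge name before the TXT record existed keeps the synthesised CNAME for its full TTL, so a propagation timeout shorter than that TTL cannot succeed through that resolver. The CAA SERVFAIL from the follow-up comment is a separate lookup and is not modelled here.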