Closed TTomczek closed 5 months ago
@jankatins @AlexH-HankIT can you check that?
The lego command is not available in the traefik docker image.
Traefik and lego are written in Go, it's a compiled language, so dependencies are not executable (it's not Python).
@TTomczek can you try lego directly? https://go-acme.github.io/lego/installation/
@ldez I tried it with the lego docker image using the following command:
docker run --rm -e IONOS_API_KEY=<API_KEY> goacme/lego --accept-tos --email="me@example.com" --dns ionos --domains="*.example.com" --server="https://acme-staging-v02.api.letsencrypt.org/directory" --dns.resolvers="ns1***.ui-dns.com" run
After I successfully requested the certificate and waited 45 minutes, the record is still there.
Logs:
I can confirm this: I use traefik to create lets encrypt certs against my ionos hosted domain and I have a ton of
_acme-challenge.<subdomain>
in my TXT records for my domain.
@jankatins can you try my PR #2083? The PR doesn't fix the problem but it will help to diagnose.
@jankatins have you tried my PR?
@TTomczek if I explain how to build the PR, can you test it?
Here you go:
λ git pr 2083 # checks out the PR #2083
λ make build
# Redacted real email and domain
λ IONOS_API_KEY="<key>" dist/lego --accept-tos --email="email@example.com" --dns ionos --domains="*.invalid.example.com" --server="https://acme-staging-v02.api.letsencrypt.org/directory" run
2024/01/17 17:26:32 No key found for account email@example.com. Generating a P256 key.
2024/01/17 17:26:32 Saved key to /home/jan/projects/lego/.lego/accounts/acme-staging-v02.api.letsencrypt.org/email@example.com/keys/email@example.com.key
2024/01/17 17:26:33 [INFO] acme: Registering account for email@example.com
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/jan/projects/lego/.lego/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/01/17 17:26:33 [INFO] [*.invalid.example.com] acme: Obtaining bundled SAN certificate
2024/01/17 17:26:34 [INFO] [*.invalid.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10666513264
2024/01/17 17:26:34 [INFO] [*.invalid.example.com] acme: use dns-01 solver
2024/01/17 17:26:34 [INFO] [*.invalid.example.com] acme: Preparing to solve DNS-01
2024/01/17 17:26:37 [INFO] [*.invalid.example.com] acme: Trying to solve DNS-01
2024/01/17 17:26:37 [INFO] [*.invalid.example.com] acme: Checking DNS record propagation using [100.100.100.100:53]
2024/01/17 17:26:39 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/01/17 17:26:39 [INFO] [*.invalid.example.com] acme: Waiting for DNS record propagation.
2024/01/17 17:27:04 [INFO] [*.invalid.example.com] The server validated our request
2024/01/17 17:27:04 [INFO] [*.invalid.example.com] acme: Cleaning DNS-01 challenge
2024/01/17 17:27:06 [INFO] Name: _acme-challenge.invalid.example.com, Content: "...."
2024/01/17 17:27:06 [WARN] [*.invalid.example.com] acme: cleaning up failed: ionos: failed to remove record (zone=d6e2815f-4fe7-11eb-857e-0a58644464b1, domain=invalid.example.com, fqdn=_acme-challenge.invalid.example.com., value=...): %!w(<nil>)
2024/01/17 17:27:06 [INFO] [*.invalid.example.com] acme: Validations succeeded; requesting certificates
2024/01/17 17:27:06 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2024/01/17 17:27:07 [INFO] [*.invalid.example.com] Server responded with a certificate.
The relevant line again with added line breaks:
2024/01/17 17:27:06 [WARN] [*.invalid.example.com] acme: cleaning up failed: ionos: failed to remove record
(zone=d6e2815f-4fe7-11eb-857e-0a58644464b1, domain=invalid.example.com,
fqdn=_acme-challenge.invalid.example.com., value=...): %!w(<nil>)
@jankatins thank you.
Based on your logs, I think I found the problem: the record content/value has quotes when coming from the API ("....")
[INFO] Name: _acme-challenge.invalid.example.com, Content: "...."
domain=invalid.example.com, fqdn=_acme-challenge.invalid.example.com., value=...)
I updated the PR, can you try it?
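The mismatch described above (the API returns the TXT content wrapped in double quotes, so a literal comparison against the challenge value never matches and the record is never deleted), shown as an added example in Go. This is illustrative code written for this thread, not lego's or IONOS's provider code; the `Record` type, the sample records and the function names are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a minimal stand-in for a TXT record as returned by a DNS API
// (constructed for this example; not lego's or IONOS's real types).
type Record struct {
	ID      string
	Type    string
	Name    string
	Content string
}

// normalizeTXT strips the surrounding double quotes that some DNS APIs add
// around TXT content, so `"token"` and `token` compare equal.
func normalizeTXT(s string) string {
	return strings.Trim(strings.TrimSpace(s), `"`)
}

// findChallengeRecord returns the ID of the TXT record matching the
// challenge FQDN and value. Comparing the quote-stripped content is what
// avoids the "failed to remove record" miss seen in the first log above.
func findChallengeRecord(records []Record, fqdn, value string) (string, error) {
	want := normalizeTXT(value)
	name := strings.TrimSuffix(fqdn, ".")
	for _, r := range records {
		if r.Type != "TXT" || strings.TrimSuffix(r.Name, ".") != name {
			continue
		}
		if normalizeTXT(r.Content) == want {
			return r.ID, nil
		}
	}
	// Return a real error here: wrapping a nil error with %w is what prints
	// as "%!w(<nil>)" in the first log, which hides the actual cause.
	return "", fmt.Errorf("ionos: txt record %s with value %q not found", fqdn, value)
}

func main() {
	// Constructed sample: the API echoes the value back with quotes.
	recs := []Record{{ID: "r1", Type: "TXT", Name: "_acme-challenge.invalid.example.com", Content: `"token123"`}}
	id, err := findChallengeRecord(recs, "_acme-challenge.invalid.example.com.", "token123")
	fmt.Println(id, err) // r1 <nil>
}
```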
Looks better:
~/projects/lego on pr/2083:refs/pull/2083/head (025621a0) took 29s
[18:13:16] λ IONOS_API_KEY="key" dist/lego --accept-tos --email="email@example.com" --dns ionos --domains="*.invalid1.example.com" --server="https://acme-staging-v02.api.letsencrypt.org/directory" run
2024/01/17 18:13:34 [INFO] [*.invalid1.example.com] acme: Obtaining bundled SAN certificate
2024/01/17 18:13:35 [INFO] [*.invalid1.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10667079314
2024/01/17 18:13:35 [INFO] [*.invalid1.example.com] acme: use dns-01 solver
2024/01/17 18:13:35 [INFO] [*.invalid1.example.com] acme: Preparing to solve DNS-01
2024/01/17 18:13:37 [INFO] [*.invalid1.example.com] acme: Trying to solve DNS-01
2024/01/17 18:13:37 [INFO] [*.invalid1.example.com] acme: Checking DNS record propagation using [100.100.100.100:53]
2024/01/17 18:13:39 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/01/17 18:14:03 [INFO] [*.invalid1.example.com] The server validated our request
2024/01/17 18:14:03 [INFO] [*.invalid1.example.com] acme: Cleaning DNS-01 challenge
2024/01/17 18:14:07 [INFO] Name: _acme-challenge.invalid1.example.com, Content: "...."
2024/01/17 18:14:07 [INFO] [*.invalid1.example.com] acme: Validations succeeded; requesting certificates
2024/01/17 18:14:08 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2024/01/17 18:14:08 [INFO] [*.invalid1.example.com] Server responded with a certificate.
Thank you again, the PR is ready now.
Just deleted 130 challenges for ~3 subdomains :-)
Welcome
What did you expect to see?
Removal of the created _acme_challenge DNS records after successful validation.
What did you see instead?
After the successful validation of the dns01-challenge, the created TXT _acme_challenge records are not removed, even though the logs state "[INFO] [traefik.example.com] acme: Cleaning DNS-01 challenge". After waiting two hours, the IONOS web UI still shows the records. The same procedure with certbot/dns-ionos removes the records immediately.
How do you use lego?
Through Traefik
Reproduction steps
Version of lego
Logs
Go environment (if applicable)