go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Error during automated certificate renewal wildcard letsencrypt #2120

Closed Potusek closed 7 months ago

Potusek commented 7 months ago

What did you expect to see?

LetsEncrypt request successful

What did you see instead?

Failed to issue new certificate

How do you use lego?

Binary

Reproduction steps

Several domains have been configured in DirectAdmin for several years, and the problems probably appeared with version lego_v4.14.2-SNAPSHOT-cd63b325_linux_amd64.tar.gz; a newer version is not yet available for DA.

DNS Zone in ovh

```console
$TTL 3600
@       IN SOA dns14.ovh.net. tech.ovh.net. (2024020200 86400 3600 3600000 60)
        IN NS dns14.ovh.net.
        IN NS ns14.ovh.net.
        IN MX 10 wawer-plaza.com.pl.
    60  IN A 146.59.66.209
    60  IN CAA 0 issuewild "letsencrypt.org"
*   60  IN CNAME wawer-plaza.com.pl.
```

Version of lego

lego version 4.14.2-SNAPSHOT-cd63b325 linux/amd64

Logs

```console
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2024/02/24 00:11:52 [INFO] [*.wawer-plaza.com.pl, wawer-plaza.com.pl] acme: Obtaining SAN certificate
2024/02/24 00:11:53 [INFO] [*.wawer-plaza.com.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169577
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169587
2024/02/24 00:11:53 [INFO] [*.wawer-plaza.com.pl] acme: use dns-01 solver
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: Could not find solver for: tls-alpn-01
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: Could not find solver for: http-01
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: use dns-01 solver
2024/02/24 00:11:53 [INFO] [*.wawer-plaza.com.pl] acme: Preparing to solve DNS-01
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.wawer-plaza.com.pl.": "wawer-plaza.com.pl."
2024/02/24 00:11:53 refusing to create DNS challenge record 'wawer-plaza.com.pl', missing _acme-challenge prefix
2024/02/24 00:11:53 [INFO] [*.wawer-plaza.com.pl] acme: Cleaning DNS-01 challenge
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.wawer-plaza.com.pl.": "wawer-plaza.com.pl."
2024/02/24 00:11:53 refusing to remove DNS challenge record 'wawer-plaza.com.pl', missing _acme-challenge prefix
2024/02/24 00:11:53 [WARN] [*.wawer-plaza.com.pl] acme: cleaning up failed: exec: exit status 1
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: Preparing to solve DNS-01
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.wawer-plaza.com.pl.": "wawer-plaza.com.pl."
2024/02/24 00:11:53 refusing to create DNS challenge record 'wawer-plaza.com.pl', missing _acme-challenge prefix
2024/02/24 00:11:53 [INFO] [wawer-plaza.com.pl] acme: Cleaning DNS-01 challenge
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.wawer-plaza.com.pl.": "wawer-plaza.com.pl."
2024/02/24 00:11:53 refusing to remove DNS challenge record 'wawer-plaza.com.pl', missing _acme-challenge prefix
2024/02/24 00:11:53 [WARN] [wawer-plaza.com.pl] acme: cleaning up failed: exec: exit status 1
2024/02/24 00:11:53 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169577
2024/02/24 00:11:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169587
2024/02/24 00:11:54 Could not obtain certificates:
error: one or more domains had a problem:
[*.wawer-plaza.com.pl] [*.wawer-plaza.com.pl] acme: error presenting token: exec: exit status 1
[wawer-plaza.com.pl] [wawer-plaza.com.pl] acme: error presenting token: exec: exit status 1
Failed to issue new certificate
```

ldez commented 7 months ago

Hello,

> lego_v4.14.2-SNAPSHOT-cd63b325_linux_amd64.tar.gz - a newer version is not yet available for DA

lego v4.15.0 has been available for one month; can you try it?

ldez commented 7 months ago

Can you provide more explanation about your context? What was the version of the latest working lego? You are using a CNAME, do you have the right entry for ACME? Since v4.9, the CNAMEs are followed by default. You can disable the CNAME support by setting the env var LEGO_DISABLE_CNAME_SUPPORT to true.

cd63b325 is a dangling commit, related to nothing in the lego tree, so you are using a custom version based on PR #1501. What is the link between DirectAdmin and this PR?
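The behaviour ldez describes (CNAMEs on `_acme-challenge.<domain>` followed by default since v4.9) is exactly what the zone above trips over: the `*` CNAME matches `_acme-challenge.wawer-plaza.com.pl` and points it at the apex, which carries no `_acme-challenge` prefix, so a hook that only writes challenge records refuses. The following Go program is an added example, not lego's code: it models the posted zone in memory with simplified RFC 4592 wildcard matching, follows the CNAME the way the log shows, and reproduces the refusal, then shows the two ways out: disabling CNAME following, or adding an explicit `_acme-challenge` CNAME that shadows the wildcard. The `acme.example` delegation target and the ten-hop limit are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is one resource record of the constructed in-memory zone.
type Record struct {
	Name  string // owner name, fully qualified with trailing dot
	Type  string // A, CAA, CNAME, ...
	Value string // RDATA as text
}

// Zone is a teaching stand-in for an authoritative zone; it is not lego's
// resolver and performs no network I/O.
type Zone []Record

// fqdn lower-cases a name and guarantees a trailing dot.
func fqdn(s string) string {
	s = strings.ToLower(s)
	if !strings.HasSuffix(s, ".") {
		s += "."
	}
	return s
}

// exists reports whether any record has this exact owner name.
func (z Zone) exists(name string) bool {
	for _, r := range z {
		if r.Name == name {
			return true
		}
	}
	return false
}

// records returns the records of one type at an exact owner name.
func (z Zone) records(name, rtype string) []Record {
	var out []Record
	for _, r := range z {
		if r.Name == name && r.Type == rtype {
			out = append(out, r)
		}
	}
	return out
}

// lookup applies simplified RFC 4592 wildcard matching: an exact owner name
// wins; otherwise the closest existing ancestor is found and "*.<ancestor>"
// is consulted. An existing node with no record of the wanted type yields
// nothing (no wildcard fallback), which is why an explicit _acme-challenge
// record shadows a "*" CNAME.
func (z Zone) lookup(name, rtype string) []Record {
	name = fqdn(name)
	if z.exists(name) {
		return z.records(name, rtype)
	}
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := 1; i < len(labels); i++ {
		ancestor := strings.Join(labels[i:], ".") + "."
		if z.exists(ancestor) {
			return z.records("*."+ancestor, rtype)
		}
	}
	return nil
}

// challengeName is the dns-01 owner name for an identifier: the "*." of a
// wildcard identifier is dropped, so *.example and example share one name.
func challengeName(domain string) string {
	return "_acme-challenge." + fqdn(strings.TrimPrefix(domain, "*."))
}

// resolveChallengeTarget returns the name a dns-01 TXT record would be written
// to. With followCNAME it chases CNAMEs as lego does by default since v4.9
// (LEGO_DISABLE_CNAME_SUPPORT unset); the hop limit is this example's own.
func resolveChallengeTarget(z Zone, domain string, followCNAME bool) (string, error) {
	name := challengeName(domain)
	if !followCNAME {
		return name, nil
	}
	for hop := 0; hop < 10; hop++ {
		cn := z.lookup(name, "CNAME")
		if len(cn) == 0 {
			return name, nil
		}
		name = fqdn(cn[0].Value)
	}
	return "", fmt.Errorf("CNAME chain too long starting at %s", challengeName(domain))
}

// checkPrefix reproduces the refusal seen in the issue's log: a hook that only
// writes _acme-challenge records must not be handed the apex, where a TXT
// record would sit beside real records (a reimplementation, not lego's code).
func checkPrefix(target string) error {
	if !strings.HasPrefix(target, "_acme-challenge.") {
		return fmt.Errorf("refusing to create DNS challenge record '%s', missing _acme-challenge prefix",
			strings.TrimSuffix(target, "."))
	}
	return nil
}

// postedZone mirrors the records shown in the issue (SOA/NS/MX omitted).
var postedZone = Zone{
	{"wawer-plaza.com.pl.", "A", "146.59.66.209"},
	{"wawer-plaza.com.pl.", "CAA", `0 issuewild "letsencrypt.org"`},
	{"*.wawer-plaza.com.pl.", "CNAME", "wawer-plaza.com.pl."},
}

// delegatedZone adds a hypothetical explicit delegation of the challenge name;
// acme.example is an assumed target, not something from the issue.
var delegatedZone = append(Zone{
	{"_acme-challenge.wawer-plaza.com.pl.", "CNAME", "_acme-challenge.acme.example."},
}, postedZone...)

func main() {
	for _, c := range []struct {
		label  string
		zone   Zone
		follow bool
	}{
		{"posted zone, CNAME following on (lego default)", postedZone, true},
		{"posted zone, LEGO_DISABLE_CNAME_SUPPORT=true", postedZone, false},
		{"explicit _acme-challenge CNAME, following on", delegatedZone, true},
	} {
		target, err := resolveChallengeTarget(c.zone, "*.wawer-plaza.com.pl", c.follow)
		if err == nil {
			err = checkPrefix(target)
		}
		fmt.Printf("%-48s -> %s (%v)\n", c.label, target, err)
	}
}
```

The third case is the one to prefer over disabling CNAME support: an explicit `_acme-challenge` CNAME to a zone the ACME hook is allowed to write keeps the wildcard CNAME for everything else and keeps the hook's refusal to touch the apex intact.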

Potusek commented 7 months ago

I store the DNS zone in OVH and have minimal entries (which have worked so far), i.e.:

```console
domain.com.    A      123.123.123.123
*.domain.com.  CNAME  domain.com.
```

The detailed subdomains are described in the DNS zone managed by DirectAdmin, mostly within one IP address.

After adding LEGO_DISABLE_CNAME_SUPPORT=true it returned to the original functioning, i.e. I get the wildcard certificate. Now it remains to "convince" DirectAdmin to set such a variable permanently.

So, it is indeed not a bug.