go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

nifcloud: bug between v4.16.1 and v4.17.3 #2245

Open penM000 opened 3 weeks ago

penM000 commented 3 weeks ago

What did you expect to see?

As with v4.16.1, v4.17.3 and later versions can issue certificates.

What did you see instead?

The certificate was successfully issued in v4.16.1, but the handshake with “https://dns.api.nifcloud.com” fails in v4.17.3 and later versions.

How do you use lego?

Docker image

Reproduction steps

Verify that the certificate can be issued with v4.16.1.

```sh
export MAIL_ADDR=example@example.com
export NIFCLOUD_ACCESS_KEY_ID=<>
export NIFCLOUD_SECRET_ACCESS_KEY=<>
export DOMAIN=sub.example.nifcloud.net
export SAVE_DIR=/opt/lego
export LEGO_VERSION=v4.16.1
sudo docker run --rm --env NIFCLOUD_ACCESS_KEY_ID=$NIFCLOUD_ACCESS_KEY_ID --env NIFCLOUD_SECRET_ACCESS_KEY=$NIFCLOUD_SECRET_ACCESS_KEY -v $SAVE_DIR:/.lego goacme/lego:$LEGO_VERSION --dns nifcloud -a --email $MAIL_ADDR --domains $DOMAIN run
```

Verify that the certificate cannot be issued with v4.17.3.

```sh
export MAIL_ADDR=example@example.com
export NIFCLOUD_ACCESS_KEY_ID=<>
export NIFCLOUD_SECRET_ACCESS_KEY=<>
export DOMAIN=sub.example.nifcloud.net
export SAVE_DIR=/opt/lego
export LEGO_VERSION=v4.17.4
sudo docker run --rm --env NIFCLOUD_ACCESS_KEY_ID=$NIFCLOUD_ACCESS_KEY_ID --env NIFCLOUD_SECRET_ACCESS_KEY=$NIFCLOUD_SECRET_ACCESS_KEY -v $SAVE_DIR:/.lego goacme/lego:$LEGO_VERSION --dns nifcloud -a --email $MAIL_ADDR --domains $DOMAIN run
```

Version of lego

lego version 4.16.1 linux/amd64
lego version 4.17.3 linux/amd64

Logs

```
$ export LEGO_VERSION=v4.16.1
$ sudo docker run --rm --env NIFCLOUD_ACCESS_KEY_ID=$NIFCLOUD_ACCESS_KEY_ID --env NIFCLOUD_SECRET_ACCESS_KEY=$NIFCLOUD_SECRET_ACCESS_KEY -v $SAVE_DIR:/.lego goacme/lego:$LEGO_VERSION --dns nifcloud -a --email $MAIL_ADDR --domains $DOMAIN run
2024/08/21 06:39:06 [INFO] [sub.example.nifcloud.net] acme: Obtaining bundled SAN certificate
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/393043367796
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] acme: Could not find solver for: tls-alpn-01
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] acme: Could not find solver for: http-01
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] acme: use dns-01 solver
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] acme: Preparing to solve DNS-01
2024/08/21 06:39:09 [INFO] Wait for nifcloud [timeout: 2m0s, interval: 4s]
2024/08/21 06:39:09 [INFO] [sub.example.nifcloud.net] acme: Trying to solve DNS-01
2024/08/21 06:39:09 [INFO] [sub.example.nifcloud.net] acme: Checking DNS record propagation. [nameservers=8.8.8.8:53,8.8.4.4:53]
2024/08/21 06:39:11 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/21 06:39:11 [INFO] [sub.example.nifcloud.net] acme: Waiting for DNS record propagation.
2024/08/21 06:39:13 [INFO] [sub.example.nifcloud.net] acme: Waiting for DNS record propagation.
2024/08/21 06:39:16 [INFO] [sub.example.nifcloud.net] acme: Waiting for DNS record propagation.
2024/08/21 06:39:23 [INFO] [sub.example.nifcloud.net] The server validated our request
2024/08/21 06:39:23 [INFO] [sub.example.nifcloud.net] acme: Cleaning DNS-01 challenge
2024/08/21 06:39:25 [INFO] Wait for nifcloud [timeout: 2m0s, interval: 4s]
2024/08/21 06:39:26 [INFO] [sub.example.nifcloud.net] acme: Validations succeeded; requesting certificates
2024/08/21 06:39:27 [INFO] [sub.example.nifcloud.net] Server responded with a certificate.
```

```
$ export LEGO_VERSION=v4.17.3
$ sudo docker run --rm --env NIFCLOUD_ACCESS_KEY_ID=$NIFCLOUD_ACCESS_KEY_ID --env NIFCLOUD_SECRET_ACCESS_KEY=$NIFCLOUD_SECRET_ACCESS_KEY -v $SAVE_DIR:/.lego goacme/lego:$LEGO_VERSION --dns nifcloud -a --email $MAIL_ADDR --domains $DOMAIN run
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Obtaining bundled SAN certificate
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/393044192476
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Could not find solver for: tls-alpn-01
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Could not find solver for: http-01
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: use dns-01 solver
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Preparing to solve DNS-01
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Cleaning DNS-01 challenge
2024/08/21 06:41:46 [WARN] [sub.example.nifcloud.net] acme: cleaning up failed: nifcloud: failed to change record set: unable to communicate with the API server: error: Post "https://dns.api.nifcloud.com/2012-12-12N2013-12-16/hostedzone/example.nifcloud.net/rrset": remote error: tls: handshake failure
2024/08/21 06:41:46 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/393044192476
2024/08/21 06:41:46 Could not obtain certificates: error: one or more domains had a problem:
[sub.example.nifcloud.net] [sub.example.nifcloud.net] acme: error presenting token: nifcloud: failed to change record set: unable to communicate with the API server: error: Post "https://dns.api.nifcloud.com/2012-12-12N2013-12-16/hostedzone/example.nifcloud.net/rrset": remote error: tls: handshake failure
```

Go environment (if applicable)

```console
$ go version && go env
# paste output here
```

ldez commented 3 weeks ago

Hello,

there is no change between v4.16.1 and v4.17.3 on the nifcloud package.

https://github.com/go-acme/lego/compare/v4.16.1...v4.17.3

The only change is the Go version used to compile, so I guess the nifcloud certificates have an issue.

penM000 commented 3 weeks ago

Hello.

We have confirmed the changes due to the Go version change (https://tip.golang.org/doc/go1.22).

We have confirmed the following description:

> By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes. [...] reverted with the tlsrsakex=1 GODEBUG setting.

We have run “https://www.ssllabs.com/ssltest/” against “https://dns.api.nifcloud.com” and obtained the following results.

We expect this is due to a TLS cipher suite limitation caused by the Go version change, not the certificate.

(screenshot of the SSL Labs result for dns.api.nifcloud.com)
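The Go 1.22 behaviour described in the comment above can be reproduced offline. The following is an added example, not code from lego or from this thread: an in-memory TLS 1.2 server that, like the API endpoint in the logs, offers only an RSA key-exchange suite, dialled once with Go's default cipher suites and once with that suite listed explicitly. The certificate, the name `rsa-kex-demo` and the helper names are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const RSAKex = tls.TLS_RSA_WITH_AES_128_GCM_SHA256 // RSA kex, no ECDHE: gone from Go 1.22 defaults

// serverSide mimics the issue's API: TLS 1.2, RSAKex only, a throwaway self-signed RSA cert.
func serverSide() (*tls.Config, *x509.CertPool) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // constructed fixture: failing here is a bug in the demo itself
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"rsa-kex-demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the client trusts exactly this one certificate
	pool.AddCert(leaf)
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{RSAKex}}, pool
}

// Handshake runs one in-memory handshake. suites == nil is Go's default list (no RSA kex since
// 1.22, so the server sends handshake_failure); listing RSAKex is the per-client GODEBUG=tlsrsakex=1.
func Handshake(suites []uint16) error {
	srvCfg, pool := serverSide()
	sc, cc := net.Pipe() // closing the raw ends avoids close_notify blocking on the pipe
	srv := tls.Server(sc, srvCfg)
	cli := tls.Client(cc, &tls.Config{RootCAs: pool, ServerName: "rsa-kex-demo", CipherSuites: suites})
	go func() { srv.Handshake(); sc.Close() }()
	defer cc.Close()
	return cli.Handshake()
}

func main() {
	fmt.Println("default suites  :", Handshake(nil))
	fmt.Println("explicit RSA kex:", Handshake([]uint16{RSAKex}))
}
```

On Go 1.22 or later the first call returns `remote error: tls: handshake failure`, the same error as in the v4.17.3 log, and the second succeeds. Because GODEBUG is read at run time, an unmodified binary can be given `GODEBUG=tlsrsakex=1` in its environment as a stopgap; that re-enables non-forward-secret RSA key exchange for every connection the process makes, so the durable fix is for the API server to offer ECDHE suites.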

ldez commented 3 weeks ago

So, as I expressed in my first comment, this is a problem with Nifcloud itself. I don't think we will compile lego with tlsrsakex=1 just for nifcloud.