go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Inconsistent behavior in _acme-challenge record creation for desec.io - domain name detection seems to fail #2353

Open hcc23 opened 4 hours ago

hcc23 commented 4 hours ago


What did you expect to see?

I expect to see a consistent behavior when using the DNS provider desec.io, no matter the domain name.

In detail, the initial output (when using the docker image) of

docker run --env-file .env goacme/lego --accept-tos --dns desec --email acme@mydomain.de --domains mydomain.de --domains '*.mydomain.de' run

should be the same, no matter what mydomain.de is (ok, granted that its DNS is hosted at desec.io)

What did you see instead?

I tried this with two of my domains: enc0.de and dadac0.de. Both have their DNS provided by desec.io.

For enc0.de lego tries to set up _acme-challenge as a TXT record for enc0.de, for dadac0.de lego tries to set up _acme-challenge.dadac0 as a TXT record for de.

As expected, that last one doesn't really work ;)

Trial 1: for enc0.de

❯ docker run --env-file .env goacme/lego --accept-tos --dns desec --email acme@dadac0.de --domains enc0.de --domains '*.enc0.de' run
2024/11/17 14:27:44 No key found for account acme@dadac0.de. Generating a P256 key.
2024/11/17 14:27:44 Saved key to /.lego/accounts/acme-v02.api.letsencrypt.org/acme@dadac0.de/keys/acme@dadac0.de.key
2024/11/17 14:27:45 [INFO] acme: Registering account for acme@dadac0.de
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/11/17 14:27:45 [INFO] [enc0.de, *.enc0.de] acme: Obtaining bundled SAN certificate
2024/11/17 14:27:46 [INFO] [*.enc0.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/431479628587
2024/11/17 14:27:46 [INFO] [enc0.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/431479628597
2024/11/17 14:27:46 [INFO] [*.enc0.de] acme: use dns-01 solver
2024/11/17 14:27:46 [INFO] [enc0.de] acme: Could not find solver for: tls-alpn-01
2024/11/17 14:27:46 [INFO] [enc0.de] acme: Could not find solver for: http-01
2024/11/17 14:27:46 [INFO] [enc0.de] acme: use dns-01 solver
2024/11/17 14:27:46 [INFO] [*.enc0.de] acme: Preparing to solve DNS-01
2024/11/17 14:27:46 [DEBUG] GET https://desec.io/api/v1/domains/enc0.de/rrsets/_acme-challenge/TXT/
2024/11/17 14:27:46 [DEBUG] PATCH https://desec.io/api/v1/domains/enc0.de/rrsets/_acme-challenge/TXT/
2024/11/17 14:27:46 [INFO] [enc0.de] acme: Preparing to solve DNS-01
2024/11/17 14:27:46 [DEBUG] GET https://desec.io/api/v1/domains/enc0.de/rrsets/_acme-challenge/TXT/
2024/11/17 14:27:46 [DEBUG] PATCH https://desec.io/api/v1/domains/enc0.de/rrsets/_acme-challenge/TXT/
2024/11/17 14:27:46 [INFO] [*.enc0.de] acme: Trying to solve DNS-01
2024/11/17 14:27:46 [INFO] [*.enc0.de] acme: Checking DNS record propagation. [nameservers=192.168.71.2:53]
2024/11/17 14:27:50 [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]
....

Trial 2: for dadac0.de

❯ docker run --env-file .env goacme/lego --accept-tos --dns desec --email acme@dadac0.de --domains dadac0.de --domains '*.dadac0.de' run
2024/11/17 14:29:07 No key found for account acme@dadac0.de. Generating a P256 key.
2024/11/17 14:29:07 Saved key to /.lego/accounts/acme-v02.api.letsencrypt.org/acme@dadac0.de/keys/acme@dadac0.de.key
2024/11/17 14:29:07 [INFO] acme: Registering account for acme@dadac0.de
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/11/17 14:29:08 [INFO] [dadac0.de, *.dadac0.de] acme: Obtaining bundled SAN certificate
2024/11/17 14:29:08 [INFO] [*.dadac0.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/431480033887
2024/11/17 14:29:08 [INFO] [dadac0.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/431480033897
2024/11/17 14:29:08 [INFO] [*.dadac0.de] acme: use dns-01 solver
2024/11/17 14:29:08 [INFO] [dadac0.de] acme: Could not find solver for: tls-alpn-01
2024/11/17 14:29:08 [INFO] [dadac0.de] acme: Could not find solver for: http-01
2024/11/17 14:29:08 [INFO] [dadac0.de] acme: use dns-01 solver
2024/11/17 14:29:08 [INFO] [*.dadac0.de] acme: Preparing to solve DNS-01
2024/11/17 14:29:08 [DEBUG] GET https://desec.io/api/v1/domains/de/rrsets/_acme-challenge.dadac0/TXT/
2024/11/17 14:29:08 [DEBUG] POST https://desec.io/api/v1/domains/de/rrsets/
2024/11/17 14:29:09 [INFO] [dadac0.de] acme: Preparing to solve DNS-01
2024/11/17 14:29:09 [DEBUG] GET https://desec.io/api/v1/domains/de/rrsets/_acme-challenge.dadac0/TXT/
2024/11/17 14:29:09 [DEBUG] POST https://desec.io/api/v1/domains/de/rrsets/
2024/11/17 14:29:09 [INFO] [*.dadac0.de] acme: Cleaning DNS-01 challenge
2024/11/17 14:29:09 [DEBUG] GET https://desec.io/api/v1/domains/de/rrsets/_acme-challenge.dadac0/TXT/
2024/11/17 14:29:09 [WARN] [*.dadac0.de] acme: cleaning up failed: desec: failed to get records: domainName=de, recordName=_acme-challenge.dadac0: 404: Not found. 
2024/11/17 14:29:09 [INFO] [dadac0.de] acme: Cleaning DNS-01 challenge
2024/11/17 14:29:09 [DEBUG] GET https://desec.io/api/v1/domains/de/rrsets/_acme-challenge.dadac0/TXT/
2024/11/17 14:29:09 [WARN] [dadac0.de] acme: cleaning up failed: desec: failed to get records: domainName=de, recordName=_acme-challenge.dadac0: 404: Not found. 
2024/11/17 14:29:09 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/431480033887
2024/11/17 14:29:09 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/431480033897
2024/11/17 14:29:09 Could not obtain certificates:
        error: one or more domains had a problem:
[*.dadac0.de] [*.dadac0.de] acme: error presenting token: desec: failed to create records: domainName=de, recordName=_acme-challenge.dadac0: 404: Not found.
[dadac0.de] [dadac0.de] acme: error presenting token: desec: failed to create records: domainName=de, recordName=_acme-challenge.dadac0: 404: Not found.

Note the difference:

enc0.de issues this and seems to break down the domain correctly:

GET https://desec.io/api/v1/domains/enc0.de/rrsets/_acme-challenge/TXT/
PATCH https://desec.io/api/v1/domains/enc0.de/rrsets/_acme-challenge/TXT/

whereas dadac0.de does behave differently:

GET https://desec.io/api/v1/domains/de/rrsets/_acme-challenge.dadac0/TXT/
POST https://desec.io/api/v1/domains/de/rrsets/

How do you use lego?

Docker image

Reproduction steps

  1. issue the docker commands above
  2. observe output

Version of lego

❯ docker run --env-file .env goacme/lego --version
lego version 4.20.2 linux/amd64

Logs

See details above

Go environment (if applicable)

No response

ldez commented 4 hours ago

Hello,

This is because you have a problem with zone definition.

You need to define the zone dadac0.de.

hcc23 commented 4 hours ago

Hi @ldez ,

thanks for being so super fast with your response. Unfortunately it doesn't mean anything to me :(

Can you elaborate on what you mean by defining the zone for my domains?

ldez commented 3 hours ago

2024/11/17 14:29:09 [WARN] [dadac0.de] acme: cleaning up failed: desec: failed to get records: domainName=de, recordName=_acme-challenge.dadac0: 404: Not found.

This log means that the detected zone is de.

I tried to get the zone of your domain, and it works as expected.

$ drill dadac0.de SOA                            
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 48044
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; dadac0.de.   IN      SOA

;; ANSWER SECTION:
dadac0.de.      65      IN      SOA     get.desec.io. get.desec.io. 2024114567 86400 3600 2419200 3600

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 2 msec
;; SERVER: 2a02:842b:5a8:b601:ce19:a8ff:fe05:c8ff
;; WHEN: Sun Nov 17 15:57:11 2024
;; MSG SIZE  rcvd: 75

So I think you have a local DNS that interferes with this call.
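As an added illustration (not lego's own code, nor deSEC's), here is a minimal Go sketch of how a label-by-label SOA walk turns a challenge FQDN into the domainName/recordName pair that a zone-scoped API like deSEC's expects, and how a resolver that only answers SOA for "de" yields exactly the "domainName=de, recordName=_acme-challenge.dadac0" split seen in the failing log. The two resolver behaviours are constructed stand-ins, not captured answers from any host.

```go
package main

import (
	"fmt"
	"strings"
)

// SOALookup reports whether the resolver returns an SOA record for fqdn
// (trailing dot). Injected so the walk can run offline against constructed
// resolver behaviour instead of real DNS.
type SOALookup func(fqdn string) bool

// FindZone walks up the labels of fqdn and returns the first name the
// resolver answers with an SOA, i.e. the zone apex; "" if none answers.
func FindZone(fqdn string, lookup SOALookup) string {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		if zone := strings.Join(labels[i:], ".") + "."; lookup(zone) {
			return zone
		}
	}
	return ""
}

// SplitRecord maps a challenge FQDN onto the (domainName, recordName) pair a
// zone-scoped API such as deSEC's expects: the apex without trailing dot and
// the record name relative to that apex.
func SplitRecord(fqdn string, lookup SOALookup) (domainName, recordName string, err error) {
	fqdn = strings.TrimSuffix(fqdn, ".") + "."
	zone := FindZone(fqdn, lookup)
	if zone == "" {
		return "", "", fmt.Errorf("no SOA found for %s or any parent", fqdn)
	}
	domainName = strings.TrimSuffix(zone, ".")
	recordName = strings.TrimSuffix(strings.TrimSuffix(fqdn, zone), ".")
	return domainName, recordName, nil
}

// Constructed resolver behaviour (hypothetical, not captured from any host):
// GoodResolver sees the dadac0.de SOA like the drill output above; LocalResolver
// stands in for a resolver that only answers SOA for the TLD.
func GoodResolver(fqdn string) bool { return fqdn == "dadac0.de." || fqdn == "de." }
func LocalResolver(fqdn string) bool { return fqdn == "de." }

func main() {
	for _, r := range []struct{ name string; lookup SOALookup }{{"good", GoodResolver}, {"local", LocalResolver}} {
		d, rec, _ := SplitRecord("_acme-challenge.dadac0.de.", r.lookup)
		fmt.Printf("%s resolver: domainName=%s recordName=%s\n", r.name, d, rec)
	}
}
```

Comparing `drill dadac0.de SOA` against the resolver lego actually used (192.168.71.2 per the propagation log line) with the same query against a public resolver shows directly whether the local DNS returns a different zone apex.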