Closed jen20 closed 6 years ago
Actually this looks like a misunderstanding. The --dns-resolvers option already implements the first of the options above, however the help text displayed is wrong: "Set the resolvers to use for performing recursive DNS queries. Supported: host:port. The default is to use Google's DNS resolvers." - the default appears to be to use the resolvers configured on the machine rather than Google. When I set --dns-resolvers 8.8.8.8:53 on the command line all is well.
Sorry for opening this without a complete understanding of the issue - and thanks for a great project!
When using the DNS-01 challenge on an instance in an AWS VPC with split horizon DNS configured, it is not necessarily possible to resolve external records using the internal resolver, meaning the propagation check which is part of the AWS driver fails. For example:

Assume we have a VPC with address space 10.0.0.0/16. If the VPC has its DNS domain set to example.com via a DHCP options set, Route 53 will resolve example.com using the resolver for the subnet within the VPC (2 addresses above the first in the subnet range). However, this resolves example.com using the private hosted zone associated with the VPC.

If we were requesting a certificate for someservice.example.com, Lego writes the validation record to the public hosted zone associated with the name example.com, but then tries to check propagation using the local resolver, which will never succeed, as the record does not exist in the private hosted zone corresponding to that domain.

I believe there may be a couple of solutions to this:
I can produce a detailed repro of this as Terraform code to create the exact environment, but am opening with a quick description of the problem and environment for now. I'll look at opening a pull request for this (admittedly somewhat unusual) case.
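The failure mode described in this issue is a propagation check that asks the machine's own (split-horizon) resolver for a record that only exists in the public zone. The Go program below is an added example written for this page, not lego's code: it parses a comma-separated host[:port] list in the style of the --dns-resolvers flag (the helper name parseResolvers and the default port of 53 are assumptions made here) and builds a net.Resolver that sends every query to that address instead of the system resolvers, then looks for an expected TXT value. The record name and expected value in main are constructed placeholders.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// parseResolvers normalises a comma-separated "host[:port]" list, as one
// might type for a --dns-resolvers style flag. A missing port defaults to 53.
// Hypothetical helper for illustration; it is not lego's own flag parser.
func parseResolvers(flag string) ([]string, error) {
	var out []string
	for _, raw := range strings.Split(flag, ",") {
		s := strings.TrimSpace(raw)
		if s == "" {
			continue
		}
		host, port, err := net.SplitHostPort(s)
		if err != nil {
			// No port given (or a bare IPv6 literal): assume port 53.
			host, port = s, "53"
		}
		if net.ParseIP(host) == nil {
			return nil, fmt.Errorf("resolver %q is not an IP address", s)
		}
		out = append(out, net.JoinHostPort(host, port))
	}
	if len(out) == 0 {
		return nil, errors.New("no resolvers given")
	}
	return out, nil
}

// newResolver returns a net.Resolver that talks only to addr (host:port),
// bypassing whatever /etc/resolv.conf or the VPC DHCP options configured.
func newResolver(addr string) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, addr)
		},
	}
}

// txtRecordPresent reports whether fqdn currently has a TXT record equal to
// want when queried through r. A not-found answer means "not propagated yet"
// rather than a hard error, so a caller can poll.
func txtRecordPresent(ctx context.Context, r *net.Resolver, fqdn, want string) (bool, error) {
	records, err := r.LookupTXT(ctx, fqdn)
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			return false, nil
		}
		return false, err
	}
	for _, rec := range records {
		if rec == want {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// 8.8.8.8:53 is the resolver the issue author used on the command line.
	resolvers, err := parseResolvers("8.8.8.8:53")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	r := newResolver(resolvers[0])
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	// Constructed placeholders: a real check would use the challenge name and
	// the key authorization digest the ACME server expects.
	ok, err := txtRecordPresent(ctx, r, "_acme-challenge.someservice.example.com", "PLACEHOLDER_TOKEN")
	if err != nil {
		fmt.Fprintln(os.Stderr, "lookup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("record visible via %s: %v\n", resolvers[0], ok)
}
```

Pointing the check at a public recursive resolver is what makes it agree with the ACME server's view; the system resolver inside the VPC answers from the private hosted zone and will keep returning "not found" for a record that only exists in the public zone.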