go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License
8.01k stars 1.02k forks

Option --dns.disable-cp not working #804

Open Klaus-Tockloth opened 5 years ago

Klaus-Tockloth commented 5 years ago

It seems that the option '--dns.disable-cp' isn't working. I have that ...

sudo \
LEGO_CA_CERTIFICATES=./pebble.minica.pem \
EXEC_PATH=./update-dns.sh \
./lego \
--server https://127.0.0.1:14000/dir \
--email admin.dep42@ganyfoods.com \
--accept-tos \
--domains gany-veggies.com \
--dns.disable-cp \
--dns exec \
run

... and get this result:

...
2019/02/21 14:27:57 [INFO] [gany-veggies.com] acme: Trying to solve DNS-01
2019/02/21 14:27:57 [INFO] [gany-veggies.com] acme: Checking DNS record propagation using [192.168.178.1:53 [fd00::3a10:d5ff:febe:db74]:53]
2019/02/21 14:27:57 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/02/21 14:27:57 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/02/21 14:27:59 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/02/21 14:28:01 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/02/21 14:28:03 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
...

My expectation is that with the option '--dns.disable-cp' (set to true) the DNS record propagation check is omitted.

Tested with lego 2.2.0.

ldez commented 5 years ago

All our e2e tests for the DNS challenges use --disable-cp (and fail if the flag is omitted).

Then it seems weird.

Klaus-Tockloth commented 5 years ago

Just to avoid duplicate work: Any progress or new infos here?

If not, I could look deeper into this issue. It's an important feature for me. I'm using 'pebble-challtestsrv' for testing. And 'pebble-challtestsrv' hasn't any propagation functionality.

Klaus-Tockloth commented 5 years ago

It seems that the issue depends on the operating system and/or environment.

Linux (OK):

./lego --version
lego version 2.4.0 linux/amd64

LEGO_CA_CERTIFICATES=./pebble.minica.pem \
EXEC_PATH=./update-dns.sh \
./lego \
--server https://127.0.0.1:14000/dir \
--email admin.dep42@ganyfoods.com \
--accept-tos \
--domains gany-veggies.com \
--dns.disable-cp \
--dns exec \
--cert.timeout 60 \
run
2019/04/04 13:19:50 No key found for account admin.dep42@ganyfoods.com. Generating a P384 key.
2019/04/04 13:19:51 Saved key to /home/evallx034/Lego/.lego/accounts/127.0.0.1_14000/admin.dep42@ganyfoods.com/keys/admin.dep42@ganyfoods.com.key
2019/04/04 13:19:51 [INFO] acme: Registering account for admin.dep42@ganyfoods.com
!!!! HEADS UP !!!!

        Your account credentials have been saved in your Let's Encrypt
        configuration directory at "/home/evallx034/Lego/.lego/accounts".
        You should make a secure backup of this folder now. This
        configuration directory will also contain certificates and
        private keys obtained from Let's Encrypt so making regular
        backups of this folder is ideal.2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Obtaining bundled SAN certificate
2019/04/04 13:19:51 [INFO] [gany-veggies.com] AuthURL: https://127.0.0.1:14000/authZ/Iwvj67Femm42YKg25x_rHA9jhFKMOdnTS1xBP1e2i_s
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Could not find solver for: tls-alpn-01
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Could not find solver for: http-01
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: use dns-01 solver
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Preparing to solve DNS-01
2019/04/04 13:19:51 ./update-dns.sh present _acme-challenge.gany-veggies.com. 2_vc05F-uF9u4bWo-iOxT9aM3558-GWYByslj7369b0 --> return code 0 at 'present'
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Trying to solve DNS-01
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Checking DNS record propagation using [141.36.249.9:53 141.36.1.5:53 141.36.251.10:53]
2019/04/04 13:19:51 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/04/04 13:19:51 [INFO] [gany-veggies.com] The server validated our request
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Cleaning DNS-01 challenge
2019/04/04 13:19:51 ./update-dns.sh cleanup _acme-challenge.gany-veggies.com. 2_vc05F-uF9u4bWo-iOxT9aM3558-GWYByslj7369b0 --> return code 0 at 'cleanup'
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Validations succeeded; requesting certificates
2019/04/04 13:19:51 [INFO] Wait for certificate [timeout: 1m0s, interval: 1s]
2019/04/04 13:19:51 [INFO] [gany-veggies.com] Server responded with a certificate.

macOS (NOK):

./lego --version
lego version 2.4.0 darwin/amd64

LEGO_CA_CERTIFICATES=./pebble.minica.pem \
EXEC_PATH=./update-dns.sh \
./lego \
--server https://127.0.0.1:14000/dir \
--email admin.dep42@ganyfoods.com \
--accept-tos \
--domains gany-veggies.com \
--dns.disable-cp \
--dns exec \
--cert.timeout 60 \
run
2019/04/04 13:43:09 No key found for account admin.dep42@ganyfoods.com. Generating a P384 key.
2019/04/04 13:43:09 Saved key to /Users/klaustockloth/Work/Lego-Mac/.lego/accounts/127.0.0.1_14000/admin.dep42@ganyfoods.com/keys/admin.dep42@ganyfoods.com.key
2019/04/04 13:43:09 [INFO] acme: Registering account for admin.dep42@ganyfoods.com
!!!! HEADS UP !!!!

        Your account credentials have been saved in your Let's Encrypt
        configuration directory at "/Users/klaustockloth/Work/Lego-Mac/.lego/accounts".
        You should make a secure backup of this folder now. This
        configuration directory will also contain certificates and
        private keys obtained from Let's Encrypt so making regular
        backups of this folder is ideal.2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Obtaining bundled SAN certificate
2019/04/04 13:43:09 [INFO] [gany-veggies.com] AuthURL: https://127.0.0.1:14000/authZ/J5vC_VNdpIds9EGJGkjiEN23ujGkJ23cVnRGnaSAe0s
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Could not find solver for: tls-alpn-01
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Could not find solver for: http-01
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: use dns-01 solver
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Preparing to solve DNS-01
2019/04/04 13:43:09 ./update-dns.sh present _acme-challenge.gany-veggies.com. 4sMo1CNyzVda80ZDLk_KP8K8Ng3zjaVnZUwf7qC9hbk --> return code 0 at 'present'
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Trying to solve DNS-01
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Checking DNS record propagation using [192.168.178.1:53 [fd00::3a10:d5ff:febe:db74]:53]
2019/04/04 13:43:09 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/04/04 13:43:11 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
...
2019/04/04 13:44:06 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/04/04 13:44:08 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/04/04 13:44:10 [INFO] [gany-veggies.com] acme: Cleaning DNS-01 challenge
2019/04/04 13:44:10 ./update-dns.sh cleanup _acme-challenge.gany-veggies.com. 4sMo1CNyzVda80ZDLk_KP8K8Ng3zjaVnZUwf7qC9hbk --> return code 0 at 'cleanup'
2019/04/04 13:44:10 Could not obtain certificates:
    acme: Error -> One or more domains had a problem:
[gany-veggies.com] time limit exceeded: last error: dial udp [fd00::3a10:d5ff:febe:db74]:53: connect: no route to host

Any ideas where to start further investigations?

ldez commented 5 years ago

Maybe it's a bug inside https://github.com/urfave/cli

Klaus-Tockloth commented 5 years ago

I looked deeper into this issue and dumped the content of "preCheck":

type preCheck struct {
    // checks DNS propagation before notifying ACME that the DNS challenge is ready.
    checkFunc WrapPreCheckFunc
    // require the TXT record to be propagated to all authoritative name servers
    requireCompletePropagation bool
}

The "requireCompletePropagation" value is set correctly to "true or false", but "checkFunc" is always nil.

preCheck: (dns01.preCheck) {
 checkFunc: (dns01.WrapPreCheckFunc) <nil>,
 requireCompletePropagation: (bool) false
},

preCheck: (dns01.preCheck) {
 checkFunc: (dns01.WrapPreCheckFunc) <nil>,
 requireCompletePropagation: (bool) true
},

That's the reason why "checkDNSPropagation()" is always called.

func (p preCheck) call(domain, fqdn, value string) (bool, error) {
    if p.checkFunc == nil {
        return p.checkDNSPropagation(fqdn, value)
    }

    return p.checkFunc(domain, fqdn, value, p.checkDNSPropagation)
}

The function "WrapPreCheck()" sets "checkFunc":

// WrapPreCheck Allow to define checks before notifying ACME that the DNS challenge is ready.
func WrapPreCheck(wrap WrapPreCheckFunc) ChallengeOption {
    return func(chlg *Challenge) error {
        chlg.preCheck.checkFunc = wrap
        return nil
    }
}

My understanding is that "checkFunc()" allows one to define a (user-implemented) mechanism to check the DNS propagation. In my case I don't want such a check. How can I achieve this?

ldez commented 5 years ago

Maybe the issue is related to https://github.com/go-acme/lego/blob/f0cfdff3951fd8518e2f218b27f0dd103fba5017/cmd/setup_challenges.go#L110-L111

I fixed this in #868

ldez commented 5 years ago

The goal of --dns.disable-cp is only not to check all NS, but the propagation is checked with at least 1 NS in all cases.

The WrapPreCheck is something new (v2.3 #783) but the previous behavior has not been changed.

checkDNSPropagation

ldez commented 5 years ago

Your last message doesn't seem related to your previous message about the weird behavior on Mac.

I think the Mac behavior is related to the bug #868.

Klaus-Tockloth commented 5 years ago

Just for clarification: the last analysis is based on my own client. That means that https://github.com/urfave/cli isn't involved. The 'DisableCompletePropagationRequirement()' option is set directly:

err = client.Challenge.SetDNS01Provider(provider, dns01.DisableCompletePropagationRequirement())
if err != nil {
  log.Printf("error <%v> at client.Challenge.SetDNS01Provider(), provider = %v", err, dns01Provider)
  return err
}

Maybe we are dealing with two independent issues ...

ldez commented 5 years ago

If the question is: how to disable the precheck?

The answer is:

err = client.Challenge.SetDNS01Provider(provider, dns01.WrapPreCheck(func(_, _, _ string, _ dns01.PreCheckFunc) (b bool, e error) {
    return true, nil
}))
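
The mechanism discussed above (preCheck.call falling back to the built-in propagation check when checkFunc is nil, DisableCompletePropagationRequirement only relaxing that check, and WrapPreCheck replacing it), as an added, constructed Go model that is not lego's own code. The in-memory nameserver map, RunPreCheck, Outcome and SkipPreCheck are assumptions made for this example; the real DNS lookups are replaced by a map of "authoritative nameserver" to the TXT value it currently serves.

```go
package main

import "fmt"

// Constructed model of the dns01 precheck flow from this issue (not lego's code).
// PreCheckFunc is the built-in propagation check that a wrapper receives.
type PreCheckFunc func(fqdn, value string) (bool, error)

// WrapPreCheckFunc is a user-supplied check that may delegate to the built-in one.
type WrapPreCheckFunc func(domain, fqdn, value string, check PreCheckFunc) (bool, error)

type preCheck struct {
	checkFunc                  WrapPreCheckFunc
	requireCompletePropagation bool
}

// Challenge stands in for dns01.Challenge; nameservers is the constructed DNS
// (assumption for this example): NS name -> TXT value it serves ("" = none yet).
type Challenge struct {
	preCheck     preCheck
	nameservers  map[string]string
	builtinCalls int // how often checkDNSPropagation actually ran
}

type ChallengeOption func(*Challenge) error

// DisableCompletePropagationRequirement only relaxes "all NS" to "at least one NS".
func DisableCompletePropagationRequirement() ChallengeOption {
	return func(c *Challenge) error {
		c.preCheck.requireCompletePropagation = false
		return nil
	}
}

// WrapPreCheck replaces the check entirely, as in the library function quoted above.
func WrapPreCheck(wrap WrapPreCheckFunc) ChallengeOption {
	return func(c *Challenge) error {
		c.preCheck.checkFunc = wrap
		return nil
	}
}

// checkDNSPropagation is the built-in check: every NS must serve the value when
// complete propagation is required, otherwise a single NS is enough.
func (c *Challenge) checkDNSPropagation(fqdn, value string) (bool, error) {
	c.builtinCalls++
	found := 0
	for _, served := range c.nameservers {
		if served == value {
			found++
		}
	}
	if c.preCheck.requireCompletePropagation {
		return found == len(c.nameservers), nil
	}
	return found > 0, nil
}

// call is the dispatch quoted in the issue: nil checkFunc -> built-in check runs.
func (c *Challenge) call(domain, fqdn, value string) (bool, error) {
	if c.preCheck.checkFunc == nil {
		return c.checkDNSPropagation(fqdn, value)
	}
	return c.preCheck.checkFunc(domain, fqdn, value, c.checkDNSPropagation)
}

// Outcome reports whether the precheck passed and whether the built-in check ran.
type Outcome struct {
	Ready        bool
	BuiltinCalls int
}

// RunPreCheck (assumed helper) applies the options and runs one precheck round.
func RunPreCheck(ns map[string]string, value string, opts ...ChallengeOption) (Outcome, error) {
	c := &Challenge{preCheck: preCheck{requireCompletePropagation: true}, nameservers: ns}
	for _, opt := range opts {
		if err := opt(c); err != nil {
			return Outcome{}, err
		}
	}
	ready, err := c.call("example.test", "_acme-challenge.example.test.", value)
	return Outcome{Ready: ready, BuiltinCalls: c.builtinCalls}, err
}

// SkipPreCheck is the wrapper from the answer above: it reports "ready" without
// consulting DNS at all, so ACME validation is requested with no local evidence
// that the record exists. That is fine when the challenge server itself is
// authoritative (pebble-challtestsrv), and risky against real DNS.
func SkipPreCheck(_, _, _ string, _ PreCheckFunc) (bool, error) {
	return true, nil
}

func main() {
	const txt = "constructed-txt-value"
	// Constructed state: one NS already serves the record, the other does not yet.
	partial := map[string]string{"ns1": txt, "ns2": ""}
	def, _ := RunPreCheck(partial, txt)
	dis, _ := RunPreCheck(partial, txt, DisableCompletePropagationRequirement())
	wrap, _ := RunPreCheck(partial, txt, WrapPreCheck(SkipPreCheck))
	fmt.Printf("default: %+v\ndisable-cp: %+v\nWrapPreCheck: %+v\n", def, dis, wrap)
}
```

Running it shows the distinction the thread turns on: with DisableCompletePropagationRequirement the built-in check still executes (it just needs one nameserver to answer), so an unreachable resolver in that list still produces a wait and a timeout, exactly the macOS log above; only WrapPreCheck stops the built-in check from being consulted. Prefer the wrapper only where the nameserver is under test control, since it removes the client's own confirmation step before the CA is told to validate.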

Klaus-Tockloth commented 5 years ago

err = client.Challenge.SetDNS01Provider(provider, dns01.WrapPreCheck(func(_, _, _ string, _ dns01.PreCheckFunc) (b bool, e error) {
  return true, nil
}))

Thanks for explaining this.

Klaus-Tockloth commented 5 years ago

Version 2.6.0 has a fix concerning this issue, but it's still not working for me on macOS. Maybe a local problem. Could someone reproduce the issue?

./lego --version
lego version 2.6.0 darwin/amd64

LEGO_CA_CERTIFICATES=./pebble.minica.pem \
EXEC_PATH=./update-dns.sh \
./lego \
--server https://127.0.0.1:14000/dir \
--email admin.dep42@ganyfoods.com \
--accept-tos \
--domains gany-veggies.com \
--dns.disable-cp \
--dns exec \
--cert.timeout 60 \
run
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Obtaining bundled SAN certificate
2019/05/29 08:52:34 [INFO] [gany-veggies.com] AuthURL: https://127.0.0.1:14000/authZ/der3h4pt-fP01xFRKg6tK8cqwR_UAn5BlM7oCrrHVr0
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Could not find solver for: tls-alpn-01
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Could not find solver for: http-01
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: use dns-01 solver
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Preparing to solve DNS-01
2019/05/29 08:52:34 ./update-dns.sh present _acme-challenge.gany-veggies.com. BgSKGDD6mWT8KRqTuzg-gOZeLpeGL4QFK9xQSN0KtP0 --> return code 0 at 'present'
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Trying to solve DNS-01
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Checking DNS record propagation using [192.168.178.1:53 [fd00::3a10:d5ff:febe:db74]:53]
2019/05/29 08:52:34 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:36 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:38 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:40 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:42 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:44 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:46 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
...

rezaebrahimi1 commented 1 year ago

I solved it using the following code

opts := []dns01.ChallengeOption{dns01.DisableCompletePropagationRequirement()}
err = client.Challenge.SetDNS01Provider(dnsProvider, opts...)
if err != nil {
	log.Fatal(err)
}