go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Cloudflare .eu domain zone problem #930

Closed leoshusar closed 1 day ago

leoshusar commented 5 years ago

Hello, I have two .cz domains and one .eu domain. I am using Traefik for the Let's Encrypt DNS challenge, and Traefik is using LEGO. The two .cz domains worked without problem, but the .eu domain challenge gives me the error acme: error cleaning up: cloudflare: failed to find zone eu.: Zone could not be found. I read a lot of things about this and found an old issue saying it's caused by split DNS - and yes, I have an internal DNS redirect only for that .eu domain. Could it be the problem? What can I do about it?

leoshusar commented 5 years ago

Maybe I just found where my problem is. Is LEGO really making DNS queries from the machine it runs on? My split DNS is router-based and a NAT rule catches ALL requests on port 53. I realized it when I tried to run dig +trace mydomain.eu @8.8.8.8 and it returned my internal IP even though Google's DNS server was specified. If this is true, maybe I can add an exception to my NAT rule so queries from the machine running LEGO will just pass (if there's no other way to fix this). Can you please confirm my thoughts?

dmke commented 5 years ago

Yes, Lego performs recursive DNS requests on the machine it runs on. It tries, in order:

If you've started Lego with the --dns.resolvers flag, it tries the given resolvers instead.

The Cloudflare error happens because, in order to update DNS records for the domain you're trying to obtain certificates for, Lego needs to find the "apex name" for that domain. This is the domain for which a SOA record exists.

Example: if you want a certificate for foo.bar.mydomain.eu, and mydomain.eu is the Zone name at Cloudflare (i.e. the apex domain), Lego performs a query equivalent to this:

$ dig -t SOA foo.bar.mydomain.eu +recurse +nocomment
;foo.bar.mydomain.eu.        IN  SOA
foo.bar.mydomain.eu.   300   IN  CNAME mydomain.eu
mydomain.eu.           3600  IN  SOA   adi.ns.cloudflare.com. dns.cloudflare.com. 2032109425 10000 2400 604800 3600

Here, the apex domain is the first entry in the last line (mydomain.eu.).

Lego then proceeds to query the Cloudflare API for information on the mydomain.eu zone.

If your DNS server instead returns something like this:

$ dig -t SOA foo.bar.mydomain.eu +recurse +nocomment
;foo.bar.mydomain.eu.        IN  SOA
eu.           ... whatever

then Lego detects eu. as the apex domain and queries Cloudflare for information on that zone (which it doesn't have). Hence the error "failed to find zone eu.: Zone could not be found".
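To make the apex search concrete, the following is an added Go sketch (not Lego's own code) of the lookup described above, with constructed in-memory resolver answers standing in for real recursive SOA queries; the function names, the zone table and the split-DNS comparison check are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// soaAnswer is a constructed stand-in for a recursive resolver: it maps a queried
// name to the owner name of the SOA record that came back (the apex), or has no entry.
type soaAnswer map[string]string

// findApex mirrors the apex search described above: ask for the SOA of the
// full name and, when nothing comes back, retry on each shorter parent name.
func findApex(fqdn string, resolver soaAnswer) (string, error) {
	name := strings.TrimSuffix(fqdn, ".") + "."
	for name != "." {
		if apex, ok := resolver[name]; ok {
			return apex, nil
		}
		name = name[strings.Index(name, ".")+1:] // drop the leftmost label
	}
	return "", fmt.Errorf("no SOA record found for %s", fqdn)
}

// cloudflareZoneID stands in for the Cloudflare zone lookup done once the apex is known.
func cloudflareZoneID(apex string, zones map[string]string) (string, error) {
	id, ok := zones[apex]
	if !ok {
		return "", fmt.Errorf("cloudflare: failed to find zone %s: Zone could not be found", apex)
	}
	return id, nil
}

// splitDNSSuspected is the check from the thread: compare the apex seen by the
// machine's own resolver with the one seen by an external resolver.
func splitDNSSuspected(fqdn string, local, external soaAnswer) bool {
	a, errA := findApex(fqdn, local)
	b, errB := findApex(fqdn, external)
	return errA != nil || errB != nil || a != b
}

func main() {
	zones := map[string]string{"mydomain.eu.": "zone-id-constructed"}
	public := soaAnswer{"foo.bar.mydomain.eu.": "mydomain.eu."} // healthy resolver
	split := soaAnswer{"foo.bar.mydomain.eu.": "eu."}           // split-DNS resolver
	apex, _ := findApex("foo.bar.mydomain.eu", split)
	_, err := cloudflareZoneID(apex, zones)
	fmt.Println(apex, err, splitDNSSuspected("foo.bar.mydomain.eu", split, public))
}
```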

ldez commented 4 days ago

Can you open a dedicated discussion: https://github.com/go-acme/lego/discussions/categories/q-a

And provide all the information about your context.

leoshusar commented 1 day ago

Hi, sorry, completely forgot about this :)

I already have a different setup, so this is no longer an issue for me.

Thanks!