janeczku / rancher-letsencrypt

:cow: Rancher service that obtains and manages free SSL certificates from the Let's Encrypt CA
Apache License 2.0

OVH DNS : Could not determine zone for domain #101

Open rockandska opened 7 years ago

rockandska commented 7 years ago

Hi,

Not sure if it is related directly to "lego" or specifically to this image or the OVH API (no one has complained on the ML).

Certificates were created with v0.4.0. Multiple domains were specified at creation but removed after the upgrade to v0.5.0.

Nothing has changed since, not even the credentials or rights given to the OVH account; the domain exists.

Domain / token redacted

10/30/2017 4:27:45 PMtime="2017-10-30T15:27:45Z" level=info msg="Starting Let's Encrypt Certificate Manager v0.5.0 0913231"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Using locally stored Let's Encrypt account for mail@domain.com"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Using Let's Encrypt Production API"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Found locally stored certificate 'sub.domain.com'"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Found existing certificate 'sub.domain.com' in Rancher"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Managing renewal of certificate 'sub.domain.com'"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Certificate renewal scheduled for 2017/10/30 12:00 UTC"
10/30/2017 4:27:56 PMtime="2017-10-30T15:27:56Z" level=info msg="Trying to obtain renewed SSL certificate (sub.domain.com) from Let's Encrypt Production CA"
10/30/2017 4:27:56 PMtime="2017-10-30T15:27:56Z" level=info msg="[INFO][sub.domain.com] acme: Trying renewal with 479 hours remaining"
10/30/2017 4:27:56 PMtime="2017-10-30T15:27:56Z" level=info msg="[INFO][sub.domain.com] acme: Obtaining bundled SAN certificate"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:56Z" level=info msg="[INFO][sub.domain.com] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxxxxxxxx"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:56Z" level=info msg="[INFO][sub.domain.com] acme: Could not find solver for: http-01"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:57Z" level=info msg="[INFO][sub.domain.com] acme: Could not find solver for: tls-sni-01"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:57Z" level=info msg="[INFO][sub.domain.com] acme: Trying to solve DNS-01"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:57Z" level=fatal msg="Failed to renew certificate: Error presenting token: Could not determine zone for domain: 'sub.domain.com'. Could not find the start of authority"
rockandska commented 7 years ago

After reading this comment, I changed one thing on my platform and didn't think that it could be a problem, but could it be?

All my servers are behind a pfSense, and for different purposes, I had a DNS override on this domain to let the internal servers use the private IP instead of the public one.

I will give it a try with DNS_RESOLVERS to see if it solves my problem.

rockandska commented 7 years ago

It seems that it was the problem indeed. Glad that I've found the solution in time, but it was not easy to find and I lost a lot of time.

Could you please add a section in the README for this kind of configuration? (It is not related to the provider.) Is it possible to use more than 1 DNS server in this env variable?

Best regards,
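
The failure diagnosed in this thread, modelled as an added example (not code from rancher-letsencrypt or lego): DNS-01 zone detection walks the challenge name label by label looking for an SOA, so a resolver view that never returns one ends in "could not find the start of authority". The `soaView` type, both resolver views and the `diagnose` helper are hypothetical, and the assumption that the internal override returns no SOA is constructed to match the symptom reported above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// soaView models one resolver's view: the names for which an SOA query
// returns an SOA record. Both views below are constructed sample data.
type soaView map[string]bool

// Constructed: public DNS serves an SOA at the zone apex.
var publicView = soaView{"domain.com.": true, "com.": true}

// Constructed assumption: the internal override answers the domain locally
// and never returns an SOA for it or any parent.
var overrideView = soaView{}

// findZone walks the name from most to least specific label and returns the
// first candidate that has an SOA (simplified model of zone detection).
func findZone(fqdn string, view soaView) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		if view[candidate] {
			return candidate, nil
		}
	}
	return "", errors.New("could not find the start of authority for " + fqdn)
}

// diagnose compares zone detection through the local and a public view.
func diagnose(fqdn string, local, public soaView) string {
	_, lerr := findZone(fqdn, local)
	pz, perr := findZone(fqdn, public)
	switch {
	case lerr != nil && perr == nil:
		return "split-horizon: zone " + pz + " visible only via public resolver"
	case lerr != nil:
		return "no SOA on either resolver"
	}
	return "ok"
}

func main() {
	fmt.Println(diagnose("_acme-challenge.sub.domain.com", overrideView, publicView))
}
```

A "split-horizon" result is the case where pointing the certificate manager at a public resolver, as done here with DNS_RESOLVERS, lets zone detection succeed.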