janeczku / rancher-letsencrypt

:cow: Rancher service that obtains and manages free SSL certificates from the Let's Encrypt CA
Apache License 2.0

Can't generate www certificates with cloudflare #99

Open cmmarslender opened 7 years ago

cmmarslender commented 7 years ago

Not sure if this is a problem with cloudflare, or just a more general problem. This used to work fine, and only recently stopped working.

Trying to issue a certificate for root domain and www.domain.com, and am getting errors over and over. Here is the log from the container:

```
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="Using locally stored Let's Encrypt account for myemail@myemail.com"
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="Using Let's Encrypt Production API"
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="Trying to obtain SSL certificate (mysite.com,www.mysite.com) from Let's Encrypt Production CA"
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="[INFO][mysite.com, www.mysite.com] acme: Obtaining bundled SAN certificate"
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="[INFO][mysite.com] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/<code>"
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="[INFO][www.mysite.com] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/<code>"
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="[INFO][mysite.com] acme: Could not find solver for: tls-sni-01"
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="[INFO][mysite.com] acme: Could not find solver for: http-01"
10/23/2017 3:53:09 PM time="2017-10-23T22:53:09Z" level=info msg="[INFO][mysite.com] acme: Trying to solve DNS-01"
10/23/2017 3:53:12 PM time="2017-10-23T22:53:12Z" level=info msg="[INFO][mysite.com] Checking DNS record propagation using [169.254.169.250:53]"
10/23/2017 3:53:16 PM time="2017-10-23T22:53:16Z" level=info msg="[INFO][mysite.com] The server validated our request"
10/23/2017 3:53:17 PM time="2017-10-23T22:53:17Z" level=info msg="[INFO][www.mysite.com] acme: Could not find solver for: http-01"
10/23/2017 3:53:17 PM time="2017-10-23T22:53:17Z" level=info msg="[INFO][www.mysite.com] acme: Trying to solve DNS-01"
10/23/2017 3:53:17 PM time="2017-10-23T22:53:17Z" level=error msg="[www.mysite.com] Error obtaining certificate: Error presenting token: Unexpected response code 'SERVFAIL' for www.mysite.com."
```
willseward commented 7 years ago

I'm trying to figure this one out too... It looks like the TXT records never make it to the zone

frankbohman commented 7 years ago

Any news on this?

We have the exact same problem, which occurred when adding new subdomains to our list.

clayrisser commented 6 years ago

I'm experiencing the same problem

Thom-x commented 6 years ago

I'm experiencing the same problem

clayrisser commented 6 years ago

Did you copy paste my response? lol

kimaero commented 6 years ago

I'm experiencing the same problem

willseward commented 6 years ago

I think this problem is specific to Cloudflare (though it may not be Cloudflare's fault).

The issue seems to resolve itself when I toggle the cloud icon on the failing CNAME/A record.

z3cka commented 6 years ago

@willseward toggle from what state to what? I'm having the same problem.

z3cka commented 6 years ago

Is there a way to manually set the token to return via TXT record?

kimaero commented 6 years ago

I don't know if it helps, but in my case, I had a CNAME record that was pointing to the root domain. After I changed it to point not to the root but to the same server as the root, everything went just fine and smoothly.

willseward commented 6 years ago

@z3cka I toggled it on for the certificate issuance, and then off because I don't require it.

@kimaero Yes, I had exactly the same situation. In my experience, it would transiently place the TXT records on the target of the CNAME instead of the correct domain. When I removed the CNAME it stopped happening, but started again soon after.
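The two symptoms in this thread (the resolver answering SERVFAIL for the challenge name, and the TXT token turning up under the CNAME target's name rather than under `_acme-challenge.www.<domain>`) can be told apart before handing the zone to the ACME client. The script below is an added example, not code from rancher-letsencrypt or lego: it derives the DNS-01 owner name and TXT value the CA will look for (base64url of the SHA-256 of the key authorization, RFC 8555 section 8.4, the same construction the v01 API used), builds a raw TXT query against a resolver, and classifies the reply as an RCODE error, token present, token misplaced on another name, or missing. Everything is standard library. The domain names, the key authorization, the `build_response` helper that fabricates replies for offline use, and the resolver address `169.254.169.250` (the Rancher-internal resolver the log shows) are assumptions, not values from the issue.

```python
# Added pre-flight check for an ACME DNS-01 challenge on a name that is a CNAME.
# Domain names, key authorization and resolver address are assumptions, not from the issue.
import base64
import hashlib
import random
import socket
import struct

TYPE_CNAME, TYPE_TXT, CLASS_IN = 5, 16, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def dns01_record(domain, key_authorization):
    """Owner name and TXT value the CA checks: unpadded base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return "_acme-challenge." + domain.strip(".") + ".", value

def encode_name(name):  # dotted name -> length-prefixed labels ending in a zero byte
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"

def read_name(msg, offset):
    """Decode a possibly compressed name; return (dotted fqdn, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset

def build_query(fqdn, txid, qtype=TYPE_TXT):  # one-question recursive query (RD=1)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", qtype, CLASS_IN)

def parse_response(msg):
    """Return (txid, rcode, answers); answers are (owner, type, text) for TXT and CNAME only."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    offset = 12
    for _ in range(qdcount):
        offset = read_name(msg, offset)[1] + 4  # skip QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_TXT:  # rdata is a run of <length><bytes> character-strings
            i, parts = offset, []
            while i < offset + rdlen:
                parts.append(msg[i + 1:i + 1 + msg[i]].decode("ascii"))
                i += 1 + msg[i]
            answers.append((owner, TYPE_TXT, "".join(parts)))
        elif rtype == TYPE_CNAME:
            answers.append((owner, TYPE_CNAME, read_name(msg, offset)[0]))
        offset += rdlen
    return txid, flags & 0xF, answers

def build_response(query, rcode, answers):
    """Constructed reply for offline use (assumption); owners equal to the question name
    are written as a compression pointer, as real servers do."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = read_name(query, 12)
    body = b""
    for owner, rtype, text in answers:
        rdata = bytes([len(text)]) + text.encode("ascii") if rtype == TYPE_TXT else encode_name(text)
        body += (b"\xc0\x0c" if owner == qname else encode_name(owner))
        body += struct.pack("!HHIH", rtype, CLASS_IN, 60, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(answers), 0, 0)
    return header + query[12:qend + 4] + body

def classify(reply, fqdn, expected):
    """Map one resolver reply for `fqdn` onto the outcomes discussed in the thread."""
    _, rcode, answers = parse_response(reply)
    if rcode != 0:  # lego's "Unexpected response code 'SERVFAIL'" corresponds to this branch
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    owners = [o for o, t, v in answers if t == TYPE_TXT and v == expected]
    if fqdn in owners:
        return "present"
    if owners:  # token exists, but under another owner (e.g. the CNAME target's challenge name)
        return "misplaced on " + owners[0]
    return "missing"

def query_resolver(fqdn, resolver, timeout=3.0):
    """Live UDP TXT lookup (needs network); returns the raw reply bytes."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(fqdn, txid), (resolver, 53))
        while True:  # discard datagrams whose transaction id is not ours
            reply = sock.recv(4096)
            if struct.unpack("!H", reply[:2])[0] == txid:
                return reply
```

Usage against a live resolver: `fqdn, token = dns01_record("www.mysite.com", key_authorization)` followed by `classify(query_resolver(fqdn, "169.254.169.250"), fqdn, token)`. When `www` is a CNAME to the apex, run the same `classify` with the reply for `_acme-challenge.mysite.com.`: a result of `misplaced on _acme-challenge.mysite.com.` is the situation described in the comment above, while `SERVFAIL` from the resolver is the error the original log shows and cannot be fixed by adding records at all.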

z3cka commented 6 years ago

Thanks for the response! I ended up using the HTTP method rather than the DNS based challenge and it worked like a charm.

Cheers!

Panthro commented 6 years ago

Same thing here: using Cloudflare, I had a CNAME for the subdomain I wanted (www in that case) pointing to the root, and I started getting this error.

Removed the subdomain CNAME and it worked