joohoi / acme-dns

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
MIT License
2.19k stars 234 forks

Can't renew certs #303

Closed Serpher1 closed 2 years ago

Serpher1 commented 2 years ago

I set it up 2 months ago and got certs with no problem (acme-dns and acme-dns-client). I haven't touched it since, and now I get a timeout. The only things that could have changed are some security updates to Debian 10 and maybe Certbot (I started with 1.23 and now it's 1.26). Acme-dns creates records on demand, but somehow LE can't get to them. Ports 80/53 are open to the acme-dns server.

acme-dns-client register -d wyniki.spzozmm.pl -s http://localhost:8080
[W] Acme-dns account already registered for domain wyniki.spzozmm.pl
[*] CNAME record seems to already be set up correctly, you are good to go

A CAA record allows you to control additional certificate issuance safeguards. The currently supported
version allows the domain owner to control which certificate authorities are allowed to issue certificates for the domain in question.
The certificate authorities MUST check and respect the CAA records in the validation process.

There's also a standard (RFC 8657) that extends the CAA record to limit the issuance of certificates to a specific validation
method and/or to a specific ACME account. While they can be tested using staging environment of Let's Encrypt for example,
they're not enabled in the production yet. It is still be worthwhile to configure them so you'll be protected when the feature gets enabled.
Do you wish to set up a CAA record now? [y/N]: n
root@acme:~# certbot certonly --manual --preferred-challenges dns --manual-auth-hook 'acme-dns-client' -d wyniki.spzozmm.pl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for wyniki.spzozmm.pl

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
 Domain: wyniki.spzozmm.pl
 Type: dns
 Detail: DNS problem: query timed out looking up TXT for _acme-challenge.pacs.spzozmm.pl

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

OK, I may have solved the DNS issue, but the acme-dns server is not working as intended.

 certbot certonly --manual --preferred-challenges dns --manual-auth-hook acme-dns-client -d wyniki.spzozmm.pl -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for wyniki.spzozmm.pl
Performing the following challenges:
dns-01 challenge for wyniki.spzozmm.pl
Running manual-auth-hook command: acme-dns-client
Waiting for verification...
Challenge failed for domain wyniki.spzozmm.pl
dns-01 challenge for wyniki.spzozmm.pl

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: wyniki.spzozmm.pl
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.wyniki.spzozmm.pl - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Cleaning up challenges
Some challenges have failed.

Wasn't it the acme-dns-client's job to return the TXT value? The acme-dns service generates proper values.

Serpher1 commented 2 years ago

Solved it. Firewall blocked UDP ports.
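An added reachability check, not part of this thread or of the acme-dns project, that separates the two failure modes seen above: a timeout means port 53 is filtered (here UDP, by the firewall), while NXDOMAIN means the acme-dns server answered but holds no TXT record at that name. It sends a raw TXT query for the `_acme-challenge` name to the acme-dns host over both UDP and TCP using only the standard library; the server address and query name are command-line arguments, so run it from outside the firewall against your own server.

```python
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid, qtype=16):
    """Minimal DNS query with RD=1; qtype 16 = TXT, class 1 = IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp, qid):
    """Return (rcode, answer count); reject short or mismatched replies."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if rid != qid:
        raise ValueError("response id does not match query")
    return flags & 0x000F, ancount


def probe(server, name, proto, timeout=3.0):
    """Send one TXT query over 'udp' or 'tcp' and classify what came back."""
    query = build_query(name, qid := random.randrange(1, 65536))
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                resp, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.settimeout(timeout)
                s.sendall(struct.pack("!H", len(query)) + query)  # RFC 1035 TCP length prefix
                length = struct.unpack("!H", s.recv(2))[0]
                resp = b""
                while len(resp) < length:
                    chunk = s.recv(length - len(resp))
                    if not chunk:
                        break
                    resp += chunk
    except OSError as exc:  # socket.timeout is a subclass of OSError
        return f"{proto}/53: no reply ({type(exc).__name__}) -> port filtered or server down"
    rcode, ancount = parse_header(resp, qid)
    return f"{proto}/53: {RCODES.get(rcode, rcode)}, {ancount} answer RR(s)"


if __name__ == "__main__":  # usage: probe.py <acme-dns host> _acme-challenge.<your domain>
    for proto in ("udp", "tcp"):
        print(probe(sys.argv[1], sys.argv[2], proto))
```

If UDP reports no reply while TCP answers, the server is fine and the UDP path is being dropped, which matches the resolution in this thread.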