Closed gctwnl closed 5 months ago
I worked around it by copying a valid cert over from another machine and setting
```toml
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
tls = "cert"
# only used if tls = "cert"
tls_cert_privkey = "/etc/letsencrypt/live/mydomain.tld/privkey.pem"
tls_cert_fullchain = "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
```
That is of course not a real solution.
I can now successfully use the API, but not entirely:
```
% curl -X POST https://linuxserver.mydomain.tld:943/update -H "X-Api-User: <snip>" -H "X-Api-Key: <snip>" --data '{"subdomain": "<snip>", "txt": "___validation_token_recieved_from_the_ca___"}'| python3 -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   161  100    54  100   107    688   1364 --:--:-- --:--:-- --:--:--  2064
{
    "txt": "___validation_token_recieved_from_the_ca___"
}
```
That is a call on the inside. 443 is not available from outside (no NAT). The log says:
```
acmedns-1 | time="2024-06-08T16:06:57Z" level=info msg=" Actual request no headers added: missing origin"
acmedns-1 | time="2024-06-08T16:06:57Z" level=debug msg="TXT updated" subdomain=<snip> txt=___validation_token_recieved_from_the_ca___
```
But when I try to read this from the outside:
```
$ dig _acme-challenge.acmedns.mydomain.tld txt

; <<>> DiG 9.11.36-RedHat-9.11.36-14.el8_10 <<>> _acme-challenge.acmedns.mydomain.tld txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42965
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 327e502452512e255ca948b766647f7248f5c0f8d3a99f53 (good)
;; QUESTION SECTION:
;_acme-challenge.acmedns.mydomain.tld. IN TXT

;; ANSWER SECTION:
_acme-challenge.acmedns.mydomain.tld. 1 IN TXT ""

;; AUTHORITY SECTION:
acmedns.mydomain.tld. 207 IN NS usedname.mydomain.tld.

;; Query time: 37 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 08 17:57:38 CEST 2024
;; MSG SIZE rcvd: 129
```
So, almost there?
Never mind @joohoi, it was in part a dumb question (there is a 'none' option).
Never mind, the error was mine (no surprise here). I had CNAME'd `_acme-challenge.acmedns.mydomain.tld` to `<acme-dns-subdomain>.acmedns.mydomain.tld`, but I should have CNAME'd `_acme-challenge.mydomain.tld`, of course, because that is where the LE CA will look... 😬 Now just see if I can get it working in full.
So, probably the bootstrap would have worked too, maybe. I'll probably check later.
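The mistake described above (delegating `_acme-challenge.<acme-dns host>` instead of `_acme-challenge.<domain>`) is easy to check by walking the CNAME chain the way a CA does. The following is an added example, not code from the thread or from the acme-dns project; the zone data and the subdomain name `placeholder-subdomain` are constructed, and `lookup` is a dict stand-in for a real DNS query.

```python
"""Walk the CNAME chain a CA follows for an ACME DNS-01 challenge.

Added example; `records` is a constructed stand-in for real DNS.
"""
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]
MAX_CNAME_HOPS = 8  # stop runaway or looping chains, as resolvers do


def follow_chain(name: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Return (final_name, txt_values) after following CNAMEs from `name`."""
    current = name.rstrip(".").lower()
    for _ in range(MAX_CNAME_HOPS):
        targets = lookup(current, "CNAME")
        if not targets:  # end of chain: read TXT here, as the CA would
            return current, lookup(current, "TXT")
        current = targets[0].rstrip(".").lower()
    raise RuntimeError(f"CNAME chain from {name} exceeded {MAX_CNAME_HOPS} hops")


def check_delegation(domain: str, acmedns_zone: str, token: str,
                     lookup: Lookup) -> Dict[str, object]:
    """Check that _acme-challenge.<domain> lands inside the acme-dns zone
    and that the token written via the /update API is visible there."""
    challenge_name = f"_acme-challenge.{domain.rstrip('.')}"
    final_name, txts = follow_chain(challenge_name, lookup)
    zone = acmedns_zone.rstrip(".").lower()
    return {
        "queried": challenge_name,
        "resolved_to": final_name,
        "delegated_to_acmedns": final_name.endswith("." + zone),
        "token_visible": token in txts,
    }


def make_lookup(records: Dict[Tuple[str, str], List[str]]) -> Lookup:
    def lookup(name: str, rtype: str) -> List[str]:
        return records.get((name.rstrip(".").lower(), rtype), [])
    return lookup


# Constructed zone data mirroring the thread; the subdomain is a placeholder.
SUB = "placeholder-subdomain"
TOKEN = "___validation_token_recieved_from_the_ca___"
TARGET = f"{SUB}.acmedns.mydomain.tld."
BROKEN = {  # CNAME put on the acme-dns host name instead of the domain
    ("_acme-challenge.acmedns.mydomain.tld", "CNAME"): [TARGET],
    (f"{SUB}.acmedns.mydomain.tld", "TXT"): [TOKEN],
}
FIXED = dict(BROKEN)
FIXED[("_acme-challenge.mydomain.tld", "CNAME")] = [TARGET]
```

Run `check_delegation("mydomain.tld", "acmedns.mydomain.tld", TOKEN, make_lookup(FIXED))` against each zone dict: the broken layout resolves to nothing at `_acme-challenge.mydomain.tld`, the fixed one ends inside the acme-dns zone with the token visible.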
This was (at least in part) a dumb question.
[Update: this is a dumb question. Ignore]
I need to get the acme-dns server running locally, on a server that is already running an instance of my split-DNS (so 53 is not available).
Outside public DNS for `mydomain.tld`:

Inside private DNS for `mydomain.tld`:

acme-dns is running as a container via docker compose, with this:
It starts fine:
NAT is like
From the outside, my acme-dns is reachable:
From the inside as well:
Now, when on the inside I try to register, I get
and the log says:
My config is a mess, of course, because I don't understand this all very well.
Is there a way to get acme-dns running self-hosted in this situation?