kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License

failed to find zone #12

Closed seekerPL closed 3 years ago

seekerPL commented 3 years ago

Hi, not sure if I did something wrong, but the script fails on finding my zone: polska.org.pl

UDM-le env:

```
#
# Required configuration
#

# Email for LetsEncrypt certificate issuance
CERT_EMAIL='MYEMAIL@gmail.com'

# The FQDN of your UDMP (comma separated fqdns are supported)
CERT_HOSTS='polska.org.pl'

# Enable updating Captive Portal certificate as well as device certificate
ENABLE_CAPTIVE='no'

# CloudFlare settings, see the README.md for information about other providers
CLOUDFLARE_DNS_API_TOKEN='MYTOKENFROMCLOUDFLARE'
DNS_PROVIDER='cloudflare'

#
# Change stuff below at your own risk
#

# DNS_RESOLVERS supports a host:port if you need to override system DNS
DNS_RESOLVERS=''

# Changing below requires changing line 6 of udm-le.sh
UDM_LE_PATH='/mnt/data/udm-le'

# These should only change if Unifi-OS core changes require it
CERT_IMPORT_CMD='java -jar /usr/lib/unifi/lib/ace.jar import_key_cert'
UBIOS_CERT_PATH='/mnt/data/unifi-os/unifi-core/config'
UNIFIOS_CERT_PATH='/data/unifi-core/config'
```

Output while running the script:

```
Your account credentials have been saved in your Let's Encrypt configuration directory at "/var/lib/lego/accounts".
You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained from Let's Encrypt so making regular backups of this folder is ideal.
2020/08/25 08:00:39 [INFO] [polska.org.pl] acme: Obtaining bundled SAN certificate
2020/08/25 08:00:40 [INFO] [polska.org.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6760625124
2020/08/25 08:00:40 [INFO] [polska.org.pl] acme: Could not find solver for: tls-alpn-01
2020/08/25 08:00:40 [INFO] [polska.org.pl] acme: Could not find solver for: http-01
2020/08/25 08:00:40 [INFO] [polska.org.pl] acme: use dns-01 solver
2020/08/25 08:00:40 [INFO] [polska.org.pl] acme: Preparing to solve DNS-01
2020/08/25 08:00:41 [INFO] [polska.org.pl] acme: Cleaning DNS-01 challenge
2020/08/25 08:00:42 [WARN] [polska.org.pl] acme: cleaning up failed: cloudflare: failed to find zone polska.org.pl.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6111,\"message\":\"Invalid format for Authorization header\"}]}],\"messages\":[],\"result\":null}"
2020/08/25 08:00:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6760625124
2020/08/25 08:00:42 Could not obtain certificates: error: one or more domains had a problem: [polska.org.pl] [polska.org.pl] acme: error presenting token: cloudflare: failed to find zone polska.org.pl.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6111,\"message\":\"Invalid format for Authorization header\"}]}],\"messages\":[],\"result\":null}"
```

Is this some kind of bug, or am I just using the CERT_HOSTS='polska.org.pl' field wrongly?

My CloudFlare API token setup: (screenshot, not reproduced)

kchristensen commented 3 years ago

Hmm, that looks right to me, although the Cloudflare API permissions can be a little weird. Try not limiting it to your domain under Zone Resources and give it permissions on your entire account and see if that works as an experiment. At one point in the past there was an issue with limiting the scope to a specific zone that sounds similar to what you're seeing.

I just logged into my Cloudflare account and my token is set up the same as yours, so this is a bit puzzling.

SpicyAlmondMilk commented 3 years ago

I'm having the same issue when setting up a UDM Pro today. Same basic configuration, so it looks like either something changed outside of this script or we're both blind.

kchristensen commented 3 years ago

So I went in to make sure I didn't have any stray tokens laying around in Cloudflare and deleted everything but the one I thought I was using, which looks like this:

(screenshot of the token, not reproduced)

Then I went and blasted the lego directory in /mnt/data/udm-le so I was basically starting fresh and ran an initial certificate attempt:

```
2020/08/26 12:11:34 No key found for account kyle@domain.com. Generating a 2048 key.
2020/08/26 12:11:37 Saved key to /var/lib/lego/accounts/acme-v02.api.letsencrypt.org/kyle@domain.com/keys/kyle@domain.com.key
2020/08/26 12:11:37 [INFO] acme: Registering account for kyle@domain.com
!!!! HEADS UP !!!!

        Your account credentials have been saved in your Let's Encrypt
        configuration directory at "/var/lib/lego/accounts".
        You should make a secure backup of this folder now. This
        configuration directory will also contain certificates and
        private keys obtained from Let's Encrypt so making regular
        backups of this folder is ideal.
2020/08/26 12:11:37 [INFO] [foo.domain.com] acme: Obtaining bundled SAN certificate
2020/08/26 12:11:38 [INFO] [foo.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6785250104
2020/08/26 12:11:38 [INFO] [foo.domain.com] acme: Could not find solver for: tls-alpn-01
2020/08/26 12:11:38 [INFO] [foo.domain.com] acme: Could not find solver for: http-01
2020/08/26 12:11:38 [INFO] [foo.domain.com] acme: use dns-01 solver
2020/08/26 12:11:38 [INFO] [foo.domain.com] acme: Preparing to solve DNS-01
2020/08/26 12:11:39 [INFO] cloudflare: new record for foo.domain.com, ID 2c65d23c74d9cae537c877bf44b4ad07
2020/08/26 12:11:39 [INFO] [foo.domain.com] acme: Trying to solve DNS-01
2020/08/26 12:11:39 [INFO] [foo.domain.com] acme: Checking DNS record propagation using [127.0.0.1:53]
2020/08/26 12:11:39 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2020/08/26 12:11:39 [INFO] [foo.domain.com] acme: Waiting for DNS record propagation.
2020/08/26 12:11:41 [INFO] [foo.domain.com] acme: Waiting for DNS record propagation.
2020/08/26 12:11:47 [INFO] [foo.domain.com] The server validated our request
2020/08/26 12:11:47 [INFO] [foo.domain.com] acme: Cleaning DNS-01 challenge
2020/08/26 12:11:47 [INFO] [foo.domain.com] acme: Validations succeeded; requesting certificates
2020/08/26 12:11:48 [INFO] [foo.domain.com] Server responded with a certificate.
```

Which worked as expected. I'm puzzled why it's any different for you guys. I don't see any related issues on either the lego issue tracker or the cloudflare-go github which is the client that lego is using under the hood for this.

seekerPL commented 3 years ago

Please check my udm-le.env file.

```
# Email for LetsEncrypt certificate issuance
CERT_EMAIL='mygmailemail@gmail.com'

# The FQDN of your UDMP (comma separated fqdns are supported)
CERT_HOSTS='gateway.polska.org.pl'

# Enable updating Captive Portal certificate as well as device certificate
ENABLE_CAPTIVE='yes'

# CloudFlare settings, see the README.md for information about other providers
CLOUDFLARE_DNS_API_TOKEN='0j748b0ec80946e7222849f13eb1789150a4b'
DNS_PROVIDER='cloudflare'

#
# Change stuff below at your own risk
#

# DNS_RESOLVERS supports a host:port if you need to override system DNS
DNS_RESOLVERS=''

# Changing below requires changing line 6 of udm-le.sh
UDM_LE_PATH='/mnt/data/udm-le'

# These should only change if Unifi-OS core changes require it
CERT_IMPORT_CMD='java -jar /usr/lib/unifi/lib/ace.jar import_key_cert'
UBIOS_CERT_PATH='/mnt/data/unifi-os/unifi-core/config'
UNIFIOS_CERT_PATH='/data/unifi-core/config'
```

seekerPL commented 3 years ago

(two screenshots of the Cloudflare token setup, not reproduced)

In udm-le.env I'm using the Global API key.

seekerPL commented 3 years ago

Log file:

```
/mnt/data/udm-le/udm-le.sh initial
stat: can't stat '/mnt/data/udm-le/lego': No such file or directory
Attempting initial certificate generation
2020/08/31 07:13:31 No key found for account mygmailemail@gmail.com. Generating a 2048 key.
2020/08/31 07:13:33 Saved key to /var/lib/lego/accounts/acme-v02.api.letsencrypt.org/mygmailemil@gmail.com/keys/mygmailemail@gmail.com.key
2020/08/31 07:13:34 [INFO] acme: Registering account for mygmailemail@gmail.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt configuration directory at "/var/lib/lego/accounts".
You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained from Let's Encrypt so making regular backups of this folder is ideal.
2020/08/31 07:13:34 [INFO] [gateway.polska.org.pl] acme: Obtaining bundled SAN certificate
2020/08/31 07:13:36 [INFO] [gateway.polska.org.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6887726334
2020/08/31 07:13:36 [INFO] [gateway.polska.org.pl] acme: Could not find solver for: tls-alpn-01
2020/08/31 07:13:36 [INFO] [gateway.polska.org.pl] acme: Could not find solver for: http-01
2020/08/31 07:13:36 [INFO] [gateway.polska.org.pl] acme: use dns-01 solver
2020/08/31 07:13:36 [INFO] [gateway.polska.org.pl] acme: Preparing to solve DNS-01
2020/08/31 07:13:37 [INFO] [gateway.polska.org.pl] acme: Cleaning DNS-01 challenge
2020/08/31 07:13:37 [WARN] [gateway.polska.org.pl] acme: cleaning up failed: cloudflare: failed to find zone polska.org.pl.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6111,\"message\":\"Invalid format for Authorization header\"}]}],\"messages\":[],\"result\":null}"
2020/08/31 07:13:38 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6887726334
2020/08/31 07:13:38 Could not obtain certificates: error: one or more domains had a problem: [gateway.polska.org.pl] [gateway.polska.org.pl] acme: error presenting token: cloudflare: failed to find zone polska.org.pl.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6111,\"message\":\"Invalid format for Authorization header\"}]}],\"messages\":[],\"result\":null}"
```

lcollins commented 3 years ago

Hi there all - I have run into the same issue with UnifiOS v1.8.0. After some debugging I found a solution:

Try removing the `'` around the CLOUDFLARE_DNS_API_TOKEN value.

seekerPL commented 3 years ago

It helped, but I ran into another problem:

```
# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
2020/08/31 11:09:26 [INFO] [gateway.polska.org.pl] acme: Obtaining bundled SAN certificate
2020/08/31 11:09:28 [INFO] [gateway.polska.org.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6891365885
2020/08/31 11:09:28 [INFO] [gateway.polska.org.pl] acme: Could not find solver for: tls-alpn-01
2020/08/31 11:09:28 [INFO] [gateway.polska.org.pl] acme: Could not find solver for: http-01
2020/08/31 11:09:28 [INFO] [gateway.polska.org.pl] acme: use dns-01 solver
2020/08/31 11:09:28 [INFO] [gateway.polska.org.pl] acme: Preparing to solve DNS-01
2020/08/31 11:09:30 [INFO] cloudflare: new record for gateway.polska.org.pl, ID e340e87c50153897e9dc1c9b95bb0bd5
2020/08/31 11:09:30 [INFO] [gateway.polska.org.pl] acme: Trying to solve DNS-01
2020/08/31 11:09:30 [INFO] [gateway.polska.org.pl] acme: Checking DNS record propagation using [127.0.0.1:53]
2020/08/31 11:09:32 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2020/08/31 11:09:32 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
```

And it failed in around 3 min.

In CloudFlare I noticed a new entry in the DNS tab:

```
TXT _acme-challenge.gateway KlsLR9vL5zdRoUawrOYyGxxAHw
```

lcollins commented 3 years ago

So in udm-le.env, if you set `DNS_RESOLVERS='8.8.8.8:53'` you should get past `Checking DNS record propagation using [127.0.0.1:53]`.

seekerPL commented 3 years ago

```
2020/08/31 11:29:14 [INFO] [gateway.polska.org.pl] acme: Obtaining bundled SAN certificate
2020/08/31 11:29:14 [INFO] [gateway.polska.org.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6891649685
2020/08/31 11:29:14 [INFO] [gateway.polska.org.pl] acme: Could not find solver for: tls-alpn-01
2020/08/31 11:29:14 [INFO] [gateway.polska.org.pl] acme: Could not find solver for: http-01
2020/08/31 11:29:14 [INFO] [gateway.polska.org.pl] acme: use dns-01 solver
2020/08/31 11:29:14 [INFO] [gateway.polska.org.pl] acme: Preparing to solve DNS-01
2020/08/31 11:29:16 [INFO] cloudflare: new record for gateway.polska.org.pl, ID 5896b03c00be488e0bdf3c4ad5e59eb5
2020/08/31 11:29:16 [INFO] [gateway.polska.org.pl] acme: Trying to solve DNS-01
2020/08/31 11:29:16 [INFO] [gateway.polska.org.pl] acme: Checking DNS record propagation using [8.8.8.8:53]
2020/08/31 11:29:18 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2020/08/31 11:29:18 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
```

It keeps logging `Waiting for DNS record propagation` for a few minutes and then fails.

lcollins commented 3 years ago

I am not sure what the delay might be here, possibly a firewall or connectivity issue. You could try with Cloudflare DNS: `DNS_RESOLVERS='1.1.1.1:53'`

Other than that I am not sure if the script is set up to provide optional values for the timeout. But it shouldn't take >2m to verify the TXT record.

kchristensen commented 3 years ago

I didn't have my API token quoted in my env file so that might have been part of the reason why I wasn't running into issues.

I'm a little confused about something. Assuming polska.org.pl is your actual domain name, Cloudflare is not authoritative for that domain:

```
DOMAIN NAME:           polska.org.pl
registrant type:       organization
nameservers:           ns10.az.pl. [46.242.144.100]
                       ns11.az.pl. [46.242.145.8]
                       ns12.az.pl. [89.171.29.77]
created:               2012.04.24 14:04:04
last modified:         2020.04.23 12:27:31
renewal date:          2021.04.24 14:04:04
```

This means your DNS challenges are never going to work regardless of where you try to resolve them because Cloudflare is not actually handling DNS for that domain.

seekerPL commented 3 years ago

> I didn't have my API token quoted in my env file so that might have been part of the reason why I wasn't running into issues.
>
> I'm a little confused about something. Assuming polska.org.pl is your actual domain name, Cloudflare is not authoritative for that domain:
>
> ```
> DOMAIN NAME:           polska.org.pl
> registrant type:       organization
> nameservers:           ns10.az.pl. [46.242.144.100]
>                        ns11.az.pl. [46.242.145.8]
>                        ns12.az.pl. [89.171.29.77]
> created:               2012.04.24 14:04:04
> last modified:         2020.04.23 12:27:31
> renewal date:          2021.04.24 14:04:04
> ```
>
> This means your DNS challenges are never going to work regardless of where you try to resolve them because Cloudflare is not actually handling DNS for that domain.

polska.org.pl is not my actual domain, it's very similar but different, sorry for the confusion.

seekerPL commented 3 years ago

I tried with the new version, but the same behavior.

```
# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
2020/09/10 09:45:33 [INFO] [gateway.polska.org.pl] acme: Obtaining bundled SAN certificate
2020/09/10 09:45:34 [INFO] [gateway.polska.org.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7118483646
2020/09/10 09:45:34 [INFO] [gateway.polska.org.pl] acme: Could not find solver for: tls-alpn-01
2020/09/10 09:45:34 [INFO] [gateway.polska.org.pl] acme: Could not find solver for: http-01
2020/09/10 09:45:34 [INFO] [gateway.polska.org.pl] acme: use dns-01 solver
2020/09/10 09:45:34 [INFO] [gateway.polska.org.pl] acme: Preparing to solve DNS-01
2020/09/10 09:45:36 [INFO] cloudflare: new record for gateway.polska.org.pl, ID 5c714e2238a4ac78858235e849094075
2020/09/10 09:45:36 [INFO] [gateway.polska.org.pl] acme: Trying to solve DNS-01
2020/09/10 09:45:36 [INFO] [gateway.polska.org.pl] acme: Checking DNS record propagation using [1.1.1.1:53]
2020/09/10 09:45:38 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2020/09/10 09:45:38 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:40 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:42 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:44 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:46 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:48 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:50 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:52 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:54 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:56 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:45:58 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:00 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:02 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:04 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:06 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:08 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:10 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:12 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:14 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:16 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:18 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:20 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:22 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:24 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:26 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:28 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:30 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:32 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:34 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:36 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:38 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:40 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:42 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:44 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:46 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:48 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:50 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:52 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:54 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:56 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:46:58 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:00 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:02 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:04 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:06 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:08 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:10 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:12 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:14 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:16 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:18 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:20 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:22 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:24 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:26 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:28 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:30 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:32 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:34 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:36 [INFO] [gateway.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/10 09:47:38 [INFO] [gateway.polska.org.pl] acme: Cleaning DNS-01 challenge
2020/09/10 09:47:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7118483646
2020/09/10 09:47:42 Could not obtain certificates: error: one or more domains had a problem: [gateway.polska.org.pl] time limit exceeded: last error: NS collins.ns.cloudflare.com. returned REFUSED for _acme-challenge.gateway.polska.org.pl.
```

It looks like there is a connection between my UDM and Cloudflare, because it's creating a new TXT DNS entry.

(screenshot of the TXT record in Cloudflare, not reproduced)

I'm using a pihole as my DNS resolver; could that be a reason why it's not working? I tried to disable the pihole and run the script again, but nothing changed.

lcollins commented 3 years ago

It might be worth first checking if Cloudflare is authoritative, as if it's not you could still create records but they would not be used.

https://mxtoolbox.com/SuperTool.aspx (run DNS Check test)

In terms of making the script check propagation using a different DNS server, set the following in udm-le.env:

`DNS_RESOLVERS='1.1.1.1:53'`

It would appear it is already doing this:

```
5c714e2238a4ac78858235e849094075 2020/09/10 09:45:36 [INFO] [gateway.polska.org.pl] acme: Trying to solve DNS-01
2020/09/10 09:45:36 [INFO] [gateway.polska.org.pl] acme: Checking DNS record propagation using [1.1.1.1:53]
```

kchristensen commented 3 years ago

One thing to note: If you're using a pihole as your resolver on your udmp, as well as internally and you have the pihole setup to do conditional forwarding from the pihole back to the udmp for your internal domain, you're likely to cause all sorts of mDNS storms and such.

Personally I use a pihole internally, but have my udmp set to use Cloudflare which works out well since nothing uses the udmp for DNS other than fallback if pihole is down or the udmp itself.

To @lcollins' point, I was going to suggest setting DNS_RESOLVERS but it looks like you're already doing that. Have you tried pointing your udmp at Cloudflare instead of Pihole?

seekerPL commented 3 years ago

Pihole removed, I switched to Adguardhome (installed on UDM).

I'm using UDM, firmware 1.8.0-rc16. I installed AdguardHome and ntopng on UDM with podman and both are working fine.

Again trying to install udm-le.

I tried to set `DNS_RESOLVERS='1.1.1.1:53'` and `DNS_RESOLVERS='8.8.8.8:53'`, and also tried to leave it empty (`DNS_RESOLVERS=''`).

```
Attempting initial certificate generation
2020/09/29 11:58:40 [INFO] [*.polska.org.pl] acme: Obtaining bundled SAN certificate
2020/09/29 11:58:41 [INFO] [*.polska.org.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7528948874
2020/09/29 11:58:41 [INFO] [*.polska.org.pl] acme: use dns-01 solver
2020/09/29 11:58:41 [INFO] [*.polska.org.pl] acme: Preparing to solve DNS-01
2020/09/29 11:58:43 [INFO] cloudflare: new record for polska.org.pl, ID 50f20137b8835e6548f1035b99b5fbfc
2020/09/29 11:58:43 [INFO] [*.polska.org.pl] acme: Trying to solve DNS-01
2020/09/29 11:58:43 [INFO] [*.polska.org.pl] acme: Checking DNS record propagation using [127.0.0.1:53]
2020/09/29 11:58:45 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2020/09/29 11:58:45 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:58:47 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:58:49 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:58:51 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:58:53 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:58:55 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:58:57 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:58:59 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:01 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:03 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:05 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:07 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:09 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:11 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:13 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:15 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:17 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:19 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:21 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:23 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:25 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:27 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:29 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:31 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:33 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:35 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:37 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:39 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:41 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:43 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:45 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:47 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:49 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:51 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:53 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:55 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:57 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 11:59:59 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:01 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:03 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:05 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:07 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:09 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:11 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:13 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:15 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:17 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:19 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:21 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:23 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:25 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:27 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:29 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:31 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:33 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:35 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:37 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:39 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:41 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:43 [INFO] [*.polska.org.pl] acme: Waiting for DNS record propagation.
2020/09/29 12:00:45 [INFO] [*.polska.org.pl] acme: Cleaning DNS-01 challenge
2020/09/29 12:00:46 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7528948874
2020/09/29 12:00:46 Could not obtain certificates:
    error: one or more domains had a problem:
[*.polska.org.pl] time limit exceeded: last error: NS collins.ns.cloudflare.com. returned REFUSED for _acme-challenge.polska.org.pl.
```

In Cloudflare it's trying to create a new entry: `TXT _acme-challenge.gateway KlsLR9vL5zdRoUawrOYyGxxAHw`

StefanBeOs commented 2 years ago

I recently ran into the same issue "acme: Waiting for DNS record propagation." and wanted to post my solution in case anyone else runs into this problem. In Cloudflare account management, find the IP address (use ping) of one of the Cloudflare nameservers assigned to your domain name. Then set DNS_RESOLVERS to use that IP with port 53.

Example: My name server is "example.ca.cloudflare.com"

Find the IP:

```
ping example.ca.cloudflare.com
Pinging example.ca.cloudflare.com [108.162.195.242] with 32 bytes of data:
Reply from 108.162.195.242: bytes=32 time=19ms TTL=57
```

Edit udm-le.env: `DNS_RESOLVERS='108.162.195.242:53'`

Afterwards the script ran successfully for me and https is confirmed working.
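The three failure modes worked through in this thread (a quoted token producing a malformed Authorization header, propagation being checked against the UDM's own resolver, and a Cloudflare nameserver answering REFUSED because the zone is not delegated to it) can be checked offline before the script is run again; the following is an added example and is not part of udm-le or lego. It assumes udm-le.sh sources udm-le.env for its own variables such as DNS_RESOLVERS (quotes stripped by the shell) but hands the same file to the lego container as an `--env-file`, where quotes are kept, which is why a quoted CLOUDFLARE_DNS_API_TOKEN breaks only the Cloudflare API call. The sample env files, log lines and whois output are constructed; the token and nameserver names are placeholders.

```python
"""Offline preflight and log triage for the udm-le/lego DNS-01 failures in this thread."""
import re

AUTH_HEADER_ERR = "Invalid format for Authorization header"
REFUSED_RE = re.compile(r"NS (?P<ns>\S+) returned REFUSED for (?P<name>\S+)")
RESOLVER_RE = re.compile(r"propagation using \[(?P<resolver>[^\]]+)\]")


def parse_env_file(text):
    """Read KEY=VALUE lines the way a container --env-file does: values are taken
    literally, so surrounding quotes stay part of the value (assumption, see lead-in)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value
    return env


def check_env(text):
    """Return [(code, message)] findings for a udm-le.env file."""
    env, findings = parse_env_file(text), []
    token = env.get("CLOUDFLARE_DNS_API_TOKEN", "")
    if token and (token[0] in "'\"" or token[-1] in "'\""):
        findings.append(("quoted-token", "CLOUDFLARE_DNS_API_TOKEN is quoted; the quotes "
                         "become part of the token and the Authorization header is malformed"))
    # lego's cloudflare provider reads a scoped API token from CLOUDFLARE_DNS_API_TOKEN;
    # a Global API Key belongs in CLOUDFLARE_API_KEY together with CLOUDFLARE_EMAIL.
    # DNS_RESOLVERS is read by the shell script itself (quotes stripped), so only an
    # empty value matters: lego then checks propagation through the UDM's own resolver.
    if not env.get("DNS_RESOLVERS", "").strip("'\""):
        findings.append(("system-resolver", "DNS_RESOLVERS is empty; propagation will be "
                         "checked via 127.0.0.1:53, set an external resolver if it stalls"))
    return findings


def triage_log(lines):
    """Classify lego log lines into the failure modes seen in this thread."""
    seen, resolver = {}, None
    for line in lines:
        m = RESOLVER_RE.search(line)
        if m:
            resolver = m.group("resolver")
        if AUTH_HEADER_ERR in line:
            seen.setdefault("bad-auth-header", "Cloudflare answered HTTP 400 '%s': the "
                            "token reached lego malformed, check its quoting" % AUTH_HEADER_ERR)
        m = REFUSED_RE.search(line)
        if m:
            seen.setdefault("ns-refused", "%s returned REFUSED for %s: that nameserver does "
                            "not serve the zone, so the TXT record is never visible; confirm the "
                            "domain is delegated to Cloudflare" % (m.group("ns"), m.group("name")))
    if resolver and resolver.startswith("127."):
        seen.setdefault("local-resolver", "propagation was checked against %s (the UDM "
                        "itself); set DNS_RESOLVERS to an external resolver" % resolver)
    return list(seen.items())


def nameservers_from_whois(text):
    """Pull NS names out of a whois-style 'nameservers:' block like the one pasted above."""
    names, in_block = [], False
    for line in text.splitlines():
        if line.lower().startswith("nameservers:"):
            in_block, line = True, line.split(":", 1)[1]
        elif in_block and not line[:1].isspace():
            in_block = False
        if in_block and line.strip():
            names.append(line.split()[0].rstrip(".").lower())
    return names


def delegated_to_cloudflare(names):
    """True only if every delegated nameserver is a Cloudflare one (*.ns.cloudflare.com)."""
    return bool(names) and all(n.endswith(".ns.cloudflare.com") for n in names)


# Constructed sample inputs modelled on the thread (placeholder token, example domain).
SAMPLE_ENV_BAD = "CLOUDFLARE_DNS_API_TOKEN='TOKEN_PLACEHOLDER'\nDNS_PROVIDER='cloudflare'\nDNS_RESOLVERS=''\n"
SAMPLE_ENV_OK = "CLOUDFLARE_DNS_API_TOKEN=TOKEN_PLACEHOLDER\nDNS_PROVIDER='cloudflare'\nDNS_RESOLVERS='1.1.1.1:53'\n"
SAMPLE_LOG = [
    '2020/08/31 07:13:37 [WARN] [gw.example.net] acme: cleaning up failed: cloudflare: failed to '
    'find zone example.net.: HTTP status 400: content "{\\"message\\":\\"' + AUTH_HEADER_ERR + '\\"}"',
    "2020/09/10 09:45:36 [INFO] [gw.example.net] acme: Checking DNS record propagation using [127.0.0.1:53]",
    "2020/09/10 09:47:42 Could not obtain certificates: [gw.example.net] time limit exceeded: "
    "last error: NS ns-example.ns.cloudflare.com. returned REFUSED for _acme-challenge.gw.example.net.",
]
SAMPLE_WHOIS = ("DOMAIN NAME:           example.net\n"
                "nameservers:           ns10.az.pl. [192.0.2.10]\n"
                "                       ns11.az.pl. [192.0.2.11]\n"
                "created:               2012.04.24 14:04:04\n")

if __name__ == "__main__":
    for code, msg in check_env(SAMPLE_ENV_BAD) + triage_log(SAMPLE_LOG):
        print("%-16s %s" % (code, msg))
    print("delegated to Cloudflare:", delegated_to_cloudflare(nameservers_from_whois(SAMPLE_WHOIS)))
```

Feed it the real udm-le.env and the script's log to get the same classification for a live run; the whois parser expects the `nameservers:` block layout shown earlier in the thread.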