kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License
572 stars, 79 forks

[BUG] Can't use subdomain with CloudFlare #39

Closed. psitem closed this 2 years ago

psitem commented 2 years ago

Describe the bug: When using the DNS challenge with an FQDN of the form 'hostname.subdomain.mydomain.com', the script attempts to update the zone 'subdomain.mydomain.com' in CloudFlare, which fails because the zone is 'mydomain.com'.

Expected behavior: Script updates the mydomain.com zone. CloudFlare does not allow the creation of a sub-zone.

Logs:

# ./udm-le.sh initial
Attempting initial certificate generation
# 2021/08/22 17:47:30 [INFO] [unifi.home.(mydomain).com] acme: Obtaining bundled SAN certificate
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/24181593740
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: Could not find solver for: tls-alpn-01
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: Could not find solver for: http-01
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: use dns-01 solver
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: Preparing to solve DNS-01
2021/08/22 17:47:31 [INFO] [unifi.home.(mydomain).com] acme: Cleaning DNS-01 challenge
2021/08/22 17:47:31 [WARN] [unifi.home.(mydomain).com] acme: cleaning up failed: cloudflare: failed to find zone home.(mydomain).com.: Zone could not be found
2021/08/22 17:47:32 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/24181593740
2021/08/22 17:47:32 Could not obtain certificates:
        error: one or more domains had a problem:
[unifi.home.(mydomain).com] [unifi.home.(mydomain).com] acme: error presenting token: cloudflare: failed to find zone home.(mydomain).com.: Zone could not be found
kchristensen commented 2 years ago

I do something similar, domain.com is in Cloudflare, and my CERT_HOSTS variable is set to something.something.domain.com. It renews just fine which leads me to believe you have your Cloudflare API credentials setup improperly.

In Cloudflare, you should make sure your permissions look like this: domain.com - Zone:Read, DNS:Edit and "include specific zone" for domain.com.

psitem commented 2 years ago

I figured this out. Lego determines the zone to use via DNS by removing the leftmost part until it finds an SOA record. Since my UDM-P is using my internal DNS, it finds an SOA for home.(mydomain).com and attempts to use that instead of (mydomain).com.

The solution was to set DNS_RESOLVERS to an external resolver.
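The zone-detection behaviour described in the comment above, as an added, self-contained emulation (not code from udm-le or from lego): the FQDN is walked from the left, one label dropped at a time, and the first name that answers an SOA query is taken as the zone to update. The resolvers here are constructed lookup tables standing in for real DNS so the example runs offline; `example.com` and `home.example.com` are placeholders for the reporter's domain, and `findZone`, `Resolver` and `mapResolver` are names chosen for this example. The internal resolver is authoritative for `home.example.com` and therefore returns an SOA for it, which is exactly the wrong zone for the Cloudflare API; the public resolver only knows the zone Cloudflare actually hosts.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Resolver answers one question: does this name have an SOA record?
// It stands in for a real DNS lookup so the example runs offline.
type Resolver func(name string) bool

// findZone emulates the zone-detection strategy described in the issue:
// starting from the full FQDN, drop the leftmost label until a name with
// an SOA record is found, and return that name as the zone to update.
// This is a simplified stand-in for lego's behaviour, not lego's code.
func findZone(fqdn string, hasSOA Resolver) (string, error) {
	name := strings.TrimSuffix(fqdn, ".")
	labels := strings.Split(name, ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".")
		if hasSOA(candidate + ".") {
			return candidate, nil
		}
	}
	return "", errors.New("no SOA record found for " + fqdn + " or any parent")
}

// mapResolver builds a Resolver from a constructed set of names that
// are known to have SOA records (i.e. zone apexes from that resolver's
// point of view).
func mapResolver(soaNames ...string) Resolver {
	set := make(map[string]bool, len(soaNames))
	for _, n := range soaNames {
		set[strings.TrimSuffix(n, ".")+"."] = true
	}
	return func(name string) bool { return set[name] }
}

// Constructed data (hypothetical domains):
//   - internalResolver: a LAN resolver that serves its own zone for
//     home.example.com and forwards everything else, so it answers an
//     SOA for both home.example.com and example.com.
//   - externalResolver: a public resolver such as 1.1.1.1 that only
//     sees the example.com zone published at Cloudflare.
var (
	internalResolver = mapResolver("home.example.com", "example.com")
	externalResolver = mapResolver("example.com")
)

func main() {
	fqdn := "unifi.home.example.com"
	for _, r := range []struct {
		label string
		res   Resolver
	}{
		{"internal", internalResolver},
		{"external", externalResolver},
	} {
		zone, err := findZone(fqdn, r.res)
		fmt.Printf("%-8s resolver: zone %q err=%v\n", r.label, zone, err)
	}
}
```

With the internal resolver the walk stops at `home.example.com`, which is the "failed to find zone" the Cloudflare provider then reports; with the external resolver it continues to `example.com`. The equivalent manual check on a real system is to compare what `dig SOA home.mydomain.com` returns when asked via the UDM's configured resolver versus `@1.1.1.1`: if the internal one hands back an SOA, DNS_RESOLVERS needs to point at an external resolver.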

ptheofan commented 2 years ago

@tbyehl failing to find the zone and all the crazy errors before that... who would have thought. You saved the day!

I saw some more people around having similar issues. I would recommend we add information to the readme to let people know that if you're using unbound, for example (like me), you should use DNS_RESOLVERS (i.e. 1.1.1.1).

kchristensen commented 2 years ago

It's only an issue if you point your udmp at an internal resolver, which can have side effects if you use conditional forwarding like mDNS storms.

Personally I point my udmp at Cloudflare, and point internal hosts to a pi-hole with conditional forwarding back to the udmp for dnsmasq'd hostnames.