Closed cyplo closed 6 years ago
Are you sure that Let's Encrypt can get the DNS record for your domain?
`dig` is telling me that there is no such record:
```
❯ dig AAAA test.cyplo.net
; <<>> DiG 9.11.2 <<>> AAAA test.cyplo.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24788
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.cyplo.net. IN AAAA
;; AUTHORITY SECTION:
cyplo.net. 3594 IN SOA ns-111.awsdns-13.com. admin.cyplo.net. 2018020301 3600 1800 604800 600
;; Query time: 42 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Feb 26 10:46:14 ACDT 2018
;; MSG SIZE rcvd: 105
```
You can check with this too: https://mxtoolbox.com/SuperTool.aspx
Heyo ! Thank you for checking :) It indeed does not have the record right now, as I deleted it to be able to make some further progress with the config. Looking at the logs pasted above:
```
"validationRecord": [
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: {
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: "url": "http://mail.test.cyplo.net/.well-known/acme-challenge/D9e0V3DUm33XY-51UU98gSlFgVB3xyIQ4Mhijh8F918",
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: "hostname": "mail.test.cyplo.net",
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: "port": "80",
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: "addressesResolved": [
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: "18.196.18.46",
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: "2a05:d014:36d:a401:f8d1:fdcc:cdee:db7e"
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: ],
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: "addressUsed": "2a05:d014:36d:a401:f8d1:fdcc:cdee:db7e"
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: }
Feb 25 21:36:59 ip-10-0-27-169.eu-central-1.compute.internal acme-mail.test.cyplo.net-start[819]: ]
```
thanks ! :)
Unfortunately I don't have an idea about your problem. If you remove SNM and add acme manually does it work? Maybe this is a bug in Nixos' acme support?
@cyplo could you share your entire config? AFAICT nginx will listen on `[::]` if `config.networking.enableIPv6` is true, which I don't see in the snippet you posted. https://github.com/NixOS/nixpkgs/blob/93bfd8921fa26bc7046d3cb64c05ffe7f30bb9bf/nixos/modules/services/web-servers/nginx/default.nix#L20
Thank you both for your support :)
I'm going to try both seeing if pure ACME without SNM works and if setting nginx config explicitly helps.
The config I've pasted above is the full config from that machine - I don't have nginx configured separately, as I don't need it on the box. My understanding is that ACME needs it to setup a temporary validation server.
thanks again and will keep you posted :)
Hello ! I've tried different combinations and: 🎉 Resolved and not a bug in SNM 🎉 - was an unrelated network configuration problem - apologies :)
p.s. - I tried with `config.networking.enableIPv6` and without it - does not make a difference if the box has an assigned IPv6 address - ACME works either way.
thanks again !
Heyo, First of all, thank you for an AMAZING project ! :)
I'm trying to migrate from some legacy ball-of-mud mail server config to this. Everything seems to be working very smoothly, except for the IPv6 Let's Encrypt validation. By default Let's Encrypt tries to validate domain ownership via IPv6 if there is an AAAA record for a particular domain. If I set only A records for the mail server - everything works, including Let's Encrypt. If I add AAAA record before validating the certificate - the Let's Encrypt setup fails.
Hypothesis: nginx not listening on IPv6 ? (haven't checked yet)
SNM Version: 2.1.2
Nixos Version: 17.09
Relevant part of the config to reproduce:
What I expected to happen:
When I set AAAA dns record to point to the server's IPv6 address I expect Let's encrypt validation to succeed.
What happened:
Let's Encrypt validation fails.
Relevant journald log:
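The validator behaviour described in this issue (both A and AAAA are resolved and the IPv6 address is the one used for the HTTP-01 request on port 80) is worth checking from the outside before an AAAA record is published. The script below is an added example written for this thread; it is not code from simple-nixos-mailserver, nixpkgs or Let's Encrypt's validator. It resolves the host, fetches the challenge URL directly from every address with the `Host` header set, and reports which addresses would fail. The "IPv6 first" ordering is taken from the issue text and the `addressUsed` field in the log above; whether the validator falls back to IPv4 after an IPv6 failure is not covered by this page and is not assumed. Function names, the token values and the `resolver`/`fetcher` parameters are this example's own inventions.

```python
"""Pre-flight check for Let's Encrypt HTTP-01 validation over IPv6.

Added example; not code from simple-nixos-mailserver, nixpkgs or the
Let's Encrypt validator. It mirrors what the issue describes: when the
name has an AAAA record the validator resolves both A and AAAA and
connects to the IPv6 address first (the "addressUsed" in the journald
log), requesting http://<host>/.well-known/acme-challenge/<token>. So
port 80 must answer over IPv6 as well as IPv4 before the AAAA record is
published. The resolver and fetcher are parameters (an assumption of this
example) so the logic can run offline; the defaults use the real network.
"""
import socket
import sys
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def resolve_records(hostname):
    """Return {"A": [...], "AAAA": [...]} from the system resolver."""
    records = {"A": [], "AAAA": []}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(hostname, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        for info in infos:
            addr = info[4][0]
            if addr not in records[rtype]:
                records[rtype].append(addr)
    return records


def validation_order(records):
    """Addresses in the order the validator tries them: AAAA before A.

    IPv6-first is the behaviour the issue reports. Whether the validator
    falls back to IPv4 after an IPv6 failure is not covered here, so a
    failure on the first address is treated as a failed challenge.
    """
    return ([("AAAA", a) for a in records["AAAA"]]
            + [("A", a) for a in records["A"]])


def fetch_challenge(hostname, addr, token, timeout=5.0):
    """GET the challenge URL directly from addr, sending Host: hostname.

    Returns the response body; raises OSError (urllib errors are
    subclasses) on connection failure or a non-2xx response.
    """
    literal = f"[{addr}]" if ":" in addr else addr
    url = f"http://{literal}{CHALLENGE_PATH}{token}"
    req = urllib.request.Request(url, headers={"Host": hostname})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")


def check_http01(hostname, token, expected_body,
                 resolver=resolve_records, fetcher=fetch_challenge):
    """Try the challenge URL on every resolved address.

    Returns the records, the address the validator would use first, a
    per-address result ("ok" or an error string) and whether the
    challenge would pass on that first address.
    """
    records = resolver(hostname)
    order = validation_order(records)
    results = {}
    for _rtype, addr in order:
        try:
            body = fetcher(hostname, addr, token)
        except OSError as exc:
            results[addr] = f"error: {exc}"
            continue
        results[addr] = ("ok" if body.strip() == expected_body
                         else f"wrong body: {body[:40]!r}")
    first = order[0][1] if order else None
    return {
        "records": records,
        "addressUsed": first,
        "results": results,
        "would_pass": first is not None and results[first] == "ok",
    }


if __name__ == "__main__":
    # usage: python3 http01_check.py mail.test.cyplo.net TOKEN TOKEN.THUMBPRINT
    # Token and key authorisation are whatever your ACME client placed on
    # the web root; they are placeholders here, not the issue's real token.
    host, tok, expected = sys.argv[1:4]
    report = check_http01(host, tok, expected)
    for addr, status in report["results"].items():
        print(f"{addr:45} {status}")
    print("validator would use", report["addressUsed"],
          "->", "PASS" if report["would_pass"] else "FAIL")
    sys.exit(0 if report["would_pass"] else 1)
```

Run it with the AAAA record already in DNS (or with a stub resolver) while the challenge file is served; an `error: ... Connection refused` against the IPv6 address with an `ok` against the IPv4 one is exactly the symptom in this issue, and points at the listener or host networking rather than at the ACME client.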