rembik / dehydrated-hetzner-hook

Hetzner dns-01 challenge hook for Let's Encrypt client dehydrated
MIT License

CNAME fail #8

Closed pp0815 closed 6 years ago

pp0815 commented 6 years ago

Hello,

I'm afraid I'm too dumb to set up the correct CNAME for a wildcard cert.

After manually setting

_acme-challenge IN CNAME _acme-challenge.example.de.

in the Robot, Hetzner always shortens this to

_acme-challenge IN CNAME _acme-challenge

For the wildcard I have also tried

_acme-challenge.* IN CNAME _acme-challenge.example.de.

But i get

...
+ Deploying challenge tokens...
+ Hetzner Robot hook executing: deploy_challenge
+ Error during updating zone for _acme-challenge.example.de on Hetzner Robot!

Other variations do not work either, with the error:

...
+ Hetzner Robot hook executing: deploy_challenge
 + Domain _acme-challenge.example.de has invalid CNAME entry www.example.de
 + Use CNAME with _acme-challenge. at the beginning and valid top level domain at the end!

But Hetzner shortens this TLD, as described above... :-(

Please, what is the correct CNAME entry?

thx, pp0815

pp0815 commented 6 years ago

More info from debug mode:

 ...
 + Get zone bla123.de for TXT record _acme-challenge.bla123.de from Hetzner Robot
 + Searching zone bla.de for TXT record _acme-challenge.bla123.de
 + Unable to locate TXT record for _acme-challenge.bla123.de
 + Created TXT record: _acme-challenge IN TXT "xD56wrD0rm62zxkcyfQ06wVkROKR2H3h5iBt0DnoTxA"
 + Saved zonefile: /etc/dehydrated/hooks/hetzner/zones/bla123.de.txt
 + Updating zone on Hetzner Robot:
   id: 567379
   _csrf_token: 6b1af16a008009ca0b0c3555e44676f3
   zonefile:

$TTL 86400
@   IN SOA ns1.first-ns.de. postmaster.robot.first-ns.de. (
    2018062904   ; serial
    86400        ; refresh
    10800        ; retry
    3600000      ; expire
    86400 )      ; minimum

@                        IN NS      robotns3.second-ns.com.
@                        IN NS      robotns2.second-ns.de.
@                        IN NS      ns1.first-ns.de.

@                        IN A       1.2.3.4
mail                     IN A       1.2.3.4
www                      IN A       1.2.3.4
mail                     IN AAAA    2a01:dead:beef::2
www                      IN AAAA    2a01:dead:beef::2
*                        IN CNAME   www
_acme-challenge          IN CNAME   _acme-challenge
_acme-challenge.*        IN CNAME   _acme-challenge
@                        IN MX 10   mail
_acme-challenge IN TXT "xD56wrD0rm62zxkcyfQ06wVkROKR2H3h5iBt0DnoTxA"

 + Error during updating zone for _acme-challenge.bla123.de on Hetzner Robot!

I have tried both "language": "de" and "language": "en". The web interface speaks German, but the email answers from the Robot are in English. Same result either way.

level420 commented 6 years ago

@pp0815 I've compared your debug output with the debug output of my installation, and it works here. Even if the debug log mentions _acme-challenge.mydomain.tld in the log, the hook script in fact only creates the TXT record without the domain appended, thus only _acme-challenge.

The latest certificate refresh was done on June 28. I don't think that hetzner changed something with their API since then.

The relevant difference I'm seeing is these additional lines

_acme-challenge          IN CNAME   _acme-challenge
_acme-challenge.*        IN CNAME   _acme-challenge

Where are they coming from? The normal round trip is that the hetzner hook is trying to remove an existing TXT record named _acme-challenge and afterwards to create a new one, containing the current challenge value.

I think the creation fails in your case, because there is already a record named _acme-challenge of different type (CNAME).

You could try to remove everything starting with acme-challenge in the DNS record and try again.

pp0815 commented 6 years ago

OK, I've done so, and it's working now.

But: this time i also deleted the wildcard line

* IN CNAME www

With this wildcard the hook does not work. Seems logical, because a lookup for "_acme-challenge" is answered with the corresponding CNAME. What a mess!

pp0815 commented 6 years ago

I examined this. It's correct that the wildcard in DNS causes the error.

Now I have a wildcard cert, but could not set a wildcard in DNS with this hook. I have to do this manually after the hook has finished.

Brmpft! :-(
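The two failure modes this thread runs into, a CNAME occupying the `_acme-challenge` owner name (level420's explanation for the rejected zone update) and a `* IN CNAME www` wildcard that answers the name while no explicit record exists (pp0815's second finding), modeled on a constructed copy of the posted zone. This is an added example, not code from dehydrated-hetzner-hook or from either commenter. `ZONE`, `parse_zone`, `qualify`, `lookup`, `check_acme` and `deploy_txt` are illustrative names; the wildcard logic is a simplification of RFC 4592; and the `deploy_txt` round trip is the one level420 describes, not the hook's real implementation. One fact the checks make visible: inside the zone for example.de, the fully qualified target `_acme-challenge.example.de.` is the same name as the relative `_acme-challenge`, so the Robot is displaying the record the user created, and that record points at itself.

```python
"""Zone sanity checks for the dns-01 round trip in this issue (added example)."""
import re

ZONE = "bla123.de"  # constructed zone name, chosen to match the debug output

# Constructed copy of the posted zone; names and addresses are placeholders.
SAMPLE_ZONE = """\
$TTL 86400
@   IN SOA ns1.first-ns.de. postmaster.robot.first-ns.de. (
    2018062904   ; serial
    86400        ; refresh
    10800        ; retry
    3600000      ; expire
    86400 )      ; minimum

@                        IN NS      ns1.first-ns.de.
@                        IN A       1.2.3.4
mail                     IN A       1.2.3.4
www                      IN A       1.2.3.4
*                        IN CNAME   www
_acme-challenge          IN CNAME   _acme-challenge
_acme-challenge.*        IN CNAME   _acme-challenge
@                        IN MX 10   mail
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT"}


def parse_zone(text):
    """Return (owner, rrtype, rdata) tuples. The multi-line SOA is folded first;
    per-record TTLs and ';' inside TXT data are not handled (the Robot's
    output above has neither)."""
    text = re.sub(r"\([^)]*\)", "", text)
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens[1:], 1) if t in RRTYPES), None)
        if idx is None:
            raise ValueError(f"unparsable record: {raw!r}")
        records.append((tokens[0], tokens[idx], " ".join(tokens[idx + 1:])))
    return records


def qualify(name, zone=ZONE):
    """The Robot shows in-zone names relative to the apex; make them absolute
    so that 'owner == target' loops become visible."""
    if name == "@":
        return zone + "."
    return name if name.endswith(".") else f"{name}.{zone}."


def lookup(records, name):
    """Simplified in-zone resolution: exact owner match, else synthesis from
    the '*' record when no closer name exists (RFC 4592), else nothing."""
    owners = {}
    for owner, rrtype, rdata in records:
        owners.setdefault(owner, []).append((rrtype, rdata))
    if name in owners:
        return owners[name]
    labels = name.split(".")
    if any(".".join(labels[i:]) in owners for i in range(1, len(labels))):
        return []  # an existing closer encloser blocks wildcard synthesis
    return owners.get("*", [])


def check_acme(records, label="_acme-challenge"):
    """Conditions under which creating/deleting the TXT at `label` fails or misfires."""
    problems = []
    at_label = [(t, d) for o, t, d in records if o == label]
    cnames = [d for t, d in at_label if t == "CNAME"]
    if cnames:
        problems.append(f"{label}: a CNAME occupies the name, so no TXT can be added here")
    if cnames and len(at_label) > 1:
        problems.append(f"{label}: CNAME must be the only record at a name (RFC 1034 s3.6.2)")
    for target in cnames:
        if qualify(target) == qualify(label):
            problems.append(f"{label}: CNAME points at itself ({qualify(target)}), a loop")
        elif not target.endswith("."):
            problems.append(f"{label}: relative CNAME target {target!r} resolves to {qualify(target)}")
        else:
            problems.append(f"{label}: delegated to {target}; the TXT must be written there")
    if not at_label and any(t == "CNAME" for t, _ in lookup(records, label)):
        problems.append(f"{label}: no explicit record, so the wildcard CNAME answers this name")
    for o, _, _ in records:
        if o != label and o.startswith(label) and "*" in o:
            problems.append(f"{o}: '*' is only a wildcard as the leftmost label; the TXT for *.{ZONE} belongs at {label}")
    return problems


def deploy_txt(records, token, label="_acme-challenge"):
    """The round trip level420 describes: drop any old TXT at `label`, add the new
    one. Refuses while a CNAME occupies the name, because TXT+CNAME at one owner
    is not a valid zone."""
    if any(o == label and t == "CNAME" for o, t, _ in records):
        raise ValueError(f"{label} has a CNAME; remove it before deploying the token")
    kept = [r for r in records if not (r[0] == label and r[1] == "TXT")]
    kept.append((label, "TXT", f'"{token}"'))
    return kept


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for p in check_acme(recs):
        print("!", p)
    clean = [r for r in recs if not r[0].startswith("_acme-challenge")]
    print("after removing the _acme-challenge lines:", check_acme(clean))
    for o, t, d in deploy_txt(clean, "xD56wrD0rm62zxkcyfQ06wVkROKR2H3h5iBt0DnoTxA"):
        print(f"{o:<24} IN {t:<7} {d}")
```

Run as-is, the checks flag the self-referential CNAME and the `_acme-challenge.*` line on the posted zone; after those lines are removed, only the wildcard complaint remains, which is exactly the state pp0815 ends up in. Once `deploy_txt` has written the TXT, `lookup` returns that explicit record rather than the wildcard, so the validation step would succeed if the hook got that far.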

level420 commented 6 years ago

But that is a bug then. You could create a specific issue for your use case and close this one. @rembik could then fix this.

Or offer a PR which solves the problem, which would be best!

pp0815 commented 6 years ago

Another check: with certbot it's possible to keep the wildcard inside while manually renewing. It's a bug in the hook.

> Or offer a PR which solves the problem, which would be best!

Oh, my Python is not the best... ;-)

Thanks a lot! Have a nice day!