Closed ottobaer closed 1 month ago
I tried going back a few versions now.
The oldest one I tried so far is
Smallstep CA/0.24.3-rc.5 (linux/arm64)
Release Date: 2023-07-27T22:11:35Z
still the same problem.
I found out that I forgot to change the IP of the dns server I manually added with '--resolver'.
The errors you get are rather interesting though if you do that.
Hey @ottobaer, good to hear you resolved this 🙂 I was about to ask you to check if the --resolver option works for you, but that's not necessary anymore 😅
You're correct that the errors can be opaque. As with any networked software there can be several causes, one of which is resolving domain names correctly, and we currently don't introspect the error for details, nor do we perform additional diagnostics in the case of an error. There's an open issue for improving the state for DNS specifically here: https://github.com/smallstep/certificates/issues/1680. Outside of that, a bigger project is to overhaul our logging, but there's no concrete timeline for that yet.
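As an added illustration of what introspecting a lookup error can look like (this is not step-ca code, and not from either participant), the Go sketch below queries one specific DNS server and classifies the failure. The names `classify` and `checkResolver` are hypothetical, and the resolver address and hostname are supplied by the operator.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// classify (hypothetical helper) turns a lookup error into an operator hint.
func classify(err error) string {
	var dnsErr *net.DNSError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &dnsErr) && dnsErr.IsNotFound:
		return "resolver answered: name not found"
	case errors.As(err, &dnsErr) && dnsErr.IsTimeout:
		return "resolver did not answer (wrong or stale resolver address?)"
	case errors.As(err, &dnsErr):
		return "DNS failure: " + dnsErr.Err
	default:
		return "not a DNS error: " + err.Error()
	}
}

// checkResolver (hypothetical helper) looks up host through exactly one
// DNS server, given as ip:port, ignoring the system resolver configuration.
func checkResolver(resolverAddr, host string) ([]string, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{Timeout: 2 * time.Second}).DialContext(ctx, network, resolverAddr)
		},
	}
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	return r.LookupHost(ctx, host)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: check <resolver ip:port> <hostname>")
		os.Exit(2)
	}
	addrs, err := checkResolver(os.Args[1], os.Args[2])
	fmt.Println(classify(err), addrs)
}
```

Running it against the address configured for the CA's resolver and the hostname named in the certificate request separates "the DNS server is not there" from "the DNS server has no such record".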
Steps to Reproduce
Hi,
After replacing dnsmasq with bind I can't get any certificates anymore it seems.
Your Environment
step-ca
Version - Smallstep CA/0.26.1 (linux/arm64)
Expected Behavior
Expecting to get certificates either via tls-alpn or http challenge.
Actual Behavior
I'm trying to get a certificate with certbot (I tried with lego and caddy, but I get the same error).
On the step-ca side I get this:
Interestingly, I also get the same response when I'm trying to get a certificate on the same machine step-ca runs on
In the logs I get this
This is definitely not a connection problem; this was on the same host, and there are no firewalls.
I can connect to the acme server with a browser over https without a problem (this was on the same PC I tried getting the certbot certificate above).
I also tried getting a certificate on another host with a JWT token, this works without a problem.
Additional Context
Here is the DNS information, it looks OK to me.
Here is for the host requesting the certificate
forward pandabaer.lan.ursidae.space
reverse 192.168.1.25
Here for the host step-ca runs on
forward pki.lan.ursidae.space
reverse 192.168.1.2