terricain / certbot-dns-azure

AzureDNS Certbot plugin

DNS-01 Challenge Failed #3

Closed nullromo closed 3 years ago

nullromo commented 3 years ago

I generated a config file like this:

dns_azure_sp_client_id = aaaaaa
dns_azure_sp_client_secret = bbbbbb
dns_azure_tenant_id = cccccc
dns_azure_zone1 = xxxxxx.onmicrosoft.com:/subscriptions/dddddd/resourceGroups/eeeeee

and I ran certbot like this:

kkovacs@gitlab:~$ sudo /usr/local/bin/certbot certonly --dns-azure-config ./mycredentials.ini -d *.xxxxxx.onmicrosoft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using Azure for DNS).
(dns-azure)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator dns-azure, Installer None
Requesting a certificate for *.xxxxxx.onmicrosoft.com
Performing the following challenges:
dns-01 challenge for xxxxxx.onmicrosoft.com
Cleaning up challenges
Failed to add TXT record to domain xxxxxx.onmicrosoft.com, error: Azure Error: ParentResourceNotFound
Message: Can not perform requested operation on nested resource. Parent resource 'xxxxxx.onmicrosoft.com' not found.

but I got the error "Azure Error: ParentResourceNotFound."

Perhaps I missed a step in setting up things on the Azure side. I have a virtual network with multiple VMs on it and I can connect to them over SSH/RDP while logged in over the P2S VPN connection via Azure AD authentication.

nullromo commented 3 years ago

Update: after adding a public DNS zone in Azure, I got this:

kkovacs@gitlab:~$ sudo certbot certonly --dns-azure-config ./mycredentials-private.ini -d *.xxxxxx.onmicrosoft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using Azure for DNS).
(dns-azure)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator dns-azure, Installer None
Requesting a certificate for *.xxxxxx.onmicrosoft.com
Performing the following challenges:
dns-01 challenge for xxxxxx.onmicrosoft.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain xxxxxx.onmicrosoft.com
dns-01 challenge for xxxxxx.onmicrosoft.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxxxxx.onmicrosoft.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.xxxxxx.onmicrosoft.com - check that a DNS
   record exists for this domain

While it is in the 10 second waiting period, I can see the TXT record appear in my public Azure DNS zone. After that, I can see the TXT record get deleted. However, the dns-01 challenge fails.

nullromo commented 3 years ago

As it turns out, I had to pay for a registered domain with Azure. More details here. Closing this issue now. Hopefully this will be useful to anyone else encountering the same issues.
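A pre-flight check for the root cause found above, added here as an example and not part of the plugin or this thread: it parses the `dns_azure_zoneN` entries from the credentials file and asks whether each zone is actually delegated to Azure DNS on the public internet, which is the difference between a TXT record that is visible in the Azure portal and one the CA's resolvers can see. The credentials file and the NS answers are constructed placeholders, and `resolve_ns` is a hypothetical hook into which a live lookup (for example with dnspython) can be plugged.

```python
import configparser
import re
from typing import Callable, Dict, List

# Constructed credentials file in the plugin's format (placeholder ids, not real).
SAMPLE_INI = """
dns_azure_sp_client_id = aaaaaa
dns_azure_tenant_id = cccccc
dns_azure_zone1 = xxxxxx.onmicrosoft.com:/subscriptions/dddddd/resourceGroups/eeeeee
dns_azure_zone2 = example.com:/subscriptions/dddddd/resourceGroups/eeeeee
"""

# Azure DNS name servers look like ns1-01.azure-dns.com, ns2-01.azure-dns.net, ...
AZURE_NS = re.compile(r"ns[1-4]-\d+\.azure-dns\.(com|net|org|info)\.?$", re.I)

def parse_zones(ini_text: str) -> Dict[str, str]:
    """Map zone name -> resource group id for every dns_azure_zoneN key."""
    # The plugin's file has no section header, so one is prepended for configparser;
    # only '=' is a delimiter because the value itself contains ':'.
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string("[dns_azure]\n" + ini_text)
    zones = {}
    for key, value in cp["dns_azure"].items():
        if re.fullmatch(r"dns_azure_zone\d+", key):
            name, _, resource_group = value.partition(":")
            zones[name.strip().rstrip(".").lower()] = resource_group.strip()
    return zones

def delegated_to_azure(public_ns: List[str]) -> bool:
    """True only if every NS the public internet returns for the zone is Azure DNS."""
    return bool(public_ns) and all(AZURE_NS.match(ns) for ns in public_ns)

def diagnose(zones: Dict[str, str], resolve_ns: Callable[[str], List[str]]) -> Dict[str, str]:
    """Per zone: can a TXT record written into the Azure zone be seen by the CA?"""
    report = {}
    for zone in zones:
        ns = resolve_ns(zone)  # hypothetical hook: NS names public resolvers return
        report[zone] = "ok" if delegated_to_azure(ns) else \
            f"not delegated: public NS = {ns or 'none (expect NXDOMAIN)'}"
    return report

# Constructed stand-in for a live NS lookup: the tenant's onmicrosoft.com name sits
# inside Microsoft's zone with no delegation to the customer's Azure DNS zone, while
# example.com is assumed (for illustration only) to be delegated to Azure DNS.
FAKE_NS = {
    "xxxxxx.onmicrosoft.com": [],
    "example.com": ["ns1-01.azure-dns.com.", "ns2-01.azure-dns.net.",
                    "ns3-01.azure-dns.org.", "ns4-01.azure-dns.info."],
}

if __name__ == "__main__":
    for zone, status in diagnose(parse_zones(SAMPLE_INI), lambda z: FAKE_NS.get(z, [])).items():
        print(zone, "->", status)
```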

terricain commented 3 years ago

Thanks for all this :) Will improve the docs a bit with this info to make it clearer.