tobychui / zoraxy

A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!
https://zoraxy.aroz.org
GNU Affero General Public License v3.0

[BUG] Creating SAN wildcard cert with zerossl fails #297

Closed rhee876527 closed 2 days ago

rhee876527 commented 2 months ago

Attempting to create a ZeroSSL SAN cert in a format similar to sub.sub.domain.com,*.sub.sub.domain.com. It will stall and eventually cancel the request itself after several minutes.

This may actually be a bug in how the challenge is done. Zoraxy tries to use the HTTP challenge and fails (check the logs below). With lego on the same system I have no problem issuing one using a DNS challenge.

Host Environment

Logs

[2024-09-01 04:53:19.205449] [internal] [system:info] Temporary enabling HTTP to HTTPS redirect for ACME certificate renew requests
2024/09/01 04:53:27 [ACME] Obtaining certificate...
2024/09/01 04:53:27 [INFO] Using https://acme.zerossl.com/v2/DV90 for CA Directory URL
2024/09/01 04:53:27 External Account Required for this ACME Provider.
2024/09/01 04:53:27 EAB Credential retrieved. XXXXXXX XXXXXXXXX
2024/09/01 04:53:27 [INFO] acme: Registering account for email@example.com
2024/09/01 04:53:28 [INFO] [sub.sub.domain.com, *.sub.sub.domain.com] acme: Obtaining bundled SAN certificate
2024/09/01 04:53:30 [INFO] [sub.sub.domain.com] AuthURL: https://acme.zerossl.com/v2/DV90/authz/XXXXXXXX
2024/09/01 04:53:30 [INFO] [*.sub.sub.domain.com] AuthURL: https://acme.zerossl.com/v2/DV90/authz/XXXXXXXXXXX
2024/09/01 04:53:30 [INFO] [sub.sub.domain.com] acme: use http-01 solver
2024/09/01 04:53:30 [INFO] [*.sub.sub.domain.com] acme: Could not find solver for: dns-01
2024/09/01 04:53:30 [INFO] [sub.sub.domain.com] acme: Trying to solve HTTP-01
[2024-09-01 04:54:48.512657] [uptime-monitor] [system:info] Uptime updated - 1725166488
[2024-09-01 04:59:48.520289] [uptime-monitor] [system:info] Uptime updated - 1725166788
2024/09/01 05:03:36 net/http: request canceled
[2024-09-01 05:04:48.516565] [uptime-monitor] [system:info] Uptime updated - 1725167088
2024/09/01 05:09:28 [INFO] Deactivating auth: https://acme.zerossl.com/v2/DV90/authz/XXXXXXXXXX
2024/09/01 05:09:29 [INFO] Deactivating auth: https://acme.zerossl.com/v2/DV90/authz/XXXXXXXXX
2024/09/01 05:09:30 error: one or more domains had a problem:
[*.sub.sub.domain.com] [*.sub.sub.domain.com] acme: could not determine solvers
[sub.sub.domain.com] the server didn't respond to our request

[2024-09-01 05:09:30.196484] [ACME] [system:info] Restoring HTTP to HTTPS redirect settings
[2024-09-01 05:09:30.497906] [dprouter] [system:info] Reverse proxy service started in the background (TLS mode)
[2024-09-01 05:09:48.495972] [uptime-monitor] [system:info] Uptime updated - 1725167388
[2024-09-01 05:14:48.797476] [uptime-monitor] [system:info] Uptime updated - 1725167688
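The log above shows lego picking http-01 for the bare name, reporting "Could not find solver for: dns-01" for the wildcard, and then sitting on the http-01 authorization for roughly fifteen minutes before the CA deactivates both authorizations. A wildcard identifier can only be validated with dns-01 (RFC 8555, section 7.1.3), so an order that mixes a wildcard with a name and no DNS solver configured can never succeed and should be rejected before it is submitted. The following Go snippet is an added illustration of such a pre-flight check; it is not Zoraxy's or lego's own code, and the `dnsProviderConfigured` flag, the function names and the `OrderPlan` type are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Challenge types as named in RFC 8555 and in lego's log output.
const (
	ChallengeHTTP01 = "http-01"
	ChallengeDNS01  = "dns-01"
)

// OrderPlan records which ACME challenge each requested identifier needs.
// (Hypothetical type for this example, not a Zoraxy or lego type.)
type OrderPlan struct {
	Domains    []string          // identifiers in the order they will be requested
	Challenges map[string]string // identifier -> required challenge type
	NeedsDNS01 bool              // true when at least one identifier is a wildcard
}

// planOrder normalizes a comma-separated SAN list (the form typed in the issue,
// "sub.sub.domain.com,*.sub.sub.domain.com") and decides which challenge each
// name requires. Wildcard identifiers can only be validated with dns-01;
// every other name is planned as http-01 here.
func planOrder(sanList string) (OrderPlan, error) {
	plan := OrderPlan{Challenges: map[string]string{}}
	for _, raw := range strings.Split(sanList, ",") {
		name := strings.ToLower(strings.TrimSpace(raw))
		if name == "" {
			continue
		}
		// Only a single leading "*." is a valid ACME wildcard identifier.
		if strings.Count(name, "*") > 1 || (strings.Contains(name, "*") && !strings.HasPrefix(name, "*.")) {
			return OrderPlan{}, fmt.Errorf("invalid identifier %q: wildcard must be the leftmost label", name)
		}
		if _, dup := plan.Challenges[name]; dup {
			continue
		}
		plan.Domains = append(plan.Domains, name)
		if strings.HasPrefix(name, "*.") {
			plan.Challenges[name] = ChallengeDNS01
			plan.NeedsDNS01 = true
		} else {
			plan.Challenges[name] = ChallengeHTTP01
		}
	}
	if len(plan.Domains) == 0 {
		return OrderPlan{}, errors.New("no identifiers requested")
	}
	return plan, nil
}

// preflight refuses to submit an order that the configured solvers cannot
// satisfy, so the failure surfaces immediately instead of after the
// authorization stalls and the CA deactivates it. dnsProviderConfigured is a
// hypothetical flag standing in for whatever dns-01 credentials the
// deployment actually has.
func preflight(plan OrderPlan, dnsProviderConfigured bool) error {
	if plan.NeedsDNS01 && !dnsProviderConfigured {
		var wild []string
		for _, d := range plan.Domains {
			if plan.Challenges[d] == ChallengeDNS01 {
				wild = append(wild, d)
			}
		}
		return fmt.Errorf("%s require dns-01 but no DNS provider is configured; refusing to submit order",
			strings.Join(wild, ", "))
	}
	return nil
}

func main() {
	// Constructed inputs: the issue's request and a plain two-name order.
	for _, in := range []string{
		"sub.sub.domain.com,*.sub.sub.domain.com",
		"example.org,www.example.org",
	} {
		plan, err := planOrder(in)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%v needs dns-01=%v; preflight without DNS provider: %v\n",
			plan.Domains, plan.NeedsDNS01, preflight(plan, false))
	}
}
```

Running the check before the order is created turns the fifteen-minute stall in the log into an immediate, explicit error, and it also avoids the window in which HTTPS is switched off for the http-01 attempt.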
rhee876527 commented 2 months ago

Should also note that, since this request takes several minutes to complete (at least on my system), the other HTTP proxies will be down until Zoraxy recovers, because HTTPS is disabled for the HTTP cert request challenge.

tobychui commented 2 months ago

Hi @rhee876527

Zoraxy only supports SAN certificates (i.e. requesting a certificate via DNS challenge) with Let's Encrypt. Currently there are no plans to support SAN certificate generation with ZeroSSL.

In fact, when you select a CA other than Let's Encrypt, the "Use a DNS challenge" checkbox is hidden to prevent you from requesting a SAN certificate.


Though, I do consider this a UI design issue, and I guess I can do better with the UX to remind users that SAN certificates are only supported with Let's Encrypt.

tobychui commented 1 month ago

Ok, this is fixed with some minor UI updates. [image]

Will be closing this after the next release.