[BUG] Unable to generate any certificates with Lets Encrypt

[Sillver101]

I am having an issue when I try and generate Certificates for any of my subdomains. I followed all steps and confirmed my services are active. I can reach them through Zoraxy from the outside world (I get a cert Error due to the delf signed cert at the moment). However when i try and generate a certificate with the ACME tool i get the following error.

"Error: one or more domains had a problem: [sub.domain.tld] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for sub.domain.tld; DNS problem: query timed out looking up AAAA for sub.domain.tld"

At my Domain registrant the DNS records are using CNAMEs not A Records, However this shouldn't be an issue as i am able to generate certificates using CNAME Records with other acme tools.

I basically have the following records for clarity "sub.domain.tld IN CNAME some.other.domain."

To Reproduce Steps to reproduce the behavior: Use ACME tool within zoraxy and try to create a certificate from letsencrypt using.

Expected behavior Certificates are generated and deployed inside zoraxy successfully and automatically.

Screenshots

Host Environment (please complete the following information):

• Arch: AMD64 (QEMU VM)
  • Device: Proxmox VM
  • OS: Ubuntu
  • Version: 22.04.3 LTS (Jammy)
  • Docker Version: 27.2.1

Any help would be appreciated as i am at a loss right now

[PassiveLemon]

Duplicate of https://github.com/tobychui/zoraxy/issues/307

[PassiveLemon]

Oh wait sorry this looks different. What Docker image version are you using?

[Sillver101]

I am supposedly running the latest image

[PassiveLemon]

I'm skeptical of ACME errors at the moment because of a certificate issue in the Docker container but since there's nothing mentioned about that, it's probably unrelated. I don't exactly know how to troubleshoot ACME error messages but I do recall having a similar problem when running a local DNS server for my domain. Are you using a DNS server with your domain set up as a zone?

[Sillver101]

I did see the the other issue you mentioned and made sure the ca-certificate package was up to date. No local DNS servers running. I've had issues with the same in the past. I make sure any device now that will be serving internet facing services (weather behind a proxy or not) uses Public DNS servers for all of their DNS requests. and my internal network forwards all queries to public DNS servers as well.

[Sillver101]

So as part of my troubleshooting. I removed and recreated the docker image. and now i am getting the same error as bug 307

" Get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": tls: failed to verify certificate: x509: certificate signed by unknown authority"

When recreating the docker container i didn't pull a new image down (I recreated with the local image) i suspect one of the Config files had some bug in it somewhere or it didn't properly restart and update when i did the update yesterday as the initial setup somehow i pulled an old build.

But as it seems to be resolved (My specific bug) you are welcome to close this. and i apologize for taking up your time

[PassiveLemon]

Oh haha that's good and unfortunate to hear. If you are comfortable with building Docker images, I do have a PR open to fix the CA issue (https://github.com/tobychui/zoraxy/pull/308) that you could apply locally.

Otherwise, you can attach to the container, run apt install ca-certificates and then attempt to get the certificate again. This won't persist once the container restarts but it's enough to confirm that your issue is actually resolved

[Sillver101]

So ignore my previous comment xD.

Regarding building docker. I have honestly only started working with them recently so yeah i am running full force into a slightly flexible wall with regards to this. Luckily years of working in the tech field has given me the troubleshooting tools i seem to need.

I managed to resolve the error regarding the "Failed to verify certificate"

To resolve the verification error i ran update-ca-certificates --fresh on both he host and then inside the docker container. I then restarted the docker container and the logs now show it is using the certificate from the local store and verifying it.

I was able to restart the container multiple times and it seems to have persisted.

But as i mentioned i am now back to the same error i logged.

Section of Logs in pastbin for clarity sake which i hope helps explain what i am talking about https://pastebin.com/R1NFKX1R

[PassiveLemon]

Unfortunately I don't really know how to troubleshoot this so I'll leave that for @tobychui

[Sillver101]

Thanks for the Assistance. If there is anything else needed for troubleshooting let me know. Obviously ill wait for Tobychui to respond when he has a chance, I know how it can get busy

[tobychui]

@Sillver101 This error seems to cause by the CA cannot reach your Zoraxy instance due to a DNS error. This can be caused by many reasons including

• You haven't setup your DNS record on your domain correctly (does the subdomain you are requesting certificate exists on your domain's DNS record?)
• DNS record is still propagating (Wait 24 hours and try again)
• Your subdomain is not reaching Zoraxy (Seeing you are using Promox here, have you setup your virtual networking adapter correctly? Can you reach Zoraxy using your subdomain and see the Zoraxy build-in self-signed certificate?)

This is mostly cause by specific networking issue and usually in cases like these, there aren't much we can help. Thought, with the current docker image bug, I think there might also be chances that it is related to the DNS config in the docker's Ubuntu. If you have checked all the above possible reasons and still cant get it working, try update your docker image to the latest version (v3.1.1r3) when it is ready.

[Sillver101]

Hi @tobychui

Thanks for the feedback. I'll see in order just so I don't lose track of it. (Also apologies if the formatting has gone weird. I'm replying from my phone)

I figured it would be something with acme not reaching the instance but for the life of me couldn't figure out why. The main concern was that it was specifically looking for A or AAA DNS records instead of cnames which is what I have setup. I assume then this is not a setting in the docker image somewhere?

• the DNS records on the domain is setup using a cname record
• the DNS propagation is completed and I. Able to reach the instance from external devices/connections -the subdomain is also reaching zoraxy correctly as I am able to get to it through zoraxy and when enabling SSL/TLS it gives me the self signed cert and I am able to inspect it

So regarding the above I have setup one service I am proxying with an SSL certificate using zerossl (I ended up creating an account to get the keys needed I was hoping to avoid having to do this with acme but it's not. The worst scenario) and it was setup without issues so it looks like it is 100% only with the acme side of it.

I will wait for the updated docker container and see if that resolves the issue. Thanks for all the assistance and the time to look at the bug.