DNS challenge requires several CNAME in some cases #2386
Hello, lego follows the CNAME by default (there is no specificity for Cloudflare). The problem is related either to your DNS records (multiple CNAME, CNAME wildcard, invalid A record, etc.) or to your local network (firewall, etc.). So, check your DNS records, and try to use

Thanks for your reply. Since the scenario is working with acme.sh there must be a difference in the behavior of the two tools.

lego expects a classic CNAME, nothing special, no apex (top-level) requirement. But have you tried
Yes, I tried with --dns.resolvers. I did a further test and requested a cert only for

# docker run --rm -e CLOUDFLARE_DNS_API_TOKEN=<redacted key> goacme/lego -a --email "<redacted email>" --domains "local.mydomain.de" --dns cloudflare --dns.resolvers 1.1.1.1 run
2025/01/02 14:40:19 No key found for account <redacted email>. Generating a P256 key.
2025/01/02 14:40:19 Saved key to /.lego/accounts/acme-v02.api.letsencrypt.org/<redacted email>/keys/<redacted email>.key
2025/01/02 14:40:19 [DEBUG] GET https://acme-v02.api.letsencrypt.org/directory
2025/01/02 14:40:20 [INFO] acme: Registering account for <redacted email>
2025/01/02 14:40:20 [DEBUG] HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce
2025/01/02 14:40:20 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/new-acct
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2025/01/02 14:40:20 [INFO] [local.mydomain.de] acme: Obtaining bundled SAN certificate
2025/01/02 14:40:20 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/new-order
2025/01/02 14:40:20 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/211234965/4544123485
2025/01/02 14:40:20 [INFO] [local.mydomain.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/211234965/4544123485
2025/01/02 14:40:20 [INFO] [local.mydomain.de] acme: Could not find solver for: tls-alpn-01
2025/01/02 14:40:20 [INFO] [local.mydomain.de] acme: Could not find solver for: http-01
2025/01/02 14:40:20 [INFO] [local.mydomain.de] acme: use dns-01 solver
2025/01/02 14:40:20 [INFO] [local.mydomain.de] acme: Preparing to solve DNS-01
2025/01/02 14:40:20 [INFO] Found CNAME entry for "_acme-challenge.local.mydomain.de.": "challenge-domain.eu."
2025/01/02 14:40:22 [INFO] cloudflare: new record for local.mydomain.de, ID 18b123456b352e8c44f871bfba2c8d51
2025/01/02 14:40:22 [INFO] [local.mydomain.de] acme: Trying to solve DNS-01
2025/01/02 14:40:22 [INFO] Found CNAME entry for "_acme-challenge.local.mydomain.de.": "challenge-domain.eu."
2025/01/02 14:40:22 [INFO] [local.mydomain.de] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53]
2025/01/02 14:40:24 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2025/01/02 14:40:24 [INFO] [local.mydomain.de] acme: Waiting for DNS record propagation.
2025/01/02 14:40:26 [INFO] [local.mydomain.de] acme: Waiting for DNS record propagation.
2025/01/02 14:40:28 [INFO] [local.mydomain.de] acme: Waiting for DNS record propagation.
2025/01/02 14:40:30 [INFO] [local.mydomain.de] acme: Waiting for DNS record propagation.
2025/01/02 14:40:32 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/chall/211234965/4544123485/R58NMw
2025/01/02 14:40:32 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/211234965/4544123485
2025/01/02 14:40:40 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/211234965/4544123485
2025/01/02 14:40:40 [INFO] [local.mydomain.de] The server validated our request
2025/01/02 14:40:40 [INFO] [local.mydomain.de] acme: Cleaning DNS-01 challenge
2025/01/02 14:40:40 [INFO] Found CNAME entry for "_acme-challenge.local.mydomain.de.": "challenge-domain.eu."
2025/01/02 14:40:41 [INFO] [local.mydomain.de] acme: Validations succeeded; requesting certificates
2025/01/02 14:40:41 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/finalize/2147243965/339985454935
2025/01/02 14:40:42 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/cert/034f4f812d47a47b76e4a91293dd26f1c8e6
2025/01/02 14:40:42 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/cert/034f4f812d47a47b76e4a91293dd26f1c8e6/1
2025/01/02 14:40:43 [INFO] [local.mydomain.de] Server responded with a certificate.

However, I cannot get certs for subdomains, e.g.

# docker run --rm -e CLOUDFLARE_DNS_API_TOKEN=<redacted key> goacme/lego -a --email "<redacted email>" --domains "test.local.mydomain.de" --dns cloudflare --dns.resolvers 1.1.1.1 --server=https://acme-staging-v02.api.letsencrypt.org/directory run
2025/01/02 14:53:43 No key found for account <redacted email>. Generating a P256 key.
2025/01/02 14:53:43 Saved key to /.lego/accounts/acme-staging-v02.api.letsencrypt.org/<redacted email>/keys/<redacted email>.key
2025/01/02 14:53:43 [DEBUG] GET https://acme-staging-v02.api.letsencrypt.org/directory
2025/01/02 14:53:43 [INFO] acme: Registering account for <redacted email>
2025/01/02 14:53:43 [DEBUG] HEAD https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
2025/01/02 14:53:43 [DEBUG] POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2025/01/02 14:53:44 [INFO] [test.local.mydomain.de] acme: Obtaining bundled SAN certificate
2025/01/02 14:53:44 [DEBUG] POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order
2025/01/02 14:53:44 [DEBUG] POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/123453324/1234534634
2025/01/02 14:53:44 [INFO] [test.local.mydomain.de] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/123453324/1234534634
2025/01/02 14:53:44 [INFO] [test.local.mydomain.de] acme: Could not find solver for: tls-alpn-01
2025/01/02 14:53:44 [INFO] [test.local.mydomain.de] acme: Could not find solver for: http-01
2025/01/02 14:53:44 [INFO] [test.local.mydomain.de] acme: use dns-01 solver
2025/01/02 14:53:44 [INFO] [test.local.mydomain.de] acme: Preparing to solve DNS-01
2025/01/02 14:53:45 [INFO] [test.local.mydomain.de] acme: Cleaning DNS-01 challenge
2025/01/02 14:53:46 [WARN] [test.local.mydomain.de] acme: cleaning up failed: cloudflare: failed to find zone mydomain.de.: zone could not be found
2025/01/02 14:53:46 [DEBUG] POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/123453324/1234534634
2025/01/02 14:53:46 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/123453324/1234534634
2025/01/02 14:53:46 [DEBUG] POST https://acme-staging-v02.api.letsencrypt.org/acme/authz/123453324/1234534634
2025/01/02 14:53:46 Could not obtain certificates:
error: one or more domains had a problem:
[test.local.mydomain.de] [test.local.mydomain.de] acme: error presenting token: cloudflare: failed to find zone mydomain.de.: zone could not be found

There the line 'Found CNAME entry for ...' is missing and it errors out with
Do you have a CNAME for

No.

To handle the domain

letsencrypt seems to travel up and looks for a CNAME at

Do you think it is possible to implement a similar behavior in lego?
This is how it works: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/#the-advantages-of-a-cname You are trying to handle multiple subdomains: remember that

You are the first person who wants something like that; before adding an option (if it's possible) and handling the maintenance related to that, we need to have more than one user. Also, lego is used as a library and should handle thousands of domains,

🤔 I think you are misusing the DNS challenge: the main goal of a DNS challenge is to have a wildcard certificate. You should use the following arguments to have a wildcard certificate:

The certificate will handle:

This works with only one CNAME:
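An added example (my own code, not lego's and not from anyone in this thread) that shows, against a constructed CNAME table and a constructed set of API-managed zones, why the first run above succeeds and the second fails, and why the wildcard suggested here needs only the one CNAME: the dns-01 name for `*.local.mydomain.de` is the same `_acme-challenge.local.mydomain.de` that already points at the challenge zone. `ChallengeName`, `FindZone`, `cnames` and `apiZones` are names I chose for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed CNAME table standing in for the reporter's public DNS view: only
// the _acme-challenge name of local.mydomain.de is delegated, its subdomains are not.
var cnames = map[string]string{
	"_acme-challenge.local.mydomain.de.": "challenge-domain.eu.",
}

// Constructed set of zones the DNS API token is allowed to manage.
var apiZones = map[string]bool{"challenge-domain.eu.": true}

// ChallengeName returns the FQDN where the dns-01 TXT record must be
// written: _acme-challenge.<name>, then any CNAME chain from there.
// A wildcard identifier is validated at its base name (RFC 8555).
func ChallengeName(identifier string) (string, error) {
	base := strings.TrimSuffix(strings.TrimPrefix(identifier, "*."), ".")
	name := "_acme-challenge." + base + "."
	for i := 0; i < 10; i++ { // bounded so a CNAME loop cannot hang the client
		target, ok := cnames[name]
		if !ok {
			return name, nil
		}
		name = target
	}
	return "", fmt.Errorf("CNAME chain from %s too long", identifier)
}

// FindZone strips leading labels until it reaches a zone the token controls.
func FindZone(fqdn string) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		if zone := strings.Join(labels[i:], ".") + "."; apiZones[zone] {
			return zone, nil
		}
	}
	return "", fmt.Errorf("failed to find zone for %s", fqdn)
}

func main() {
	for _, id := range []string{"local.mydomain.de", "test.local.mydomain.de", "*.local.mydomain.de"} {
		name, _ := ChallengeName(id)
		zone, err := FindZone(name)
		fmt.Println(id, "->", name, zone, err)
	}
}
```

Running it prints a zone for `local.mydomain.de` and for the wildcard, and the same "failed to find zone" outcome as the log for `test.local.mydomain.de`, because no CNAME exists for its `_acme-challenge` name and the token cannot manage `mydomain.de`.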
Thanks for the input.
understood - maybe others will stumble over the same issue
Yes - I would love to use lego in combination with traefik for my use cases. Other options would be to transfer the whole domain

Yes and no: if you are not exposing your domains you can use a local ACME server like smallstep. Currently, the DNS challenge is the only challenge that allows wildcard certificates.
I've got the same use case and the same problem as @daschg.

Me too! I'm struggling a bit, right now, putting in place the various bits required to get "hostname-based" TLS certificates under a "private" subdomain. On the DNS side, I've successfully split the views, so that externally the acme challenge can be resolved (in the public view, there's only such acme challenge), and with the CNAME support I've redirected the management side on a dedicated domain (to be dynamically updated via API). But unfortunately, it seems that

@daschg, @trunneml: have you been able to solve the problem, somehow?

Quoting myself, I just noticed this comment, in the source code, related to the

So, basically, as we (me, @trunneml, @daschg) would like to receive a certificate with an FQDN in the CommonName... at the moment, it seems there is no option :-( Will continue investigating... Nevertheless... thanks, lego-team, for such a great project :-)

My workaround was to move the subdomain local.mydomain.com to DigitalOcean (by creating NS records for the subdomain) and used the API keys there for the dns challenge.

Provider without API: the disadvantage of this approach - DigitalOcean has no possibility to create an API token with just permissions for one zone. The API key has permissions to all domains.
What did you expect to see?
In my setup, the DNS entries cannot be created via API. A second domain is served by Cloudflare, where records can be created via API calls.
ACME supports a CNAME alias to have a different zone serving TXT records for the challenge.
This is not working in lego with Cloudflare when the DNS zone for the challenge is different from the domain certs are requested for.
Example:
Domain to request cert: test1.local.mydomain.de
Domain for challenge: challenge-domain.eu
CNAME for _acme-challenge.local.mydomain.de is challenge-domain.eu
challenge-domain.eu is the only zone set up in Cloudflare.
This setup works perfectly with acme.sh because there is an option to pass the challenge domain.
Lego seems to use the top-level domain when looking up the zone in Cloudflare, leading to an error.
What did you see instead?
expectation is that the TXT record is created for _acme-challenge.challenge-domain.de in cloudflare and not for mydomain.de
How do you use lego?
Docker image
Reproduction steps
_acme-challenge.local.mydomain.de. with value challenge-domain.eu.
Version of lego
lego version 4.21.0 linux/amd64
Logs
Go environment (if applicable)