Unable to obtain ACME certificate for domains

Hi deSEC

first of all - thanks for the service. It's really useful - especially when I learn to use it :wink:

I've tried to set up Traefik with subdomains.
Because I want to use more services it looked easier to do this with a *. subdomain.

So I read the docs and set it up:

certificatesResolvers:
  desec:
    acme:
      email: my@email
      storage: acme.json
      dnsChallenge:
        provider: desec
        delayBeforeCheck: 90
        resolvers:
          - "212.227.123.17:53"
          - "212.227.123.18:53"
          - "ns1.desec.io.:53"
          - "ns2.desec.org.:53"
#          - "1.1.1.1:53"
#          - "8.8.8.8:53"

in the docker-compose.yml it looks like this:

      - "traefik.http.routers.traefik-secure.tls.certresolver=desec"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=secHeaders@file,traefik-auth"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"

But now I get this error:

2024/03/25 20:54:42 client.go:614: [DEBUG] GET https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/25 20:54:42 client.go:614: [DEBUG] POST https://desec.io/api/v1/domains/mydomain/rrsets/
2024/03/25 20:54:53 client.go:614: [DEBUG] GET https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/25 20:54:53 client.go:614: [DEBUG] PATCH https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/25 21:02:27 client.go:614: [DEBUG] GET https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/25 21:02:27 client.go:614: [DEBUG] PATCH https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/25 21:02:38 client.go:614: [DEBUG] GET https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/25 21:02:38 client.go:614: [DEBUG] PATCH https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
time="2024-03-25T21:02:39+01:00" level=error msg="Unable to obtain ACME certificate for domains \"mydomain,*.mydomain\"" routerName=traefik-secure@docker rule="Host(`traefik.mydomain`)" error="unable to generate a certificate for the domains [mydomain *.mydomain]: error: one or more domains had a problem:\n[*.mydomain] propagation: time limit exceeded: last error: NS shades05.rzone.de. did not return the expected TXT record [fqdn: _acme-challenge.mydomain., value: OUptLNjKIEQyLLykBlU__KPgdHd70HWsosEAPYoxQSM]: \n[mydomain] propagation: time limit exceeded: last error: NS docks13.rzone.de. did not return the expected TXT record [fqdn: _acme-challenge.mydomain., value: FSwXLTI0ZLX0fxZXUoPf0D-n_Pz9l5BPAFZEKMavDcY]: \n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=desec.acme

Is there an error in my thinking?

Well, not really. Just a deSEC user :wink: This is a forum, not the deSEC e.V. support channel.

Disclaimer: I have never used Traefik or DNS-01 challenge for wildcard certificates.

Some possibilities to consider:

  • According to your apparently shortened/anonymized log 3 tries are made to set the TXT record and the failure happens 1s after the last try, not the 90s defined in delayBeforeCheck. The delays between the tries don’t match 90s either. No status is shown in the log to see if these tries were successful or not. So maybe your token is incorrect or mydomain is not what the deSEC API expects?

    • Can you get logs that show the HTTP status?
    • Can you manually send an API request using your token and mydomain-replacement using something like curl to see if that works as expected?
  • Reading Wildcard Domains the Let’s Encrypt ACME V2 api is mentioned. Are you using that?

    • I don’t see the required caServer entry in your config, so maybe that is the problem? OTOH the default is supposed to be V2…
  • Also, have you tried eliminating the 212.227.123.* NS from the list of resolvers (just using the deSEC NS for this)?

    • Some weird caching could be getting in the way…
    • In my tests 212.227.123.17 was able to resolve a query for a domain at deSEC but 212.227.123.18 was not.

You might also want to ask Traefik experts.

HTH
fiwswe

Hi fiwswe

First of all - yes, the log is anonymized, but not shortened. It is just that short.

Now I changed some things:

I entered, according to the docs, these values:
- DESEC_HTTP_TIMEOUT=600
- DESEC_PROPAGATION_TIMEOUT=600
- DESEC_TTL=3600
- DESEC_POLLING_INTERVAL=60
And I followed the recommendation and commented the 212.* DNS out.

This is the result:

2024/03/26 21:47:27 client.go:614: [DEBUG] GET https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/26 21:47:27 client.go:614: [DEBUG] POST https://desec.io/api/v1/domains/mydomain/rrsets/
2024/03/26 21:47:27 client.go:614: [DEBUG] GET https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/26 21:47:27 client.go:614: [DEBUG] PATCH https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/26 22:09:28 client.go:614: [DEBUG] GET https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/26 22:09:28 client.go:614: [DEBUG] PATCH https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/26 22:09:28 client.go:614: [DEBUG] GET https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
2024/03/26 22:09:28 client.go:614: [DEBUG] PATCH https://desec.io/api/v1/domains/mydomain/rrsets/_acme-challenge/TXT/
time="2024-03-26T22:09:30+01:00" level=error msg="Unable to obtain ACME certificate for domains \"mydomain,*.mydomain\"" rule="Host(`traefik.mydomain`)" providerName=desec.acme error="unable to generate a certificate for the domains [mydomain *.mydomain]: error: one or more domains had a problem:\n[*.mydomain] propagation: time limit exceeded: last error: could not determine authoritative nameservers\n[mydomain] propagation: time limit exceeded: last error: could not determine authoritative nameservers\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=traefik-secure@docker

I have no time at the moment - I'll try again tomorrow with the HTTP challenge.

No idea where you set these and what these would do.

Is your domain correctly set up for DNSSEC, i.e. is/are the DS record/s set in the parent zone? You could do a check with DNSViz. And of course the NS glue records need to point to the deSEC NS as well. If not then the could not determine authoritative nameservers message might make sense.

HTTP-01 challenge does not require any DNS modification. It does require resolving the IP of the web server though. Does that work? Even if you ask Cloudflare or Google?

Also you can’t do wildcard certificates with HTTP-01.

HTH
fiwswe
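Both error messages quoted in this thread ("NS … did not return the expected TXT record" in the first log, "could not determine authoritative nameservers" in the second) come from the propagation check that Traefik's ACME library runs before it asks Let's Encrypt to validate a DNS-01 challenge. The following added example models that check so the failure modes fiwswe describes (a delegation that does not point at the nameservers the API wrote to; nameserver discovery failing altogether) can be reproduced offline. It is not Traefik's, lego's or deSEC's code; the DNS answers, nameserver names, token values and the three scenarios are constructed for illustration and are assumptions about what a resolver would return, not results of a live lookup.

```python
"""Offline model of the DNS-01 propagation check behind the errors in this thread.

Added example, not Traefik/lego/deSEC code. The shape of the check is:
  1. put the challenge at _acme-challenge.<domain> (a wildcard *.<domain>
     uses the same name as its base domain, hence two TXT values in the log),
  2. walk up the labels until a name has NS records: those are the
     authoritative nameservers the check will consult,
  3. ask each of those servers for the TXT record and require the expected
     value on every one of them.
DNS answers are injected through `query` so the example runs offline.
"""
from typing import Callable, Dict, List, Tuple

# query(server, name, rtype) -> record strings ([] when the server has none).
Query = Callable[[str, str, str], List[str]]

CHALLENGE_LABEL = "_acme-challenge"
RESOLVER = "resolver"  # pseudo-server standing in for the configured recursive resolver


def challenge_name(domain: str) -> str:
    """DNS-01 record name for a domain or a *.wildcard (both map to the base domain)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "%s.%s." % (CHALLENGE_LABEL, base.rstrip("."))


def parent_names(fqdn: str) -> List[str]:
    """'a.b.c.' -> ['a.b.c.', 'b.c.', 'c.'] (the root is not consulted)."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def find_authoritative_ns(fqdn: str, query: Query) -> Tuple[str, List[str]]:
    """Closest enclosing zone with NS records, via the recursive resolver.
    No NS on the whole path is the condition behind the second log's error."""
    for name in parent_names(fqdn):
        nameservers = query(RESOLVER, name, "NS")
        if nameservers:
            return name, sorted(nameservers)
    raise LookupError("could not determine authoritative nameservers")


def check_propagation(domain: str, expected: str, query: Query) -> Dict[str, object]:
    """Ask every authoritative NS for the TXT record; list the ones missing it."""
    fqdn = challenge_name(domain)
    zone, nameservers = find_authoritative_ns(fqdn, query)
    missing = [ns for ns in nameservers if expected not in query(ns, fqdn, "TXT")]
    return {"fqdn": fqdn, "zone": zone, "nameservers": nameservers,
            "missing": missing, "ok": not missing}


def describe(domain: str, expected: str, query: Query) -> str:
    """One line per domain in the style of the messages quoted in the thread."""
    try:
        r = check_propagation(domain, expected, query)
    except LookupError as err:
        return "[%s] %s" % (domain, err)
    if r["ok"]:
        return "[%s] ok: %s served by %s" % (domain, r["fqdn"], ", ".join(r["nameservers"]))
    return "[%s] NS %s did not return the expected TXT record [fqdn: %s, value: %s]" % (
        domain, r["missing"][0], r["fqdn"], expected)


def make_query(snapshot: Dict[str, Dict[Tuple[str, str], List[str]]]) -> Query:
    """Turn a constructed {server: {(name, type): records}} snapshot into a Query."""
    def query(server: str, name: str, rtype: str) -> List[str]:
        return list(snapshot.get(server, {}).get((name, rtype), []))
    return query


# Constructed tokens (not the values from the log) and the shared challenge name.
TOKEN_APEX = "constructed-token-for-mydomain"
TOKEN_WILD = "constructed-token-for-wildcard"
CHAL = "_acme-challenge.mydomain."
DESEC_TXT = {(CHAL, "TXT"): [TOKEN_APEX, TOKEN_WILD]}

# Scenario A (assumed): delegation points at deSEC and both servers carry the RRset.
DESEC_OK = make_query({
    RESOLVER: {("mydomain.", "NS"): ["ns1.desec.io.", "ns2.desec.org."]},
    "ns1.desec.io.": DESEC_TXT, "ns2.desec.org.": DESEC_TXT,
})
# Scenario B (assumed, shaped like the first log): the resolver reports nameservers other
# than deSEC's for the zone; they never received what the deSEC API wrote, so the check
# waits until its time limit and then names them.
WRONG_DELEGATION = make_query({
    RESOLVER: {("mydomain.", "NS"): ["docks13.rzone.de.", "shades05.rzone.de."]},
    "ns1.desec.io.": DESEC_TXT, "ns2.desec.org.": DESEC_TXT,
})
# Scenario C (assumed, shaped like the second log): no NS answer for any label.
NO_NS = make_query({})

if __name__ == "__main__":
    for label, q in (("A", DESEC_OK), ("B", WRONG_DELEGATION), ("C", NO_NS)):
        for domain, token in (("mydomain", TOKEN_APEX), ("*.mydomain", TOKEN_WILD)):
            print(label, describe(domain, token, q))
```

Swapping `make_query` for real lookups (dig +short against the resolver for NS, then against each returned nameserver for TXT) turns this into the manual check suggested earlier in the thread: if the NS names it prints are not deSEC's, no `delayBeforeCheck` or `DESEC_PROPAGATION_TIMEOUT` value will make the record appear there.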