PowerDNS DNS-01 challenge (with Let's Encrypt's pebble and LEGO, fails) [Need help!] #14233
Unanswered
SpiderUnderUrBed asked this question in Q&A
Hello, for the last week or so I wanted to try and host a local CA. My Raspberry Pi isn't powerful enough for something like Let's Encrypt's boulder, so I wanted to test the capabilities of PowerDNS and so on with pebble, their server built for testing this stuff, before I get more powerful hardware. I tried the http-01 challenge with lego, and I got too many issues, so I am trying the DNS-01 challenge (but now I am thinking the issues from both challenges are cut from the same cloth).
pschiffe/docker-pdns#137
^ Here is the discussion I had with the maintainer of one of the docker ports for PowerDNS. It's implied that it's less of an issue on his part and more how PowerDNS's split architecture works (separate authoritative, recursive and maybe separate admin UI), so it seemed appropriate to move the issue here.
I advise reading it, it's 18 messages.
My current issue is that:
spiderunderurbed@raspberrypi:~ $ lego --dns pdns --email [email protected] --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Obtaining bundled SAN certificate
2024/05/24 09:07:54 [INFO] retry due to: acme: error: 400 :: POST :: https://localhost:14000/order-plz :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: jef0TULTEUiXekrT4AiOIw
2024/05/24 09:07:54 [INFO] [spidershomelab.net] AuthURL: https://localhost:14000/authZ/nc0Ds4unrV1cgKjf9J8_U11zZDTw-qIipPqhGW3G9JE
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Could not find solver for: tls-alpn-01
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Could not find solver for: http-01
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: use dns-01 solver
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Preparing to solve DNS-01
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Trying to solve DNS-01
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Checking DNS record propagation using [127.0.0.1:53]
2024/05/24 09:07:56 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2024/05/24 09:08:03 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/24 09:08:04 [INFO] Deactivating auth: https://localhost:14000/authZ/nc0Ds4unrV1cgKjf9J8_U11zZDTw-qIipPqhGW3G9JE
2024/05/24 09:08:04 Could not obtain certificates: error: one or more domains had a problem: [spidershomelab.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: No TXT records found for DNS challenge
As you can see, when I set ns1.spidershomelab.net to resolve to the IP of my backend/authoritative nameserver I get this issue; when I get it to resolve to the IP of my recursor nameserver, it will say "Waiting for DNS propagation" for like 1 minute every few seconds, until it fails with the issue, timeout or something.
EDIT: it fails with:
2024/05/24 09:32:01 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/24 09:32:01 [INFO] Deactivating auth: https://localhost:14000/authZ/rfFPmj1PK47IQGzSafCUL0FZXbNINSiWE473L08aKsE
2024/05/24 09:32:01 Could not obtain certificates:
error: one or more domains had a problem:
[spidershomelab.net] time limit exceeded: last error: NS ns1.spidershomelab.net. returned NXDOMAIN for _acme-challenge.spidershomelab.net.
Here is my docker compose:
https://pastebin.com/dTiAknUJ
(my pdns configuration is available under there)
and additional logs will be in the issue I linked
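The lego output above shows two different failures: the authoritative server answers with no TXT record ("No TXT records found"), and the recursor answers NXDOMAIN for `_acme-challenge.spidershomelab.net`. An added example, not from the original post and not lego's or PowerDNS's own code, is a stdlib-only Python script that sends one TXT query straight to a chosen nameserver and reports which of those situations it sees, so the record can be verified at the authoritative server and at the recursor separately before an ACME run. The server addresses, the token value and the sample response bytes are assumptions constructed for the example; the domain name is the one from the post.

```python
import random
import socket
import struct

TXT, IN, NXDOMAIN = 16, 1, 3


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed, zero-terminated labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_txt_query(name: str, txid: int) -> bytes:
    """One TXT/IN question with RD set, as a stub resolver would send it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", TXT, IN)


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_txt_response(msg: bytes):
    """Return (rcode, [txt strings]) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode, offset = flags & 0x000F, 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    txts = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TXT:  # RDATA is a sequence of <len><chars> strings
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8"))
                pos += 1 + n
            txts.append("".join(parts))
    return rcode, txts


def classify(rcode: int, txts, expected=None) -> str:
    """Map a reply to the situations seen in the lego log: NXDOMAIN vs. empty vs. ok."""
    if rcode == NXDOMAIN:
        return "NXDOMAIN"
    if rcode != 0:
        return f"RCODE {rcode}"
    if not txts:
        return "NO TXT"
    if expected is not None and expected not in txts:
        return "TOKEN MISMATCH"
    return "OK"


def query_txt(name: str, server: str, port: int = 53, timeout: float = 3.0):
    """Send the query over UDP to one specific server and parse the reply."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:
        raise ValueError("reply transaction id does not match the query")
    return parse_txt_response(data)


def build_sample_response(txid, rcode, txts, name="_acme-challenge.spidershomelab.net"):
    """Constructed reply (not captured traffic) so the parser can run offline."""
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1 plus the rcode
    msg = struct.pack(">HHHHHH", txid, flags, 1, len(txts), 0, 0)
    msg += _encode_name(name) + struct.pack(">HH", TXT, IN)
    for text in txts:
        rdata = bytes([len(text)]) + text.encode("utf-8")
        msg += b"\xc0\x0c" + struct.pack(">HHIH", TXT, IN, 60, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    import sys
    # usage: python3 check_txt.py <nameserver-ip> [expected-token]
    # assumed: run once against the authoritative pdns IP, once against the recursor IP
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    rcode, txts = query_txt("_acme-challenge.spidershomelab.net", server)
    print(server, classify(rcode, txts, expected), txts)
```

Running it against the authoritative address while the record is supposed to exist tells you whether the record ever reached the zone (NO TXT means the API write did not land; NXDOMAIN means the name is not in that server's zone data at all). Running it against the recursor afterwards separates a backend problem from plain caching: a recursor that answered NXDOMAIN before the record was written will keep returning that negative answer until its negative-cache TTL expires, which matches a "waiting for propagation" loop that never succeeds within lego's 2-minute window.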