PowerDNS DNS-01 challenge (with Let's Encrypt's Pebble and lego, fails) [Need help!] #14233
Unanswered
SpiderUnderUrBed asked this question in Q&A
Replies: 0 comments
Hello, for the last week or so I wanted to try and host a local CA. My Raspberry Pi isn't powerful enough for something like Let's Encrypt's Boulder, so I wanted to test the capabilities of PowerDNS and so on with Pebble, their server built for testing this stuff, before I get more powerful hardware. I tried the http-01 challenge with lego and I got too many issues, so I am trying the DNS-01 challenge (but now I am thinking the issues from both challenges are cut from the same cloth).
pschiffe/docker-pdns#137
^ Here is the discussion I had with the maintainer of one of the Docker ports for PowerDNS. It's implied that it's less of an issue on his part than how PowerDNS's split architecture works (separate authoritative, recursive and maybe separate admin UI), so it seemed appropriate to move the issue here.
I advise reading it; it's 18 messages.
My current issue is that:
spiderunderurbed@raspberrypi:~ $ lego --dns pdns --email [email protected] --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Obtaining bundled SAN certificate
2024/05/24 09:07:54 [INFO] retry due to: acme: error: 400 :: POST :: https://localhost:14000/order-plz :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: jef0TULTEUiXekrT4AiOIw
2024/05/24 09:07:54 [INFO] [spidershomelab.net] AuthURL: https://localhost:14000/authZ/nc0Ds4unrV1cgKjf9J8_U11zZDTw-qIipPqhGW3G9JE
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Could not find solver for: tls-alpn-01
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Could not find solver for: http-01
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: use dns-01 solver
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Preparing to solve DNS-01
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Trying to solve DNS-01
2024/05/24 09:07:54 [INFO] [spidershomelab.net] acme: Checking DNS record propagation using [127.0.0.1:53]
2024/05/24 09:07:56 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2024/05/24 09:08:03 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/24 09:08:04 [INFO] Deactivating auth: https://localhost:14000/authZ/nc0Ds4unrV1cgKjf9J8_U11zZDTw-qIipPqhGW3G9JE
2024/05/24 09:08:04 Could not obtain certificates:
error: one or more domains had a problem:
[spidershomelab.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: No TXT records found for DNS challenge
As you can see, when I set ns1.spidershomelab.net to resolve to the IP of my backend/authoritative nameserver I get this issue. When I get it to resolve to the IP of my recursor nameserver, it will say "Waiting for DNS propagation" for, like, 1 minute every few seconds, until it fails with the issue, timeout or something.
EDIT: it fails with:
2024/05/24 09:32:01 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/24 09:32:01 [INFO] Deactivating auth: https://localhost:14000/authZ/rfFPmj1PK47IQGzSafCUL0FZXbNINSiWE473L08aKsE
2024/05/24 09:32:01 Could not obtain certificates:
error: one or more domains had a problem:
[spidershomelab.net] time limit exceeded: last error: NS ns1.spidershomelab.net. returned NXDOMAIN for _acme-challenge.spidershomelab.net.
Here is my docker-compose:
https://pastebin.com/dTiAknUJ
(my pdns configuration is available under there)
and additional logs are in the issue I linked.
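The two failures in the logs above ("No TXT records found for DNS challenge" when the NS points at the authoritative server, and "NS ns1.spidershomelab.net. returned NXDOMAIN for _acme-challenge.spidershomelab.net." when it points at the recursor) are both the validator not finding the dns-01 record where RFC 8555 section 8.4 tells it to look. The following is an added example, not code from the post, lego, Pebble or PowerDNS: it computes the exact TXT value the CA expects from the account key and challenge token, and classifies constructed DNS answers the way a validator would. The JWK coordinates, the token and the answer sets are all constructed for illustration (the EC point is not a real key), so the block runs offline.

```python
"""Worked check for an ACME dns-01 challenge (RFC 8555 section 8.4).

Given the ACME account key (as a JWK) and the challenge token, compute the
TXT value a validator such as Pebble looks up at _acme-challenge.<domain>,
then classify what a DNS answer would make the validator report.  All DNS
answers below are constructed in memory; nothing is queried over the network.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members, in
    lexicographic order, with no whitespace (EC: crv,kty,x,y; RSA: e,kty,n)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def expected_txt(token: str, jwk: dict) -> str:
    """dns-01 TXT rdata is base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(domain: str) -> str:
    """Owner name the validator queries, as an absolute name."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def check_dns01(answers: dict, domain: str, token: str, jwk: dict) -> str:
    """Classify a resolver's answer for the challenge name.

    `answers` maps an absolute owner name to a list of TXT strings, or to
    None when the name does not exist (NXDOMAIN).  The return value mirrors
    what the validator would report.
    """
    name = challenge_name(domain)
    if name not in answers or answers[name] is None:
        return "nxdomain"            # server does not know the name at all
    txts = answers[name]
    if not txts:
        return "no-txt-records"      # name exists, no TXT rdata published
    if expected_txt(token, jwk) in txts:
        return "valid"
    return "wrong-value"             # stale record from an earlier attempt


# Constructed sample inputs (assumptions, not a real key or a real token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DOMAIN = "spidershomelab.net"


def sample_answers() -> dict:
    """Three constructed answer sets, one per outcome seen in practice."""
    name = challenge_name(DOMAIN)
    return {
        "nxdomain":  {name: None},                          # recursor case
        "no_txt":    {name: []},                             # auth-server case
        "correct":   {name: [expected_txt(SAMPLE_TOKEN, SAMPLE_JWK)]},
    }


if __name__ == "__main__":
    print("expected TXT:", expected_txt(SAMPLE_TOKEN, SAMPLE_JWK))
    for label, answers in sample_answers().items():
        print(f"{label:>9}: {check_dns01(answers, DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)}")
```

The same comparison can be done by hand while lego is waiting for propagation: query the authoritative server and the recursor directly (`dig @<server-ip> TXT _acme-challenge.spidershomelab.net`) and confirm that whichever resolver the ACME server is configured to use returns a TXT record whose value matches the one computed here; a NOERROR answer with no TXT, or an NXDOMAIN, maps to the two log lines above.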