
Unable to provision a certificate for wildcarded domain (all DNS records in hetzner zone, no split dns) #11

Open
collinvandyck opened this issue Jul 24, 2024 · 3 comments

Comments


collinvandyck commented Jul 24, 2024

I'm trying to get the hetzner dns provider cert to work with a wildcarded subdomain, but I'm having issues with provisioning the cert for a four-segment domain. A normal subdomain does work properly with the hetzner dns provider.

I've set up my hetzner zone for 5xx.engineer as follows (irrelevant records omitted):

A foobar.5xx.engineer 100.123.179.103
A vps.5xx.engineer    100.123.179.103
A *.vps.5xx.engineer  100.123.179.103

In my Caddyfile, I've got two virtualhosts defined, each delegating dns-01 challenges to caddy-dns/hetzner:

foobar.5xx.engineer  {
  tls {
    dns hetzner {env.CADDY_HETZNER_DNS_TOKEN}
  }
  respond "foobar ({remote_host}:{remote_port})"
}

foo.vps.5xx.engineer  {
  tls {
    dns hetzner {env.CADDY_HETZNER_DNS_TOKEN}
  }
  respond "foo @ vps ({remote_host}:{remote_port})"
}

The first site, foobar.5xx.engineer, is able to provision a cert through the dns provider, but the second one, foo.vps.5xx.engineer, fails to work.

caddy  | {"level":"info","ts":1721779684.2958658,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"foo.vps.5xx.engineer","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy  | {"level":"error","ts":1721779694.1754322,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"foo.vps.5xx.engineer","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"No TXT record found at _acme-challenge.foo.vps.5xx.engineer","instance":"","subproblems":[]}}
caddy  | {"level":"error","ts":1721779694.175478,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"foo.vps.5xx.engineer","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"No TXT record found at _acme-challenge.foo.vps.5xx.engineer","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1848095037/290009038687","attempt":1,"max_attempts":3}
caddy  | {"level":"error","ts":1721779694.175556,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"foo.vps.5xx.engineer","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.foo.vps.5xx.engineer"}
caddy  | {"level":"info","ts":1721779694.175649,"logger":"tls.obtain","msg":"releasing lock","identifier":"foo.vps.5xx.engineer"}
caddy  | {"level":"error","ts":1721779694.175839,"logger":"tls","msg":"job failed","error":"foo.vps.5xx.engineer: obtaining certificate: [foo.vps.5xx.engineer] Obtain: [foo.vps.5xx.engineer] solving challenge: foo.vps.5xx.engineer: [foo.vps.5xx.engineer] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.foo.vps.5xx.engineer (ca=https://acme-v02.api.letsencrypt.org/directory)"}

I verified that it DOES work for a four-part domain that has an explicit A record without relying on the wildcard, but anything that uses the wildcard fails to provision.

It seems similar to #9 but the error message is different. It also seems similar to #2 but I'm not using split DNS, so I decided to create a new issue.

Is there any guidance on how to create the subdomain wildcard so that the hetzner dns provider will work in that case? Thank you!


Caddy build specs:

FROM caddy:2.8.4-builder AS builder
RUN xcaddy build v2.8.4 \
    --with github.com/tailscale/caddy-tailscale \
    --with github.com/caddy-dns/hetzner

FROM caddy:2.8.4
RUN apk add curl
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY ./Caddyfile /etc/caddy/Caddyfile
COPY html /srv
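Added example, not code from caddy-dns/hetzner or Caddy: the two name computations a dns-01 provider has to get right for a multi-label name like foo.vps.5xx.engineer (the challenge name the CA queries, and the zone-relative name handed to a zone-scoped DNS API), plus a preflight that repeats the CA's TXT lookup and fails with the same "no TXT record found" condition seen in the log. The zone "5xx.engineer." is taken from the issue; the digest values are constructed, and the code illustrates where the record can land under the wrong name rather than diagnosing the plugin's actual bug.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// challengeFQDN returns the name the CA queries for a dns-01 challenge; a
// wildcard identifier is validated at its base name, so "*." is dropped first.
func challengeFQDN(identifier string) string {
	base := strings.TrimSuffix(strings.TrimPrefix(identifier, "*."), ".")
	return "_acme-challenge." + base
}

// relativeName strips the zone suffix, which a provider plugin must do before
// creating a record through a zone-scoped API. The zone must be the one that
// exists at the provider ("5xx.engineer."); stripping "vps.5xx.engineer" from a
// four-label name yields "_acme-challenge.foo", a name the CA never queries.
func relativeName(fqdn, zone string) (string, error) {
	f := strings.TrimSuffix(fqdn, ".")
	z := strings.TrimSuffix(zone, ".")
	if !strings.HasSuffix(f, "."+z) {
		return "", fmt.Errorf("%s is not inside zone %s", fqdn, zone)
	}
	return strings.TrimSuffix(f, "."+z), nil
}

// lookupTXT matches (*net.Resolver).LookupTXT so a constructed lookup can be injected.
type lookupTXT func(ctx context.Context, name string) ([]string, error)

// preflight repeats the CA's check: the key-authorization digest must be
// visible as a TXT record at the challenge name before validation is requested.
func preflight(ctx context.Context, lookup lookupTXT, identifier, digest string) error {
	name := challengeFQDN(identifier)
	vals, err := lookup(ctx, name)
	if err != nil || len(vals) == 0 {
		return fmt.Errorf("no TXT record found at %s", name)
	}
	for _, v := range vals {
		if v == digest {
			return nil
		}
	}
	return fmt.Errorf("TXT record at %s does not carry the expected value", name)
}
```

Pass net.DefaultResolver.LookupTXT as the lookup to run the preflight against live DNS before letting the ACME client request validation.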
@matthiasjo

I have the same issue with wildcard domains with Hetzner DNS. Thanks for posting.


krpr commented Dec 14, 2024

The same issue with caddy-dns/hexonet.
It seems that some suffix cannot be recognised correctly.

caddy-dns/hexonet#1


janstuemmel commented Jan 23, 2025

Did you set an email address for the issuer?

I have:

{
  acme_dns hetzner XXXXXXXXXXXXXXXXXXXXXX
  email [email protected]
}
