lego: loopia: cannot create or remove TXT records (via CNAME)

Welcome

  • Yes, I’m using a binary release within 2 latest releases.
  • Yes, I’ve searched similar issues on GitHub and didn’t find any.
  • Yes, I’ve included all information below (version, config, etc).

What did you expect to see?

Successful creation of TXT records

What did you see instead?

😦

I recall that the ACME client for RFC2136 could not follow CNAME redirections. Is this a similar case?

I know Loopia's API is a steaming pile, and the bug is likely theirs.

The “DNS-editor” GUI has:

_acme-challenge
  CNAME 3600 0 _acme-challenge.challenge
_acme-challenge.mail
  CNAME 3600 0 _acme-challenge.challenge
_acme-challenge.neko
  CNAME 3600 0 _acme-challenge.challenge
_acme-challenge.challenge
  TXT 300 0 test

I know this case works when we are in control of the BIND server. I’d output more debug info if I knew how. DEBUG searches turn up empty for loopia.

How do you use lego?

Binary

Reproduction steps

  1. See logs for invocation

Version of lego

lego version 4.10.2 linux/amd64

Logs

2023/02/28 18:15:36 [INFO] [neko.example.se, mail.example.se] acme: Obtaining bundled SAN certificate
2023/02/28 18:15:37 [INFO] [mail.example.se] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<redacted>
2023/02/28 18:15:37 [INFO] [neko.example.se] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<redacted>
2023/02/28 18:15:37 [INFO] [mail.example.se] acme: Could not find solver for: tls-alpn-01
2023/02/28 18:15:37 [INFO] [mail.example.se] acme: Could not find solver for: http-01
2023/02/28 18:15:37 [INFO] [mail.example.se] acme: use dns-01 solver
2023/02/28 18:15:37 [INFO] [neko.example.se] acme: Could not find solver for: tls-alpn-01
2023/02/28 18:15:37 [INFO] [neko.example.se] acme: Could not find solver for: http-01
2023/02/28 18:15:37 [INFO] [neko.example.se] acme: use dns-01 solver
2023/02/28 18:15:37 [INFO] [mail.example.se] acme: Preparing to solve DNS-01
2023/02/28 18:15:37 [INFO] Found CNAME entry for "_acme-challenge.mail.example.se.": "_acme-challenge.example.se."
2023/02/28 18:15:37 [INFO] Found CNAME entry for "_acme-challenge.example.se.": "_acme-challenge.challenge.example.se."
2023/02/28 18:15:37 [INFO] [neko.example.se] acme: Preparing to solve DNS-01
2023/02/28 18:15:37 [INFO] Found CNAME entry for "_acme-challenge.neko.example.se.": "_acme-challenge.example.se."
2023/02/28 18:15:37 [INFO] Found CNAME entry for "_acme-challenge.example.se.": "_acme-challenge.challenge.example.se."
2023/02/28 18:15:37 [INFO] [mail.example.se] acme: Cleaning DNS-01 challenge
2023/02/28 18:15:37 [INFO] Found CNAME entry for "_acme-challenge.mail.example.se.": "_acme-challenge.example.se."
2023/02/28 18:15:37 [INFO] Found CNAME entry for "_acme-challenge.example.se.": "_acme-challenge.challenge.example.se."
2023/02/28 18:15:38 [WARN] [mail.example.se] acme: cleaning up failed: loopia: failed to remove TXT record: RPC Error: (637) Domain name not valid.
2023/02/28 18:15:38 [INFO] [neko.example.se] acme: Cleaning DNS-01 challenge
2023/02/28 18:15:38 [INFO] Found CNAME entry for "_acme-challenge.neko.example.se.": "_acme-challenge.example.se."
2023/02/28 18:15:38 [INFO] Found CNAME entry for "_acme-challenge.example.se.": "_acme-challenge.challenge.example.se."
2023/02/28 18:15:38 [WARN] [neko.example.se] acme: cleaning up failed: loopia: failed to remove TXT record: RPC Error: (637) Domain name not valid.
2023/02/28 18:15:38 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<redacted>
2023/02/28 18:15:38 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<redacted>
2023/02/28 18:15:38 Could not obtain certificates:
	error: one or more domains had a problem:
[mail.example.se] [mail.example.se] acme: error presenting token: loopia: failed to add TXT record: RPC Error: (637) Domain name not valid.
[neko.example.se] [neko.example.se] acme: error presenting token: loopia: failed to add TXT record: RPC Error: (637) Domain name not valid.

Go environment (if applicable)

No response

About this issue

  • State: open
  • Created a year ago
  • Comments: 29 (29 by maintainers)

Most upvoted comments

Today it is working for me without any changes. But I’ll create a PR with handling of the error (and maybe adding additional logging).

Yesterday, when I tested, dns01.GetRecord(domain, keyAuth) returned “_acme-challenge.challenge.” instead of “_acme-challenge.challenge.example.com.” Maybe I missed something in the zone file?

Now I’ve created 1 correct and 1 faulty CNAME, not using LEGO_DISABLE_CNAME_SUPPORT=true:

_acme-challenge.challenge IN      300     TXT     test
_acme-challenge.correct  IN      300     CNAME   _acme-challenge.challenge
_acme-challenge.faulty   IN      300     CNAME   _acme-challenge.challenge.

The logs for the faulty CNAME (FQDN target) show:

[INFO] [faulty.example.com] acme: Obtaining bundled SAN certificate
[INFO] [faulty.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5592979254
[INFO] [faulty.example.com] acme: Could not find solver for: tls-alpn-01
[INFO] [faulty.example.com] acme: Could not find solver for: http-01
[INFO] [faulty.example.com] acme: use dns-01 solver
[INFO] [faulty.example.com] acme: Preparing to solve DNS-01
[INFO] Found CNAME entry for "_acme-challenge.faulty.example.com.": "_acme-challenge.challenge."
[INFO] [faulty.example.com] acme: Cleaning DNS-01 challenge
[INFO] Found CNAME entry for "_acme-challenge.faulty.example.com.": "_acme-challenge.challenge."
[WARN] [faulty.example.com] acme: cleaning up failed: loopia: failed to remove TXT record: RPC Error: (637) Domain name not valid.
[INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5592979254
Could not obtain certificates:
	error: one or more domains had a problem:
[faulty.example.com] [faulty.example.com] acme: error presenting token: loopia: failed to add TXT record: RPC Error: (637) Domain name not valid.

The logs for the working CNAME show:

[INFO] [correct.example.com] acme: Obtaining bundled SAN certificate
[INFO] [correct.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5592959394
[INFO] [correct.example.com] acme: Could not find solver for: tls-alpn-01
[INFO] [correct.example.com] acme: Could not find solver for: http-01
[INFO] [correct.example.com] acme: use dns-01 solver
[INFO] [correct.example.com] acme: Preparing to solve DNS-01
[INFO] Found CNAME entry for "_acme-challenge.correct.example.com.": "_acme-challenge.challenge.example.com."
[INFO] [correct.example.com] acme: Trying to solve DNS-01
[INFO] Found CNAME entry for "_acme-challenge.correct.example.com.": "_acme-challenge.challenge.example.com."
[INFO] [correct.example.com] acme: Checking DNS record propagation using [ns1.loopia.se:53]
[INFO] Wait for propagation [timeout: 40m0s, interval: 1m0s]
[INFO] [correct.example.com] The server validated our request
[INFO] [correct.example.com] acme: Cleaning DNS-01 challenge
[INFO] Found CNAME entry for "_acme-challenge.correct.example.com.": "_acme-challenge.challenge.example.com."
[INFO] [correct.example.com] acme: Validations succeeded; requesting certificates
[INFO] [correct.example.com] Server responded with a certificate.

The dig output is:

>dig +noall +answer @ns1.loopia.se _acme-challenge.correct.example.com TXT
_acme-challenge.correct.example.com. 166	IN CNAME _acme-challenge.challenge.example.com.
_acme-challenge.challenge.example.com. 166 IN TXT "test"

>dig +noall +answer @ns1.loopia.se _acme-challenge.faulty.example.com TXT
_acme-challenge.faulty.example.com. 178 IN CNAME	_acme-challenge.challenge.

@systemcrash, can you test again (and verify that your CNAMEs are not FQDNs) and see if it works for you today as well?
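The relative-versus-absolute CNAME target distinction drawn in the comment above, as an added Go example (not lego's own code): the resolver table, the zone and the "domain name not valid" wording are constructed stand-ins, and the check shows why a target outside the managed zone cannot be turned into a record the provider API would accept.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for the resolver: the relative zone-file target became
// absolute within the zone, the dotted one stayed "_acme-challenge.challenge."
var cnames = map[string]string{
	"_acme-challenge.correct.example.com.": "_acme-challenge.challenge.example.com.",
	"_acme-challenge.faulty.example.com.":  "_acme-challenge.challenge.",
}

// followCNAME walks the chain as a dns-01 solver does, bounded against loops.
func followCNAME(fqdn string) string {
	for i := 0; i < 10; i++ {
		target, ok := cnames[fqdn]
		if !ok {
			return fqdn
		}
		fqdn = target
	}
	return fqdn
}

// splitForZone returns the record name relative to the zone the API account
// manages, or an error mirroring the provider's "domain name not valid" when
// the effective challenge name does not sit inside that zone.
func splitForZone(fqdn, zone string) (string, error) {
	zone = strings.TrimSuffix(zone, ".") + "."
	if !strings.HasSuffix(fqdn, "."+zone) {
		return "", fmt.Errorf("%q is not under zone %q: domain name not valid", fqdn, zone)
	}
	return strings.TrimSuffix(fqdn, "."+zone), nil
}

// challengeRecord resolves where the TXT record for domain would be written.
func challengeRecord(domain, zone string) (string, error) {
	return splitForZone(followCNAME("_acme-challenge."+domain+"."), zone)
}

func main() {
	for _, d := range []string{"correct.example.com", "faulty.example.com"} {
		sub, err := challengeRecord(d, "example.com")
		fmt.Printf("%s -> %q err=%v\n", d, sub, err)
	}
}
```

Running it prints the relative record name for the correct host and the error for the faulty one, which is the same split between the two log excerpts above.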

OK - thank you. lego makes no assumptions about the platform it’s on, as I read, so I must remember to run something like cd /root, or just cd, before invocation; otherwise it doesn’t find the .lego folder and tries to make a new one locally… (mainly a note to self)

FYI, it’s not a bug: CNAME support has been enabled by default in lego v4.9.0, after several years in experimental mode.

LOOPIA_API_USER_FILE=/root/.lego/loopia-user LOOPIA_API_PASSWORD_FILE=/root/.lego/loopia-pass LEGO_DISABLE_CNAME_SUPPORT=true /root/lego -a --email root@example.com --dns loopia --domains neko.example.se --domains mail.example.se run
2023/02/28 18:52:02 [INFO] [neko.example.se, mail.example.se] acme: Obtaining bundled SAN certificate
2023/02/28 18:52:03 [INFO] [mail.example.se] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/207133307846
2023/02/28 18:52:03 [INFO] [neko.example.se] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/207133307856
2023/02/28 18:52:03 [INFO] [mail.example.se] acme: Could not find solver for: tls-alpn-01
2023/02/28 18:52:03 [INFO] [mail.example.se] acme: Could not find solver for: http-01
2023/02/28 18:52:03 [INFO] [mail.example.se] acme: use dns-01 solver
2023/02/28 18:52:03 [INFO] [neko.example.se] acme: Could not find solver for: tls-alpn-01
2023/02/28 18:52:03 [INFO] [neko.example.se] acme: Could not find solver for: http-01
2023/02/28 18:52:03 [INFO] [neko.example.se] acme: use dns-01 solver
2023/02/28 18:52:03 [INFO] [mail.example.se] acme: Preparing to solve DNS-01
2023/02/28 18:52:04 [INFO] [neko.example.se] acme: Preparing to solve DNS-01
2023/02/28 18:52:04 [INFO] [mail.example.se] acme: Trying to solve DNS-01
2023/02/28 18:52:04 [INFO] [mail.example.se] acme: Checking DNS record propagation using [8.8.8.8:53]
2023/02/28 18:53:04 [INFO] Wait for propagation [timeout: 40m0s, interval: 1m0s]
2023/02/28 18:53:19 [INFO] [mail.example.se] The server validated our request
2023/02/28 18:53:19 [INFO] [neko.example.se] acme: Trying to solve DNS-01
2023/02/28 18:53:19 [INFO] [neko.example.se] acme: Checking DNS record propagation using [8.8.8.8:53]
2023/02/28 18:54:19 [INFO] Wait for propagation [timeout: 40m0s, interval: 1m0s]
2023/02/28 18:54:25 [INFO] [neko.example.se] The server validated our request
2023/02/28 18:54:25 [INFO] [mail.example.se] acme: Cleaning DNS-01 challenge
2023/02/28 18:54:25 [INFO] [neko.example.se] acme: Cleaning DNS-01 challenge
2023/02/28 18:54:26 [INFO] [neko.example.se, mail.example.se] acme: Validations succeeded; requesting certificates
2023/02/28 18:54:26 [INFO] [neko.example.se] Server responded with a certificate.

That succeeded, although it nuked the CNAME records from the ‘subdomains’.

Hello,

can you try to set the env var LEGO_DISABLE_CNAME_SUPPORT to true?