ACME: DNS propagation check fails with DeSEC #59

New Issue

Open

opened 2024-05-01 12:48:52 +03:00 by inex · 0 comments

inex commented 2024-05-01 12:48:52 +03:00

Owner

I guess the problem is once again caused by deploying two challenges at the same domain?..

May 01 12:29:31 bloodwine systemd[1]: Starting Renew ACME certificate for bloodwine.cyou...
May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: Waiting to acquire lock /run/acme/1.lock
May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: Acquired lock /run/acme/1.lock
May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: + set -euo pipefail
May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: + echo [REDACTED]
May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: + cmp -s domainhash.txt certificates/domainhash.txt
May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: + lego --accept-tos --path . -d '*.bloodwine.cyou' --email [REDACTED] --key-type ec256 --dns desec --server https://acme-v02.api.letsencrypt.org/directory -d bloodwine.cyou run
May 01 12:29:32 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:32 [INFO] [*.bloodwine.cyou, bloodwine.cyou] acme: Obtaining bundled SAN certificate
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [*.bloodwine.cyou] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REDACTED]
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REDACTED]
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [*.bloodwine.cyou] acme: use dns-01 solver
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] acme: Could not find solver for: tls-alpn-01
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] acme: Could not find solver for: http-01
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] acme: use dns-01 solver
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [*.bloodwine.cyou] acme: Preparing to solve DNS-01
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [DEBUG] GET https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [DEBUG] POST https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] acme: Preparing to solve DNS-01
May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [DEBUG] GET https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/
May 01 12:29:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:34 [DEBUG] PATCH https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/
May 01 12:29:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:34 [INFO] [*.bloodwine.cyou] acme: Trying to solve DNS-01
May 01 12:29:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:34 [INFO] [*.bloodwine.cyou] acme: Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53 185.12.64.2:53 185.12.64.1:53]
May 01 12:30:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:30:04 [INFO] Wait for propagation [timeout: 3m0s, interval: 30s]
May 01 12:30:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:30:04 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:30:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:30:34 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:31:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:31:04 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:31:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:31:34 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:32:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:32:04 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:32:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:32:34 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:33:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:33:04 [INFO] [bloodwine.cyou] acme: Trying to solve DNS-01
May 01 12:33:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:33:04 [INFO] [bloodwine.cyou] acme: Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53 185.12.64.2:53 185.12.64.1:53]
May 01 12:33:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:33:34 [INFO] Wait for propagation [timeout: 3m0s, interval: 30s]
May 01 12:33:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:33:34 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:34:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:34:04 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:34:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:34:34 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:35:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:35:04 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:35:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:35:34 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:36:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:04 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation.
May 01 12:36:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:34 [INFO] [*.bloodwine.cyou] acme: Cleaning DNS-01 challenge
May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [DEBUG] GET https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/
May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [DEBUG] PATCH https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/
May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [INFO] [bloodwine.cyou] acme: Cleaning DNS-01 challenge
May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [DEBUG] GET https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/
May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [DEBUG] PATCH https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:36 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REDACTED]
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:36 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REDACTED]
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:36 Could not obtain certificates:
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]:         error: one or more domains had a problem:
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: [*.bloodwine.cyou] propagation: time limit exceeded: last error: could not determine authoritative nameservers
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: [bloodwine.cyou] propagation: time limit exceeded: last error: could not determine authoritative nameservers
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205282]: + echo Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205282]: Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205282]: + exit 10
May 01 12:36:36 bloodwine systemd[1]: acme-bloodwine.cyou.service: Main process exited, code=exited, status=10/n/a
May 01 12:36:36 bloodwine systemd[1]: acme-bloodwine.cyou.service: Failed with result 'exit-code'.
May 01 12:36:36 bloodwine systemd[1]: Failed to start Renew ACME certificate for bloodwine.cyou.
May 01 12:36:36 bloodwine systemd[1]: acme-bloodwine.cyou.service: Consumed 440ms CPU time, received 51.4K IP traffic, sent 23.1K IP traffic.

I guess the problem is once again caused by deploying two challenges at the same domain?.. ``` May 01 12:29:31 bloodwine systemd[1]: Starting Renew ACME certificate for bloodwine.cyou... May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: Waiting to acquire lock /run/acme/1.lock May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: Acquired lock /run/acme/1.lock May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: + set -euo pipefail May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: + echo [REDACTED] May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: + cmp -s domainhash.txt certificates/domainhash.txt May 01 12:29:31 bloodwine acme-bloodwine.cyou-start[205282]: + lego --accept-tos --path . -d '*.bloodwine.cyou' --email [REDACTED] --key-type ec256 --dns desec --server https://acme-v02.api.letsencrypt.org/directory -d bloodwine.cyou run May 01 12:29:32 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:32 [INFO] [*.bloodwine.cyou, bloodwine.cyou] acme: Obtaining bundled SAN certificate May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [*.bloodwine.cyou] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REDACTED] May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REDACTED] May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [*.bloodwine.cyou] acme: use dns-01 solver May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] acme: Could not find solver for: tls-alpn-01 May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] acme: Could not find solver for: http-01 May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] acme: use dns-01 solver May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [*.bloodwine.cyou] acme: Preparing to solve DNS-01 May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [DEBUG] GET https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/ May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [DEBUG] POST https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/ May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [INFO] [bloodwine.cyou] acme: Preparing to solve DNS-01 May 01 12:29:33 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:33 [DEBUG] GET https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/ May 01 12:29:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:34 [DEBUG] PATCH https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/ May 01 12:29:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:34 [INFO] [*.bloodwine.cyou] acme: Trying to solve DNS-01 May 01 12:29:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:29:34 [INFO] [*.bloodwine.cyou] acme: Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53 185.12.64.2:53 185.12.64.1:53] May 01 12:30:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:30:04 [INFO] Wait for propagation [timeout: 3m0s, interval: 30s] May 01 12:30:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:30:04 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:30:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:30:34 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:31:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:31:04 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:31:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:31:34 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:32:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:32:04 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:32:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:32:34 [INFO] [*.bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:33:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:33:04 [INFO] [bloodwine.cyou] acme: Trying to solve DNS-01 May 01 12:33:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:33:04 [INFO] [bloodwine.cyou] acme: Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53 185.12.64.2:53 185.12.64.1:53] May 01 12:33:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:33:34 [INFO] Wait for propagation [timeout: 3m0s, interval: 30s] May 01 12:33:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:33:34 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:34:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:34:04 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:34:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:34:34 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:35:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:35:04 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:35:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:35:34 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:36:04 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:04 [INFO] [bloodwine.cyou] acme: Waiting for DNS record propagation. May 01 12:36:34 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:34 [INFO] [*.bloodwine.cyou] acme: Cleaning DNS-01 challenge May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [DEBUG] GET https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/ May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [DEBUG] PATCH https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/ May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [INFO] [bloodwine.cyou] acme: Cleaning DNS-01 challenge May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [DEBUG] GET https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/ May 01 12:36:35 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:35 [DEBUG] PATCH https://desec.io/api/v1/domains/bloodwine.cyou/rrsets/_acme-challenge/TXT/ May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:36 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REDACTED] May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:36 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REDACTED] May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: 2024/05/01 12:36:36 Could not obtain certificates: May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: error: one or more domains had a problem: May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: [*.bloodwine.cyou] propagation: time limit exceeded: last error: could not determine authoritative nameservers May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205285]: [bloodwine.cyou] propagation: time limit exceeded: last error: could not determine authoritative nameservers May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205282]: + echo Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start. May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205282]: Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start. May 01 12:36:36 bloodwine acme-bloodwine.cyou-start[205282]: + exit 10 May 01 12:36:36 bloodwine systemd[1]: acme-bloodwine.cyou.service: Main process exited, code=exited, status=10/n/a May 01 12:36:36 bloodwine systemd[1]: acme-bloodwine.cyou.service: Failed with result 'exit-code'. May 01 12:36:36 bloodwine systemd[1]: Failed to start Renew ACME certificate for bloodwine.cyou. May 01 12:36:36 bloodwine systemd[1]: acme-bloodwine.cyou.service: Consumed 440ms CPU time, received 51.4K IP traffic, sent 23.1K IP traffic. ```

inex referenced this issue from a commit 2024-05-02 22:34:42 +03:00

fix: Add DeSEC to dnsPropagationCheckExceptions

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

flakes

inex/test-collect-garbage

inex/test-autobackup

inex/test-systemd-rebuild

master

pre-release

flake-to-override-folder

flake-to-override

systemd-limits

ldap

api-redis

pleroma-fixes

development

rolling-testing

Labels

Clear labels   

Contributions welcome

  

Service packaging

  

bug

Something is not working   

duplicate

This issue or pull request already exists   

enhancement

New feature   

help wanted

Need some help   

invalid

Something is wrong   

question

More information is needed   

wontfix

This won't be fixed

No Label

Contributions welcome

Service packaging

bug

duplicate

enhancement

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: SelfPrivacy/selfprivacy-nixos-config#59

There is no content yet.