
DNS Challenges example #9

Closed
richp10 opened this issue Feb 22, 2020 · 6 comments

Comments

@richp10

richp10 commented Feb 22, 2020

Sorry - I got stuck at go trying to use the library for DNS challenges.

If you can give me a couple of basic pointers here, I will try and figure it out and then propose a minimal example as a PR if I get it working!

@dreadl0ck
Contributor

Jep, sorry the documentation on this is a little spare atm.

  1. Point your domain to the nameserver(s) of one of the providers supported by https://github.com/go-acme/lego (e.g. to DigitalOcean)

     Some examples for common registrars can be found here:
     https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars

  2. Generate an API key at the provider with read and write access
  3. Export the API key as an environment variable visible to your backend, with the name expected by lego for that provider (e.g. DO_AUTH_TOKEN for DigitalOcean).
  4. Set the name of the provider you chose in the simplecert.Config that you pass to simplecert.Init (e.g. 'digitalocean')

That's pretty much it.
Let me know if you experience any issues.

@richp10
Author

richp10 commented Feb 22, 2020

Thanks - yes I have that bit in hand (using gcloud) and believe I have the necessary environment variables set (remove them and I get an error from lego, which is a good sign).

I also set cfg.DNSProvider = "gcloud" and Local = false and pass it to Init without error.

When Init runs, I get the following in the log. It appears that a TLS challenge is being tried, not DNS:

2020/02/22 14:50:28 [INFO] simplecert: client creation complete
2020/02/22 14:50:28 [INFO] [mail.mydomain.net] acme: Obtaining bundled SAN certificate
2020/02/22 14:50:28 [INFO] [mail.mydomain.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<code>
2020/02/22 14:50:28 [INFO] [mail.mydomain.net] acme: use tls-alpn-01 solver
2020/02/22 14:50:28 [INFO] [mail.mydomain.net] acme: Trying to solve TLS-ALPN-01
2020/02/22 14:50:36 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<code>
2020/02/22 14:50:36 [FATAL] simplecert: failed to obtain cert: acme: Error -> One or more domains had a problem:
[mail.mydomain.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: 

@dreadl0ck
Contributor

That's weird indeed.

Also because retrieving the cert via TLS-ALPN should have worked as well.
Did you maybe run into Let's Encrypt's rate limiting for your domain?

@dreadl0ck
Contributor

dreadl0ck commented Feb 22, 2020

Are you using the Default config?
If yes, clear the TLSAddress and HTTPAddress fields.

If they are set, they will also be set as available challenges in lego.
I'm not sure if it favours the TLS over the DNS challenge if both are set,
or if it's due to the order the challenges are set in simplecert.

Currently the TLS challenge is always added before the DNS challenge.

@richp10
Author

richp10 commented Feb 22, 2020

> Are you using the Default config?
> If yes, clear the TLSAddress and HTTPAddress fields.

Ah yes, that gets me closer. Nuking these kicks Lego into using DNS-01. It does appear that lego favours TLS over DNS. Without these it reports 'Cannot find solver for tls-alpn-01 and http-01' before it decides to use the DNS-01 solver.

I am still getting errors but at this point I think this is just me tweaking the Google Cloud IAM permissions. I won't get back to this until Monday but I think you have given me enough to press on. It's looking good, thanks, and if I get it going I will propose an example and documentation tweaks.

@dreadl0ck
Contributor

Great!

I've added log messages showing which challenges are being set, and moved setting the DNS challenge before setting the others, in v1.6.8.

Enjoy the weekend
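As an added example (not code from simplecert, lego, or either participant), here is a preflight check that encodes the thread's conclusion: the listener fields decide which solvers simplecert registers, so a DNS-only run needs TLSAddress and HTTPAddress cleared plus the provider's credentials exported to the backend. Config is a hypothetical mirror of the simplecert.Config fields named above, DO_AUTH_TOKEN comes from the thread, and the gcloud variable names are assumed from lego's provider docs.

```go
package main

import "fmt"

// Config is a hypothetical mirror of the simplecert.Config fields discussed in the thread.
type Config struct {
	DNSProvider string // lego provider name, e.g. "digitalocean" or "gcloud"
	TLSAddress  string // non-empty: simplecert also registers a tls-alpn-01 solver
	HTTPAddress string // non-empty: simplecert also registers an http-01 solver
}

// ProviderEnv: credential variables lego reads per provider. DO_AUTH_TOKEN is from
// the thread; the gcloud names are taken from lego's docs (assumed, verify for your version).
var ProviderEnv = map[string][]string{
	"digitalocean": {"DO_AUTH_TOKEN"},
	"gcloud":       {"GCE_PROJECT", "GCE_SERVICE_ACCOUNT_FILE"},
}

// RegisteredSolvers lists the solvers simplecert hands to lego, in the pre-v1.6.8 order
// from the thread (listeners first, dns-01 last); lego then picked tls-alpn-01 over dns-01.
func RegisteredSolvers(cfg Config) []string {
	var s []string
	for _, c := range []struct{ set, name string }{
		{cfg.TLSAddress, "tls-alpn-01"}, {cfg.HTTPAddress, "http-01"}, {cfg.DNSProvider, "dns-01"},
	} {
		if c.set != "" {
			s = append(s, c.name)
		}
	}
	return s
}

// DNSOnlyCheck fails unless dns-01 would be the only solver and the provider's
// credentials are visible through getenv (pass os.Getenv in the real backend).
func DNSOnlyCheck(cfg Config, getenv func(string) string) error {
	if s := RegisteredSolvers(cfg); len(s) != 1 || s[0] != "dns-01" {
		return fmt.Errorf("would register %v: clear TLSAddress/HTTPAddress and set DNSProvider", s)
	}
	vars, ok := ProviderEnv[cfg.DNSProvider]
	if !ok {
		return fmt.Errorf("provider %q not in ProviderEnv", cfg.DNSProvider)
	}
	for _, v := range vars {
		if getenv(v) == "" {
			return fmt.Errorf("%s needs %s exported to the backend", cfg.DNSProvider, v)
		}
	}
	return nil
}
```

Call DNSOnlyCheck(cfg, os.Getenv) before simplecert.Init; with the Default config's listener addresses still set it reports the three solvers the failing run above ended up with.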
