oraclecloud is using only default realm OC1 for all requests

[zbooyo]

Welcome

• Yes, I'm using a binary release within 2 latest releases.
• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've included all information below (version, config, etc).

What did you expect to see?

oraclecloud provider is not working properly for different Oracle realms (like oc10) making calls to oraclecloud.com api (instead of using oraclecloud10.com). Tested with setting ORACLE_DEFAULT_REALM also.

What did you see instead?

* error encountered while presenting token for DNS challenge: rpc error: code = Unknown desc = oraclecloud: Patch "https://dns.REGION.oraclecloud.com/20180115/zones/....... 
:"dial tcp: lookup dns.REGION.oraclecloud.com on 169.254.169.254:53: no such host

How do you use lego?

Through Terraform ACME provider

Reproduction steps

Fails during terraform apply

Version of lego

4.16.1

Logs

terraform output only

Go environment (if applicable)

$ go version && go env
# paste output here

[ldez]

Hello,

can you provide more information about your configuration?

dial tcp: lookup dns.REGION.oraclecloud.com on 169.254.169.254:53: no such host

It feels like a local DNS problem: the DNS at 169.254.169.254:53 doesn't have information about dns.REGION.oraclecloud.com.
I think it's not related to lego.

Tested with setting ORACLE_DEFAULT_REALM also.

This is not an env var supported by lego or the Oracle API client, then I'm not sure to understand.

Also, the error message, that you provided, is not complete, some important parts are missing.

[zbooyo]

This is my definition of acme_certificate resource:

resource "acme_certificate" "self" {
  for_each = toset(var.certificate_fqdns)

  account_key_pem         = acme_registration.self.account_key_pem
  certificate_request_pem = tls_cert_request.self[each.key].cert_request_pem

  dns_challenge {
    provider = "oraclecloud"
    config = {
      OCI_COMPARTMENT_OCID   = var.dns_provider.OCI_COMPARTMENT_OCID
      OCI_PRIVKEY_FILE       = "oci_private_key.pem"
      OCI_PUBKEY_FINGERPRINT = var.dns_provider.OCI_PUBKEY_FINGERPRINT
      OCI_REGION             = var.dns_provider.OCI_REGION
      OCI_TENANCY_OCID       = var.dns_provider.OCI_TENANCY_OCID
      OCI_USER_OCID          = var.dns_provider.OCI_USER_OCID
      OCI_DEFAULT_REALM      = var.dns_provider.OCI_DEFAULT_REALM
    }
  }
}

OCI_DEFAULT_REALM is set to: "oraclecloud10.com"

OCI terraform resources work properly - doing api calls in oraclecloud10.com domain.
Without setting OCI_DEFAULT_REALM in dns_challenge error is the same.

[zbooyo]

Hi Ludovic, I updated a thread on github. Regarding your comment:

It feels like a local DNS problem: the DNS at 169.254.169.254:53 doesn't have information about dns.REGION.oraclecloud.com. I think it's not related to lego.

Problem is that dns at 169.254.169.254 see dns.REGION.oraclecloud10.com, and this is a proper call - but somehow lego calls oraclecloud.com domain which is wrong.

[ldez]

OCI_DEFAULT_REALM is not an env var managed by lego or Terraform.

And I don't find anything about this env var inside the Oracle API client used by lego.

lego/go.mod

Line 61 in 8623f0d

github.com/oracle/oci-go-sdk v24.3.0+incompatible

Currently, the realm is defined by the region.

Oracle API client has changed their module versioning with v25, lego uses v24, and the latest version is v65.

I will try to update the Oracle API client to v65.

[zbooyo]

Region is related to realm domain - some regions use different domains, ACME/lego uses `oraclecloud.com` which is wrong for my region https://github.com/oracle/oci-go-sdk/blob/master/common/regions.json

[ldez]

As explained in my previous message lego uses v24 of the API client, so the client doesn't have the same elements as the master branch of this client.

oracle/oci-go-sdk@v24.3.0...v65.63.1

[zbooyo]

Understand, thanks