Cloudflare .eu domain zone problem #930

TheSpixxyQ opened this issue Jul 20, 2019 · 2 comments

@TheSpixxyQ TheSpixxyQ commented Jul 20, 2019

Hello, I have two .cz domains and one .eu domain. I am using Traefik for the Let's Encrypt DNS challenge, and Traefik is using LEGO. The two .cz domains worked without problem, but the .eu domain challenge gives me the error
acme: error cleaning up: cloudflare: failed to find zone eu.: Zone could not be found
I read a lot of things about this and found an old issue saying it's caused by split DNS, and yes, I have an internal DNS redirect only for that .eu domain. Could that be the problem? What can I do about it?

@TheSpixxyQ TheSpixxyQ commented Jul 22, 2019

Maybe I just found where my problem is. Is LEGO really making DNS queries from the machine it runs on?
My split DNS is router-based, and a NAT rule catches ALL requests on port 53. I realized it when I tried to run dig +trace mydomain.eu @8.8.8.8 and it returned my internal IP even though Google's DNS server was specified.
If this is true, maybe I can add an exception to my NAT rule so that queries from the machine running LEGO just pass through (if there's no other way to fix this). Can you please confirm my thoughts?

@dmke dmke commented Oct 8, 2019

Yes, Lego performs recursive DNS requests on the machine it runs on. It tries, in order:

  • the system resolvers defined in /etc/resolv.conf
  • google-public-dns-a.google.com:53
  • google-public-dns-a.google.com:53

If you've started Lego with the --dns.resolvers flag, it tries the given resolvers instead.

The Cloudflare error happens because, in order to update DNS records for the domain you're trying to obtain certificates for, Lego needs to find the "apex name" for that domain. This is the domain for which a SOA record exists.

Example: if you want a certificate for foo.bar.mydomain.eu, and mydomain.eu is the zone name at Cloudflare (i.e. the apex domain), Lego performs a query equivalent to this:

$ dig -t SOA foo.bar.mydomain.eu +recurse +nocomment
;foo.bar.mydomain.eu.        IN  SOA
foo.bar.mydomain.eu.   300   IN  CNAME mydomain.eu
mydomain.eu.           3600  IN  SOA   adi.ns.cloudflare.com. dns.cloudflare.com. 2032109425 10000 2400 604800 3600

Here, the apex domain is the first entry in the last line (mydomain.eu.).

Lego then proceeds to query the Cloudflare API for information on the mydomain.eu zone.

If your DNS server instead returns something like this:

$ dig -t SOA foo.bar.mydomain.eu +recurse +nocomment
;foo.bar.mydomain.eu.        IN  SOA
eu.           ... whatever

then Lego detects eu. as the apex domain and queries Cloudflare for information about that domain (which Cloudflare doesn't have). Hence the error "failed to find zone eu.: Zone could not be found".
