Hosting backend does not support editing records. In which of the three services and which option do I use to fix this? #137
Hello @SpiderUnderUrBed. I don't have much experience with pebble, I'm not sure how to use it. To your question, I think you only need either
Looking at your compose file, first try to put pebble and pdns ( Other than that, the configuration for pdns looks okayish.
Thank you for your quick response. Currently I am trying out manually adding the zone acme-challenge.spidershomelab.net, but that might not work as I don't have anything to respond to the challenge. Strictly related to PowerDNS, we can forget about what I'm trying to do; the point is, a challenge to issue a cert over your domain just won't work if PowerDNS is my authoritative nameserver for my domain, unless I can figure out a way to let services edit my records, so currently I am trying to find a setting that does that. I have tried adding pebble and my PowerDNS backend to the same network as you said, but this doesn't solve the issue. This issue has been mentioned before here:
The pdns server has an API where you can edit records; in general it works (for example, the PowerDNS web admin is also using the API). You can try to test it with curl, more info: https://doc.powerdns.com/authoritative/http-api/
I noticed that you are also using the bind backend in your docker compose file - Aha - yeah, you cannot update records from the bind backend:
Ah. I wondered if it had anything to do with bind, and I thought that, if it couldn't edit bind, it would edit the SQL backend, since I have them both on the same authoritative nameserver. I guess I'll need to try and get my resolver to use two authoritative nameservers? This might not be ideal however, as for my admin UI I can only use one as the backend. Any suggestions? I would like to keep both my BIND and SQL backends.
Well, I think you can still have both backends in the single pdns server. Just the zones you want to edit via API must be present in the SQL backend. I mean the whole zone must be present in the SQL backend, and you will have to move it there beforehand manually. If you want to edit records of all (or most) zones which you currently have in the bind file, that could be doable with 2 authoritative servers and a recursor, but you would have to configure the delegation correctly with NS records in the bind zones. That could get really messy. Rather than that, I would maybe suggest a script such as https://doc.powerdns.com/authoritative/manpages/zone2sql.1.html and automate conversion of the bind file to SQL.
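One way to find out which backend is actually answering for a zone before pointing lego at it, added here as an example (not code from the thread or from this project): it sends an RRset PATCH of the same kind lego's pdns provider uses and classifies the API's reply, so the "Hosting backend does not support editing records" case is caught up front. It assumes the API listens on http://127.0.0.1:8081 (adjust API_URL and API_KEY); the probe name _pdns-api-probe is constructed, and a DELETE of a name that does not exist leaves an editable zone unchanged while still exercising the write path that the bind backend rejects.

```python
import json
import urllib.error
import urllib.request

API_URL = "http://127.0.0.1:8081"  # assumed: pdns webserver/API address
API_KEY = "changeme-api-key"       # assumed placeholder for api-key= in pdns.conf
# Exact error text PowerDNS returns when the zone is served by a backend the
# API cannot write to (the bind backend, as noted in the thread).
NOT_EDITABLE = "Hosting backend does not support editing records"


def probe_body(zone):
    """DELETE of a constructed, non-existent name: a no-op on an editable zone,
    but it still opens a write transaction, which a read-only backend rejects."""
    return {"rrsets": [{"name": "_pdns-api-probe." + zone, "type": "TXT",
                        "changetype": "DELETE", "records": []}]}


def http_patch(url, body, api_key):
    """Real transport: PATCH the zone and return (status, response_text)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def classify(status, text):
    """Map the API answer onto the situations discussed in the thread."""
    if status == 204:
        return "editable"           # write path works: zone is in an SQL backend
    try:
        err = json.loads(text).get("error", text)
    except (ValueError, AttributeError):
        err = text
    if NOT_EDITABLE in err:
        return "backend-read-only"  # zone is in the bind backend; move it to SQL
    if status == 404:
        return "zone-not-found"     # this server does not host the zone at all
    return "error %d: %s" % (status, err)


def probe_zone(zone, transport=http_patch):
    """Return which of the cases above applies to `zone`."""
    zone = zone if zone.endswith(".") else zone + "."
    url = "%s/api/v1/servers/localhost/zones/%s" % (API_URL, zone)
    return classify(*transport(url, probe_body(zone), API_KEY))
```

A "backend-read-only" result for a zone that also appears in your bind zone file confirms the situation described above: move that zone into the SQL backend (for example with zone2sql) before running lego against it.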
I will close this issue soon. I am aware that this isn't strictly related to the docker port of PowerDNS (or unlikely), but I have one more issue; this possibly is related to the project. command: So, as you can see, lego or certbot can create the _acme-challenge subdomain for my domain spidershomelab.net, but it cannot read from it or dig from it. The error I just posted was my attempt at the DNS-01 challenge, but I get a similar resolution when doing the HTTP-01 challenge. I have posted an issue on this at the letsencrypt forums, but it's unusual that it can create a TXT record and I can't use something like dig to see the record, and it returns NXDOMAIN. I think it might have something to do with PowerDNS because of this weird way of functioning. Correct me if I'm wrong.
It may be related to the DNS resolver your system is using. Does it know about your authoritative server? You can create the record because it's using the PDNS API, but to be able to dig it, the DNS resolver of the system must be aware of your master DNS. When you run these two commands from the same bash you run the lego commands in, what do you see?
$ dig _acme-challenge.spidershomelab.net txt
...
$ dig _acme-challenge.spidershomelab.net txt @192.168.68.77
Well, when the challenge isn't running, both commands return NXDOMAIN. I opened another terminal, then sshed into my raspberry pi to run those commands while the challenge was ongoing, and I got this:
I was up to this point in the command execution:
172.31.53.6 is the IP I gave to my backend (pdns-mysql), so for some reason my recursor must not be forwarding it to my backend? Like what you said, it isn't aware of my authoritative server. Or something like that. I could specify the port to my DNS server with lego (maybe the IP, I haven't looked into that) with rfc2136.ini maybe, if PowerDNS could work with that. But I'll wait to see what you can suggest, as it might be simpler than what I had in mind with rfc2136.
OK, I see. The If that won't work, you may have to configure your local resolver to support the master DNS. What's in your
So, I am pretty sure that even if you do specify dns.resolvers to be a certain value, somewhere down the line it will check with ns1. For some information, over the last hour I have been testing changing the data of ns1.spidershomelab.net to get it to resolve to different things:
This is the error I get if I set ns1.spidershomelab.net to 172.31.53.6
This is the error I get if I set ns1.spidershomelab.net to 192.168.68.77; it will continue waiting for DNS record propagation until it fails.
The issue here is consistency: lego needs to be able to put the subdomain in the same resolver, and ns1.spidershomelab.net needs to be able to access the TXT record. Also I don't know if it can make a TXT record in the authoritative nameserver and requires that it be made in the backend, which makes this thing so confusing. Maybe it's the IPs that I'm trying out that are wrong. I would appreciate your input [Edit]
If this works, your objective is to make this work: What DNS resolver are you running?
First (I added an empty _acme-challange):
2nd: EDIT:
Sorry, could you try this command pls?
Pastebin is cleaner:
So you are already using I think you need to add there something like
spidershomelab.net = 172.31.53.6
I already had this in my zone files (it will forward the corresponding zone to the correct location).
So when you try to ask the recursor directly, it doesn't work? Is the recursor showing any logs?
I tried asking the recursor on port 53: I also tried removing zone forwarding to my domain, which resulted in many errors. I get the same error either way.
I'm sorry, not sure what could be the problem. The config seems mostly OK. PDNS is sensitive to how the records are configured in the DNS itself; it must match the container or host IP, depending on where you are asking from (it doesn't really like NAT) :(
Ah ok, I'll keep this issue open, maybe until I find a resolution or you have an idea, or I give up on this route (though that is unlikely). I'll be sure to post the resolution here. EDIT:
In which of the three services and which option do I use to fix this? I am trying to use pebble as a local CA and I need to set it up with DNS, as in it asks the DNS for the zone before it registers it under my local CA.
The reason why I made the issue here is because allow-dnsupdate and allow-dnsupdate-from are options to configure editing records, right? Well, under every single service I tried adding those options and they crashed. Can someone please try and see if it's reproducible?
spiderunderurbed@raspberrypi:~ $ lego --dns pdns --email <HIDDEN>@proton.me --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Obtaining bundled SAN certificate
2024/05/17 14:27:01 [INFO] [spidershomelab.net] AuthURL: https://localhost:14000/authZ/RYusSun6pHPIQBpTB2BlxBhhk5m2M5Ymgy6JawCCUCg
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Could not find solver for: tls-alpn-01
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Could not find solver for: http-01
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: use dns-01 solver
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Preparing to solve DNS-01
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/17 14:27:01 [WARN] [spidershomelab.net] acme: cleaning up failed: pdns: no existing record found for _acme-challenge.spidershomelab.net.
2024/05/17 14:27:01 [INFO] Deactivating auth: https://localhost:14000/authZ/RYusSun6pHPIQBpTB2BlxBhhk5m2M5Ymgy6JawCCUCg
2024/05/17 14:27:01 Could not obtain certificates: error: one or more domains had a problem: [spidershomelab.net] [spidershomelab.net] acme: error presenting token: pdns: error talking to PDNS API: Hosting backend does not support editing records.
Here is my docker compose:
https://pastebin.com/dTiAknUJ
If there is any extra info needed, please ask.