
Cannot use DNS challenge with the DNS provider desec #6910

Closed
hcc23 opened this issue Jun 10, 2020 · 4 comments

Comments

@hcc23

hcc23 commented Jun 10, 2020

Do you want to request a feature or report a bug?

Bug

What did you do?

Context:
I am attempting to get a wildcard certificate from Let's Encrypt via a DNS-01 challenge with the DNS provider desec.

  1. I created a small example that replicates the problem (see docker-compose.yml in the configuration section below).
  2. Started the compose file (see output below) and observed the error (see "What did you see instead?" below).
  3. Confirmed that go-acme/lego is indeed working (access token redacted):
➜  ~ docker run goacme/lego --version
lego version v3.7.0 linux/amd64

➜  ~ docker run -it \
-e DESEC_TOKEN=<my access token> \
goacme/lego --accept-tos --dns desec --domains \*.c0.dedyn.io --email postmaster@dadac0.de run


2020/06/10 13:23:54 No key found for account postmaster@dadac0.de. Generating a P384 key.
2020/06/10 13:23:54 Saved key to /.lego/accounts/acme-v02.api.letsencrypt.org/postmaster@dadac0.de/keys/postmaster@dadac0.de.key
2020/06/10 13:23:55 [INFO] acme: Registering account for postmaster@dadac0.de
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/06/10 13:23:55 [INFO] [*.c0.dedyn.io] acme: Obtaining bundled SAN certificate
2020/06/10 13:23:56 [INFO] [*.c0.dedyn.io] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5139524923
2020/06/10 13:23:56 [INFO] [*.c0.dedyn.io] acme: use dns-01 solver
2020/06/10 13:23:56 [INFO] [*.c0.dedyn.io] acme: Preparing to solve DNS-01
2020/06/10 13:23:56 [INFO] [*.c0.dedyn.io] acme: Trying to solve DNS-01
2020/06/10 13:23:56 [INFO] [*.c0.dedyn.io] acme: Checking DNS record propagation using [192.168.71.2:53]
2020/06/10 13:23:56 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2020/06/10 13:23:56 [INFO] [*.c0.dedyn.io] acme: Waiting for DNS record propagation.
2020/06/10 13:24:05 [INFO] [*.c0.dedyn.io] The server validated our request
2020/06/10 13:24:05 [INFO] [*.c0.dedyn.io] acme: Cleaning DNS-01 challenge
2020/06/10 13:24:05 [INFO] [*.c0.dedyn.io] acme: Validations succeeded; requesting certificates
2020/06/10 13:24:06 [INFO] [*.c0.dedyn.io] Server responded with a certificate.

What did you expect to see?

Traefik calling go-acme/lego to get the wildcard certificate from Let's Encrypt

What did you see instead?

reverse-proxy_1  | time="2020-06-10T12:55:13Z" level=debug msg="Using DNS Challenge provider: desec" providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:13Z" level=error msg="Unable to obtain ACME certificate for domains \"c0.dedyn.de,*.c0.dedyn.de\" : cannot get ACME client unrecognized DNS provider: desec" providerName=myreso

Output of traefik version: (What version of Traefik are you using?)

Version:      2.2.1
Codename:     chevrotin
Go version:   go1.14.2
Built:        2020-04-29T18:02:09Z
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

version: '3'

services:
  reverse-proxy:
    image: traefik:v2.2
    command:
      - --log.level=DEBUG
      - --api.insecure=true
      - --providers.docker
      - --certificatesresolvers.myresolver.acme.email=postmaster@dadac0.de
      - --certificatesresolvers.myresolver.acme.storage=acme.json
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=desec

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DESEC_TOKEN=abcdef1234568ghijkl

  whoami:
    image: containous/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
      - "traefik.http.routers.whoami.tls.domains[0].main=c0.dedyn.de"
      - "traefik.http.routers.whoami.tls.domains[0].sans=*.c0.dedyn.de"

If applicable, please paste the log output in DEBUG level (--log.level=DEBUG switch)

docker-compose up
Recreating traefik_desec_demo_reverse-proxy_1 ... done
Recreating traefik_desec_demo_whoami_1        ... done
Attaching to traefik_desec_demo_whoami_1, traefik_desec_demo_reverse-proxy_1
whoami_1         | Starting up on port 80
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=info msg="Configuration loaded from flags."
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"exposedByDefault\":true,\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"myresolver\":{\"acme\":{\"email\":\"postmaster@dadac0.de\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"desec\"}}}}}"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Start TCP Server" entryPointName=traefik
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"exposedByDefault\":true,\"swarmModeRefreshSeconds\":15000000000}"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=info msg="Starting provider *acme.Provider {\"email\":\"postmaster@dadac0.de\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"desec\"},\"ResolverName\":\"myresolver\",\"store\":{},\"ChallengeStore\":{}}"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Start TCP Server" entryPointName=http
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=info msg="Starting provider *traefik.Provider {}"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/[^:\\\\/]+(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}}},\"tcp\":{},\"tls\":{}}" providerName=internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="No default certificate, generating one"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Provider connection established with docker 19.03.5 (API 1.40)" providerName=docker
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"reverse-proxy-traefik-desec-demo\":{\"service\":\"reverse-proxy-traefik-desec-demo\",\"rule\":\"Host(`reverse-proxy-traefik-desec-demo`)\"},\"whoami\":{\"service\":\"whoami-traefik-desec-demo\",\"rule\":\"Host(`whoami.docker.localhost`)\",\"tls\":{\"certResolver\":\"myresolver\",\"domains\":[{\"main\":\"c0.dedyn.de\",\"sans\":[\"*.c0.dedyn.de\"]}]}}},\"services\":{\"reverse-proxy-traefik-desec-demo\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.19.0.2:80\"}],\"passHostHeader\":true}},\"whoami-traefik-desec-demo\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.19.0.3:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal middlewareName=tracing
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing middlewareType=TracingForwarder routerName=dashboard@internal entryPointName=traefik
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_redirect@internal entryPointName=traefik routerName=dashboard@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="No default certificate, generating one"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [http]" routerName=reverse-proxy-traefik-desec-demo
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [http]" routerName=whoami
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder routerName=dashboard@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=traefik middlewareName=traefik-internal-recovery
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" entryPointName=http serviceName=reverse-proxy-traefik-desec-demo middlewareName=pipelining middlewareType=Pipelining routerName=reverse-proxy-traefik-desec-demo@docker
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating load-balancer" routerName=reverse-proxy-traefik-desec-demo@docker entryPointName=http serviceName=reverse-proxy-traefik-desec-demo
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating server 0 http://172.19.0.2:80" routerName=reverse-proxy-traefik-desec-demo@docker entryPointName=http serviceName=reverse-proxy-traefik-desec-demo serverName=0
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Added outgoing tracing middleware reverse-proxy-traefik-desec-demo" routerName=reverse-proxy-traefik-desec-demo@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=http
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery entryPointName=http middlewareType=Recovery
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" serviceName=whoami-traefik-desec-demo entryPointName=http routerName=whoami@docker middlewareName=pipelining middlewareType=Pipelining
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating load-balancer" entryPointName=http routerName=whoami@docker serviceName=whoami-traefik-desec-demo
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating server 0 http://172.19.0.3:80" entryPointName=http routerName=whoami@docker serviceName=whoami-traefik-desec-demo serverName=0
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Added outgoing tracing middleware whoami-traefik-desec-demo" middlewareName=tracing middlewareType=TracingForwarder entryPointName=http routerName=whoami@docker
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=http middlewareName=traefik-internal-recovery
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="No default certificate, generating one"
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Looking for provided certificate(s) to validate [\"c0.dedyn.de\" \"*.c0.dedyn.de\"]..." providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Domains [\"c0.dedyn.de\" \"*.c0.dedyn.de\"] need ACME certificates generation for domains \"c0.dedyn.de,*.c0.dedyn.de\"." providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:08Z" level=debug msg="Loading ACME certificates [c0.dedyn.de *.c0.dedyn.de]..." providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:12Z" level=debug msg="Building ACME client..." providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:12Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:12Z" level=info msg=Register... providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:12Z" level=debug msg="legolog: [INFO] acme: Registering account for postmaster@dadac0.de"
reverse-proxy_1  | time="2020-06-10T12:55:13Z" level=debug msg="Using DNS Challenge provider: desec" providerName=myresolver.acme
reverse-proxy_1  | time="2020-06-10T12:55:13Z" level=error msg="Unable to obtain ACME certificate for domains \"c0.dedyn.de,*.c0.dedyn.de\" : cannot get ACME client unrecognized DNS provider: desec" providerName=myresolver.acme
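The error line at the end of this log is the signal a defender wants to alert on: a certificate resolver that silently fails to obtain certificates leaves routes serving Traefik's self-signed default certificate. As an added example (not code from the issue or from the Traefik project), the Python below parses Traefik's logfmt output and reports ACME failures together with the resolver, the affected domains and, where the message names one, the DNS provider Traefik did not recognize. The sample lines are constructed from the output above with the compose container prefix removed; the parser also tolerates that prefix if it is present.

```python
"""Flag ACME / DNS-challenge failures in Traefik logfmt output (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: three lines taken from the issue's debug log, compose prefix removed.
SAMPLE_LOG = r'''
time="2020-06-10T12:55:08Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
time="2020-06-10T12:55:13Z" level=debug msg="Using DNS Challenge provider: desec" providerName=myresolver.acme
time="2020-06-10T12:55:13Z" level=error msg="Unable to obtain ACME certificate for domains \"c0.dedyn.de,*.c0.dedyn.de\" : cannot get ACME client unrecognized DNS provider: desec" providerName=myresolver.acme
'''

# key=value tokens; a quoted value may contain backslash-escaped quotes.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_DOMAINS = re.compile(r'certificate for domains "([^"]+)"')
_UNRECOGNIZED = re.compile(r'unrecognized DNS provider: (\S+)')


def parse_logfmt(line: str) -> Dict[str, str]:
    """Return the key=value fields of one logfmt line, with quoted values unescaped."""
    fields: Dict[str, str] = {}
    for key, raw in _TOKEN.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            # Drop the surrounding quotes and resolve \" and \\ escapes.
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields


def find_acme_failures(log_text: str) -> List[Dict[str, Optional[object]]]:
    """Collect every level=error line about a failed ACME certificate request."""
    failures = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_logfmt(line)
        if fields.get("level") != "error":
            continue
        msg = fields.get("msg", "")
        if "Unable to obtain ACME certificate" not in msg:
            continue
        domains = _DOMAINS.search(msg)
        provider = _UNRECOGNIZED.search(msg)
        failures.append({
            "time": fields.get("time"),
            "resolver": fields.get("providerName"),
            "domains": domains.group(1).split(",") if domains else [],
            # Set only when Traefik's bundled lego does not know the configured provider.
            "unrecognized_provider": provider.group(1) if provider else None,
        })
    return failures


if __name__ == "__main__":
    for failure in find_acme_failures(SAMPLE_LOG):
        print(f"{failure['time']} resolver={failure['resolver']} "
              f"domains={failure['domains']} "
              f"unrecognized_provider={failure['unrecognized_provider']}")
```

Feeding the real container output (`docker-compose logs reverse-proxy`) through `find_acme_failures` gives one record per failed certificate request; an `unrecognized_provider` value that is not `None` points at a provider/version mismatch rather than a DNS or credential problem, which is exactly the distinction this issue turned on.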
@ldez
Member

ldez commented Jun 10, 2020

Hello,

Currently Traefik (v2.2.1) uses lego v3.6.

desec has been added in lego v3.7

I updated Traefik to use lego v3.7 (#6792) but after the release of Traefik v2.2.1.

So desec will be available in the next patch release of Traefik (v2.2.2).

@hcc23
Author

hcc23 commented Jun 10, 2020

Classic case of "once you file the bug report, the problem becomes clear":

According to the traefik v2.2.1 release notes the included go-acme/lego is v3.6.0.

However, go-acme/lego v3.6.0 does not seem to know the DNS provider desec:

➜  ~ docker run -it \
-e DESEC_TOKEN=<my access token> \
goacme/lego:v3.6.0 --accept-tos --dns desec --domains \*.c0.dedyn.io --email postmaster@dadac0.de run


2020/06/10 13:29:25 No key found for account postmaster@dadac0.de. Generating a P384 key.
2020/06/10 13:29:25 Saved key to /.lego/accounts/acme-v02.api.letsencrypt.org/postmaster@dadac0.de/keys/postmaster@dadac0.de.key
2020/06/10 13:29:26 unrecognized DNS provider: desec

@hcc23
Author

hcc23 commented Jun 10, 2020

Hi @ldez,

thanks for the super quick reply - in that case I am looking forward to traefik v2.2.2.

In the meantime, maybe the traefik documentation at https://docs.traefik.io/https/acme/#dnschallenge should be updated as it (already) mentions desec as being supported?

@ldez
Member

ldez commented Jun 10, 2020

The doc needs to be updated even if we don't create a release, because there are some documentation fixes.

In some cases, as in your case, the documentation may be a little ahead of the version.

We prefer to fix the doc bug early, and have some minor edge cases, rather than having to wait for a release to update the documentation.

@ldez ldez closed this as completed Jun 10, 2020
@ldez ldez added this to issues in v2 via automation Jun 10, 2020
@ldez ldez moved this from issues to Done in v2 Jun 28, 2020
@traefik traefik locked and limited conversation to collaborators Jul 27, 2020