What happened?
Hello,
I tried to set up Zoraxy to replace my NPM, but it didn't work as expected.
After I set up Zoraxy I set the port to 443 and activated "force HTTPS", then I tried to generate a wildcard cert via DNS challenge, but the request runs into the 5 min timeout (see log below).
Let me first describe my homelab config for your understanding:
- I use Proxmox with multiple VLANs and also a Windows Server for domain management.
- There are 4 DNS servers in my network: 2 Windows AD servers with DNS (internal domain = external domain) and 2 Adguard Home (primary and secondary).
- All clients are configured to contact the Adguards first (so I can see the statistics and which client is calling which domains). There is a redirect for my external domain name (actually I use my external domain names for the services via NPM) to the Windows DNS servers.
- I added a new DNS entry in front of my domain redirection on the Adguards for "_acme-challenge.mydomain.com" to call the external entry at my domain vendor / DNS provider.
- On the docker host, I checked the DNS server config to see that it is pointed to the Adguard servers.
- When I open the web GUI of Zoraxy, click on the certs menu and try to use the DNS challenge, the process runs into a timeout.
Here is the log (my domain is replaced by placeholder domain "mydomain.com"):
```text
[2024-10-25 06:24:27.060214] [ACME] [system:info] CA not set. Using default
[2024-10-25 06:24:27.060244] [ACME] [system:info] Obtaining certificate for: mydomain.com
[2024-10-25 06:24:27.060451] [ACME] [system:info] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
2024/10/25 06:24:27 [INFO] acme: Registering account for [email protected]
2024/10/25 06:24:27 [INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
2024/10/25 06:24:28 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/420904461467
2024/10/25 06:24:28 [INFO] [mydomain.com] acme: Could not find solver for: tls-alpn-01
2024/10/25 06:24:28 [INFO] [mydomain.com] acme: Could not find solver for: http-01
2024/10/25 06:24:28 [INFO] [mydomain.com] acme: use dns-01 solver
2024/10/25 06:24:28 [INFO] [mydomain.com] acme: Preparing to solve DNS-01
2024/10/25 06:24:28 [INFO] domain "_acme-challenge.mydomain.com" not found, trying with "mydomain.com"
2024/10/25 06:24:31 [INFO] [mydomain.com] acme: Trying to solve DNS-01
2024/10/25 06:24:31 [INFO] [mydomain.com] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2024/10/25 06:24:33 [INFO] Wait for propagation [timeout: 5m0s, interval: 2s]
2024/10/25 06:24:33 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
[2024-10-25 06:24:35.469899] [internal] [system:info] mDNS Startup scan completed
2024/10/25 06:24:35 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 06:24:47 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 06:24:49 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 06:24:51 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 06:24:53 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
....
2024/10/25 06:29:32 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 06:29:34 [INFO] [mydomain.com] acme: Cleaning DNS-01 challenge
2024/10/25 06:29:35 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/420904461467
[2024-10-25 06:29:35.638083] [ACME] [system:error] Obtain certificate failed: error: one or more domains had a problem:
[mydomain.com] propagation: time limit exceeded: last error: NS ad02.mydomain.com. did not return the expected TXT record [fqdn: _acme-challenge.mydomain.com., value: 9sROnqs5nbOby_9YuhO3RukUtOZRJfFd8UL1sBe-SSE]:
```
Somehow the container knows the internal Windows AD/DNS servers, but not the Adguard servers.
Describe what have you tried
I also tried to add the following lines to the docker-compose.yml:
```yaml
dns:
  - "10.0.160.12" # Adguard Home 1
  - "10.0.160.13" # Adguard Home 2
```
The result was that the timeout happens again. Here is the log:
```text
[2024-10-25 07:08:10.218944] [ACME] [system:info] CA not set. Using default
[2024-10-25 07:08:10.218986] [ACME] [system:info] Obtaining certificate for: mydomain.com
[2024-10-25 07:08:10.219226] [ACME] [system:info] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
2024/10/25 07:08:10 [INFO] acme: Registering account for [email protected]
2024/10/25 07:08:11 [INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
2024/10/25 07:08:11 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/420918352797
2024/10/25 07:08:11 [INFO] [mydomain.com] acme: Could not find solver for: tls-alpn-01
2024/10/25 07:08:11 [INFO] [mydomain.com] acme: Could not find solver for: http-01
2024/10/25 07:08:11 [INFO] [mydomain.com] acme: use dns-01 solver
2024/10/25 07:08:11 [INFO] [mydomain.com] acme: Preparing to solve DNS-01
2024/10/25 07:08:11 [INFO] domain "_acme-challenge.mydomain.com" not found, trying with "mydomain.com"
2024/10/25 07:08:12 [INFO] [mydomain.com] acme: Trying to solve DNS-01
2024/10/25 07:08:12 [INFO] [mydomain.com] acme: Checking DNS record propagation. [nameservers=10.0.160.12:53,10.0.160.13:53]
2024/10/25 07:08:14 [INFO] Wait for propagation [timeout: 5m0s, interval: 2s]
2024/10/25 07:08:24 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
[2024-10-25 07:08:29.540043] [internal] [system:info] mDNS Startup scan completed
2024/10/25 07:08:36 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 07:06:48 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 07:13:00 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 07:13:12 [INFO] [mydomain.com] acme: Waiting for DNS record propagation.
2024/10/25 07:13:14 [INFO] [mydomain.com] acme: Cleaning DNS-01 challenge
2024/10/25 07:13:16 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/420918352797
[2024-10-25 07:13:16.656453] [ACME] [system:error] Obtain certificate failed: error: one or more domains had a problem:
[mydomain.com] propagation: time limit exceeded: last error: DNS call error: read udp 172.17.0.4:35802->10.10.10.10:53: i/o timeout [ns=ad01.mydomain.com.:53, question='_acme-challenge.mydomain.com. IN TXT']
```
I also tried the same with the IP of the nameserver of my DNS provider instead of my Adguard IPs and got the following error in the log:
```text
[2024-10-25 07:18:29.445051] [ACME] [system:info] CA not set. Using default
[2024-10-25 07:18:29.445101] [ACME] [system:info] Obtaining certificate for: mydomain.com
[2024-10-25 07:18:29.445198] [ACME] [system:info] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
[2024-10-25 07:18:29.573089] [ACME] [system:error] Failed to spawn new ACME client from current config: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org on WW.XX.YY.ZZ:53: server misbehaving
[2024-10-25 07:18:31.704833] [internal] [system:info] mDNS Startup scan completed
```
Same happens when I add the following lines to the yml file:
```yaml
dns_search:
  - "_acme-challenge.mydomain.com"
```
Host System information
Host OS: Ubuntu 24.04.01 LTS
Docker version: 27.3.1
Docker compose version: v2.29.7
Kind regards
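As an added example (not Zoraxy or lego code), a small log triage helper that parses the two lego propagation errors quoted in the logs above and flags what they have in common: the authoritative nameservers lego consulted are hosts inside mydomain.com itself (ad01/ad02) on a private address, which is how a split-horizon AD zone looks to the propagation check. `SAMPLE_ERRORS`, the two regexes and `triage` are constructed here from the quoted lines; the regex shapes assume lego's error wording stays as shown.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample: the two lego failure lines quoted in the issue above.
SAMPLE_ERRORS = [
    "[mydomain.com] propagation: time limit exceeded: last error: NS ad02.mydomain.com. "
    "did not return the expected TXT record [fqdn: _acme-challenge.mydomain.com., "
    "value: 9sROnqs5nbOby_9YuhO3RukUtOZRJfFd8UL1sBe-SSE]:",
    "[mydomain.com] propagation: time limit exceeded: last error: DNS call error: "
    "read udp 172.17.0.4:35802->10.10.10.10:53: i/o timeout "
    "[ns=ad01.mydomain.com.:53, question='_acme-challenge.mydomain.com. IN TXT']",
]

# lego: "NS <name> did not return the expected TXT record [fqdn: <fqdn>, value: <token>]"
NO_TXT_RE = re.compile(
    r"NS (?P<ns>\S+) did not return the expected TXT record "
    r"\[fqdn: (?P<fqdn>\S+), value: (?P<value>[^\]]+)\]"
)
# lego: "read udp <src>-><ns_ip>:53: i/o timeout [ns=<name>:53, question='<fqdn> IN TXT']"
TIMEOUT_RE = re.compile(
    r"->(?P<ip>[0-9.]+):53: i/o timeout \[ns=(?P<ns>[^:]+):53, "
    r"question='(?P<fqdn>\S+) IN TXT'\]"
)

def in_zone(ns: str, zone: str) -> bool:
    """True when the authoritative server's hostname lives inside the zone under validation."""
    return ns.rstrip(".").endswith("." + zone.rstrip("."))

def triage(line: str, zone: str) -> Optional[dict]:
    """Classify one lego propagation error line into a structured finding, or None."""
    m = NO_TXT_RE.search(line)
    if m:
        return {
            "kind": "authoritative_ns_missing_txt",
            "ns": m["ns"], "fqdn": m["fqdn"], "expected_value": m["value"].strip(),
            # An in-zone NS with no TXT means lego asked the internal copy of the zone.
            "split_horizon_suspect": in_zone(m["ns"], zone),
        }
    m = TIMEOUT_RE.search(line)
    if m:
        ip = ipaddress.ip_address(m["ip"])
        return {
            "kind": "authoritative_ns_unreachable",
            "ns": m["ns"], "fqdn": m["fqdn"], "ns_ip": str(ip),
            # A private address for a public zone's NS points at an internal (AD) server.
            "split_horizon_suspect": ip.is_private and in_zone(m["ns"], zone),
        }
    return None
```

Run `triage(line, "mydomain.com")` over each failure line from the ACME log; a finding with `split_horizon_suspect` set tells you the recursive resolver handed lego the internal NS records for the zone rather than the provider's.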
@yeungalan Do you think this can be fixed by adding a customizable timeout value for the ACME module? I am not sure if it is the polling interval or timeout value issue of lego.
I think it would be great if I could add a dedicated nameserver to resolve "_acme-challenge.mydomain.com".
When I used NPM the DNS challenge worked in the same environment without a problem. I think NPM calls an external DNS to resolve the acme-challenge domain.
I am not the maintainer of the ACME module, so it has to be left to Alan for the decision, but in Zoraxy I think he is using lego (https://go-acme.github.io/lego/) for the ACME process. If you can help digging through their documentation and see which option / command corresponds to the function you want, maybe he can get it working sooner.
@tobychui Thank you for adding the DNS option to the ACME client. Now it works for my main domain. Now I have another problem with another domain, but for this problem I will open a new issue.
My docker-compose.yml looks like this:
```yaml
services:
  zoraxy:
    image: zoraxydocker/zoraxy:latest
    container_name: zoraxy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8001:8000
    volumes:
      - /mnt/docker/zoraxy/config/:/opt/zoraxy/config/
      - /mnt/docker/zoraxy/zerotier/config/:/var/lib/zerotier-one/
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime
    environment:
      FASTGEOIP: "true"
      ZEROTIER: "true"
```