Caddy/cloudflare seems to be trying to register against .net?

Sorry about the previous post, I whacked the wrong button and wasn’t paying attention when I was editing :frowning:

1. The problem I’m having:

Caddy stopped renewing certs, so I blew it all away and upgraded it. That didn’t fix the issue, so now I’m here for help.

I’ve almost completely emptied my config out leaving just one domain.

I even went and created new cloudflare creds

2. Error messages and/or full log output:


{"level":"info","ts":1678168312.2640915,"logger":"tls.renew","msg":"acquiring lock","identifier":"fremnet.net"}
{"level":"info","ts":1678168312.2949867,"logger":"tls.renew","msg":"lock acquired","identifier":"fremnet.net"}
{"level":"info","ts":1678168312.29601,"logger":"tls.renew","msg":"renewing certificate","identifier":"fremnet.net","remaining":-79980.296007641}
{"level":"info","ts":1678168312.2970595,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["fremnet.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"redactedemail@example.com"}
{"level":"info","ts":1678168312.2970915,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["fremnet.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"redactedemail@example.com"}
{"level":"info","ts":1678168313.9168398,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"fremnet.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1678168314.3713026,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"fremnet.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.fremnet.net\" (usually OK if presenting also failed)"}
{"level":"error","ts":1678168314.6285212,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"fremnet.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[fremnet.net] solving challenges: presenting for challenge: adding temporary record for zone \"net.\": expected 1 zone, got 0 for net. (order=https://acme-v02.api.letsencrypt.org/acme/order/127027232/168649057637) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1678168314.629043,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["fremnet.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"redactedemail@example.com"}
{"level":"info","ts":1678168314.6290655,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["fremnet.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"redactedemail@example.com"}
{"level":"info","ts":1678168318.433271,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"fremnet.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1678168318.7315512,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"fremnet.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.fremnet.net\" (usually OK if presenting also failed)"}
{"level":"error","ts":1678168319.318353,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"fremnet.net","issuer":"acme.zerossl.com-v2-DV90","error":"[fremnet.net] solving challenges: presenting for challenge: adding temporary record for zone \"net.\": expected 1 zone, got 0 for net. (order=https://acme.zerossl.com/v2/DV90/order/ew9H2wjRU4GNNDAA0BXRmg) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1678168319.3184984,"logger":"tls.renew","msg":"will retry","error":"[fremnet.net] Renew: [fremnet.net] solving challenges: presenting for challenge: adding temporary record for zone \"net.\": expected 1 zone, got 0 for net. (order=https://acme.zerossl.com/v2/DV90/order/ew9H2wjRU4GNNDAA0BXRmg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":7.023458072,"max_duration":2592000}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:


/etc/init.d/caddy stop

docker run --rm -ti -v `pwd`/tmp:/outside caddy:2.6.4-builder-alpine xcaddy build v2.6.4 \
    --output /outside/caddy \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/ueffel/caddy-brotli \
    --with github.com/muety/caddy-remote-host \
    --with github.com/abiosoft/caddy-exec \
    --with github.com/kirsch33/realip \
    --with github.com/lolPants/caddy-requestid \
    --with github.com/mholt/caddy-webdav \
    --with github.com/porech/caddy-maxmind-geolocation \
    --with github.com/sjtug/caddy2-filter \
    --with github.com/abiosoft/caddy-hmac \
    --with github.com/abiosoft/caddy-json-parse \
    --with github.com/abiosoft/caddy-named-routes \
    --with github.com/RussellLuo/caddy-ext/ratelimit \
    --with github.com/mholt/caddy-l4 \
    --with github.com/caddy-dns/google-domains

cp tmp/caddy /usr/local/bin

/etc/init.d/caddy start

a. System environment:

Linux servah 5.14.17-gentoo #1 SMP Sun Nov 7 22:42:23 AEST 2021 x86_64 AMD FX™-8350 Eight-Core Processor AuthenticAMD GNU/Linux

b. Command:

/etc/init.d/caddy basically runs


setcap cap_net_bind_service=+ep /usr/local/bin/caddy

/usr/local/bin/caddy run --config=/etc/caddy/Caddyfile

d. My complete Caddy config:


{
    grace_period 1m
    order filter after encode
    email redactedemail@example.com
    log {
        output file /var/log/caddy.log
    }
}

(cftls) {
    tls {
        dns cloudflare REDACTED
    }
}

fremnet.net {
    import cftls
    reverse_proxy localhost:1280
}

Can you double-check if your Cloudflare API key is still valid and has the right scopes?

You can use the commands from the following post to test your token outside of Caddy :slight_smile:


Hi,

I did in fact double check and create new keys, but I think it might be the SOA lookup in the certmagic library.

I have an internal DNS server set up that redirects all my hostnames to my local IP. It has a capture on fremnet.net and is answering just fine, but apparently it is returning nothing for SOA lookups.

dig @10.0.0.3 soa fremnet.net

; <<>> DiG 9.16.15 <<>> @10.0.0.3 soa fremnet.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24824
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fremnet.net.			IN	SOA

;; Query time: 0 msec
;; SERVER: 10.0.0.3#53(10.0.0.3)
;; WHEN: Tue Mar 07 17:00:10 AEST 2023
;; MSG SIZE  rcvd: 29

vs

dig @1.1.1.1 soa fremnet.net

; <<>> DiG 9.16.15 <<>> @1.1.1.1 soa fremnet.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29374
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fremnet.net.			IN	SOA

;; ANSWER SECTION:
fremnet.net.		3600	IN	SOA	aurora.ns.cloudflare.com. dns.cloudflare.com. 2303657986 10000 2400 604800 3600

;; Query time: 7 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 07 17:01:02 AEST 2023
;; MSG SIZE  rcvd: 104

Might be worth either trying to work around that… or documenting it… perhaps spitting out an error when it gets an empty SOA…

Edit: I can work around it by specifying tls.resolvers

It definitely still might be worth figuring out that a root zone SOA might not be what someone’s looking for and spitting out a warning with the intent of informing the user that something about that is borked (I saw a couple of other issues when I was searching between GitHub repos that might be related).

If you wanted to replicate this cursed setup, have a working dnsmasq and add

address=/example.com/10.0.0.2

dig @dnsmasq a example.com
dig @dnsmasq soa example.com
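As an added diagnostic (not code from Caddy, CertMagic, libdns or this thread's author), the script below replays the kind of SOA walk the post attributes to the library: it asks for a SOA record at the challenge name, then at each parent, and takes the first name that answers as the zone to hand to the DNS provider. It runs against two resolver stand-ins whose tables are constructed from the dig output above (the internal server answers fremnet.net without a SOA and forwards everything else; the public one returns the Cloudflare SOA), and it emits the warning the post asks for when the walk climbs to a TLD, which is exactly the "expected 1 zone, got 0 for net." outcome in the log. The function names, the `tld-primary.example.` MNAME and the resolver tables are assumptions.

```python
"""Replay DNS-01 zone discovery against an internal and a public resolver.

Added diagnostic, not code from Caddy or CertMagic. A resolver here is any
callable that maps a fully qualified name (trailing dot) to the MNAME of the
SOA record it answered with, or None when the answer section had no SOA.
"""
from typing import Callable, Dict, List, Optional

SoaResolver = Callable[[str], Optional[str]]


def make_table_resolver(table: Dict[str, str]) -> SoaResolver:
    """Offline stand-in for a DNS server, built from a name -> SOA MNAME table."""
    return lambda name: table.get(name)


def find_zone_by_soa(fqdn: str, resolve_soa: SoaResolver) -> Optional[str]:
    """Walk up from fqdn and return the first name that has a SOA record.

    For "_acme-challenge.fremnet.net" the candidates tried, in order, are
    "_acme-challenge.fremnet.net.", "fremnet.net." and "net.". The root is
    never tried, so a resolver that answers nothing yields None.
    """
    name = fqdn.rstrip(".") + "."
    labels = name.split(".")          # "a.b.net." -> ["a", "b", "net", ""]
    for i in range(len(labels) - 1):  # stop before the empty root label
        candidate = ".".join(labels[i:])
        if resolve_soa(candidate) is not None:
            return candidate
    return None


def diagnose(fqdn: str, internal: SoaResolver, public: SoaResolver) -> Dict[str, object]:
    """Compare zone discovery through two resolvers and explain any mismatch."""
    internal_zone = find_zone_by_soa(fqdn, internal)
    public_zone = find_zone_by_soa(fqdn, public)
    warnings: List[str] = []

    if internal_zone is None:
        warnings.append(f"internal resolver returned no SOA for {fqdn} or any parent")
    elif internal_zone.count(".") == 1:
        # A single-label zone such as "net." is a TLD: no DNS provider account
        # owns it, so the provider API will report zero matching zones.
        warnings.append(
            f"zone walk through the internal resolver climbed to the TLD "
            f"{internal_zone!r}; the DNS provider will find 0 zones for it"
        )

    if internal_zone != public_zone:
        warnings.append(
            f"internal resolver chose {internal_zone!r} but the public resolver "
            f"chose {public_zone!r}; the internal server is answering the captured "
            f"name without a SOA. Either give the capture a SOA record or point "
            f"tls.resolvers at a resolver that returns the real zone's SOA"
        )

    return {"internal_zone": internal_zone, "public_zone": public_zone, "warnings": warnings}


# Constructed from the dig output in this thread. The dnsmasq-style internal
# server answers fremnet.net itself with A records only (no SOA) and forwards
# other names upstream, so the first SOA it returns is the parent "net.".
# "tld-primary.example." is a placeholder MNAME for the .net zone.
INTERNAL_SOA_TABLE = {"net.": "tld-primary.example."}
PUBLIC_SOA_TABLE = {"fremnet.net.": "aurora.ns.cloudflare.com.", "net.": "tld-primary.example."}


if __name__ == "__main__":
    internal = make_table_resolver(INTERNAL_SOA_TABLE)
    public = make_table_resolver(PUBLIC_SOA_TABLE)
    report = diagnose("_acme-challenge.fremnet.net", internal, public)
    print("internal zone:", report["internal_zone"])
    print("public zone:  ", report["public_zone"])
    for warning in report["warnings"]:
        print("WARNING:", warning)
```

To point the same check at real servers, replace the table resolvers with a function that performs a SOA query (for example with dnspython) and returns the MNAME or None; the walk and the warnings stay unchanged. The TLD check is deliberately simple (one label); a public suffix list would catch cases like `co.uk` that this thread does not involve.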
