Caddy DNS challenge set TTL of token record

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs

2. How I run Caddy:

a. System environment:

Running caddy on Ubuntu 22.04.1 LTS

b. Command:

caddy run -config caddyfile.json

c. My complete Caddy config:

{
	"logging": {
		"logs": {
			"default": {
				"writer": {
					"output": "stdout"
				},
				"level": "debug"
			}
		}
	},
	"apps": {
		"http": {
			"servers": {
				"srv0": {
					"listen": [
						":443"
					],
					"routes": [
						{
							"handle": [
								{
									"handler": "reverse_proxy",
									"upstreams": [
										{
											"dial": "<redacted>:8081"
										}
									]
								}
							]
						}
					],
					"tls_connection_policies": [
						{}
					]
				}
			}
		},
		"tls": {
			"automation": {
				"policies": [
					{
						"issuers": [
							{
								"module": "acme",
								"ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
								"challenges": {
									"dns": {
										"provider": {
											"name": "powerdns",
											"api_token": "<redacted>",
											"server_url": "<redacted>",
											"server_id": "localhost"
										},
										"ttl": 300
									}
								}
							}
						],
						"on_demand": true
					}
				],
				"on_demand": {
					"ask": "http://<redacted>/ask"
				}
			},
			"cache": {
				"capacity": 1000
			}
		}
	}
}

3. The problem I’m having:

When trying to issue certificates with Caddy's DNS modules, I noticed that the TTL field (mentioned here in the docs: JSON Config Structure - Caddy Documentation) does not seem to have any effect. For context, I use the following libdns module: GitHub - Splamy/powerdns: libdns powerdns provider, as it seems to have fixed a minor bug that is still present in the official libdns module for PowerDNS (GitHub - libdns/powerdns: libdns powerdns provider). Also, I use the following caddy-dns package to build Caddy: GitHub - Splamy/caddydns-powerdns.
Everything is working fine, all certs are issued properly, but the TTL of the TXT record for the challenge always seems to be set to 0. Now, my guess is that the setting in the Caddy config mentioned above is always overwritten (or never even accepted) with whatever the libdns module specifies when creating the TXT record. In that case, the caddy-dns package should be able to read the config entry for TTL and pass it to the libdns module, which in turn sets that value when creating the record? I see that none of the other major libdns provider modules seem to support that, which is why I am not quite sure if I am correct here.
Don't get me wrong: if the above is the case, that functionality must be handled by the respective libdns modules and caddy-dns packages, not by Caddy itself (as they seem to be maintained by the community). I would just like to confirm that my assumptions are correct. In that case, I will probably have to fork the repos myself and add the wanted functionality.

5. What I already tried:

I tried to set the TTL field with other provider modules (Cloudflare etc.), but these also seem to overwrite the TTL with zero.

1 Like

I just read the code in Caddy again, and we do indeed set the TTL on the certmagic.DNS01Solver struct, which does get passed into the libdns.Record struct by CertMagic. So I’m guessing that it’s the provider implementation that is not using it or setting it correctly.

For example, the Cloudflare implementation does set the TTL to the number of seconds:

It’s up to each provider to do that properly. A quick glance at PowerDNS code does show that it is in fact setting TTL to something, but whether it’s the correct value or accepted by their API, I dunno. I’d file an issue with the repo and/or do some more investigating (log.Println to see the actual TTL value being passed in or set).

Hello Matt, thanks for your time. I will dig through the PowerDNS code some more and see if I can figure out which values are set. Thanks!

1 Like
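Added example (editor's note; not part of the thread and not Caddy's, CertMagic's or any provider's code): one thing worth ruling out before forking a provider is how the `ttl` value itself is parsed. Caddy's JSON config documents `ttl` as a duration, where a JSON string is a Go duration such as `"300s"` and a bare JSON number is interpreted as nanoseconds. The config in the first post sets `"ttl": 300`, which is 300 ns, and a provider that converts the record TTL to whole seconds, as Matt says the Cloudflare provider does, would then send a TTL of 0. The program below reimplements that documented parsing rule in a stand-alone `Duration` type (an illustrative replica for this example, not `caddy.Duration`), parses both spellings of the setting from two constructed config fragments, and returns the seconds a provider would send. The names `Duration`, `dnsChallenge`, `recordTTLSeconds` and `parseChallengeTTL` are invented for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Duration is an illustrative replica (assumption for this example, not
// Caddy's own type) of the documented JSON rule for Caddy durations:
// a JSON string is parsed as a Go duration ("300s", "5m"), a bare JSON
// number is taken as nanoseconds.
type Duration time.Duration

func (d *Duration) UnmarshalJSON(b []byte) error {
	s := strings.TrimSpace(string(b))
	if strings.HasPrefix(s, `"`) {
		var str string
		if err := json.Unmarshal(b, &str); err != nil {
			return err
		}
		dur, err := time.ParseDuration(str)
		if err != nil {
			return err
		}
		*d = Duration(dur)
		return nil
	}
	var ns int64
	if err := json.Unmarshal(b, &ns); err != nil {
		return err
	}
	*d = Duration(ns)
	return nil
}

// dnsChallenge mirrors only the "ttl" key of the "challenges.dns" object
// from the posted config.
type dnsChallenge struct {
	TTL Duration `json:"ttl"`
}

// recordTTLSeconds models what a provider sends to its DNS API when it
// converts the record TTL to whole seconds (the conversion described for
// the Cloudflare provider in the thread): anything under one second
// truncates to 0.
func recordTTLSeconds(ttl Duration) int {
	return int(time.Duration(ttl).Seconds())
}

// parseChallengeTTL parses a "challenges.dns" fragment and returns the TTL
// in whole seconds as such a provider would compute it.
func parseChallengeTTL(fragment string) (int, error) {
	var c dnsChallenge
	if err := json.Unmarshal([]byte(fragment), &c); err != nil {
		return 0, err
	}
	return recordTTLSeconds(c.TTL), nil
}

func main() {
	// Constructed fragments: the first is the value as posted, the second
	// the spelling that yields the intended five minutes.
	for _, frag := range []string{
		`{"ttl": 300}`,    // bare number: 300 nanoseconds
		`{"ttl": "300s"}`, // duration string: 300 seconds
	} {
		secs, err := parseChallengeTTL(frag)
		if err != nil {
			fmt.Println(frag, "->", err)
			continue
		}
		fmt.Printf("%-18s -> TXT record TTL %d s\n", frag, secs)
	}
}
```

This is the same kind of check as the `log.Println` Matt suggests, done against the parsed config value rather than inside the provider: if the value as posted already arrives as 300 ns, changing the config to `"ttl": "300s"` is the fix and no provider fork is needed for that part.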

This topic was automatically closed after 30 days. New replies are no longer allowed.