Caddy v2 and RFC2136

zec · February 5, 2021, 9:33am

1. Caddy version (`caddy version`):

Windowx x64, 2.3.0
+module GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare (works)
+module GitHub - caddy-dns/lego-deprecated: (DEPRECATED) DNS modules so Caddy can solve the ACME DNS challenge with over 75 providers (I would like to use)

2. How I run Caddy:

I am using NSSM to run Caddy as a service on Windows 10 20H2 x64 (everything but my issue works like charm)

a. System environment:

see above

b. Command:

caddy.exe run --config C:\Services\Caddy2\Caddyfile --watch --environ

c. Service/unit/compose file:

none

d. My complete Caddyfile or JSON config:

https://mycoolsubdomain.v6.rocks:2096 {
	log {
		level	INFO
		output	file	logs/mycoolsubdomain.v6.rocks-access.log
		format	single_field	common_log
	}
	tls {
		dns lego_deprecated rfc2136
	}
	respond	"It works."
}

I set the environment variables

RFC2136_NAMESERVER=ns1.dynv6.com
RFC2136_TSIG_KEY=tsig-123456.dynv6.com
RFC2136_TSIG_ALGORITHM=hmac-sha256
RFC2136_TSIG_SECRET=<my token>

3. The problem I’m having:

The ACME challange does time out / does not work.

4. Error messages and/or full log output:

Caddy prints this on the console:

{"level":"warn","ts":1612467943.5180006,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": read tcp [b16b:00b5:9c0:3800:dc94:56e5:d625:4e56]:52537->[2606:4700:60:0:f41b:d4fe:4325:6026]:443: wsarecv: Eine vorhandene Verbindung wurde vom Remotehost geschlossen."}
{"level":"warn","ts":1612467946.519031,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": read tcp [b16b:00b5:9c0:3800:dc94:56e5:d625:4e56]:52538->[2606:4700:60:0:f41b:d4fe:4325:6026]:443: wsarecv: Eine vorhandene Verbindung wurde vom Remotehost geschlossen."}
{"level":"warn","ts":1612467955.5882125,"logger":"tls.issuance.acme.acme_client","msg":"HTTP request failed; retrying","url":"https://acme-staging-v02.api.letsencrypt.org/directory","error":"performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": read tcp [b16b:00b5:9c0:3800:dc94:56e5:d625:4e56]:52539->[2606:4700:60:0:f41b:d4fe:4325:6026]:443: wsarecv: Eine vorhandene Verbindung wurde vom Remotehost geschlossen."}
{"level":"error","ts":1612467955.5882125,"logger":"tls.obtain","msg":"will retry","error":"[mycoolsubdomain.v6.rocks] Obtain: [mycoolsubdomain.v6.rocks] creating new order: provisioning client: performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": read tcp [b16b:00b5:9c0:3800:dc94:56e5:d625:4e56]:52539->[2606:4700:60:0:f41b:d4fe:4325:6026]:443: wsarecv: Eine vorhandene Verbindung wurde vom Remotehost geschlossen. (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":710.8568515,"max_duration":2592000}

Eine vorhandene Verbindung wurde vom Remotehost geschlossen.
(German, means) An existing connection was closed by the remote host.

5. What I already tried:

6. Links to relevant resources:

I took the idea that this should work somehow from here: dynv6 APIs
The module seems to follow this RFC2136 :: Let’s Encrypt client and ACME library written in Go.
I also asked for help here: h**ps://community.dynv6.com/t/caddy-and-rfc2136/1200
Last link has ** because I am not allowed to post this many links.

Thanks for you time reading this.

francislavoie · February 5, 2021, 4:34pm

Looks like your Caddy instance isn’t able to make requests to https://acme-staging-v02.api.letsencrypt.org/directory which is necessary to initiate the ACME process. Is your server locked down from accessing external sites?

matt · February 5, 2021, 4:50pm

Let’s Encrypt staging was down for the last couple of days. Let's Encrypt Status

francislavoie · February 5, 2021, 4:52pm

Well then! Didn’t expect that

So I guess you should be able to just try again

zec · February 6, 2021, 11:16am

Thanks, I will test again on Monday

zec · February 7, 2021, 12:34pm

Just tried again. Now I am refused by dynv6 DNS server as it seems…

[... then the env vars are listed:]
RFC2136_NAMESERVER=185.55.116.154
RFC2136_TSIG_ALGORITHM=hmac-sha256.
RFC2136_TSIG_KEY=tsig-123456.dynv6.com
RFC2136_TSIG_SECRET=<token>
[... caddy starts up and later tries to catch a cert for this subdomain...]
{"level":"info","ts":1612700697.4856744,"logger":"tls.obtain","msg":"lock acquired","identifier":"mycoolsubdomain.v6.rocks"}
{"level":"info","ts":1612700697.4866881,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["mycoolsubdomain.v6.rocks"]}
{"level":"info","ts":1612700697.4866881,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["mycoolsubdomain.v6.rocks"]}
{"level":"info","ts":1612700698.6417792,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mycoolsubdomain.v6.rocks","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1612700698.7354832,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"mycoolsubdomain.v6.rocks","challenge_type":"dns-01","error":"rfc2136: failed to remove: unexpected response code 'REFUSED' for _acme-challenge.mycoolsubdomain.v6.rocks."}
{"level":"error","ts":1612700698.913901,"logger":"tls.obtain","msg":"will retry","error":"[mycoolsubdomain.v6.rocks] Obtain: [mycoolsubdomain.v6.rocks] solving challenges: presenting for challenge: rfc2136: failed to insert: unexpected response code 'REFUSED' for _acme-challenge.mycoolsubdomain.v6.rocks. (order=https://acme-v02.api.letsencrypt.org/acme/order/111697211/7766415741) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1.4282263,"max_duration":2592000}
{"level":"info","ts":1612700760.1443987,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"mycoolsubdomain.v6.rocks","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1612700760.2511022,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"mycoolsubdomain.v6.rocks","challenge_type":"dns-01","error":"rfc2136: failed to remove: unexpected response code 'REFUSED' for _acme-challenge.mycoolsubdomain.v6.rocks."}
{"level":"error","ts":1612700760.4171646,"logger":"tls.obtain","msg":"will retry","error":"[mycoolsubdomain.v6.rocks] Obtain: [mycoolsubdomain.v6.rocks] solving challenges: presenting for challenge: rfc2136: failed to insert: unexpected response code 'REFUSED' for _acme-challenge.mycoolsubdomain.v6.rocks. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/17924088/235606685) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":62.9314713,"max_duration":2592000}

I see the ‘REFUSED’ by ns1.dynv6.com… While trying to understand RFC2136 and lego and dynv6.com API docs I tried…

add/remove a ‘.’ at the end of RFC2136_TSIG_ALGORITHM
add/remove a ‘:’ at the end of RFC2136_TSIG_ALGORITHM
changed RFC2136_TSIG_KEY to <algo>:<key> <token>
used dns name and ip for RFC2136_NAMESERVER
tried to add a TXT entry manually

I always get ‘REFUSED’.
dynv6 DNS API: dynv6 APIs
What am I missing?

matt · February 7, 2021, 3:44pm

I’m not sure. You’ll probably want to ask the operators of dynv6.com. We’re Caddy community, so the chances that someone knows about dynv6 is lower than if you ask their community, they can probably help you more. Let us know what you find out!

francislavoie · February 7, 2021, 4:09pm

If there’s no specific reason you’re using dynv6.com, I’d recommend trying https://www.duckdns.org/ instead because we have known-good plugin for it that you can use with Caddy.

That said, I would love to see a libdns plugin for RFC2136 but I don’t have a usecase for it myself or a way to test it.

zec · February 7, 2021, 8:51pm

No, I am not married with dynv6. If duckdns won’t delete my account if my IP is not changing very often (only on router restart and i am running ubiquiti)… i just need a domain to have https running without issues… but it must use dns auth towards LE. my test server uses https port 2096.

francislavoie · February 7, 2021, 8:59pm

Yeah, duckdns doesn’t delete accounts.

zec · February 17, 2021, 11:02pm

Hi again,

I would like to share: I found a solution…

Two issues prevented the DNS update:

DNS ns1.dynv6.com not reachable (timeouts)…
I use two Piholes on my LAN and reject all outgoing DNS TCP/UDP53 client → inet. Caddy runs on a server with multiple NICs and decided to use the LAN NIC and IPv6 for the DNS update… and was blocked. I resolved ns1.dynv6.com IPv4 manually and set it as the RFC2136_NAMESERVER env var.
REJECTED by dynv6 DNS server…
I added a trailing point to the RFC2136_TSIG_ALGORITHM env var, generated a new token andit works!

After all I think 185.55.116.154 from the docs is not the correct IP for ns1.dynv6.com

system · March 7, 2021, 9:33am

This topic was automatically closed after 30 days. New replies are no longer allowed.