Could not determine zone for domain

1. Caddy version:

v2.6.2

2. How I installed, and run Caddy:

a. System environment:

Docker Desktop for Windows 10

b. Command:

FROM caddy:2-builder AS builder

RUN xcaddy build \
	--with github.com/caddy-dns/duckdns

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

docker build -t "caddy-duckdns" .
docker compose up -d

c. Service/unit/compose file:

services:
  caddy:
    image: caddy-duckdns
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - C:/Docker-data/caddy-data:/data
    environment:
      - DOMAIN=green-jungle.duckdns.org
      - DUCKDNS_TOKEN=<redacted>

networks:
  default:
    name: web-stack

d. My complete Caddy config:

{
	debug
}

{$DOMAIN} {
    tls {
        dns duckdns {$DUCKDNS_TOKEN}
    }
    respond "It's a duck world!"
}

3. The problem I’m having:

Previously my entire setup was working fine. However, since the end of last year, I am having trouble renewing certificates. Initially I thought it might have been a hiccup on duckdns side but because it is still not working I am pretty sure it is on my side. I have removed everything from my configs and I still cannot get it to work - the shown config is what I am actually trying to get started.
I keep ending up with the ‘Could not determine zone for domain’ line at the end of the log…
Please assist :frowning:

4. Error messages and/or full log output:

2023-01-30 00:23:07 {"level":"debug","ts":1675034587.6759903,"logger":"events","msg":"event","name":"cert_obtaining","id":"04d23487-d011-42e7-99d9-506988fc377c","origin":"tls","data":{"identifier":"green-jungle.duckdns.org"}}
2023-01-30 00:23:07 {"level":"debug","ts":1675034587.6801205,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
2023-01-30 00:23:08 {"level":"debug","ts":1675034588.17546,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["830"],"Content-Type":["application/json"],"Date":["Sun, 29 Jan 2023 23:23:09 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
2023-01-30 00:23:08 {"level":"debug","ts":1675034588.331489,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Sun, 29 Jan 2023 23:23:09 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["BEB9vfeoBKu1n5XhB4BMNNUOGhrGtJri2XGY3zwfI8A7LVs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
2023-01-30 00:23:08 {"level":"debug","ts":1675034588.5121162,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["85344273"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["360"],"Content-Type":["application/json"],"Date":["Sun, 29 Jan 2023 23:23:09 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/85344273/6879787973"],"Replay-Nonce":["8F05qf8BBKtZ1BQgVPjSYK2UGmCXim_B5wjBBA5JU7YcwEo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
2023-01-30 00:23:08 {"level":"debug","ts":1675034588.670652,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5155500963","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["85344273"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["826"],"Content-Type":["application/json"],"Date":["Sun, 29 Jan 2023 23:23:09 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["A272e9_yeGdn771PcDBmGHTXKLiZ-lCXT_sgJ4NqYiDWKhs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
2023-01-30 00:23:08 {"level":"debug","ts":1675034588.6720102,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
2023-01-30 00:23:08 {"level":"debug","ts":1675034588.6722088,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"http-01"}
2023-01-30 00:23:08 {"level":"info","ts":1675034588.6722293,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"green-jungle.duckdns.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
2023-01-30 00:23:08 {"level":"error","ts":1675034588.7126393,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"green-jungle.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.green-jungle.duckdns.org\" (usually OK if presenting also failed)"}
2023-01-30 00:23:08 {"level":"debug","ts":1675034588.8765383,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5155500963","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["85344273"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["830"],"Content-Type":["application/json"],"Date":["Sun, 29 Jan 2023 23:23:09 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["EA57PRT-AesTlHyI6FO_6FizCkUTWufRxGYTJm58izX8OJU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
2023-01-30 00:23:08 {"level":"error","ts":1675034588.877028,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"green-jungle.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[green-jungle.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.green-jungle.duckdns.org\": could not find the start of authority for _acme-challenge.green-jungle.duckdns.org.: NOERROR (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/85344273/6879787973) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
2023-01-30 00:23:08 {"level":"debug","ts":1675034588.877199,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
2023-01-30 00:23:10 {"level":"debug","ts":1675034590.3204508,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Sun, 29 Jan 2023 23:23:11 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["n4eSaxkVtCi-xuCQBfd-hGMYFi00B33Qy4Dx7IsQf8E"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
2023-01-30 00:23:11 {"level":"debug","ts":1675034591.5661886,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["286"],"Content-Type":["application/json"],"Date":["Sun, 29 Jan 2023 23:23:12 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/iX0kq_4_sgSCTViTsqeOmw"],"Replay-Nonce":["bKLhfoPe-TDYeIA7Qmu4hboa4yJkfjvkatH1124k0bc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
2023-01-30 00:23:12 {"level":"debug","ts":1675034592.8589983,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/xJXz8apTVcGveqA7d9kqaQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Sun, 29 Jan 2023 23:23:13 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["aELhljCMy5CmUCvmWUN6cL0qV-aTWZoNKwn6r3ToCso"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
2023-01-30 00:23:12 {"level":"debug","ts":1675034592.859356,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"http-01"}
2023-01-30 00:23:12 {"level":"info","ts":1675034592.8593786,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"green-jungle.duckdns.org","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
2023-01-30 00:23:12 {"level":"error","ts":1675034592.8933477,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"green-jungle.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.green-jungle.duckdns.org\" (usually OK if presenting also failed)"}
2023-01-30 00:23:13 {"level":"debug","ts":1675034593.991617,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/xJXz8apTVcGveqA7d9kqaQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["136"],"Content-Type":["application/json"],"Date":["Sun, 29 Jan 2023 23:23:14 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["MsM-jd_xUhjkgEnewsQen_Oew36Q7LKH2HeFsxC_WMQ"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
2023-01-30 00:23:13 {"level":"error","ts":1675034593.9918919,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"green-jungle.duckdns.org","issuer":"acme.zerossl.com-v2-DV90","error":"[green-jungle.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.green-jungle.duckdns.org\": could not find the start of authority for _acme-challenge.green-jungle.duckdns.org.: NOERROR (order=https://acme.zerossl.com/v2/DV90/order/iX0kq_4_sgSCTViTsqeOmw) (ca=https://acme.zerossl.com/v2/DV90)"}
2023-01-30 00:23:13 {"level":"debug","ts":1675034593.9919474,"logger":"events","msg":"event","name":"cert_failed","id":"fabd4073-ddc7-4fc4-b58b-7a37d16cf68e","origin":"tls","data":{"error":{},"identifier":"green-jungle.duckdns.org","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023-01-30 00:23:13 {"level":"error","ts":1675034593.9919946,"logger":"tls.obtain","msg":"will retry","error":"[green-jungle.duckdns.org] Obtain: [green-jungle.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.green-jungle.duckdns.org\": could not find the start of authority for _acme-challenge.green-jungle.duckdns.org.: NOERROR (order=https://acme.zerossl.com/v2/DV90/order/iX0kq_4_sgSCTViTsqeOmw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":72.1572269,"max_duration":2592000}

5. What I already tried:

- Reinstalling Docker
- Deleting all files related to Caddy (C:/Docker-data/caddy-data:/data)
- Removed all other containers running normally with Caddy
- Deleted all images and recreated Caddy image with DuckDNS plugin (see above)
- Recreated token in DuckDNS
- Removed all non-essential lines from Caddy file
- Attempted at multiple time points
- Disabled firewall and opened ports (trying to do a DNS challenge so this should not matter?) - same result.

6. Links to relevant resources:

There’s a mismatch here. Which domain is correct?

green-jungle.duckdns.org is the correct one - I will update my original post as well. Not sure how that one slipped in, I have been troubleshooting with this address as well.

These errors were what I was getting before I turned off propagation checks.

Are you forcing your DNS locally to your router perhaps? If so, you can try,

{
	debug
}

{$DOMAIN} {
    tls {
          issuer acme {
                    dns duckdns {$DUCKDNS_TOKEN}
                    propagation_delay 10s
                    propagation_timeout -1
          }
          issuer zerossl {
                    dns duckdns {$DUCKDNS_TOKEN}
                    propagation_delay 10s
                    propagation_timeout -1
          }
    }

    respond "It's a duck world!"
}

Thanks for the suggestion victor, I tried the changes you suggested and still receive the same error as far as I can tell.
I am still quite new to all of this, so I am not sure what you mean by ‘forcing your DNS locally to your router’. I am using the DDNS service present in the modem from my ISP (Ziggo) to update my IP on Duckdns but I did not change any other DNS related settings (so I guess the answer to your question is no?).

2023-01-30 16:25:38 {"level":"info","ts":1675092338.0252154,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"green-jungle.duckdns.org","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
2023-01-30 16:25:38 {"level":"error","ts":1675092338.03489,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"green-jungle.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.green-jungle.duckdns.org\" (usually OK if presenting also failed)"}
2023-01-30 16:25:38 {"level":"debug","ts":1675092338.206064,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/199451687137","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["939560147"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["812"],"Content-Type":["application/json"],"Date":["Mon, 30 Jan 2023 15:25:38 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["C878Mo7FOGhN5JyhIqEdFWwdNeYQ3PdgkMHBrcDRE9Oyabw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
2023-01-30 16:25:38 {"level":"error","ts":1675092338.2061532,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"green-jungle.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[green-jungle.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.green-jungle.duckdns.org\": could not find the start of authority for _acme-challenge.green-jungle.duckdns.org.: NOERROR (order=https://acme-v02.api.letsencrypt.org/acme/order/939560147/161890809247) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2023-01-30 16:25:38 {"level":"debug","ts":1675092338.206165,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
2023-01-30 16:25:38 {"level":"info","ts":1675092338.2225828,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["green-jungle.duckdns.org"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
2023-01-30 16:25:38 {"level":"info","ts":1675092338.2226262,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["green-jungle.duckdns.org"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
2023-01-30 16:25:38 {"level":"debug","ts":1675092338.4358559,"logger":"http.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 30 Jan 2023 15:25:38 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
2023-01-30 16:25:40 {"level":"debug","ts":1675092340.2941976,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Mon, 30 Jan 2023 15:25:40 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ofI7bwTTn2_C9r7qPM47YqwX_2GVsjkMB2VA2DuXKz8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
2023-01-30 16:25:42 {"level":"debug","ts":1675092342.2248738,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["286"],"Content-Type":["application/json"],"Date":["Mon, 30 Jan 2023 15:25:42 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/QeHNtELUZwRb-vvJHD5jWA"],"Replay-Nonce":["9KCBejd4WZrrnvQsv8YqW1NW-uBtEAy3ERUjjgD5980"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
2023-01-30 16:25:43 {"level":"debug","ts":1675092343.5737739,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/zVjDRyhCrHTmRO_Gzjdo7g","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Mon, 30 Jan 2023 15:25:43 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["eQ1L4s_kYwvJl6NUeJRTSPNZAoPKyJMe_selBwXmNFU"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
2023-01-30 16:25:43 {"level":"info","ts":1675092343.5746574,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"green-jungle.duckdns.org","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
2023-01-30 16:25:43 {"level":"error","ts":1675092343.6096714,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"green-jungle.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.green-jungle.duckdns.org\" (usually OK if presenting also failed)"}
2023-01-30 16:25:44 {"level":"debug","ts":1675092344.840714,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/zVjDRyhCrHTmRO_Gzjdo7g","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["136"],"Content-Type":["application/json"],"Date":["Mon, 30 Jan 2023 15:25:44 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["k7OynA486FLF3_x-81kj6pvZ4JGWqH8SYuvXoNg1oHQ"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
2023-01-30 16:25:44 {"level":"error","ts":1675092344.8410318,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"green-jungle.duckdns.org","issuer":"acme.zerossl.com-v2-DV90","error":"[green-jungle.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.green-jungle.duckdns.org\": could not find the start of authority for _acme-challenge.green-jungle.duckdns.org.: NOERROR (order=https://acme.zerossl.com/v2/DV90/order/QeHNtELUZwRb-vvJHD5jWA) (ca=https://acme.zerossl.com/v2/DV90)"}
2023-01-30 16:25:44 {"level":"debug","ts":1675092344.84111,"logger":"events","msg":"event","name":"cert_failed","id":"be8bf62c-6995-40cc-be51-862c7c79e1c3","origin":"tls","data":{"error":{},"identifier":"green-jungle.duckdns.org","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
2023-01-30 16:25:44 {"level":"error","ts":1675092344.841488,"logger":"tls.obtain","msg":"will retry","error":"[green-jungle.duckdns.org] Obtain: [green-jungle.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.green-jungle.duckdns.org\": could not find the start of authority for _acme-challenge.green-jungle.duckdns.org.: NOERROR (order=https://acme.zerossl.com/v2/DV90/order/QeHNtELUZwRb-vvJHD5jWA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":7.9131817,"max_duration":2592000}

It simply means that all requests on port 53 (DNS) will be forced to your local router. That means if Caddy tries to reach out to do the propagation checks, it will fail. But if you don’t know what I mean, then you probably aren’t doing it. :slightly_smiling_face:

Well, it seems like your system’s DNS resolver isn’t able to query for your DuckDNS domain, and it returns an error. You should look into that.

As a workaround, you could configure Caddy to use a different DNS resolver instead for ACME operations:

	tls {
		dns duckdns {$DUCKDNS_TOKEN}
		resolvers 8.8.8.8
	}

Thanks for helping me troubleshoot this issue. With your suggestion, I was indeed able to get the new certificates.

I am currently running a Windows machine as server (did not want to have to learn a new OS and all the things related to Docker at the same time) and I see I had been using 1.1.1.1 as DNS server:


This setting has not been changed in quite some time. Any suggestions on what might have caused it to stop working / where I should start looking to fix it?

Hmm, that’s odd. I’m trying to do the same lookup with dig with 1.1.1.1 (CloudFlare’s DNS servers) and it seems to work fine:

$ dig @1.1.1.1 SOA _acme-challenge.green-jungle.duckdns.org

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @1.1.1.1 SOA _acme-challenge.green-jungle.duckdns.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.green-jungle.duckdns.org. IN SOA

;; AUTHORITY SECTION:
duckdns.org.		583	IN	SOA	ns1.duckdns.org. hostmaster.duckdns.org. 2023011501 6000 120 2419200 600

;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon Jan 30 11:41:48 EST 2023
;; MSG SIZE  rcvd: 120

So I’m not sure why your system is doing weird things.

But I’m glad that resolved it for now!
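
An added example, not part of the thread and not Caddy's code: a POSIX shell helper that repeats the SOA lookup above against several resolvers, walking the name upward one label at a time until a resolver returns an SOA record in its ANSWER section. It assumes `dig` is installed where it runs (for a Docker setup, in a container on the same network as Caddy); `system_resolver`, `find_zone`, `compare_resolvers` and the `DIG` override are names introduced here.

```shell
#!/bin/sh
# Added example (not from the thread or from Caddy).
# DIG may be overridden, e.g. to replay constructed responses offline.
DIG="${DIG:-dig}"

# system_resolver: first nameserver listed in /etc/resolv.conf, i.e. the
# resolver a process on this host or in this container uses by default.
system_resolver() {
    awk '$1 == "nameserver" { print $2; exit }' /etc/resolv.conf
}

# find_zone RESOLVER FQDN
# Ask RESOLVER for an SOA record at FQDN, then at each parent name in turn.
# Prints the first name whose ANSWER section holds an SOA record and returns 0;
# returns 1 if no level of the name produced one.
find_zone() {
    resolver=$1
    name=${2%.}                      # drop a trailing dot if present
    while [ -n "$name" ]; do
        # +noall +answer limits output to ANSWER-section records, so an SOA
        # that only appears in the AUTHORITY section does not count here.
        if $DIG "@$resolver" +noall +answer +time=3 +tries=1 SOA "$name." 2>/dev/null |
            awk '$4 == "SOA" { found = 1 } END { exit !found }'; then
            printf '%s\n' "$name"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;  # strip the leftmost label
            *)   name= ;;            # nothing left above the TLD
        esac
    done
    return 1
}

# compare_resolvers FQDN RESOLVER...
# Prints one tab-separated line per resolver; returns 1 if any resolver
# failed to yield a zone for FQDN.
compare_resolvers() {
    fqdn=$1
    shift
    rc=0
    for r in "$@"; do
        if zone=$(find_zone "$r" "$fqdn"); then
            printf '%s\tzone=%s\n' "$r" "$zone"
        else
            printf '%s\tNO SOA FOUND\n' "$r"
            rc=1
        fi
    done
    return $rc
}
```

A typical call is `compare_resolvers _acme-challenge.green-jungle.duckdns.org "$(system_resolver)" 8.8.8.8`. A default resolver that reports `NO SOA FOUND` while 8.8.8.8 reports `zone=duckdns.org` points at the local resolver path rather than at DuckDNS or the token.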

I did some more testing just now, and it does not matter which DNS server I use (google / cloudflare) for my server, unless I add the ‘resolvers 8.8.8.8’ line, it won’t be able to get the certificates.

Seems to me that the issue is somewhere else on my server in that case - anyone aware of something that could be overriding my DNS server (which now gets overwritten again to the google DNS in the caddy file)?

Since you’re running in Docker, which runs on top of a Hyper-V VM, the DNS settings for the VM might not inherit from Windows. I’m not sure though. I don’t use Docker on Windows (because it’s a Linux tool, and I think it’s silly to have to use virtualization when the point of Docker is to have light-weight process isolation, but the VMs add a ton of overhead).
