DNS-01 Challenge failing with Netcup DNS-Plugin

Hi Matt,

I played around with my DNS configuration for a bit.
I think I got a step further.

I've changed my firewall policies so that Caddy can reach ALL public DNS servers via port 53.
Changed /etc/netplan/00-config(…) so that the DNS servers are now 8.8.8.8 and 8.8.4.4.

I've also changed my Caddyfile so that it has a “resolvers 8.8.8.8” line for “bw.exampledomain” and “nas1.exampledomain”:

	tls {
		dns netcup {
			customer_number {env.NETCUP_CUSTOMER_NUMBER}
			api_key {env.NETCUP_API_KEY}
			api_password {env.NETCUP_API_PASSWORD}
		}
		resolvers 8.8.8.8
	}

Now I get the following errors in /var/log/caddy/acme-7.log:

{"level":"debug","ts":1658820857.1749527,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3132776214","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:34:17 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002dUCWrpOMX7a5YP5elWxGwGMYFEpKgntfpHP7ZYQvW_Q"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658820857.175076,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364236034) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"debug","ts":1658820857.1750934,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme-staging-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1658820857.32894,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 26 Jul 2022 07:34:17 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001aPhx_-vzXAvFIQrTxMxf7afxCTiYPEnVFXGpbfTBfj0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1658820857.4996245,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["349"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:34:17 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364260604"],"Replay-Nonce":["0001ICppbfKLQo9Jwzlgr28ebPcj6WeRGELc9LZc3MRx5xU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1658820857.6555674,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3132794374","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["815"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:34:17 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0002Jff7zCflLsJh5zVCDEzXWBk7iujnyXTl_Nbd0iownww"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"info","ts":1658820857.6556938,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nas1.exampledomain","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1658820895.0629697,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3132782224","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["817"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:34:54 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001--yRfMTWN8YKSCkgcUNTlAXK5d6OwaBIqdogwV3TrxM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658820895.06309,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bw.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364244104) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658820895.063111,"logger":"tls.obtain","msg":"will retry","error":"[bw.exampledomain] Obtain: [bw.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364244104) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":928.404023264,"max_duration":2592000}
{"level":"debug","ts":1658820979.2628758,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3132794374","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.5.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["61940324"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["819"],"Content-Type":["application/json"],"Date":["Tue, 26 Jul 2022 07:36:19 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001eIrBnJ8MRePr0Z8H8E8EQqie9E9xpcVr-RgqdEbeeK8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"error","ts":1658820979.2630055,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nas1.exampledomain","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364260604) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1658820979.2630174,"logger":"tls.obtain","msg":"will retry","error":"[nas1.exampledomain] Obtain: [nas1.exampledomain] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/61940324/3364260604) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":1012.603963752,"max_duration":2592000}
{"level":"debug","ts":1658821029.3843632,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"bw.exampledomain"}
{"level":"debug","ts":1658821029.384399,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exampledomain"}
{"level":"debug","ts":1658821029.3844025,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de"}
{"level":"debug","ts":1658821029.3844047,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1658821029.384408,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"bw.exampledomain"}
{"level":"debug","ts":1658821029.384413,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"bw.exampledomain","remote":"PublicIPv4Address:55402","identifier":"bw.exampledomain","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1658821029.3844528,"logger":"http.stdlib","msg":"http: TLS handshake error from PublicIPv4Address:55402: no certificate available for 'bw.exampledomain'"}
{"level":"debug","ts":1658821149.7976165,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"bw.exampledomain"}
{"level":"debug","ts":1658821149.7976522,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.exampledomain"}
{"level":"debug","ts":1658821149.7976558,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de"}
{"level":"debug","ts":1658821149.7976584,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1658821149.7976618,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":"bw.exampledomain"}
{"level":"debug","ts":1658821149.7976668,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"bw.exampledomain","remote":"PublicIPv4Address:55408","identifier":"bw.exampledomain","cipher_suites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1658821149.7977154,"logger":"http.stdlib","msg":"http: TLS handshake error from PublicIPv4Address:55408: no certificate available for 'bw.exampledomain'"}

The following line got my attention:

waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/

I don't know how to fix this, though.

@francislavoie I deleted the “env.” settings from the system service overrides as you've suggested :slight_smile:
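The error quoted above ("timed out waiting for record to fully propagate") means CertMagic created the `_acme-challenge` TXT record through the Netcup API and then never saw it appear on the configured resolvers within its timeout. The check a practitioner wants at that point is to ask the resolvers directly, using the same name CertMagic is polling. The script below is an added example for this thread, not code from the original post or from Caddy, CertMagic or the Netcup plugin. It builds a raw DNS TXT query with only the Python standard library, so the same code can be pointed at 8.8.8.8, at the zone's authoritative nameservers (whose IPs you look up separately), or at any other resolver, and reports on which of them the expected challenge value is visible. The name `_acme-challenge.nas1.exampledomain` and the token strings are placeholders: the post redacts the real zone, and the actual token is whatever the ACME client wrote. The reply parser checks the transaction ID before trusting an answer, and `build_response` exists only so the example can be exercised offline against a constructed reply.

```python
"""Check whether an ACME DNS-01 TXT record is visible on given resolvers (stdlib only)."""
import random
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted DNS name in wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Build a recursive (RD=1) TXT query with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name at `off`; return (name, offset after the name)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_txt_response(msg: bytes, txid: int) -> list[str]:
    """Return the TXT strings from the answer section; refuse mismatched IDs and error RCODEs."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                                # skip question section
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    values = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:                          # TXT RDATA is a sequence of <len><chars>
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            values.append("".join(parts))
    return values


def build_response(query: bytes, txt_values: list[str], ttl: int = 300) -> bytes:
    """Construct a reply to `query` carrying `txt_values` (constructed sample for offline use)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_values), 0, 0)
    answers = b""
    for value in txt_values:
        raw = value.encode()
        rdata = bytes([len(raw)]) + raw
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answers              # echo the question, then the answers


def query_txt(name: str, server: str, timeout: float = 3.0) -> list[str]:
    """Send one UDP TXT query to `server` (port 53) and parse the reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_txt_response(data, txid)


def check_propagation(name: str, expected: str, servers: list[str]) -> dict[str, bool]:
    """Per resolver: is `expected` among the TXT values returned for `name`?"""
    result = {}
    for server in servers:
        try:
            result[server] = expected in query_txt(name, server)
        except (OSError, ValueError):                  # timeout, NXDOMAIN, SERVFAIL, bad reply
            result[server] = False
    return result
```

Usage while Caddy is retrying: `check_propagation("_acme-challenge.nas1.exampledomain", "<token from the Netcup DNS panel>", ["8.8.8.8", "8.8.4.4", "<authoritative NS IP>"])`. If the authoritative servers return the record but 8.8.8.8 does not, it is a propagation delay; if even the authoritative servers have nothing, the API call did not create the record where the resolvers look for it (wrong zone, wrong name, or stale credentials), and no resolver setting will help.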