DNS-01 delegation issues

1. The problem I’m having:

I am trying to issue a wildcard certificate using porkbun’s DNS acme plugin for the domain *.in.rschanz.org, but I am having issues getting Let’s Encrypt to actually verify my TXT record (sorry if this is more of a Let’s Encrypt forum issue rather than here). Everything seems to be working like I would expect, but Caddy times out every time it tries to issue the certificate. I am attempting to do it with dns_challenge_override_domain, since using *.in.rschanz.org causes the porkbun plugin to fail because that domain specifically “doesn’t exist”.

Something else to note: in the logs it points out the staging URL for Let’s Encrypt. I don’t exactly know why that is, since a grep -R "staging" within /etc/caddy shows no results, as does grepping the output of caddy adapt /etc/caddy/Caddyfile.

I believe my setup is correct, but please let me know if I messed something basic up :). I have also been messing around with the propagation_timeout to no avail, especially since I see most nameservers (1.1.1.1, 8.8.8.8, etc.) update within 30s.

_acme-challenge.in.rschanz.org -> CNAME pointing to _acme-challenge.rschanz.org
_acme-challenge.rschanz.org -> Created by caddy with proper token during attempts, as verified by dig, 3rd-party sites, etc. Does not exist otherwise.

2. Error messages and/or full log output:

{"level":"info","ts":1743339359.576337,"msg":"trying to solve challenge","identifier":"*.in.rschanz.org","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1743339484.5553412,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.in.rschanz.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.in.rschanz.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/186748404/23572711644) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1743339484.5560472,"logger":"tls.obtain","msg":"will retry","error":"[*.in.rschanz.org] Obtain: [*.in.rschanz.org] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/186748404/23572711644) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":27,"retrying_in":21600,"elapsed":111346.29866896,"max_duration":2592000}

3. Caddy version:

v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

4. How I installed and ran Caddy:

Alpine APK package manager from edge

a. System environment:

x86_64 Alpine edge running on Hetzner VM

b. Command:

caddy run --config /etc/caddy/Caddyfile

d. My complete Caddy config:

(Note: This is not my complete Caddy config, just the relevant parts (the domain with the issue and the global settings), as my complete config is tens of files with unrelated domains that work fine. I am attempting to do this wildcard cert to get rid of the on_demand_tls hack I’ve had set up prior, which you can see.)

{
	email *****
	log {
		output file /var/log/caddy/log
	}
	on_demand_tls {
		ask http://127.0.0.1:8080
	}
}

*.in.rschanz.org {
	tls {
		dns_challenge_override_domain _acme-challenge.rschanz.org.
		propagation_timeout 120s
		dns porkbun {
			api_key *****
			api_secret_key *****
		}
	}
	root * /srv/in_rschanz_landing/
	rewrite * index.html
	file_server
}
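How the CNAME delegation described above is followed during DNS-01 validation, as an added example (not code from the thread or from Caddy): it replaces live DNS with a constructed in-memory zone, uses a placeholder key authorization, and contrasts a TXT written at the correct override target with one written at a constructed name the CNAME chain never reaches.

```python
import base64
import copy
import hashlib

# Constructed in-memory zone standing in for live DNS (illustration only, not the real records).
# Mirrors the thread's layout: the host's challenge name is a CNAME to the parent zone's
# challenge name, which is where the DNS plugin writes the TXT token.
ZONE = {"_acme-challenge.in.rschanz.org.": {"CNAME": ["_acme-challenge.rschanz.org."]}}

def dns01_txt_value(key_authorization: str) -> str:
    """TXT value the CA expects: unpadded base64url(SHA-256(keyAuthorization)), RFC 8555 s8.4."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def challenge_name(identifier: str) -> str:
    """Wildcard identifiers are validated at the base name's _acme-challenge label."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."

def place_token(zone: dict, override_name: str, key_authorization: str) -> None:
    """Simulate the plugin writing the TXT where dns_challenge_override_domain points."""
    name = override_name if override_name.endswith(".") else override_name + "."
    zone.setdefault(name, {}).setdefault("TXT", []).append(dns01_txt_value(key_authorization))

def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs from name as a validating resolver does; return (final_name, txt_values)."""
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if "TXT" in rrsets:
            return name, rrsets["TXT"]
        if "CNAME" not in rrsets:
            return name, []  # chain ends with no TXT: validation fails
        name = rrsets["CNAME"][0]
    raise RuntimeError("CNAME chain too long")

def check_dns01(zone: dict, identifier: str, key_authorization: str) -> bool:
    """True when the TXT reached through the CNAME chain carries the expected digest."""
    _, values = resolve_txt(zone, challenge_name(identifier))
    return dns01_txt_value(key_authorization) in values

def demo(key_authorization: str = "constructed-token.constructed-thumbprint"):
    """Correct override target versus a constructed target the CNAME chain never reaches."""
    good = copy.deepcopy(ZONE)
    place_token(good, "_acme-challenge.rschanz.org.", key_authorization)
    bad = copy.deepcopy(ZONE)
    place_token(bad, "_acme-challenge.example.net.", key_authorization)
    return (check_dns01(good, "*.in.rschanz.org", key_authorization),
            check_dns01(bad, "*.in.rschanz.org", key_authorization))  # (True, False)
```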

Hi @ryan77627,

I am noticing DNS server issues: in.rschanz.org | DNSViz

Thanks for noticing that… seems I missed it due to the way my VPN was set up. Turned that off for now and fixed that issue, I now have one authoritative DNS server for that subdomain. Same issue so far, perhaps it will take a little bit to propagate. Will update here if that did in fact solve the issue, but no dice currently.
