DNS challenge with Namecheap and split horizon DNS

Edit: Ohhh wait, first try with :53 at the end of the IP. Does that help?


Thanks, that’s progress at least. Hmmm. Okay I might need your help to dive into it more and figure out why (working on a bunch of different issues this week).

The resolvers are passed into the underlying DNS utility functions in two places:

This is where the full list of resolvers is constructed: certmagic/dnsutil.go at 09acc6bf59fafc220fd444667851de44e55c1419 · caddyserver/certmagic · GitHub

Can you try tweaking that and see why it’s not using the configured resolvers?


Using 1.0.0.1:53 as the resolver makes it work, confirmed with Wireshark! It goes all the way to complete a (staging) letsencrypt cert processing and download. Now I will try with the production endpoint, but it’s looking good. Thanks for the help!


Excellent! We borrowed the port-filling code from lego and I’m reviewing it now, and it doesn’t look correct. I will rewrite it with the corrected code so that an explicit port number is not required. Thank you!

@carloscm Annnd this commit here will fix the establishment of ports if missing: Properly ensure port is added to all nameservers · caddyserver/certmagic@34fc6bf · GitHub

Thanks again!

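To illustrate the port-filling fix described above (example code written for this thread, not certmagic's or lego's own), here is a Go helper that appends :53 only to resolvers given without an explicit port, and brackets bare IPv6 literals so the result is a valid host:port. The function names ensureDNSPort and ensureDNSPorts are assumptions for the example; the failure mode it guards against is the one seen earlier in the thread, where a bare "1.0.0.1" was not used as a resolver until ":53" was written by hand.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// defaultDNSPort is appended to any resolver given without a port.
const defaultDNSPort = "53"

// ensureDNSPort returns resolver with an explicit port. Values that already
// carry one ("1.0.0.1:53", "[::1]:5353", "dns.example:53") pass through
// unchanged; bare IPv4/IPv6 literals and hostnames get ":53", with IPv6
// literals bracketed so the result is a valid host:port.
func ensureDNSPort(resolver string) string {
	resolver = strings.TrimSpace(resolver)
	if _, _, err := net.SplitHostPort(resolver); err == nil {
		return resolver
	}
	// A bare "[::1]" fails SplitHostPort with "missing port"; unwrap the
	// brackets so JoinHostPort can re-add them correctly.
	host := strings.Trim(resolver, "[]")
	return net.JoinHostPort(host, defaultDNSPort)
}

// ensureDNSPorts applies ensureDNSPort to a resolver list, dropping empties.
func ensureDNSPorts(resolvers []string) []string {
	out := make([]string, 0, len(resolvers))
	for _, r := range resolvers {
		if strings.TrimSpace(r) == "" {
			continue
		}
		out = append(out, ensureDNSPort(r))
	}
	return out
}

func main() {
	// Constructed sample list mixing the forms that appear in this thread.
	sample := []string{"1.0.0.1", "1.0.0.1:53", "::1", "[::1]:5353", "dns.example"}
	for _, r := range ensureDNSPorts(sample) {
		fmt.Println(r)
	}
}
```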

For some reason my instance of Caddy isn’t using the external resolver.

Updated Caddyfile:

{
    debug
}

whoami1.internal.chris-cartwright.com {
    tls {
        issuer acme {
            dir https://acme-staging-v02.api.letsencrypt.org/directory
            dns lego_deprecated namecheap
            resolvers 1.0.0.1:53
        }
    }

    reverse_proxy whoami-1_whoami_1:80
}

Latest log output:

{"level":"info","ts":1600315855.0418367,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1600315855.0432982,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["[::1]:2019","127.0.0.1:2019","localhost:2019"]}
{"level":"info","ts":1600315855.0435789,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000ae8bd0"}
{"level":"info","ts":1600315855.4276745,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1600315855.4277284,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1600315855.4280448,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
{"level":"debug","ts":1600315855.4281309,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
{"level":"info","ts":1600315855.4281526,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["whoami1.internal.chris-cartwright.com"]}
{"level":"info","ts":1600315855.4296803,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1600315855.4297078,"msg":"serving initial configuration"}
{"level":"info","ts":1600315855.4348445,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1600315855.465071,"logger":"tls.obtain","msg":"acquiring lock","identifier":"whoami1.internal.chris-cartwright.com"}
{"level":"info","ts":1600315855.4762707,"logger":"tls.obtain","msg":"lock acquired","identifier":"whoami1.internal.chris-cartwright.com"}
{"level":"info","ts":1600315855.4862607,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["whoami1.internal.chris-cartwright.com"]}
{"level":"info","ts":1600315855.4862943,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["whoami1.internal.chris-cartwright.com"]}
{"level":"debug","ts":1600315855.8149962,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-staging-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.2.0-rc.1.0.20200917020122-e3324aa6de6c CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["724"],"Content-Type":["application/json"],"Date":["Thu, 17 Sep 2020 04:10:57 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1600315855.8951283,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.2.0-rc.1.0.20200917020122-e3324aa6de6c CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 17 Sep 2020 04:10:57 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["00021m3GqmE0ccGFwpzn_bsR_XX8YThIPQcsxzEo4HLQSPA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1600315856.0308914,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.2.0-rc.1.0.20200917020122-e3324aa6de6c CertMagic acmez (linux; amd64)"]},"status_code":201,"response_headers":{"Boulder-Requester":["15420394"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["381"],"Content-Type":["application/json"],"Date":["Thu, 17 Sep 2020 04:10:57 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-staging-v02.api.letsencrypt.org/acme/order/15420394/150679867"],"Replay-Nonce":["0002q0dvolpTsP_ipT0cX8Yya2fIb-xRtyA4GGU9XTvtsnQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1600315856.1137397,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/113322870","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.2.0-rc.1.0.20200917020122-e3324aa6de6c CertMagic acmez (linux; amd64)"]},"status_code":200,"response_headers":{"Boulder-Requester":["15420394"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["836"],"Content-Type":["application/json"],"Date":["Thu, 17 Sep 2020 04:10:57 GMT"],"Link":["<https://acme-staging-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["0001NvwcOcqEFnFzFZlCwYNhE9Ynysy6BvsrcvUWe5wp-ck"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}}
{"level":"debug","ts":1600315856.1139302,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}

In Wireshark, it looks like the request is still hitting my local DNS server instead of 1.0.0.1.

Edit: Could it have to do with some files cached from a previous run? I have not been removing the contents of /data in the container between runs.
