DNSSEC record for wildcard certificate?

1. The problem I’m having:

I am trying to deploy a domain with a wildcard certificate and I get an error related to a missing DNSSEC record.

2. Error messages and/or full log output:

Jun 23 18:36:27 sciabarra0 systemd[1]: Started Caddy.
Jun 23 18:36:27 sciabarra0 caddy[64943]: {"level":"info","ts":1719167787.4923131,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"bad72d13-d98c-4022-8a50-e53e2e4c3158","try_again":1719254187.4922998,"try_again_in":86399.999998332}
Jun 23 18:36:27 sciabarra0 caddy[64943]: {"level":"info","ts":1719167787.4928622,"logger":"tls","msg":"finished cleaning storage units"}
Jun 23 18:36:27 sciabarra0 caddy[64943]: {"level":"info","ts":1719167787.4926324,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.sciabarra.top"}
Jun 23 18:36:27 sciabarra0 caddy[64943]: {"level":"info","ts":1719167787.4933481,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.sciabarra.top"}
Jun 23 18:36:27 sciabarra0 caddy[64943]: {"level":"info","ts":1719167787.4954095,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.sciabarra.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"michele@nuvolaris.io"}
Jun 23 18:36:27 sciabarra0 caddy[64943]: {"level":"info","ts":1719167787.49877,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.sciabarra.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"michele@nuvolaris.io"}
Jun 23 18:36:27 sciabarra0 caddy[64943]: {"level":"info","ts":1719167787.498892,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1798017827","account_contact":["mailto:michele@nuvolaris.io"]}
Jun 23 18:36:28 sciabarra0 caddy[64943]: {"level":"info","ts":1719167788.5801659,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.sciabarra.top","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Jun 23 18:36:38 sciabarra0 caddy[64943]: {"level":"error","ts":1719167798.1000473,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.sciabarra.top","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: looking up TXT for _acme-challenge.sciabarra.top: DNSSEC: DNSKEY Missing","instance":"","subproblems":[]}}
Jun 23 18:36:38 sciabarra0 caddy[64943]: {"level":"error","ts":1719167798.1004443,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.sciabarra.top","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: looking up TXT for _acme-challenge.sciabarra.top: DNSSEC: DNSKEY Missing","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1798017827/281042419317","attempt":1,"max_attempts":3}
Jun 23 18:36:38 sciabarra0 caddy[64943]: {"level":"error","ts":1719167798.1005266,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.sciabarra.top","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: looking up TXT for _acme-challenge.sciabarra.top: DNSSEC: DNSKEY Missing"}
Jun 23 18:36:38 sciabarra0 caddy[64943]: {"level":"error","ts":1719167798.1006913,"logger":"tls.obtain","msg":"will retry","error":"[*.sciabarra.top] Obtain: [*.sciabarra.top] solving challenge: *.sciabarra.top: [*.sciabarra.top] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: looking up TXT for _acme-challenge.sciabarra.top: DNSSEC: DNSKEY Missing (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":10.607499226,"max_duration":2592000}
Jun 23 18:37:38 sciabarra0 caddy[64943]: {"level":"info","ts":1719167858.1019535,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.sciabarra.top"}
Jun 23 18:37:38 sciabarra0 caddy[64943]: {"level":"info","ts":1719167858.103476,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/153178293","account_contact":["mailto:michele@nuvolaris.io"]}
Jun 23 18:37:39 sciabarra0 caddy[64943]: {"level":"info","ts":1719167859.0000021,"logger":"tls.issuance.acme.acme_client","msg":"authorization finalized","identifier":"*.sciabarra.top","authz_status":"valid"}
Jun 23 18:37:39 sciabarra0 caddy[64943]: {"level":"info","ts":1719167859.000719,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/153178293/17381789673"}
Jun 23 18:37:42 sciabarra0 caddy[64943]: {"level":"info","ts":1719167862.615939,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["*.sciabarra.top"],"window_start":1724263058,"window_end":1724435858,"selected_time":1724386366,"recheck_after":1719189462.615931,"explanation_url":""}
Jun 23 18:37:42 sciabarra0 caddy[64943]: {"level":"info","ts":1719167862.909881,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["*.sciabarra.top"],"window_start":1724263058,"window_end":1724435858,"selected_time":1724366790,"recheck_after":1719189462.9098723,"explanation_url":""}
Jun 23 18:37:42 sciabarra0 caddy[64943]: {"level":"info","ts":1719167862.9099991,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b571e9f0a1acc9877d4ef32d87079ca39be"}
Jun 23 18:37:42 sciabarra0 caddy[64943]: {"level":"info","ts":1719167862.9104903,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.sciabarra.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"michele@nuvolaris.io"}
Jun 23 18:37:42 sciabarra0 caddy[64943]: {"level":"info","ts":1719167862.9105077,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.sciabarra.top"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"michele@nuvolaris.io"}
Jun 23 18:37:42 sciabarra0 caddy[64943]: {"level":"info","ts":1719167862.9105382,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1798017827","account_contact":["mailto:michele@nuvolaris.io"]}
Jun 23 18:37:43 sciabarra0 caddy[64943]: {"level":"info","ts":1719167863.438739,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"*.sciabarra.top","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Jun 23 18:38:10 sciabarra0 caddy[64943]: {"level":"error","ts":1719167890.9329424,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"*.sciabarra.top","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: looking up TXT for _acme-challenge.sciabarra.top: DNSSEC: DNSKEY Missing","instance":"","subproblems":[]}}
Jun 23 18:38:10 sciabarra0 caddy[64943]: {"level":"error","ts":1719167890.933082,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"*.sciabarra.top","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: looking up TXT for _acme-challenge.sciabarra.top: DNSSEC: DNSKEY Missing","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1798017827/281042659307","attempt":1,"max_attempts":3}
Jun 23 18:38:10 sciabarra0 caddy[64943]: {"level":"error","ts":1719167890.9331832,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.sciabarra.top","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: looking up TXT for _acme-challenge.sciabarra.top: DNSSEC: DNSKEY Missing"}
Jun 23 18:38:10 sciabarra0 caddy[64943]: {"level":"info","ts":1719167890.93336,"logger":"tls.obtain","msg":"releasing lock","identifier":"*.sciabarra.top"}
Jun 23 18:38:10 sciabarra0 caddy[64943]: {"level":"error","ts":1719167890.933588,"logger":"tls","msg":"job failed","error":"*.sciabarra.top: obtaining certificate: [*.sciabarra.top] Obtain: [*.sciabarra.top] solving challenge: *.sciabarra.top: [*.sciabarra.top] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: looking up TXT for _acme-challenge.sciabarra.top: DNSSEC: DNSKEY Missing (ca=https://acme-v02.api.letsencrypt.org/directory)"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

xcaddy build --with-modules github.com/caddy-dns/hetzner

a. System environment:

Linux Ubuntu 22.04

b. Command:

systemctl start caddy
systemctl enable caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        email michele@nuvolaris.io
        log debug
}
sciabarra.top {
        respond "sciabarra.top" 200
}
*.sciabarra.top {
        respond "*.sciabarra.top" 200
        tls {
                dns hetzner "...."
        }
}

5. Links to relevant resources:

Hi @Michele_Sciabarra,

This is a DNSSEC issue where Let’s Encrypt cannot successfully do the TXT record lookup because the DNSKEY is missing. Your DNS needs fixing; one solution would be to turn off DNSSEC.


I had to wait until the DNSSEC records expired at the top level.

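Both replies describe one delegation state: the parent zone (.top) still publishes a DS record for sciabarra.top, but the zone's own nameservers answer without a DNSKEY that matches it, so a validating resolver such as the one Let’s Encrypt uses for dns-01 marks everything under the name, the _acme-challenge TXT included, as bogus. Waiting for the parent-side records to expire turns the delegation back into an unsigned (insecure) one, which validators accept. The script below is an added example, not code from this thread or from Caddy: it reproduces the DS-to-DNSKEY matching a validator performs (RFC 4034 key tag, RFC 4509 SHA-256 digest) on constructed, non-real key material and classifies the delegation as insecure, secure or bogus. The sample key, the dig-style parsing helpers and the function names are assumptions for illustration; with real data you would paste in the answer sections of `dig DS sciabarra.top` and `dig DNSKEY sciabarra.top @<authoritative nameserver>`.

```python
"""Offline model of the DNSSEC check that failed in this thread (added example).

A validating resolver walks from the parent zone's DS record to a DNSKEY served
by the child zone. If the parent publishes a DS but the child serves no DNSKEY
matching it, every name under the zone is bogus and the dns-01 TXT lookup fails.
Real inputs would come from, for example:
    dig +noall +answer DS sciabarra.top
    dig +noall +answer DNSKEY sciabarra.top @<authoritative nameserver>
"""
import base64
import hashlib
from dataclasses import dataclass

ZONE_KEY_FLAG = 0x0100   # RFC 4034 section 2.1.1: bit 7 of the DNSKEY flags field
DIGEST_SHA256 = 2        # RFC 4509 DS digest type


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes   # raw key material (the base64 presentation field, decoded)

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; valid for every algorithm except 1 (RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey_line(line: str) -> DNSKEY:
    """Parse a dig-style record: '<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64>'."""
    f = line.split()
    i = f.index("DNSKEY")
    return DNSKEY(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
                  base64.b64decode("".join(f[i + 4:])))


def parse_ds_line(line: str) -> DS:
    """Parse a dig-style record: '<owner> <ttl> IN DS <tag> <alg> <digest type> <hex>'."""
    f = line.split()
    i = f.index("DS")
    return DS(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
              bytes.fromhex("".join(f[i + 4:])))


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """The DS a parent zone would publish for this key, SHA-256 digest (RFC 4509)."""
    rd = key.rdata()
    return DS(key_tag(rd), key.algorithm, DIGEST_SHA256,
              hashlib.sha256(owner_wire(owner) + rd).digest())


def chain_state(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """What a validator concludes at the delegation; RRSIG checking is out of scope."""
    if not parent_ds:
        return "insecure"                  # no DS: unsigned delegation, lookups succeed
    if not child_dnskeys:
        return "bogus: DNSKEY missing"     # parent says signed, child serves no keys
    published = {(d.key_tag, d.algorithm, d.digest)
                 for d in parent_ds if d.digest_type == DIGEST_SHA256}
    for key in child_dnskeys:
        if not key.flags & ZONE_KEY_FLAG:  # not a zone key: cannot anchor the chain
            continue
        d = ds_from_dnskey(owner, key)
        if (d.key_tag, d.algorithm, d.digest) in published:
            return "secure"
    return "bogus: no DNSKEY matches DS"


def demo() -> dict:
    """Run the four delegation states on constructed (not real) algorithm-13 key bytes."""
    owner = "sciabarra.top"
    ksk = parse_dnskey_line(f"{owner}. 3600 IN DNSKEY 257 3 13 "
                            + base64.b64encode(bytes(range(64))).decode())   # constructed
    ds = ds_from_dnskey(owner, ksk)
    parent = [parse_ds_line(f"{owner}. 86400 IN DS {ds.key_tag} {ds.algorithm} "
                            f"{ds.digest_type} {ds.digest.hex()}")]
    rolled = DNSKEY(257, 3, 13, bytes(range(1, 65)))   # new key, DS at parent never updated
    return {
        "healthy":        chain_state(owner, parent, [ksk]),
        "dnskey_missing": chain_state(owner, parent, []),      # the state in the Caddy log
        "key_rolled":     chain_state(owner, parent, [rolled]),
        "ds_expired":     chain_state(owner, [], []),          # after the parent records expired
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:15s} -> {state}")
```

The two bogus outcomes are the ones that break dns-01: removing DNSSEC only on the zone side (keys gone, DS still at the registrar/parent) or rolling the KSK without updating the DS. Turning DNSSEC off at the registrar removes the DS at the parent, which is the "insecure" row; until caches of the old DS and DNSKEY sets expire, validators may still see the broken state.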