Gandi DNS wildcard TLS "error presenting token"


(Dmitriy Panteleyev) #1

Is this a bug, or am I doing something wrong?

Caddy 0.11.0 non-commercial

systemd service file has Environment=GANDIV5_API_KEY=xxxxxxxxx line.

Caddyfile reads:

thisheredomain.com {
    tls {
        dns gandiv5
    }
}

test.thisheredomain.com {
    tls {
        dns gandiv5
        wildcard
    }
}

Caddy fails to start…

Nov 03 15:45:57 web caddy[2030]: Activating privacy features... 2018/11/03 21:45:57 [INFO][thisheredomain.com] acme: Obtaining bundled SAN certificate
Nov 03 15:45:57 web caddy[2030]: 2018/11/03 21:45:57 [INFO][thisheredomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/t3djr2SIN2aYoa8VUidvXLxJnKRf1EU5_GRMbweh0NQ
Nov 03 15:45:57 web caddy[2030]: 2018/11/03 21:45:57 [INFO][thisheredomain.com] acme: Could not find solver for: tls-alpn-01
Nov 03 15:45:57 web caddy[2030]: 2018/11/03 21:45:57 [INFO][thisheredomain.com] acme: Trying to solve DNS-01
Nov 03 15:45:58 web caddy[2030]: 2018/11/03 21:45:58 [thisheredomain.com] failed to get certificate: Error presenting token: Gandi DNS: request failed with HTTP status code 404
Nov 03 15:45:58 web systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Nov 03 15:45:58 web systemd[1]: caddy.service: Unit entered failed state.
Nov 03 15:45:58 web systemd[1]: caddy.service: Failed with result 'exit-code'.

Removing “wildcard” from Caddyfile makes it work just fine.

Am I doing something wrong, or is there a bug?
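As an added illustration (not code from Caddy, lego or this thread), the script below works out what a DNS-01 solver has to publish for the Caddyfile above, assuming the `wildcard` line makes the second block request `*.thisheredomain.com` and that the provider addresses records as a zone plus a relative name, as Gandi's LiveDNS API does. The key authorizations are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed example, not Caddy's or lego's code: models the TXT records any
# DNS-01 solver must create for the apex, wildcard and subdomain names above.

def challenge_record_name(identifier: str) -> str:
    """Owner name of the DNS-01 TXT record for an ACME identifier (RFC 8555 s8.4).
    A wildcard identifier drops its leading '*.' before the prefix is applied."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + host.rstrip(".")


def txt_value(key_authorization: str) -> str:
    """TXT RDATA: base64url(SHA-256(key authorization)) without '=' padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def relative_name(owner: str, zone: str) -> str:
    """Record name relative to the zone the DNS API manages (zone/relative-name
    addressing); raises if the owner is not inside that zone at all."""
    if owner == zone:
        return "@"
    suffix = "." + zone
    if not owner.endswith(suffix):
        raise ValueError(f"{owner} is not inside zone {zone}")
    return owner[: -len(suffix)]


def plan_records(identifiers, key_authorizations, zone):
    """Group TXT values by relative record name. Apex and wildcard identifiers
    share one owner name, so that name must carry two values side by side."""
    plan = defaultdict(list)
    for ident, keyauth in zip(identifiers, key_authorizations):
        rel = relative_name(challenge_record_name(ident), zone)
        plan[rel].append(txt_value(keyauth))
    return dict(plan)


if __name__ == "__main__":
    # Constructed inputs: names from the Caddyfile, fake key authorizations.
    idents = ["thisheredomain.com", "*.thisheredomain.com", "test.thisheredomain.com"]
    fake_keyauths = ["tokenA.thumb", "tokenB.thumb", "tokenC.thumb"]
    for name, values in plan_records(idents, fake_keyauths, "thisheredomain.com").items():
        print(name, "TXT", values)
```

Checking the planned owner names against what the provider can actually reach in the zone it manages is a useful first step when a solver reports a 404 while presenting the token.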


(Dmitriy Panteleyev) #2

Just to add more (confounding) information…

Taking out the “wildcard” part made it work for the domain and the test. subdomain.

However, once I added more subdomains, the TLS process failed with the same error message with or without wildcard.


(Matthew Fay) #3

Apart from the fact that it looks like thisheredomain.com isn’t currently registered, the error indicates that the Gandi API returned an error code - 404, so maybe Gandi changed their API or there’s an issue with the Gandi provider for xenolf/lego (the library Caddy uses for LetsEncrypt).

Are you able to try with a different DNS provider to confirm?


(Dmitriy Panteleyev) #4

I used a placeholder domain. The real domain is registered, although the A record does not point to the server with this instance of Caddy on it.

Unfortunately I can’t test with a different service.

I guess I’ll post something on the lego library GitHub.


(Matthew Fay) #5

Yeah, that’ll be your best bet to get help troubleshooting this issue.

As for the placeholder, the domain example.com and the .example TLD are specifically reserved for this purpose to avoid accidentally using someone else’s domain.