Yeah, if you don’t provide resolvers, Caddy will check for /etc/resolv.conf. If it’s absent or has nothing, it falls back to 1.1.1.1, 1.0.0.1, 8.8.8.8, and 8.8.4.4.
Nope, I don’t believe it’s a permission thing. It’s actually why I asked about SELinux. It doesn’t need any other privileges.
I’ve soft-forked certmagic to place additional logging around DNS propagation check and early exit. You can build a custom caddy to use it with this command:
Thanks… I built this and think I need to change my caddyfile? I note it doesnt include github.com/caddy-dns/cloudflare … I get a startup error it can’t find dns.providers.cloudflare package.
Tried adding a --with for the cloudflare package to the build but it errors out - and it found a package in multiple modules, I assume your fork has some of the same things as the cloudflare provider package? Tbh I don’t think I understand enough!
Feb 19 10:27:51 caddy caddy[2555]: {"level":"info","ts":1645266471.547268,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"zanj.cc","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Feb 19 10:28:04 caddy caddy[2555]: {"level":"info","ts":1645266484.0333877,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/411599010/65192308520"}
Feb 19 10:28:05 caddy caddy[2555]: {"level":"info","ts":1645266485.11281,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/0329cdfd4e779a609ae24c75a3f388d8a667"}
Feb 19 10:28:05 caddy caddy[2555]: {"level":"info","ts":1645266485.1133802,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"zanj.cc"}
Feb 19 10:28:05 caddy caddy[2555]: {"level":"info","ts":1645266485.1134732,"logger":"tls.obtain","msg":"releasing lock","identifier":"zanj.cc"}
It worked!!!
Mohammed that is brilliant - thank you so much! I have no idea what is different - I thought we were just looking for additional logs…! If there’s anything I can do with this to further troubleshoot (if this is a bug and its not just me…!), let me know!
Nope, I short-circuited the lookup as well. The logic used to lookup the TXT record using the default resolver, then it checks for full propagation by looking up the TXT record on all the nameservers managing the domain name.
Like Francis said, we’ll need bisect tracking to know the exact commit. Since you report it worked earlier then stopped working and now it’s working when short-circuited, the traversal has to be backwards.