DNS Challenge Timeout - DelayBeforeCheck doesn't work

Hello, I'm using my own DNS provider with Bind9. To complete the validation, I need to add a TXT record and a token to my DNS entries. However, I have two issues. First, it seems like the validation tries to check the TXT value before I can add it. Second, when I specify the variable DelayBeforeCheck, it is simply skipped.

I have been reading about how to resolve this, and the opinions are mixed. Some say that using manual as the DNS provider sometimes works, while others suggest using Cloudflare or another API-based DNS.

I understand that the process is: Docker goes up > ACME tries to check the TXT record > fail. But how can I add the TXT record if I cannot see the token before the validation?

Error Message

2024-07-21T16:36:47Z ERR Cannot start the provider *file.Provider error="error adding file watcher: no such file or directory"

lego: Please create the following TXT record in your nudra.cl. zone:

_acme-challenge.local.nudra.cl. 120 IN TXT "cl8b-IHzsEP4OcSGHl81dLs9xlDjj6w36lg2GESD9G8"

lego: Press 'Enter' when you are done

lego: You can now remove this TXT record from your nudra.cl. zone:

_acme-challenge.local.nudra.cl. 120 IN TXT "..."

lego: Please create the following TXT record in your nudra.cl. zone:

_acme-challenge.local.nudra.cl. 120 IN TXT "oqmhSIC2VtbyLYNXvE7gU8unXFzpPsIENe9qnGP1xlQ"

lego: Press 'Enter' when you are done

lego: You can now remove this TXT record from your nudra.cl. zone:

_acme-challenge.local.nudra.cl. 120 IN TXT "..."

2024-07-21T16:37:00Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [local.nudra.cl *.local.nudra.cl]: error: one or more domains had a problem:\n[*.local.nudra.cl] [*.local.nudra.cl] acme: error presenting token: manual: EOF\n[local.nudra.cl] [local.nudra.cl] acme: error presenting token: manual: EOF\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["local.nudra.cl","*.local.nudra.cl"] providerName=manual.acme routerName=traefik-secure@docker rule=Host(`traefik.nudra.cl`)

Compose for Reference

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ubuntu/traefik/data/traefik.yml:/traefik.yml:ro
      - /home/ubuntu/traefik/data/acme.json:/acme.json
      - /home/ubuntu/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:BASIC_AUTH_PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.nudra.cl"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.nudra.cl"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  letsencrypt:
    acme:
      email: soporte@nudra.cl
      storage: acme.json
      dnsChallenge:
        provider: manual
        disablePropagationCheck: true # uncomment this if you have issues pulling certificates through Cloudflare; setting this flag to true disables waiting for the TXT record to propagate to all authoritative name servers
        delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed, to give the TXT record time to be ready before verification is attempted
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

Error

sudo docker-compose up
WARN[0000] /home/ubuntu/traefik/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 1/0
 ✔ Container traefik  Created                                                                 0.0s
Attaching to traefik
traefik  | 2024-07-22T13:38:38Z ERR Error while building configuration (for the first time) error="error reading configuration file: /config.yml - read /config.yml: is a directory" providerName=file
traefik  | lego: Please create the following TXT record in your nudra.cl. zone:
traefik  | _acme-challenge.local.nudra.cl. 120 IN TXT "pBXuqX8n2YivpYc28RshTE3qKtLe3hWMZcY3QaWqXWI"
traefik  | lego: Press 'Enter' when you are done
traefik  | lego: You can now remove this TXT record from your nudra.cl. zone:
traefik  | _acme-challenge.local.nudra.cl. 120 IN TXT "..."
traefik  | lego: Please create the following TXT record in your nudra.cl. zone:
traefik  | _acme-challenge.local.nudra.cl. 120 IN TXT "eXwMf_6T8Eb0UQx-5c8M2QJo0ChfcnG_opBjU0G1xKA"
traefik  | lego: Press 'Enter' when you are done
traefik  | lego: You can now remove this TXT record from your nudra.cl. zone:
traefik  | _acme-challenge.local.nudra.cl. 120 IN TXT "..."
traefik  | 2024-07-22T13:38:47Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [local.nudra.cl *.local.nudra.cl]: error: one or more domains had a problem:\n[*.local.nudra.cl] [*.local.nudra.cl] acme: error presenting token: manual: EOF\n[local.nudra.cl] [local.nudra.cl] acme: error presenting token: manual: EOF\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["local.nudra.cl","*.local.nudra.cl"] providerName=letsencrypt.acme routerName=traefik-secure@docker rule=Host(`traefik.nudra.cl`)
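As an added example (not from the original post, nor Traefik's or lego's own code), this Python helper parses the "lego: Please create the following TXT record" prompts that the log above shows, which is the only place the token becomes visible with provider: manual, and renders them as an nsupdate batch for a BIND9 zone. The sample log lines are constructed from the output above, and the nameserver name is a placeholder.

```python
from __future__ import annotations
import itertools
import re
from dataclasses import dataclass

# Constructed sample: prompt lines copied from the Traefik log above, including
# the "traefik  | " prefix that docker-compose prepends to each line.
SAMPLE_LOG = """\
traefik  | lego: Please create the following TXT record in your nudra.cl. zone:
traefik  | _acme-challenge.local.nudra.cl. 120 IN TXT "pBXuqX8n2YivpYc28RshTE3qKtLe3hWMZcY3QaWqXWI"
traefik  | lego: Press 'Enter' when you are done
traefik  | lego: Please create the following TXT record in your nudra.cl. zone:
traefik  | _acme-challenge.local.nudra.cl. 120 IN TXT "eXwMf_6T8Eb0UQx-5c8M2QJo0ChfcnG_opBjU0G1xKA"
"""

ZONE_RE = re.compile(r"lego: Please create the following TXT record in your (?P<zone>\S+) zone:")
RR_RE = re.compile(r'(?P<name>_acme-challenge\.\S+)\s+(?P<ttl>\d+)\s+IN\s+TXT\s+"(?P<token>[A-Za-z0-9_-]+)"')


@dataclass(frozen=True)
class ChallengeRecord:
    zone: str   # zone name as lego prints it, e.g. "nudra.cl."
    name: str   # owner name of the TXT record (trailing dot kept)
    ttl: int
    token: str  # ACME key-authorization digest lego asked for


def parse_challenge_records(log: str) -> list[ChallengeRecord]:
    """Pair each 'Please create' prompt with the TXT record line that follows it."""
    records: list[ChallengeRecord] = []
    zone = None
    for raw in log.splitlines():
        line = raw.split("| ", 1)[-1]  # drop the docker-compose container prefix, if any
        m = ZONE_RE.search(line)
        if m:
            zone = m.group("zone")
            continue
        m = RR_RE.search(line)
        if m and zone:
            records.append(ChallengeRecord(zone, m.group("name"), int(m.group("ttl")), m.group("token")))
    return records


def to_nsupdate(records: list[ChallengeRecord], server: str = "ns.example.invalid") -> str:
    """Render an nsupdate batch adding every record (server is a placeholder).
    local.nudra.cl and *.local.nudra.cl share one owner name, so two TXT records
    must coexist at _acme-challenge.local.nudra.cl; 'update add' appends rather than replaces."""
    lines = [f"server {server}"]
    for zone, group in itertools.groupby(records, key=lambda r: r.zone):
        lines.append(f"zone {zone}")
        lines.extend(f'update add {r.name} {r.ttl} IN TXT "{r.token}"' for r in group)
        lines.append("send")
    return "\n".join(lines) + "\n"
```

Feed the rendered batch to nsupdate with a TSIG key that is allowed to update the zone; the records can be removed again once the certificate has been issued.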

Can you enter your domain name on a public network and have it resolve to your IP? LetsEncrypt servers will connect to your DNS and try to verify the TXT record.

provider: manual is used for manually setting the TXT record; it needs input at lego: Press 'Enter' when you are done, which is probably not waiting because you are in a container without an input option. And it will probably not use delayBeforeCheck, as it waits for input; why add another wait?

I have also very rarely seen the use of disablePropagationCheck: true.

Not sure if there is an automated way for go-acme to interface with bind9, but there was a support question.