Comments (9)
Are port 53 DNS queries against your instance working? You are listening on 1053 but will need to port forward this externally from 53 for normal DNS queries to work (you may already be doing that). I'd imagine if that doesn't work then it also won't be able to use itself to complete a DNS challenge for it's own cert. There was/used to be an http-01 challenge mode but I don't know the config to use that instead of DNS validation.
from acme-dns.
Hi @protogenxl, I ran into a similar issue.
In my case, I was running the acme-dns.service as a non-root user, and the user did not have write permission in his home directory. By default, the service uses WorkingDirectory=~
.
Are you running the service as root?
EDIT
Does the user runner the service has write permissions in /etc/acme-dns/api-certs
?
from acme-dns.
@webprofusion-chrisc yes the DNS forward on my firewall seems to working correctly
2022-12-27 08:11:12 Allow 8.0.38.4 8.8.8.8 dns/udp 53597 53 6-WAN 1-Trusted ProxyAllow: DNS question match (LetsEncryptDNS-proxy-00) DNS-Incoming.1 proc_id="dns-proxy" rc="590" msg_id="1DFF-000E" proxy_act="DNS-Incoming.1" rule_name="*" query_type="A" question="nS2.halibut.juggedfish.com" | Traffic
2022-12-27 08:11:12 Allow 8.0.38.4 8.8.8.8 dns/udp 53597 53 6-WAN 1-Trusted Allowed 82 55 (LetsEncryptDNS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="10.110.144.53" dst_port_nat="1053" | Traffic
@novakele I am running the service as acme-dns and permissions appear to be correct
[root@halibut ~]# cd /etc/acme-dns/api-certs
[root@halibut api-certs]# ls -lah
total 0
drwx------ 4 992 acme-dns 100 Dec 27 08:03 .
drwxrwxr-x 3 root acme-dns 60 Dec 21 06:17 ..
drwx------ 3 992 acme-dns 60 Dec 20 23:53 acme
drwx------ 2 992 acme-dns 142 Dec 27 08:03 locks
-rw------- 1 992 acme-dns 0 Dec 21 06:17 rw_test_288443979776093768
-rw------- 1 992 acme-dns 0 Dec 21 06:17 rw_test_9142020181166123590
from acme-dns.
It is strange that the owner uid (992) does not resolve to the user acme-dns.
Could you provide the output of id acme-dns
? Should the uid of acme-dns be anything else than 992, that is your problem.
Here are the permissions for my instance:
root@lighthouse:~# tree -pufidg /var/lib/acme-dns/
[drwxr-xr-x acme-dns acme-dns] /var/lib/acme-dns
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/acme
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users/<EMAIL>
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/certificates
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/certificates/acme-v02.api.letsencrypt.org-directory
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/certificates/acme-v02.api.letsencrypt.org-directory/<DOMAIN>
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/locks
[drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/ocsp
Also, here is the output of the same commands you ran (I use /var/lib/acme-dns
instead of /etc/acme-dns
for the home directory):
root@lighthouse:~# cd /var/lib/acme-dns/api-certs/
root@lighthouse:/var/lib/acme-dns/api-certs# ls -lah
total 24K
drwx------ 6 acme-dns acme-dns 4.0K Dec 23 22:19 .
drwxr-xr-x 3 acme-dns acme-dns 4.0K Dec 23 23:31 ..
drwx------ 3 acme-dns acme-dns 4.0K Dec 23 22:19 acme
drwx------ 3 acme-dns acme-dns 4.0K Dec 23 22:19 certificates
drwx------ 2 acme-dns acme-dns 4.0K Dec 23 22:19 locks
drwx------ 2 acme-dns acme-dns 4.0K Dec 23 22:19 ocsp
from acme-dns.
See #315, I encountered similar problems. I am using the Dockerfile to run acme-dns.
The v0.8 release works just fine. In my opinion this is not an environment problem, but a problem of the software itself.
On my profile I've got an improved Dockerfile based on the v0.8 release.
from acme-dns.
I'm seeing similar behavior to what has been reported here and in #315 on a new installation in FreeBSD 13.1-RELEASE-p5 and the current upstream compiled and packaged acme-dns-1.0_3,1
(installed today).
- DNS queries from outside the perimeter, directed at the public DNS name of the delegation, are answered as expected (both expecting a result as well as expecting NXDOMAIN) Edit: SOA record also confirmed served to outside request
- Trying to connect to the HTTP API using curl results in a TLS handshake error
- There are no suggestions in the logs of any issues
- There do not appear to be any permission problems on the file system (other than acme-dns configured by the port author to be running as root)
time="2023-02-01T19:13:53-08:00" level=info msg="Using config file" file=/usr/local/etc/acme-dns/config.cfg
time="2023-02-01T19:13:53-08:00" level=info msg="Connected to database"
time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=A
time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=NS
time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=SOA
time="2023-02-01T19:13:53-08:00" level=info msg="Listening HTTPS" domain=<DELEGATED_NS_NAME> host="0.0.0.0:443"
time="2023-02-01T19:13:53-08:00" level=info msg="Listening DNS" addr= proto=tcp
time="2023-02-01T19:13:53-08:00" level=info msg="Listening DNS" addr= proto=udp
time="2023-02-01T19:14:36-08:00" level=debug msg="Answering question for domain" domain=should.fail.<MY_DOMAIN>. qtype=A rcode=NXDOMAIN
time="2023-02-01T19:15:11-08:00" level=info msg="http: TLS handshake error from <TEST_HOST_IP>:57801: no certificate available for '<DELEGATED_NS_NAME>'"
On a subsequent restart, I additionally get
time="2023-02-01T19:29:33-08:00" level=info msg="2023/02/01 19:29:33 [INFO][FileStorage:/var/db/acme-dns/api-certs] Lock for 'issue_cert_<DELEGATED_NS_NAME>' is stale (created: 2023-02-01 19:13:53.163243238 -0800 PST, last update: 2023-02-01 19:29:23.133675565 -0800 PST); removing then retrying: /var/db/acme-dns/api-certs/locks/issue_cert_<DELEGATED_NS_NAME>.lock"
sudo find var/db/acme-dns/api-certs/ -type d -exec ls -ld {} \;
drwx------ 4 root wheel 4 Feb 1 19:13 var/db/acme-dns/api-certs/
drwx------ 2 root wheel 3 Feb 1 19:13 var/db/acme-dns/api-certs/locks
drwx------ 4 root wheel 4 Feb 1 19:15 var/db/acme-dns/api-certs/acme
drwx------ 3 root wheel 3 Feb 1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory
drwx------ 3 root wheel 3 Feb 1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users
drwx------ 2 root wheel 4 Feb 1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users/<NOTIFICATON_EMAIL>
drwx------ 3 root wheel 3 Feb 1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory
drwx------ 3 root wheel 3 Feb 1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory/users
drwx------ 2 root wheel 4 Feb 1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory/users/<NOTIFICATON_EMAIL>
$ egrep -v '^#' usr/local/etc/acme-dns/config.cfg
[general]
protocol = "both"
domain = "<DELEGATED_NS_NAME>"
nsname = "<DELEGATED_NS_NAME>"
nsadmin = "<[email protected]>"
records = [
# domain pointing to the public IP of your acme-dns server
"<DELEGATED_NS_NAME>. A <DELEGATED_NS_PUBLIC_IP>",
# specify that auth.example.org will resolve any *.auth.example.org records
"<DELEGATED_NS_NAME>. NS <DELEGATED_NS_NAME>.",
]
debug = true
[database]
engine = "sqlite3"
connection = "/var/db/acme-dns/acme-dns.db"
[api]
ip = "0.0.0.0"
disable_registration = false
port = "443"
tls = "letsencrypt"
acme_cache_dir = "/var/db/acme-dns/api-certs"
notification_email = "<NOTIFICATON_EMAIL>"
corsorigins = [
"*"
]
use_header = false
header_name = "X-Forwarded-For"
[logconfig]
loglevel = "debug"
logtype = "stdout"
logformat = "text"
from acme-dns.
Related Issues (20)
- Acme DNS can issue only 1 subdomain HOT 1
- automatic renewals HOT 2
- Odd error once in a while (wsarecvfrom) HOT 3
- Keep track of creation date for unused accounts
- Support of DuckDNS.org API HOT 1
- Build fails with go 1.15
- /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found HOT 4
- auth.acme-dns.io has become unavailable HOT 1
- README adduser command wrong
- acme-dns only saves a single TXT record, not 2
- Configuration questions HOT 1
- error message every 10 minutes about managing the server certificate HOT 8
- Register endpoint with configurable subdomain HOT 3
- CAA issues when higher level domain has a CAA HOT 2
- Add `server_url` to JSON storage file
- nxdomain responses include huge timeouts HOT 2
- Is it possible to add support for Dynamic DNS subdomains
- Add support for PROXY protocol
- Please accept the PR for making registration endpoint configurable HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from acme-dns.