foxcpp / maddy

✉️ Composable all-in-one mail server.

Home Page:https://maddy.email


Gandi dns-01 challenge fail: 400 Absolute rrset_name must end with mydomain.org

onny opened this issue · comments

Describe the bug

Getting the following error trying to renew the TLS cert with the dns-01 challenge and Gandi: could not get certificate from issuer {"error":"[example.org] solving challenges: presenting for challenge: adding temporary record for zone \"example.org.\": LiveDNS returned a 400 (Absolute rrset_name must end with example.org. (_acme-challenge.)

I was already using it like this for a while, but renewing the cert seems to fail.

Configuration file

$(hostname) = mx1.example.org
$(primary_domain) = example.org
$(local_domains) = $(primary_domain)
hostname mx1.example.org

tls {
  loader acme {
    email onny@project-insanity.org
    agreed
    hostname mx1.example.org
    challenge dns-01
    dns gandi {
      api_token "{env:GANDI_API_KEY}"
    }
  }
}

Log files

Aug 17 15:07:56 piproxy maddy[759807]: tls.loader.acme/acme_client: trying to solve challenge {"ca":"https://acme-v02.api.letsencrypt.org/directory","challenge_type":"dns-01","identifier":"example.org"}
Aug 17 15:07:57 piproxy maddy[759807]: tls.loader.acme/acme_client: cleaning up solver {"challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.example.org\" (usually OK if presenting also failed)","identifier":"example.org"}
Aug 17 15:07:57 piproxy maddy[759807]: tls.loader.acme/obtain: could not get certificate from issuer {"error":"[example.org] solving challenges: presenting for challenge: adding temporary record for zone \"example.org.\": LiveDNS returned a 400 (Absolute rrset_name must end with example.org. (_acme-challenge.)) (order=https://acme-v02.api.letsencrypt.org/acme/order/1114545927/202211442616) (ca=https://acme-v02.api.letsencrypt.org/directory)","identifier":"example.org","issuer":"acme-v02.api.letsencrypt.org-directory"}

Environment information

  • maddy version: 0.7

Hitting the same issue

d9920f0 might fix it, but not sure tbh.

Somehow the identifier ends up empty and libdns attempts to create a DNS record for _acme-challenge. (without example.org). No idea why this happens, might be a bug in Certmagic.

hey @foxcpp , I just tried master and the issue continues to manifest itself unfortunately.

I upgraded to certmagic v0.18.2 and the problem still exists. v0.19.x has breaking API changes so it was more difficult to test.

Hey folks, finally had some time to look deeper into the problem. The issue most likely was caused by a change in what kind of data the Gandi API accepts. I created a PR that fixes the issue, in the gandi libdns repo: libdns/gandi#12

Things are moving quite slowly in those repos, so in the meantime I created a temporary Docker build based on that libdns PR and this branch on my Maddy fork: https://github.com/nustiueudinastea/maddy/tree/fix-gandi-cert

You can get it from nustiueudinastea/maddy:gandi-fix. This image has been tested and working.
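The mechanism foxcpp describes above (an empty identifier leaving libdns with the bare name "_acme-challenge.") and the provider-side fix referenced in libdns/gandi#12 both come down to one computation: turning the absolute challenge name into an rrset_name that LiveDNS will accept for the zone. The following is an added example written for this page; it is not maddy's, certmagic's or libdns/gandi's code and does not reproduce the actual patch. RelativeName, ChallengeName and CheckRRSetName are hypothetical helpers, and CheckRRSetName only mirrors the rule stated in the 400 message quoted in this issue, not Gandi's real validation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrOutsideZone is returned when a record name does not belong to the zone.
var ErrOutsideZone = errors.New("record name is not inside the zone")

// RelativeName turns an absolute record name (with or without a trailing dot)
// into the name relative to zone, the form a provider should send as
// rrset_name. "_acme-challenge.example.org." in zone "example.org." becomes
// "_acme-challenge"; the zone apex becomes "@". A bare "_acme-challenge."
// (the name in the 400 above) is rejected because it is not inside the zone.
func RelativeName(zone, name string) (string, error) {
	z := strings.ToLower(strings.TrimSuffix(zone, "."))
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	switch {
	case z == "":
		return "", errors.New("empty zone")
	case n == "":
		return "", errors.New("empty record name")
	case n == z:
		return "@", nil
	case strings.HasSuffix(n, "."+z):
		return strings.TrimSuffix(n, "."+z), nil
	}
	return "", fmt.Errorf("%w: %q not in %q", ErrOutsideZone, name, zone)
}

// ChallengeName builds the FQDN of the dns-01 TXT record for an ACME
// identifier. It refuses an empty identifier instead of silently producing
// "_acme-challenge.", which is what the failing request in this issue sent.
func ChallengeName(identifier string) (string, error) {
	id := strings.TrimSuffix(strings.TrimSpace(identifier), ".")
	if id == "" {
		return "", errors.New("empty ACME identifier")
	}
	return "_acme-challenge." + id + ".", nil
}

// CheckRRSetName is an assumption drawn only from the error text quoted in
// this issue ("Absolute rrset_name must end with example.org."): a relative
// name is accepted as-is, an absolute one (trailing dot) must end with the
// zone. It is a client-side pre-check, not Gandi's server logic.
func CheckRRSetName(zone, rrsetName string) error {
	z := strings.ToLower(strings.TrimSuffix(zone, ".")) + "."
	if !strings.HasSuffix(rrsetName, ".") {
		return nil // relative name, always acceptable
	}
	r := strings.ToLower(rrsetName)
	if r != z && !strings.HasSuffix(r, "."+z) {
		return fmt.Errorf("400 Absolute rrset_name must end with %s (%s)", z, rrsetName)
	}
	return nil
}

func main() {
	zone := "example.org." // zone string as certmagic hands it to the provider
	// Constructed inputs: a normal identifier and the empty one from this issue.
	for _, id := range []string{"example.org", ""} {
		fqdn, err := ChallengeName(id)
		if err != nil {
			fmt.Println("refused:", err)
			continue
		}
		rel, err := RelativeName(zone, fqdn)
		fmt.Printf("%s -> rrset_name %q (err=%v)\n", fqdn, rel, err)
	}
	// The name that produced the 400 in the log, and two acceptable forms.
	fmt.Println(CheckRRSetName(zone, "_acme-challenge."))
	fmt.Println(CheckRRSetName(zone, "_acme-challenge"))
	fmt.Println(CheckRRSetName(zone, "_acme-challenge.example.org."))
}
```

Running it shows the two places a provider can catch this class of bug before the API does: refusing to build a challenge name from an empty identifier, and refusing to send a name that is not inside the zone it was given.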

there's a new release of libdns/gandi plugin, has someone tested it? might fix the problem 👀 https://github.com/libdns/gandi/releases/tag/v1.0.3

That’s the fix I submitted, and it does fix it. Will make a maddy PR with the library upgrades today or tomorrow.

@foxcpp, I created a PR with the fix for this issue. Hopefully you will be able to create a new release as well once it's merged. Thanks!