this post was submitted on 16 Jun 2023
4 points (100.0% liked)

Selfhosted

EDIT: Issue now resolved. Turns out that having an A record point to a DNS server probably wasn't the best idea. My best theory here is that A records pointing to DNS servers means "Find the authority on this domain at this other DNS server", which could never resolve. By pointing it to my VPS, the DNS could resolve to a definitive IP, and the certs were successfully generated.

Hi all, hope someone can help as I'm just confused now!

Long story short I want to host local services (like ntfy) using trusted certificates. I hoped to do this with Caddy and a wildcard domain (I don't want to expose the DNS records of the services I'm running if not necessary).

In my DNS I have an A record for *.local.example.com pointing at a semi-random IP. I have other services on a VPS on other subdomains so I can't just use a wildcard. This looks like:

blog  A  <VPS IP>
*.local  A  1.1.1.1

On the server in my home network (which I do not want to expose) I have dnsmasq running that is handling local DNS records for services on the LAN but carefully not the remote services on the same domain. Using dig I can see that the local and remote DNS are working as expected. Seeing the error on DNS-01 challenges "could not determine zone for domain "_acme-challenge.local.example.com"" I have also added an exception in my local DNS for _acme-challenge.local to point to cloudflare's DNS at 1.1.1.1. The dig command confirms this works as expected after restarting dnsmasq.

With the following Caddyfile:

*.local.example.com {
        tls {
                dns <dns provider plugin> <API token>
        }

        @ntfy host ntfy.local.example.com
        handle @ntfy {
                reverse_proxy ntfy
        }
}

Every DNS-01 challenge fails with "...solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.local.example.com"...".

I think this should be possible, but I'm not clear what I'm missing so any help greatly appreciated. I'm just dipping my toes into self-hosting and actually getting practical use out of my Raspberry Pi that's been collecting dust for years.
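As an added illustration of the step that is failing here (this is example code, not from the post and not Caddy's own source), the sketch below shows how ACME DNS-01 solvers such as the one in Caddy's ACME library work out which zone the `_acme-challenge` TXT record belongs in: they take the challenge name, strip one label at a time and ask the system resolver for an SOA record until one answers. The resolvers in the example are constructed in-memory tables standing in for real DNS; the third one models a LAN resolver that hands back no SOA for any name in the chain, which reproduces the exact "could not determine zone" wording from the post.

```python
"""Offline model of ACME DNS-01 zone discovery (added example, not Caddy code).

A DNS-01 solver must create a TXT record at _acme-challenge.<name> through the
DNS provider's API, and the API wants the zone name plus a record name relative
to that zone.  Solvers find the zone by walking up the labels of the challenge
name and querying SOA until a name answers.  Which resolver answers matters:
the query goes to the system resolver, so a split-horizon LAN resolver that
serves the subdomain itself but returns no SOA breaks the walk.
"""
from typing import Callable, Dict, Optional

# A resolver here is just "name -> SOA primary nameserver, or None if no SOA".
SoaLookup = Callable[[str], Optional[str]]


def challenge_name(site: str) -> str:
    """*.local.example.com -> _acme-challenge.local.example.com"""
    base = site[2:] if site.startswith("*.") else site
    return f"_acme-challenge.{base.rstrip('.')}"


def find_zone(fqdn: str, lookup_soa: SoaLookup) -> Optional[str]:
    """Strip labels from the left until lookup_soa() returns an answer.

    Stops before the bare TLD: an SOA for "com" is never the zone we can
    write records into, so it would only mask the real failure.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if lookup_soa(candidate) is not None:
            return candidate
    return None


def plan_challenge(site: str, lookup_soa: SoaLookup) -> Dict[str, str]:
    """Return the zone and relative record name the provider API needs,
    or an error in the same form Caddy logs when the walk finds nothing."""
    fqdn = challenge_name(site)
    zone = find_zone(fqdn, lookup_soa)
    if zone is None:
        return {"challenge": fqdn,
                "error": f'could not determine zone for domain "{fqdn}"'}
    relative = fqdn[: -(len(zone) + 1)]  # drop ".<zone>" suffix
    return {"challenge": fqdn, "zone": zone, "record": relative}


# --- constructed resolvers (sample data, not real DNS) ----------------------

def public_resolver(name: str) -> Optional[str]:
    """What a recursive resolver sees: only the registrar-hosted zone has an
    SOA, so records for *.local live in example.com as "_acme-challenge.local"."""
    return {"example.com": "ns1.registrar.invalid."}.get(name)


def delegated_resolver(name: str) -> Optional[str]:
    """Same, but local.example.com has been delegated as its own zone (NS+SOA),
    so the TXT record must be written there instead."""
    return {"example.com": "ns1.registrar.invalid.",
            "local.example.com": "ns.lan.invalid."}.get(name)


def lan_only_resolver(name: str) -> Optional[str]:
    """A LAN resolver that answers A records for local.example.com itself but
    holds no SOA and does not forward the parent's SOA query upstream."""
    return None


if __name__ == "__main__":
    for label, resolver in [("public", public_resolver),
                            ("delegated", delegated_resolver),
                            ("lan-only", lan_only_resolver)]:
        print(label, plan_challenge("*.local.example.com", resolver))
```

Running it prints a zone of `example.com` with record `_acme-challenge.local` for the public view, `local.example.com` with record `_acme-challenge` for the delegated view, and the "could not determine zone" error for the LAN-only view. A quick real-world check of the same walk is `dig SOA _acme-challenge.local.example.com`, then `dig SOA local.example.com`, then `dig SOA example.com`, run from the host Caddy runs on so that the answers come from the resolver Caddy actually uses.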

[–] [email protected] 2 points 1 year ago (1 children)

Are you able to identify what DNS provider you are using, as I read the error as being related to the cert resolver not being able to access the correct zone from the DNS provider. I am using cloudflare and the Caddy file looks pretty similar to mine, so I'm not sure the issue is there.

One other thing to try is to restart caddy. I found that sometimes reloading my caddy file wasn't enough, and things seemed to stay working after I restarted the docker image.

[–] [email protected] 1 points 1 year ago (2 children)

Yes it's ionos. I think from the other comment and the fact my DNS hasn't been changed (I'd assume I should be able to see the acme challenge record if it was successful) the DNS integration seems to be the culprit. Not sure how to fix it though!

[–] [email protected] 2 points 1 year ago (1 children)

Does Caddy come with the ionos dns challenge plugin built into it or do you need to compile it with the plugin?

https://caddyserver.com/docs/build#xcaddy

[–] [email protected] 1 points 1 year ago

No but it's an important step I didn't cover in the post so good spot. I've solved my issue now, see the edit in the post.

[–] [email protected] 1 points 1 year ago

So I put debug mode on and I see no requests to Ionos which seems like it's the main problem.