lego
gcloud NS returned REFUSED for _acme-challenge even if DNS propagation is done
Welcome
- [X] Yes, I'm using a binary release within 2 latest releases.
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
- [X] Yes, I've included all information below (version, config, etc).
What did you expect to see?
Lego implementation in Traefik should be able to request a wildcard certificate to Google Cloud DNS
What did you see instead?
Lego fails to renew LE certificates with Google Cloud DNS resolver. Lego just waits forever for DNS propagation even if the DNS is already propagated and the renewal process dies with a REFUSED error from Google's DNS.
How do you use lego?
Through Traefik
Reproduction steps
This issue has been intensively discussed here (resulting in this ticket) with quite some testing and network capturing that can give a better explanation of the scenario: https://community.letsencrypt.org/t/error-renewing-certificate-from-le-ns-returned-refused-for-acme-challenge/174132
I can provide further information if required.
Version of lego
Whatever is embedded in Traefik version 2.6.1
Logs
time="2022-03-21T10:03:06Z" level=debug msg="legolog: [INFO] [lan.ooo] acme: Waiting for DNS record propagation."
time="2022-03-21T10:03:11Z" level=debug msg="legolog: [INFO] [lan.ooo] acme: Waiting for DNS record propagation."
time="2022-03-21T10:03:16Z" level=debug msg="legolog: [INFO] [*.lan.ooo] acme: Cleaning DNS-01 challenge"
time="2022-03-21T10:03:17Z" level=debug msg="legolog: [INFO] [lan.ooo] acme: Cleaning DNS-01 challenge"
time="2022-03-21T10:03:18Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/89922545260 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"0001_j5-NnkuFE3aX_llcuosRpw9Iy8txDOrr-xd8EfP8yw\""
time="2022-03-21T10:03:19Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/89922545260"
time="2022-03-21T10:03:19Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/89922545270"
time="2022-03-21T10:03:19Z" level=error msg="Unable to obtain ACME certificate for domains \"lan.ooo,*.lan.ooo\" : unable to generate a certificate for the domains [lan.ooo *.lan.ooo]: error: one or more domains had a problem:\n[*.lan.ooo] time limit exceeded: last error: NS ns-cloud-b4.googledomains.com. returned REFUSED for _acme-challenge.lan.ooo.\n[lan.ooo] time limit exceeded: last error: NS ns-cloud-b4.googledomains.com. returned REFUSED for _acme-challenge.lan.ooo.\n" providerName=googleresolver.acme
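Added example, not code from the issue or from lego/Traefik: a standard-library Go snippet that pulls the per-identifier "NS ... returned <RCODE>" failures out of a Traefik log line like the last one above and separates a nameserver refusal (REFUSED, which waiting longer cannot fix) from a genuine propagation delay (NXDOMAIN). It assumes lego keeps the "NS <server> returned <RCODE> for <record>" wording shown in these logs.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// ChallengeError is one per-identifier DNS-01 failure pulled from a lego log message.
type ChallengeError struct {
	Domain, NS, Rcode, Record string // e.g. "*.lan.ooo", "ns-cloud-b4.googledomains.com.", "REFUSED", "_acme-challenge.lan.ooo."
}
// Traefik logfmt-quotes the message (msg="..."), so \" and \n inside it must be unescaped before matching.
var msgRe = regexp.MustCompile(`msg=("(?:[^"\\]|\\.)*")`)
var failRe = regexp.MustCompile(`\[([^\]]+)\] time limit exceeded: last error: NS (\S+) returned ([A-Z]+) for (\S+)`)
// ParseLine extracts every "NS <server> returned <RCODE> for <record>" failure in one log line.
func ParseLine(line string) []ChallengeError {
	m := msgRe.FindStringSubmatch(line)
	if m == nil {
		return nil
	}
	msg, err := strconv.Unquote(m[1]) // Go string escapes cover the logfmt escapes used here
	if err != nil {
		return nil
	}
	var out []ChallengeError
	for _, f := range failRe.FindAllStringSubmatch(msg, -1) {
		out = append(out, ChallengeError{Domain: f[1], NS: f[2], Rcode: f[3], Record: f[4]})
	}
	return out
}
// Diagnose separates a real propagation delay (NXDOMAIN: record not visible yet) from
// REFUSED (RFC 1035 rcode 5), where the server declines the query and waiting cannot help.
func Diagnose(e ChallengeError) string {
	switch e.Rcode {
	case "NXDOMAIN":
		return "propagation delay: " + e.Record + " not yet visible at " + e.NS
	case "REFUSED":
		return "not a propagation delay: " + e.NS + " refused the query for " + e.Record + "; check it is authoritative for that zone"
	}
	return "unexpected rcode " + e.Rcode + " from " + e.NS + " for " + e.Record
}
// sampleLine is the final error line from the issue's log, copied verbatim.
const sampleLine = `time="2022-03-21T10:03:19Z" level=error msg="Unable to obtain ACME certificate for domains \"lan.ooo,*.lan.ooo\" : unable to generate a certificate for the domains [lan.ooo *.lan.ooo]: error: one or more domains had a problem:\n[*.lan.ooo] time limit exceeded: last error: NS ns-cloud-b4.googledomains.com. returned REFUSED for _acme-challenge.lan.ooo.\n[lan.ooo] time limit exceeded: last error: NS ns-cloud-b4.googledomains.com. returned REFUSED for _acme-challenge.lan.ooo.\n" providerName=googleresolver.acme`

func main() {
	for _, e := range ParseLine(sampleLine) {
		fmt.Printf("%s: %s\n", e.Domain, Diagnose(e))
	}
}
```

Run against a whole Traefik log (one call per line) it surfaces the two failing identifiers and the refusing nameserver without scrolling through the "Waiting for DNS record propagation" lines.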
Go environment (if applicable)
$ go version && go env
# paste output here