
gcloud NS returned REFUSED for _acme-challenge even if DNS propagation is done

Open guarnacciaa opened this issue 2 years ago • 0 comments

Welcome

  • [X] Yes, I'm using a binary release within 2 latest releases.
  • [X] Yes, I've searched similar issues on GitHub and didn't find any.
  • [X] Yes, I've included all information below (version, config, etc).

What did you expect to see?

The lego implementation in Traefik should be able to request a wildcard certificate via Google Cloud DNS.

What did you see instead?

Lego fails to renew LE certificates with Google Cloud DNS resolver. Lego just waits forever for DNS propagation even if the DNS is already propagated and the renewal process dies with a REFUSED error from Google's DNS.

How do you use lego?

Through Traefik

Reproduction steps

This issue has been intensively discussed here (resulting in this ticket) with quite some testing and network capturing that can give a better explanation of the scenario: https://community.letsencrypt.org/t/error-renewing-certificate-from-le-ns-returned-refused-for-acme-challenge/174132

I can provide further information if required.

Version of lego

Whatever is embedded in Traefik version 2.6.1

Logs

time="2022-03-21T10:03:06Z" level=debug msg="legolog: [INFO] [lan.ooo] acme: Waiting for DNS record propagation."
time="2022-03-21T10:03:11Z" level=debug msg="legolog: [INFO] [lan.ooo] acme: Waiting for DNS record propagation."
time="2022-03-21T10:03:16Z" level=debug msg="legolog: [INFO] [*.lan.ooo] acme: Cleaning DNS-01 challenge"
time="2022-03-21T10:03:17Z" level=debug msg="legolog: [INFO] [lan.ooo] acme: Cleaning DNS-01 challenge"
time="2022-03-21T10:03:18Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/89922545260 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"0001_j5-NnkuFE3aX_llcuosRpw9Iy8txDOrr-xd8EfP8yw\""
time="2022-03-21T10:03:19Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/89922545260"
time="2022-03-21T10:03:19Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/89922545270"
time="2022-03-21T10:03:19Z" level=error msg="Unable to obtain ACME certificate for domains \"lan.ooo,*.lan.ooo\" : unable to generate a certificate for the domains [lan.ooo *.lan.ooo]: error: one or more domains had a problem:\n[*.lan.ooo] time limit exceeded: last error: NS ns-cloud-b4.googledomains.com. returned REFUSED for _acme-challenge.lan.ooo.\n[lan.ooo] time limit exceeded: last error: NS ns-cloud-b4.googledomains.com. returned REFUSED for _acme-challenge.lan.ooo.\n" providerName=googleresolver.acme

Go environment (if applicable)

$ go version && go env
# paste output here

guarnacciaa Mar 25 '22 20:03
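A raw-packet version of the check lego performs while "Waiting for DNS record propagation", added here as an illustration and not lego's or Traefik's own code: it sends a TXT query for _acme-challenge.<zone> straight to one authoritative server and reports the response RCODE, so a REFUSED (RCODE 5) like the one in the log can be reproduced and inspected outside the ACME flow. The zone and server IP in the main block are placeholders, and the sample response bytes are constructed.

```python
import socket
import struct

# Standard DNS response codes (RFC 1035); 5 is the REFUSED seen in the log.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_TXT = 16
CLASS_IN = 1


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a single-question query for <name> TXT IN with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def parse_rcode(response: bytes, expected_txid: int = 0x1234) -> str:
    """Return the textual RCODE from a response header after checking txid and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")


def check_challenge_record(zone: str, nameserver_ip: str, timeout: float = 3.0) -> str:
    """Query the given authoritative server for _acme-challenge.<zone> TXT; return the RCODE name."""
    query = build_txt_query(f"_acme-challenge.{zone}")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver_ip, 53))
        response, _ = sock.recvfrom(4096)
    return parse_rcode(response)


if __name__ == "__main__":
    # Placeholder zone and server address (TEST-NET-2); substitute the real
    # zone and the IP of one of its authoritative name servers.
    print(check_challenge_record("example.com", "192.0.2.53"))
```

Running it against each authoritative server of the zone separates "record not yet propagated" (NOERROR with no answer, or NXDOMAIN) from a server that refuses the query outright, which is the case this issue reports.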