rancher-letsencrypt

Subdomains not working

Open joshbenner opened this issue 7 years ago • 8 comments

I'm trying to use letsencrypt to get certificates for a Route53 hosted zone.

Hosted zone: example.com

Domains given to letsencrypt container: example.com,test.example.com,foo.test.example.com,bar.test.example.com

The container complains about not being able to find the zone for "test.example.com".

This was working in 0.3.0, but broke in 0.4.0. I suspect it may be related to changes for #23?

joshbenner avatar Feb 20 '17 05:02 joshbenner

I'm having the same problem. I have to dance around to get things to work the way I want.

I start up with 0.4.0 with the rancher-nfs volume driver, then upgrade the service to 0.3.0 to get subdomains working.

If I start with 0.3.0 first it won't create the volumes in rancher-nfs; if I only use 0.4.0 it just times out.

gregkeys avatar Mar 30 '17 01:03 gregkeys

Hello @janeczku, Same issue here. Regressing from v0.4.0 to v0.3.0 worked.

I also have a delegated subdomain, both in R53: Error is:

Error obtaining certificate: Time limit exceeded. Last error: NS ns-0.awsdns-00.com. returned REFUSED for _acme-challenge.mysubdomain.mydomain.com

ap0phi5 avatar Mar 30 '17 11:03 ap0phi5

I'm getting the same problem here after upgrading to 0.4.0. Sticking with 0.3.0 for now.

ampedandwired avatar May 10 '17 23:05 ampedandwired

@rocketeer125 In your case what is the zone name managed by Route53, mysubdomain or mydomain? @ampedandwired Are you using Route53 as well? Delegated subdomain?

janeczku avatar May 11 '17 11:05 janeczku

@janeczku In R53, I have multiple zones in my environment:

mydomain.com [PUBLIC]
... which contains NS records for:
mysubdomain.mydomain.com [PUBLIC] <-- This is the zone being used for letsencrypt.

NB, Not sure if relevant as your container references Zone ID, but I also have a private zone: mysubdomain.mydomain.com [PRIVATE]

ap0phi5 avatar May 11 '17 14:05 ap0phi5

v0.4.0 uses the resolvers in /etc/resolv.conf instead of Google's DNS servers. This breaks stuff when there is a private zone with the same name and the host running the service is in a VPC for which the private zone is active. In this case you need to configure the letsencrypt service with a public DNS resolver, which is now supported https://github.com/janeczku/rancher-letsencrypt/commit/e44c644d43d85c0a0d36b5f917d6e8bacba1f52f

janeczku avatar May 14 '17 00:05 janeczku
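
An added example, not code from rancher-letsencrypt or from anyone in this thread: given a list of hosted zones, it picks the public zone that should hold the _acme-challenge record for a domain and flags when a private zone covers the same name, the situation in which the service needs a public resolver. The Zone type, the Check function and the zone list are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Zone is a hosted zone as listed by the DNS provider (hypothetical type).
type Zone struct {
	Name    string
	Private bool
}

// inZone reports whether fqdn equals zone or is a label-aligned subdomain of it.
func inZone(fqdn, zone string) bool {
	return fqdn == zone || strings.HasSuffix(fqdn, "."+zone)
}

// Check returns the public zone that should receive the _acme-challenge TXT
// record for domain (longest suffix match) and whether a private zone also
// covers that name, so a resolver inside the VPC may never see the public record.
func Check(domain string, zones []Zone) (public string, shadowed bool) {
	fqdn := "_acme-challenge." + strings.ToLower(strings.TrimSuffix(domain, "."))
	for _, z := range zones {
		name := strings.ToLower(strings.TrimSuffix(z.Name, "."))
		if !inZone(fqdn, name) {
			continue
		}
		if z.Private {
			shadowed = true
		} else if len(name) > len(public) {
			public = name
		}
	}
	return public, shadowed
}

func main() {
	// Constructed zone list mirroring the layouts described in the thread.
	zones := []Zone{
		{"example.com", false}, {"mydomain.com", false},
		{"mysubdomain.mydomain.com", false}, {"mysubdomain.mydomain.com", true},
	}
	for _, d := range []string{"foo.test.example.com", "mysubdomain.mydomain.com", "www.mydomain.com"} {
		pub, shadowed := Check(d, zones)
		fmt.Printf("%-26s public zone: %-26s private zone shadows: %v\n", d, pub, shadowed)
	}
}
```

A domain reported as shadowed is one to validate through a public DNS resolver rather than the resolvers in /etc/resolv.conf.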

Yes, I'm using Route53:
mydomain.com <--- public zone
internal.mydomain.com <--- private zone

Encountered this issue while trying to set up a cert for xxx.internal.mydomain.com.

ampedandwired avatar May 22 '17 22:05 ampedandwired

Using NS1 as a provider and getting the same error. I tested with the root domain and it is working; only subdomains are not.

giovannicandido avatar Aug 14 '17 22:08 giovannicandido