
[HELP] DESEC_PROPAGATION_TIMEOUT environment variable ignored ?

Open palijn opened this issue 1 year ago • 2 comments

ACME certificate generation DNS Challenge from DeSec.io doesn't wait enough time for the propagation to occur, hence fails.

I tried to set the environment variable DESEC_PROPAGATION_TIMEOUT in my docker compose file. However, the logs show that the propagation timeout is always 2m0s.

Docker compose yaml :

services:
  zoraxy:
    image: zoraxydocker/zoraxy:latest
    container_name: zoraxy
    restart: unless-stopped
    ports:
      - 38080:80
      - 3443:443
      - 28182:28182
    volumes:
      - /home/docker/zoraxy/config:/opt/zoraxy/config/
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime
    environment:
      PORT: "28182"
      FASTGEOIP: "true"
      DESEC_PROPAGATION_TIMEOUT: "4m0s"
    dns:
      - 45.54.76.1
      - 1.1.1.1

(Note: github broke the yaml indentation, but the actual file is syntactically correct and compose works fine)

Typical log:

zoraxy | [2024-07-28 11:01:25.679657] [auth] [system:info] Authentication session key loaded from database
zoraxy | [2024-07-28 11:01:28.763198] [static-webserv] [system:info] Static Web Server started. Listeing on :5487
zoraxy | [2024-07-28 11:01:33.968824] [internal] [system:info] Starting ACME handler
zoraxy | [2024-07-28 11:01:33.969796] [internal] [system:info] Serving inbound port 443
zoraxy | [2024-07-28 11:01:33.969796] [internal] [system:info] Force latest TLS mode disabled. Minimum TLS version is set to v1.0
zoraxy | [2024-07-28 11:01:33.969919] [internal] [system:info] TLS mode enabled. Serving proxxy request with TLS
zoraxy | [2024-07-28 11:01:33.969995] [internal] [system:info] Port 80 listener disabled
zoraxy | [2024-07-28 11:01:33.969984] [internal] [system:info] Development mode enabled. Using no-store Cache Control policy
zoraxy | [2024-07-28 11:01:33.970148] [internal] [system:info] Force HTTPS mode disabled
zoraxy | [2024-07-28 11:01:33.971592] [proxy-config] [system:info] / -> 127.0.0.1:5487 routing rule loaded
zoraxy | [2024-07-28 11:01:34.272729] [internal] [system:info] Dynamic Reverse Proxy service started
zoraxy | [2024-07-28 11:01:34.272764] [dprouter] [system:info] Reverse proxy service started in the background (TLS mode)
zoraxy | [2024-07-28 11:01:34.282667] [internal] [system:info] Uptime Monitor background service started
zoraxy | [2024-07-28 11:01:34.470419] [internal] [system:info] Assigned temporary port:53838
zoraxy | [2024-07-28 11:01:34.470451] [internal] [system:info] Zoraxy started. Visit control panel at http://localhost:28182
zoraxy | [2024-07-28 11:01:59.644746] [internal] [system:info] mDNS Startup scan completed
zoraxy | 2024/07/28 11:02:00 [ACME] Obtaining certificate...
zoraxy | 2024/07/28 11:02:00 [INFO] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
zoraxy | 2024/07/28 11:02:00 [INFO] acme: Registering account for -redacted-
zoraxy | 2024/07/28 11:02:01 [INFO] [-redacted-] acme: Obtaining bundled SAN certificate
zoraxy | 2024/07/28 11:02:01 [INFO] [-redacted-] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/382887714507
zoraxy | 2024/07/28 11:02:01 [INFO] [-redacted-] acme: use dns-01 solver
zoraxy | 2024/07/28 11:02:01 [INFO] [-redacted-] acme: Preparing to solve DNS-01
zoraxy | 2024/07/28 11:02:01 [DEBUG] GET https://desec.io/api/v1/domains/-redacted-/rrsets/_acme-challenge/TXT/
zoraxy | 2024/07/28 11:02:01 [DEBUG] POST https://desec.io/api/v1/domains/-redacted-/rrsets/
zoraxy | 2024/07/28 11:02:01 [INFO] [-redacted-] acme: Trying to solve DNS-01
zoraxy | 2024/07/28 11:02:01 [INFO] [-redacted-] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
zoraxy | 2024/07/28 11:02:05 [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]
zoraxy | 2024/07/28 11:02:05 [INFO] [-redacted-] acme: Waiting for DNS record propagation.
zoraxy | 2024/07/28 11:02:09 [INFO] [-redacted-] acme: Waiting for DNS record propagation.
zoraxy | 2024/07/28 11:02:13 [INFO] [-redacted-] acme: Waiting for DNS record propagation.
zoraxy | 2024/07/28 11:02:18 [INFO] [-redacted-] acme: Waiting for DNS record propagation.
zoraxy | 2024/07/28 11:02:22 [INFO] [-redacted-] acme: Waiting for DNS record propagation.
zoraxy | 2024/07/28 11:02:32 [INFO] [-redacted-] acme: Cleaning DNS-01 challenge
zoraxy | 2024/07/28 11:02:32 [DEBUG] GET https://desec.io/api/v1/domains/-redacted-/rrsets/_acme-challenge/TXT/
zoraxy | 2024/07/28 11:02:32 [DEBUG] PATCH https://desec.io/api/v1/domains/-redacted-/rrsets/_acme-challenge/TXT/
zoraxy | 2024/07/28 11:02:32 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/382887714507
zoraxy | 2024/07/28 11:02:32 error: one or more domains had a problem:
zoraxy | [-redacted-] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: No TXT record found at _acme-challenge.-redacted-

palijn avatar Jul 28 '24 09:07 palijn

Hey @palijn,

Not sure where you got the information about the environment variable, but Zoraxy doesn't use environment variables for setting the timeout. DNS validation timeouts are coded inside the Zoraxy acmedns module and currently there is no manual way to set them (i.e. it is using the lego default, which is usually all right).

You can provide the recommended timeout value for your DNS supplier and the ACME module author will handle it by adding those exception rules to the module in the next release.

tobychui avatar Jul 28 '24 11:07 tobychui

Hi @tobychui, thanks for your answer. I got the environment variable information from lego itself. See https://go-acme.github.io/lego/dns/desec/ . Since Zoraxy uses lego, I bet (and lost the bet) that lego would still pull its environment variables to run.

Not being able to actually test the proper timeout (where would I do that? I'd love to do it!), I can't be definitive in providing the appropriate value. What I've seen while running my own DNS queries alongside Zoraxy is that

  • DeSec.io management console shows the TXT challenge record in a few seconds at most
  • then the Desec.io DNS servers (45.54.76.1) take their sweet time and actually respond with the TXT record in about 1min.
  • however, propagation to actual recursive servers such as 9.9.9.9 (Quad9) or 1.1.1.1 (Cloudflare) takes several minutes more.

Wouldn't it make sense to let lego pull its environment variables, and give Zoraxy all that flexibility "for free"?

palijn avatar Jul 28 '24 12:07 palijn
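The propagation check this thread is circling around, as an added example in Go that is not Zoraxy's or lego's own code: it reads the timeout from DESEC_PROPAGATION_TIMEOUT the way palijn expected (falling back to the 2m0s seen in the log, with the log's 4s polling interval), and polls a set of nameservers, for instance the deSEC authoritative server 45.54.76.1 and a public recursive resolver like 1.1.1.1, until every one of them returns the expected _acme-challenge TXT value or the timeout elapses. The function names, the constructed fakeLookup used to simulate a slow nameserver, and the challenge value are this example's own assumptions; only the environment variable name, the default timeout, the interval and the nameserver addresses come from the thread.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// Lookup resolves the TXT records of an FQDN. It is a function type so the
// wait loop can be driven by real nameservers or by an in-memory fake.
type Lookup func(ctx context.Context, fqdn string) ([]string, error)

// durationFromEnv follows the lego convention the thread refers to: an env var
// such as DESEC_PROPAGATION_TIMEOUT holds a Go duration string like "4m0s";
// when it is unset or unparsable the default (here 2m0s) is used.
func durationFromEnv(name string, def time.Duration) time.Duration {
	v, ok := os.LookupEnv(name)
	if !ok {
		return def
	}
	d, err := time.ParseDuration(v)
	if err != nil || d <= 0 {
		return def
	}
	return d
}

// resolverFor pins a resolver to one nameserver ("45.54.76.1:53"), so the
// authoritative server and public recursive resolvers can be checked
// separately, as palijn did by hand.
func resolverFor(nameserver string) Lookup {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, nameserver)
		},
	}
	return r.LookupTXT
}

// waitForPropagation polls every interval until each lookup returns the
// expected challenge value, or the timeout elapses. It returns the number of
// polls performed; the error is non-nil only on timeout.
func waitForPropagation(ctx context.Context, fqdn, expected string, lookups []Lookup, timeout, interval time.Duration) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	polls := 0
	for {
		polls++
		if allServe(ctx, fqdn, expected, lookups) {
			return polls, nil
		}
		select {
		case <-ctx.Done():
			return polls, fmt.Errorf("propagation timeout after %s: %w", timeout, ctx.Err())
		case <-time.After(interval):
		}
	}
}

// allServe is true only when every nameserver already answers with expected.
func allServe(ctx context.Context, fqdn, expected string, lookups []Lookup) bool {
	for _, lk := range lookups {
		values, err := lk(ctx, fqdn)
		if err != nil {
			return false // NXDOMAIN, SERVFAIL, timeout: not propagated yet
		}
		found := false
		for _, v := range values {
			if v == expected {
				found = true
			}
		}
		if !found {
			return false
		}
	}
	return true
}

// fakeLookup is a constructed nameserver that only starts serving the record
// on its readyAfter-th query, imitating the delay the thread describes.
func fakeLookup(readyAfter int, value string) Lookup {
	calls := 0
	return func(_ context.Context, _ string) ([]string, error) {
		calls++
		if calls < readyAfter {
			return nil, errors.New("NXDOMAIN")
		}
		return []string{value}, nil
	}
}

func main() {
	timeout := durationFromEnv("DESEC_PROPAGATION_TIMEOUT", 2*time.Minute)
	// Hypothetical domain and challenge value; real runs use the value the
	// ACME client just published via the deSEC API.
	lookups := []Lookup{resolverFor("45.54.76.1:53"), resolverFor("1.1.1.1:53")}
	polls, err := waitForPropagation(context.Background(), "_acme-challenge.example.org", "challenge-token", lookups, timeout, 4*time.Second)
	fmt.Printf("polls=%d err=%v\n", polls, err)
}
```

Checking the authoritative server first and the public recursive resolvers second mirrors the ordering palijn observed (seconds in the console, about a minute at 45.54.76.1, several minutes at 1.1.1.1 or 9.9.9.9); in the log above lego instead checked only Docker's embedded resolver at 127.0.0.11:53, so the timeout you need depends on which servers the check is pointed at.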

Hi,

I'd like to push this issue as I'm running into the same problem while using a different DNS provider (all-inkl). I can see the TXT being created in the all-inkl logs but the ZORAXY ACME tool fails with "No TXT record found at _acme-challenge.domain.tld".

Traefik also uses LEGO afaik and allows adding a delay before checking the entry, which can help to make that work.

Thanks!

SeAIMe avatar Oct 25 '24 10:10 SeAIMe

Propagation timeout option has been introduced in the ACME tool in v3.1.3.

tobychui avatar Nov 24 '24 07:11 tobychui