[BUG] Cloudflare DNS Challenge Not Working
Whenever I try to use the DNS challenge through Cloudflare, it just times out. The logs keep saying "Waiting for DNS record propagation" over and over. The auth token is working, because the TXT records are added to my DNS as soon as I click the Get Certificate button in Zoraxy. However, it just times out after that, as if the TXT records are being ignored and not found. I have it working fine in NPM, so I'm not sure what I'm missing in Zoraxy.
Can you send the logs?
Yeah no problem. Below are the logs. I just changed the fqdn to domain.com so I'm posting my actual domain, but the actual fqdn is being used in zoraxy. I have one domain that is not exposed to the public and one that it is. The logs below are for my internal only domain. I also tried this on the external domain that I have services exposed on. That also resulted in an error stating that it couldn't find the zone for my domain. However, the domain it listed is the domain for my DDNS that I have listed as a cname. It seems like the dns challenge is trying to validate off the wrong info. I'm not sure if this is related to logs below at all since I don't have an A record or CNAME for my internal services domain and that's what causes the issue. However, it is producing the TXT records to validate, so I'm not sure why that isn't enough.
Is this only happening with Zoraxy or have you tried any other proxy?
I think it might be the DNS settings.
Yeah it's only Zoraxy. I'm able to get certs and renew on NPM without any issues and using the same cloudflare token. Caddy is also able to get certs. So I'm not sure if the implementation is different with Zoraxy and that's what is causing the issue.
I have the same problems with cloudflare and ipv64. Both work fine with npm
If you use docker, ipv6 will not work by default, you should use the Host network or configure it specifically
It is possible that Zoraxy was accidentally restarted during an ssl certificate request and the record remained. Check your DNS panel and delete any records that you did not create. Something similar happens to me other times, but never like it did to you.
Zoraxy has been running without problems for three months since installation, as a Proxmox LXC. I've always gotten certificates for both without any problems. Now I've noticed that the challenge no longer works for either.
As I said, with npm it works for both without any problems.
I've installed 3.1.6
Entries are created and deleted for both.
It definitely didn't restart. I've deleted all old dns records and tried to get certs through zoraxy at least two dozen times and two different domains. It always times out and doesn't go through.
I am having the exact same issue. The DNS challenge is not working with Zoraxy, but it is with NPM and Caddy.
Same for me... the DNS challenge with Zoraxy and Cloudflare always times out! No issues with nginx btw ;)
This is definitely something weird, anyone with the same problem, send me your logs to this email, I will try to fix it [email protected]
Same here, fresh install, works on other proxies. Just to be clear, am I right to think this:
CF_API_EMAIL = AuthEmail
CF_API_KEY = AuthKey
CF_DNS_API_TOKEN = AuthToken
CF_ZONE_API_TOKEN = ZoneToken
Get this:

2025/02/10 15:28:00 [INFO] [zoraxy.mydomain.com] acme: Cleaning DNS-01 challenge
2025/02/10 15:28:01 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2*35/8085
[2025-02-10 15:28:01.541979] [ACME] [system:error] Obtain certificate failed: error: one or more domains had a problem:
[zoraxy.mydomain.com] propagation: time limit exceeded: last error: NS elisabeth.ns.cloudflare.com.:53 returned REFUSED for _acme-challenge.zoraxy.mydomain.com.
[2025-02-10 15:28:01.541996] [ACME] [system:info] Restoring HTTP to HTTPS redirect settings
[2025-02-10 15:28:01.542017] [dprouter] [system:info] HTTP to HTTPS redirection listener stopped
[2025-02-10 15:28:02.342249] [dprouter] [system:info] Starting HTTP-to-HTTPS redirector (port 80)
[2025-02-10 15:28:02.342309] [dprouter] [system:info] Reverse proxy service started in the background (TLS mode)

I also get this on Cloudflare, indicating that something might be wrong?
I also changed the lxc to run 1.1.1.1 dns nameserver just to eliminate my dns-over-tls opnsense
Same here with a fresh LXC container install; a Docker installation on a different machine fails as well. NPM, on the other hand, works just fine.
I have tried to update lego, can anyone try if this fixed the issue?
https://github.com/tobychui/zoraxy/tree/bugfix_acme_LE_http01
You might need to build from source using the branch in the above link.
I will tomorrow, have to wait for me. Will be 16-18h until then unfortunately
I've been having what seems to be a similar error since I started using Zoraxy a few months ago. I noticed that when the record is updated, Cloudflare will warn that the TXT record does not contain quotation marks around the content.
By immediately adding quotations to the record and saving manually in Cloudflare I've been able to successfully generate the certs many times. If my cert hadn't expired and not auto-renewed as I expected I wouldn't have noticed it was still an issue, I just assumed it was a problem with my setup.
Just to be clear I'm doing it through the WEBGUI and no it did not fix it for me. Still get same error. Fresh lxc container with new v.3.1.8
Actually got the same error on NPMplus and NPM so this should still work...
Ah, exactly the same message I've been getting, I didn't notice your screenshot before.
I've gotten certs through DNS challenges without adding the quotes as well, but lately I have only been able to get it working using Zoraxy if I update the record myself, so it's probable that manually updating the record isn't actually relevant.
I have been trying with the proposed bug fix (built with golang 1.24 on Debian 12 in a proxmox LXC container) but haven't had any luck over the last few hours.
Here is a full log
Log from new LXC container:
root@Zoraxy:~# ./zoraxy_linux_amd64
Checking required config update
[2025-02-17 11:58:33.515906] [database] [system:info] Using BoltDB as the database backend
[2025-02-17 11:58:33.517417] [auth] [system:info] Authentication session key loaded from database
[2025-02-17 11:58:33.657472] [LoadBalancer] [system:info] Upstream state cache ticker started
[2025-02-17 11:58:33.661051] [static-webserv] [system:info] Static Web Server started. Listeing on :5487
2025/02/17 11:58:33 Environment variable ZT_AUTH not defined. Trying to load authtoken from file.
2025/02/17 11:58:33 Unable to read authkey at /var/lib/zerotier-one/authtoken.secret: exec: "sudo": executable file not found in $PATH
[2025-02-17 11:58:33.662000] [internal] [system:info] Failed to load ZeroTier controller API authtoken
2025/02/17 11:58:33 ZeroTier connection failed: Get "http://localhost:9993/status": dial tcp [::1]:9993: connect: connection refused
[2025-02-17 11:58:33.665848] [internal] [system:info] Starting ACME handler
[2025-02-17 11:58:33.665891] [cert-renew] [system:info] ACME early renew set to 30 days and check interval set to 86400 seconds
[2025-02-17 11:58:34.667111] [internal] [system:info] Force HTTPS mode enabled
[2025-02-17 11:58:34.667121] [internal] [system:info] Development mode enabled. Using no-store Cache Control policy
[2025-02-17 11:58:34.667130] [internal] [system:info] TLS mode enabled. Serving proxy request with TLS
[2025-02-17 11:58:34.667136] [internal] [system:info] Port 80 listener enabled
[2025-02-17 11:58:34.667114] [internal] [system:info] Force latest TLS mode disabled. Minimum TLS version is set to v1.0
[2025-02-17 11:58:34.667127] [internal] [system:info] Inbound port not set. Using default (443)
[2025-02-17 11:58:34.967447] [internal] [system:info] Uptime Monitor background service started
[2025-02-17 11:58:34.967492] [dprouter] [system:info] Reverse proxy service started in the background (TLS mode)
[2025-02-17 11:58:34.967499] [internal] [system:info] Dynamic Reverse Proxy service started
[2025-02-17 11:58:34.967445] [dprouter] [system:info] Starting HTTP-to-HTTPS redirector (port 80)
[2025-02-17 11:58:35.167794] [internal] [system:info] Zoraxy started. Visit control panel at http://localhost:8000
[2025-02-17 11:58:35.167800] [internal] [system:info] Assigned temporary port:59360
[2025-02-17 11:59:03.662572] [internal] [system:info] mDNS Startup scan completed
[2025-02-17 11:59:23.183862] [ACME] [system:info] Obtaining certificate for: zoraxy.mydomain.com
[2025-02-17 11:59:23.183868] [ACME] [system:info] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
2025/02/17 11:59:23 [INFO] acme: Registering account for [email protected]
2025/02/17 11:59:24 [INFO] [zoraxy.mydomain.com] acme: Obtaining bundled SAN certificate
2025/02/17 11:59:24 [INFO] [zoraxy.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2******0*5/******5****
2025/02/17 11:59:24 [INFO] [zoraxy.mydomain.com] acme: Could not find solver for: tls-alpn-01
2025/02/17 11:59:24 [INFO] [zoraxy.mydomain.com] acme: Could not find solver for: http-01
2025/02/17 11:59:24 [INFO] [zoraxy.mydomain.com] acme: use dns-01 solver
2025/02/17 11:59:24 [INFO] [zoraxy.mydomain.com] acme: Preparing to solve DNS-01
2025/02/17 11:59:26 [INFO] cloudflare: new record for zoraxy.mydomain.com, ID c******************************a
2025/02/17 11:59:26 [INFO] [zoraxy.mydomain.com] acme: Trying to solve DNS-01
2025/02/17 11:59:26 [INFO] [zoraxy.mydomain.com] acme: Checking DNS record propagation. [nameservers=8.8.8.8:53,8.8.4.4:53,1.1.1.1:53,1.0.0.1:53]
2025/02/17 11:59:28 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2025/02/17 11:59:28 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:30 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:32 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:34 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:36 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:38 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:40 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:42 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:44 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:46 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:48 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:50 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:52 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:54 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:56 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 11:59:58 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:00 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:02 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:04 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:06 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:08 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:10 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:12 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:14 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:16 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:18 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:20 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:22 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:24 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:26 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:28 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:30 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:32 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:34 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:36 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:38 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:40 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:42 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:44 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:46 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:48 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:50 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:52 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:54 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:56 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:00:58 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:00 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:02 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:04 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:06 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:08 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:10 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:12 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:14 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:16 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:18 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:20 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:22 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:24 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:26 [INFO] [zoraxy.mydomain.com] acme: Waiting for DNS record propagation.
2025/02/17 12:01:28 [INFO] [zoraxy.mydomain.com] acme: Cleaning DNS-01 challenge
2025/02/17 12:01:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2******0*5/******5****
[2025-02-17 12:01:29.779894] [ACME] [system:info] Restoring HTTP to HTTPS redirect settings
[2025-02-17 12:01:29.779900] [dprouter] [system:info] HTTP to HTTPS redirection listener stopped
[2025-02-17 12:01:29.779897] [ACME] [system:error] Obtain certificate failed: error: one or more domains had a problem:
[zoraxy.mydomain.com] propagation: time limit exceeded: last error: NS jermaine.ns.cloudflare.com.:53 returned REFUSED for _acme-challenge.zoraxy.mydomain.com.
[2025-02-17 12:01:30.580855] [dprouter] [system:info] Starting HTTP-to-HTTPS redirector (port 80)
[2025-02-17 12:01:30.580889] [dprouter] [system:info] Reverse proxy service started in the background (TLS mode)
How do you have your DNS configured?
I have DNS-over-TLS in opnsense which everything is pointing to. Also port 53 is converted into DOT.
I have no problems in npm or npmplus. But last version i did try using dns in the clear pointing to cloudflare
I'm referring to your dns config in Cloudflare, this is mine and I've never had any problems:
Sorry late reply, but yea i shouldn't have any issues i tried using without proxy, but no luck. I have currently 50 A records that is working fine with NPMplus
@Fridasbabe Since all of you are using Cloudflare here, has anyone considered using Full (strict) mode, which uses CF's 15-year renew-free certificate, instead?
Not sure what you mean by "15-year renew-free certificate", but I do use "Current encryption mode: Full (strict)" under mydomain.com - SSL/TLS - Overview.
I'm just pointing Cloudflare to my IP, so a single A record. It's the NPM IP since Zoraxy does not work; then everything is done via NPM & Authentik, and everything is within the Tailscale network.
@Fridasbabe You can use CF's 15-year Origin Certificate to serve your web content and let CF handle certificate renewal for you within those 15 years.
I am doing this in my homelab, and if I need a new rule, I just add it in Zoraxy and it just works. The ACME module was added by @yeungalan because for a while he didn't know this existed.
I really don't like this approach; the feature is also there, and if so it should work. You want to minimize permissions as much as possible. I got some new information from the last update (3.1.9) that I would like to share. Note that I also changed the permissions to allow all zones, but that didn't change anything.
[2025-03-26 13:23:25.918486] [ACME] [system:info] Obtaining certificate for: zoraxy.mydomain.com
[2025-03-26 13:23:25.918574] [ACME] [system:info] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
2025/03/26 13:23:26 [INFO] acme: Registering account for myemail.com
2025/03/26 13:23:26 [INFO] [zoraxy.mydomain.com] acme: Obtaining bundled SAN certificate
2025/03/26 13:23:27 [INFO] [zoraxy.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2304094546/495727363216
2025/03/26 13:23:27 [INFO] [zoraxy.mydomain.com] acme: Could not find solver for: tls-alpn-01
2025/03/26 13:23:27 [INFO] [zoraxy.mydomain.com] acme: Could not find solver for: http-01
2025/03/26 13:23:27 [INFO] [zoraxy.mydomain.com] acme: use dns-01 solver
2025/03/26 13:23:27 [INFO] [zoraxy.mydomain.com] acme: Preparing to solve DNS-01
2025/03/26 13:23:57 [INFO] [zoraxy.mydomain.com] acme: Cleaning DNS-01 challenge
2025/03/26 13:24:27 [WARN] [zoraxy.mydomain.com] acme: cleaning up failed: cloudflare: failed to find zone mydomain.com.: ListZonesContext command failed: HTTP request failed: Get "https://api.cloudflare.com/client/v4/zones?name=mydomain.com&per_page=50": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2025/03/26 13:24:27 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/223124015146/4951232736326
[2025-03-26 13:24:28.164207] [dprouter] [system:info] HTTP to HTTPS redirection listener stopped
[2025-03-26 13:24:28.164209] [ACME] [system:error] Obtain certificate failed: error: one or more domains had a problem:
[zoraxy.mydomain.com] [zoraxy.mydomain.com] acme: error presenting token: cloudflare: failed to find zone mydomain.com.: ListZonesContext command failed: HTTP request failed: Get "https://api.cloudflare.com/client/v4/zones?name=mydomain.com&per_page=50": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[2025-03-26 13:24:28.164208] [ACME] [system:info] Restoring HTTP to HTTPS redirect settings
[2025-03-26 13:24:28.264685] [dprouter] [system:info] Starting HTTP-to-HTTPS redirector (port 80)
[2025-03-26 13:24:28.264714] [dprouter] [system:info] Reverse proxy service started in the background (TLS mode)
[2025-03-26 13:24:29.505884] [uptime-monitor] [system:info] Uptime updated - 1742991869
[2025-03-26 13:27:07.112133] [ACME] [system:info] Obtaining certificate for: zoraxy.mydomain.com
[2025-03-26 13:27:07.112299] [ACME] [system:info] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
2025/03/26 13:27:07 [INFO] acme: Registering account for myemail.com
2025/03/26 13:27:07 [INFO] [zoraxy.mydomain.com] acme: Obtaining bundled SAN certificate
2025/03/26 13:27:08 [INFO] [zoraxy.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2304101846/495728623676
2025/03/26 13:27:08 [INFO] [zoraxy.mydomain.com] acme: Could not find solver for: tls-alpn-01
2025/03/26 13:27:08 [INFO] [zoraxy.mydomain.com] acme: Could not find solver for: http-01
2025/03/26 13:27:08 [INFO] [zoraxy.mydomain.com] acme: use dns-01 solver
2025/03/26 13:27:08 [INFO] [zoraxy.mydomain.com] acme: Preparing to solve DNS-01
2025/03/26 13:27:38 [INFO] [zoraxy.mydomain.com] acme: Cleaning DNS-01 challenge
2025/03/26 13:28:08 [WARN] [zoraxy.mydomain.com] acme: cleaning up failed: cloudflare: failed to find zone mydomain.com.: ListZonesContext command failed: HTTP request failed: Get "https://api.cloudflare.com/client/v4/zones?name=mydomain.com&per_page=50": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2025/03/26 13:28:08 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2304101846/495728623676
[2025-03-26 13:28:08.968986] [ACME] [system:error] Obtain certificate failed: error: one or more domains had a problem:
[zoraxy.mydomain.com] [zoraxy.mydomain.com] acme: error presenting token: cloudflare: failed to find zone mydomain.com.: ListZonesContext command failed: HTTP request failed: Get "https://api.cloudflare.com/client/v4/zones?name=mydomain.com&per_page=50": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[2025-03-26 13:28:08.968992] [ACME] [system:info] Restoring HTTP to HTTPS redirect settings
[2025-03-26 13:28:08.969017] [dprouter] [system:info] HTTP to HTTPS redirection listener stopped
[2025-03-26 13:28:09.069518] [dprouter] [system:info] Starting HTTP-to-HTTPS redirector (port 80)
[2025-03-26 13:28:09.069550] [dprouter] [system:info] Reverse proxy service started in the background (TLS mode)
[2025-03-26 13:29:29.506273] [uptime-monitor] [system:info] Uptime updated - 1742992169
@Fridasbabe Sadly the ACME module maintainer @yeungalan has gone missing for a while now. You wanna be the next maintainer for this module and do some rewrite / big upgrade?
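An added diagnostic script, not Zoraxy, lego or any participant's code, that reproduces the two steps failing in the logs posted above: the TXT propagation check against the zone's authoritative Cloudflare nameservers (where "returned REFUSED for _acme-challenge..." came from) and the zones lookup against api.cloudflare.com (which timed out in the 3.1.9 log). It assumes dig and curl are installed and that the token is exported as CF_DNS_API_TOKEN, the lego variable name discussed earlier in the thread; mydomain.com and zoraxy.mydomain.com are the thread's placeholders. The RCODE interpretation is the script's own, not lego's.

```shell
#!/bin/sh
# Added diagnostic (not Zoraxy or lego code). Reproduces the two steps that fail in the
# logs above: the TXT propagation check against the zone's authoritative nameservers,
# and the Cloudflare zones lookup that the API token must be able to perform.
# Assumptions: dig (bind-dnsutils) and curl are installed; the token is exported as
# CF_DNS_API_TOKEN; mydomain.com / zoraxy.mydomain.com are the thread's placeholders.

# Pull the RCODE out of dig's header line, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242"
dig_rcode() {
  printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the data of every TXT record in a dig +noall +answer section.
dig_txt_values() {
  printf '%s\n' "$1" | awk '$4 == "TXT" { $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }'
}

# What each RCODE from an *authoritative* server tells you about a DNS-01 record.
interpret_rcode() {
  case "$1" in
    NOERROR)    echo "record present on this nameserver" ;;
    NXDOMAIN)   echo "zone is served here, but no record at that name (not propagated yet, or wrong name)" ;;
    REFUSED)    echo "this server refuses queries for the zone (not authoritative for it, or the query never reached Cloudflare)" ;;
    NORESPONSE) echo "no reply on udp/53 (blocked, filtered or redirected)" ;;
    *)          echo "unexpected rcode: $1" ;;
  esac
}

# Ask every NS of ZONE for the TXT record at NAME with recursion disabled, as an
# authoritative check does, and report the rcode plus any record data returned.
check_authoritative() {
  zone="$1"; name="$2"
  for ns in $(dig +short NS "$zone"); do
    out=$(dig @"$ns" TXT "$name" +norecurse +noall +comments +answer +time=5 +tries=1) || out=""
    rc=$(dig_rcode "$out")
    [ -n "$rc" ] || rc="NORESPONSE"
    printf '%s %s: %s\n' "$ns" "$rc" "$(interpret_rcode "$rc")"
    dig_txt_values "$out"
  done
}

# The zone lookup from the log (GET /zones?name=...), once over IPv4 and once over
# IPv6, so a dead IPv6 path shows up as a timeout on -6 only.
check_cf_api() {
  zone="$1"
  for fam in -4 -6; do
    curl "$fam" -sS -m 10 -o /dev/null -w "IPv${fam#-} HTTP %{http_code}\n" \
      -H "Authorization: Bearer $CF_DNS_API_TOKEN" \
      "https://api.cloudflare.com/client/v4/zones?name=$zone" || echo "IPv${fam#-} failed"
  done
}

# Usage: sh dns01-check.sh mydomain.com zoraxy.mydomain.com
if [ $# -ge 2 ]; then
  check_authoritative "$1" "_acme-challenge.$2"
  if [ -n "${CF_DNS_API_TOKEN:-}" ]; then check_cf_api "$1"; fi
fi
```

Run it on the proxy host right after Zoraxy has created the TXT record (the cleanup step deletes it again within the timeout). One caveat for setups like the OPNsense one described above, where outbound port 53 is rewritten to DNS-over-TLS: `dig @jermaine.ns.cloudflare.com` then never reaches Cloudflare, and the RCODE printed is the local resolver's answer to a non-recursive query, not the authoritative server's. Excluding the proxy host from that redirect rule, or running the script from a host without it, separates the two cases. Likewise, an HTTP status on -4 but a timeout on -6 matches the "context deadline exceeded" failure and points at the container's IPv6 path rather than at the token.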