Support for subdomain wildcards #103
Here is the full log. Anything I've "scrubbed" I've enclosed in ** ** (i.e. **scrubbedName**).
P.S. In regards to items 2 and 4, those were just typos when I posted. Those items are actually configured correctly in the App Service.
I tracked down the exception to this line: https://github.com/sjkp/letsencrypt-azure/blob/master/src/LetsEncrypt.Azure.Core.V2/DnsLookupService.cs#L61

Basically you will see this if

```csharp
using System;
using System.Linq;
using System.Net.Sockets;
using DnsClient;

// Builds a LookupClient that talks directly to the authoritative name servers of the given hostnames.
private static LookupClient GetDnsClient(params string[] hostnames)
{
    // System resolver, used both for the NS lookup and for resolving the NS hostnames to addresses.
    LookupClient generalClient = new LookupClient();
    LookupClient dnsClient = null;
    generalClient.UseCache = false;

    foreach (var hostname in hostnames)
    {
        // Asks for NS records of the hostname itself, not of the zone that contains it.
        var ns = generalClient.Query(hostname, QueryType.NS);
        if (!ns.Answers.NsRecords().Any()) throw new Exception(); // <== THIS IS THE KEY: no NS answer for this name

        // Resolve every name server to its IPv4 addresses and query those servers directly.
        var ip = ns.Answers.NsRecords().Select(s => generalClient.GetHostEntry(s.NSDName.Value));
        dnsClient = new LookupClient(ip.SelectMany(i => i.AddressList)
                                       .Where(s => s.AddressFamily == AddressFamily.InterNetwork)
                                       .ToArray());
        dnsClient.UseCache = false;
    }
    return dnsClient;
}
```
Thanks for looking into this; although, I'm a bit confused as to how to go about configuring this service for my situation. Here is what I have:
Now I need a certificate for
I'm wondering if maybe my use of Update Thanks for your help.
I'm afraid Anyway, I don't think the error you saw was related. Did you try executing the
@ohadschn, so maybe I'm trying to do something that isn't supported. I ran the above code. It ran fine when I did However, stepping through the code, I can see that the code IS finding the CNAME entry for It just appears that the
You can find the implementation here - basically it's I think I see what's going on. It looks like only naked domains get NS answers. Can you change your cert to
Progress! So, I realized that I had two CNAME entries in my DNS Zone -- one for I re-ran my web job and we definitely got much further. This time, it actually created my DNS challenge token in my DNS; however, it errors out trying to validate the dns challenge. Again, looking in my DNS, I can see that the I can see the following in the log:
Also, since you already know how to debug this, might as well debug the real thing: You can run that loop on your dev machine (just as you have the NS lookup code above) and see if you're getting the TXT DNS entries.
Specifically, you need to make sure the TXT record is named the way it's expecting it. In your case I believe that would be
In my case, it was named
No that's not it, I just checked in my Azure DNS and it has that one too. I think this line:

```csharp
var dnsRes = dnsClient.QueryServer(new[] { ns.Endpoint.Address }, $"_acme-challenge.{hostname}", QueryType.TXT);
```

Means that it looks for an And again, if you use
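Added example (not code from letsencrypt-webapp-renewer, letsencrypt-azure, or anyone in this thread) that models the two DNS points discussed above: an NS query for the certificate hostname itself comes back empty when that name is not a zone apex, walking up the labels finds the zone that does hold the records, and the `_acme-challenge.{hostname}` TXT name has to be created as a relative record set inside that zone. The resolver data is an in-memory stand-in constructed for the example; `dev.example.com`, `eu.example.com`, the name-server hostnames and the token values are made up.

```python
# Added example (not code from letsencrypt-webapp-renewer or letsencrypt-azure).
# Zone data, host names and tokens below are constructed for the example.

# Constructed stand-in for the DNS: NS records exist only at zone apexes.
FAKE_NS = {
    "example.com": ["ns1-01.azure-dns.com", "ns2-01.azure-dns.net"],
    "eu.example.com": ["ns1-02.azure-dns.com"],   # a delegated sub-zone
}
# Constructed TXT data: the challenge for api.dev.example.com has been published.
FAKE_TXT = {
    "_acme-challenge.api.dev.example.com": ["tokenA"],
}


def query_ns(name):
    """Answer-section NS records for exactly `name`.

    Empty for anything that is not a zone apex, which is what the thread
    observed: a host inside a zone (or a CNAME) gets no NS answer, so a lookup
    that queries NS for the certificate hostname itself has nothing to use.
    """
    return list(FAKE_NS.get(name.lower().rstrip("."), []))


def find_zone_apex(hostname):
    """Walk the labels upward until some parent returns NS records.

    Returns (zone_apex, nameservers). Stops before the bare TLD and raises
    if no enclosing zone is found.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        ns = query_ns(candidate)
        if ns:
            return candidate, ns
    raise LookupError(f"no NS records for {hostname} or any parent zone")


def challenge_record(hostname):
    """Where the DNS-01 TXT record for `hostname` has to live.

    The record name is _acme-challenge.<hostname> (RFC 8555 section 8.4); for a
    wildcard request the leading '*.' is dropped first. The relative name is
    what must be created inside the hosting zone, e.g. in an Azure DNS zone.
    """
    base = hostname.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    fqdn = f"_acme-challenge.{base}"
    zone, ns = find_zone_apex(base)
    relative = fqdn[: -(len(zone) + 1)]      # strip the trailing ".<zone>"
    return {"fqdn": fqdn, "zone": zone, "relative_name": relative, "nameservers": ns}


def challenge_present(hostname, expected_token):
    """Validation step: is the expected token published at the challenge name?"""
    fqdn = challenge_record(hostname)["fqdn"]
    return expected_token in FAKE_TXT.get(fqdn, [])


if __name__ == "__main__":
    print(query_ns("www.example.com"))            # [] -> the failing case
    print(find_zone_apex("www.example.com"))      # ('example.com', [...])
    print(challenge_record("*.dev.example.com"))  # relative_name '_acme-challenge.dev'
    print(challenge_present("api.dev.example.com", "tokenA"))  # True
```

Running it shows the failure mode from the code above (`query_ns` for a host returns nothing), the zone the renewer would have to write into, and the relative record set name that the TXT lookup for `_acme-challenge.<hostname>` will resolve to once the record exists.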
@ohadschn - Looks like what I'm trying to do is not yet supported. However, it looks like someone has added a pull request to make it possible. How quickly will you update your project to work with the updated
I doubt I'll be the bottleneck - look at that PR, it's been open for more than a year...
Shoot - I didn't even notice the 2019 date. I guess my only option at this point then is to fork my own copy of letsencrypt-webapp-renewer as well as letsencrypt-azure and make the changes myself? Or is there some other option that I'm overlooking? BTW -- thanks for all of your help with this! Also, you had mentioned earlier that non-wildcard certs could not be verified by ACME challenge. I'm not sure I understand how the HTTP verification works -- do I have to have special code in my app to handle a specific request?
Thanks @ohadschn. In regards to question 2 -- I was pretty sure I tried that at one point and it didn't work -- I can give it another shot though because if it did work, that might save me a lot of headache. Thanks for the info in items 3 and 4. Again, thanks for all of your help on this!
Just an FYI, from what I've found, the wildcard cert doesn't appear to cover the root domain.
Edit: https://www.instantssl.com/multi-level-wildcard https://stackoverflow.com/questions/2115611/wildcard-ssl-on-sub-subdomain
Definitely worth a shot IMO
True, which is why you'd need bullet (4) regardless (HTTP challenge). I should probably clarify that better in the docs... |
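Added example, not from the project or this thread, showing the hostname matching rules (RFC 6125 section 6.4.3) behind the point just made: a wildcard is only honoured as the whole left-most label and matches exactly one label, so `*.example.com` covers `www.example.com` but neither the root `example.com` nor `a.b.example.com`, and the root needs its own name on the certificate. The SAN lists and hostnames are constructed for the example.

```python
# Added example (not code from letsencrypt-webapp-renewer). Names are constructed.

def _labels(name):
    """Lower-case labels of a DNS name, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """True if the certificate name `pattern` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, as browsers and .NET implement them):
    a non-wildcard name must match exactly; '*' is only accepted as the entire
    left-most label; it matches exactly one label, so it covers neither the
    apex nor names with extra labels; '*.<tld>' is rejected.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                      # e.g. 'w*.example.com' or '*.*.example.com'
    if len(p) < 3:
        return False                      # '*.com' is not an acceptable wildcard
    return len(h) == len(p) and h[1:] == p[1:]


def covered_by(san_names, hostname):
    """True if any name on the certificate covers `hostname`."""
    return any(name_matches(n, hostname) for n in san_names)


def uncovered(san_names, hostnames):
    """Hostnames that the given SAN list leaves unprotected (for planning the cert)."""
    return [h for h in hostnames if not covered_by(san_names, h)]


if __name__ == "__main__":
    wanted = ["example.com", "www.example.com", "api.dev.example.com"]
    print(uncovered(["*.example.com"], wanted))                  # ['example.com', 'api.dev.example.com']
    print(uncovered(["*.example.com", "example.com"], wanted))   # ['api.dev.example.com']
```

The `uncovered` helper makes the planning question concrete: a wildcard for `*.example.com` alone leaves the apex and any deeper name out, so each of those needs either its own SAN on the same certificate or a separate certificate validated on its own.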
One last question about the HTTP challenge. Does that challenge happen against the web app hosting the letsencrypt webjob or against the actual web app for which you are adding the cert? I'm guessing its the actual web app but just wanted to be certain. |
You are correct, it's against the actual web app |
@ohadschn, I've done the following:
Each time I try to create the web job, I get a very basic error: Failed to add --webjobname-- This is way out of my league -- I've never done any of this stuff before. Is there something special I have to do to create this zip file for the web job?
So I found that if I right click the Thanks for all your help!
Nice! Glad you sorted it out :) Let's leave this bug open until the PR (sjkp/letsencrypt-azure#5) is merged to the main repo and I can update this project. |
Hello again. I hadn't been paying attention to this for a while and just logged in today to see how things were going with my cert management. I noticed that my web job has failed the last two times it ran -- automated. However, when I log in and run the job it runs fine. I got the following error:
It looks like maybe its a permissions thing, but I'm not sure exactly what to check. |
I don't think it's a permissions error, the error is 400 bad request due to a "networking error" (permissions issues would have been 401 Unauthorized / 403 Forbidden). I suspect retries are the way to go here: #114 |
I'm running into this error when I run the web job in Azure:
Error: At least one name server must be configured.
The parameter that is listed is: nameServers.
I'm sure there is something wrong in my configuration but I'm not sure where I'm going wrong. I have a dedicated Azure App Service for hosting the lets-encrypt-webapp-renewer web job. (All my stuff -- DNS zone, Web Apps, etc -- are in the same resource group and subscription). I have the following configured (I'm leaving out resource group, etc.)
What am I doing wrong here? Also, the documentation seems to indicate that I can only obtain wildcard certs when using DNS Zone challenge. Does this mean I cannot obtain a certificate for my root domain -- mydomain.com?