-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide an option to verify propagation against a custom list of DNS-servers #2276
Comments
Hello, you can already do that:
|
We have tried the disable-cp option: Our problem is the reverse, the authoritative name servers replies correct and do so straight away. But the servers the PKI uses for validation are slow to serve the record. What we need to do is either:
I tried using the options you suggested but it does not wait for any propagation at all, unless of course I use |
Today we looked into why cert-manager has had more success and it looks like cert-manager has this option: dns01-recursive-nameservers-only documented here
|
Welcome
How do you use lego?
Binary and Traefik.
Detailed Description
Hi, we've hit an issue using DNS-01 challenge with EAB and CNAME delegation with EJBCA as the CA, but this deployment scenario is probably going to be more common as ACME has started to be adopted in enterprise.
I have included a diagram to try and explain our interpretation of the current flow, and where we see an issue.
--dns.resolvers
that points to the same DNS-server as the PKI will query for the challenge. These servers are used by lego to find the authoritative servers only as specified here.It finds the authoritative servers and can successfully query to verify they serve the TXT record with the correct value.
So now to the problem:
Essentially we'd want something like this (behind a flag such as
--dns.propagation-servers
of[]string
type) to specify what additional servers we'd want to append to thecheckAuthoritativeNss
function.https://github.com/Jonher937/lego/blob/a152249a1a02146604936099d3bf1a9d13999280/challenge/dns01/precheck.go#L76-L88
Full commit can be found here and acts as an example. I have not found a good way to pass down a flag this deep into the process, but this issue is created as a topic for discussing how and if this could be implemented.
In the end our issues comes down to the DNS topology/implementation and slow (60+ seconds) propagations to the company DNS-service which the PKI verifies against.
We have also tries with the newly added
--dns.propagation-wait
option and have successfully managed to obtain certificates if we tweak it high enough for the propagation to happen, but this might randomly fail if the zone update has not yet made it's way to the company DNS-service.The text was updated successfully, but these errors were encountered: