Comments (10)
Interesting
I think I first have to update and fix some dependencies, but then I'll look more closely into this matter. AFAIK there should be no reason not to support this. Quite the contrary, that the authoritative name server is not used sounds more like a bug.
from fritz-tls.
Yes, I'm a bit confused and was trying to dig through the lego source to see why it behaves differently on these two systems. On one, it defaulted to going to the authoritative nameservers... and on the other, it used the system resolver. I can't figure out why the difference in behaviour.
It's not the end of the world, it just means waiting 1.5 hours for full propagation to have completed instead of ~10-15 mins for the authoritative nameserver to show the new record being there.
Hey @lozzd
Can you check out if v0.10.0 solves this issue for you? I just published a new version.
In afcc8d3 I added the option to use a custom DNS resolver. In my testing it got picked up, so I hope this solves your issue.
PS: Be aware that I dropped --auto-cert and made it the default with this release as well. I got tired of typing it over and over again.
Thanks, I'll give it a shot!
It's still using my system resolvers by default (tried that first) versus on that other system where it immediately fell back to using the authoritative nameservers, I really don't understand why. It'd make way more sense if it always went straight to the authoritative to skip any caching issues.
Hopefully it'll work, because now the solving of the DNS takes so long that the Fritzbox session has expired by the time the DNS caches have cleared, so the upload fails! I guess if that continues it raises the question - chicken or egg - login to the Fritzbox to see if the auth works, or skip that, try the cert first, and then hope the login works - or just have code to renew the session I guess.
Thanks again!
Hmmm - well. This was a vast improvement, it took just 22 minutes to verify the DNS entries - amazing!
But upload still failed because I got kicked back to the login page on the FritzBox. That's really bizarre - this worked once! With a much longer propagation time. I wonder what the session expiry is on the Fritzbox?
I think I have to read more of the lego code to properly understand this. The resolver option I've added is only used for the client to check if the entry has been propagated and then triggers the check by Let's Encrypt. Let's Encrypt is of course not using the resolver you specify, because that would defeat the whole verification purpose.
I'm not sure about the timeout duration. My guess is something around 10 minutes. I found this document where it states it is 20 minutes. The problem with the timed out session is maybe a slightly different one. My initial idea was that I want to check that the login works first before continuing. But it should be no problem to re-authenticate if the session is lost.
Could you try --dns-resolver with the authoritative name server for the domain you're trying to obtain a cert for? That should be much quicker if this is a DNS propagation issue.
I've dug a bit deeper into the lego code and this is what I think is going on:
- lego is doing a "pre check" to see if the DNS entry has been propagated. This is being handled by dns01.Solve in https://github.com/go-acme/lego/blob/v4.5.3/challenge/dns01/dns_challenge.go#L131-L137
- First the system resolver (or the resolver specified by --dns-resolver in fritz-tls) is being used to check for the updated DNS entry, see checkDNSPropagation in https://github.com/go-acme/lego/blob/v4.5.3/challenge/dns01/precheck.go#L55-L76.
- If this check is successful, only then are the authoritative name servers asked directly in checkAuthoritativeNss, https://github.com/go-acme/lego/blob/v4.5.3/challenge/dns01/precheck.go#L79-L110
As far as I can tell, there is no way to change this behaviour. My guess would be that they don't want to hit authoritative name servers unnecessarily. I'm collecting a bit more information and will open an issue with lego for clarification.
In the meantime, I just pushed v0.11.0 which should work as a workaround for you: The FRITZ!Box session is checked before the certificate upload and another login is performed if necessary. It won't be a speed up in your case, but it might help to succeed.
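As an added illustration of the two-stage order described in the comment above (example code, not part of fritz-tls or lego): a minimal Go precheck in which the recursive resolver must already return the challenge token before any authoritative server is queried, so a stale recursive cache stalls the whole check. TXTLookup, staticZone and checkPropagation are hypothetical names; the zones are constructed in memory so the example runs offline.

```go
package main

import (
	"context"
	"fmt"
)

// TXTLookup is satisfied by *net.Resolver (system resolver or a custom one for --dns-resolver).
type TXTLookup interface {
	LookupTXT(ctx context.Context, fqdn string) ([]string, error)
}

type staticZone map[string][]string // constructed in-memory TXT zone standing in for a name server

func (z staticZone) LookupTXT(_ context.Context, fqdn string) ([]string, error) {
	if recs, ok := z[fqdn]; ok {
		return recs, nil
	}
	return nil, fmt.Errorf("NXDOMAIN for %s", fqdn)
}
func containsString(records []string, value string) bool {
	for _, r := range records {
		if r == value {
			return true
		}
	}
	return false
}

// checkPropagation follows the order described above: stage 0 is the recursive
// resolver and must already return the token; only then are the authoritative
// servers asked directly, so a stale recursive cache stalls the whole check.
func checkPropagation(ctx context.Context, fqdn, value string, recursive TXTLookup, authoritative ...TXTLookup) error {
	for i, l := range append([]TXTLookup{recursive}, authoritative...) {
		recs, err := l.LookupTXT(ctx, fqdn)
		if err != nil {
			return fmt.Errorf("stage %d lookup: %w", i, err)
		}
		if !containsString(recs, value) {
			return fmt.Errorf("stage %d does not yet return token %q", i, value)
		}
	}
	return nil
}

func main() {
	fqdn := "_acme-challenge.example.com." // constructed sample name
	stale := staticZone{fqdn: {"old-token"}} // constructed: recursive cache still holds the old record
	ns1 := staticZone{fqdn: {"new-token"}}   // constructed: authoritative server already updated
	fmt.Println(checkPropagation(context.Background(), fqdn, "new-token", stale, ns1))
}
```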
Hey,
Confirmed both the --dns-resolver and session renewal are now working perfectly:
2021/10/20 09:04:07 Session expired, re-authenticating...
2021/10/20 09:04:14 TLS certificate upload successful!
2021/10/20 09:04:17 TLS certificate installation verified!
It was roughly ~30 minutes start to finish for this to work, which is totally fine for my purposes.
Nice, glad to hear!
It's still quite strange that it takes so long…