starred/acme-dns
1
0
Fork 0
mirror of https://github.com/acme-dns/acme-dns.git synced 2026-04-27 21:05:49 +03:00
Code Issues 178 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #324] ACME-DNS-API not pulling a certificate for itself #177

New issue
Open
opened 2026-03-13 16:02:50 +03:00 by kerem · 13 comments
kerem commented 2026-03-13 16:02:50 +03:00
Owner
Copy link

Originally created by @protogenxl on GitHub (Dec 22, 2022).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/324

Hi
I have been working on setting up a acme-dns and have ran into an issue where the web API is not pulling it's own let's encrypt cert. I feel like I am missing something simple but I am to far in to see what is behind me.

Any help would be appreciated

halibut.juggedfish.com will be playing the part of my public dns record
and 8.8.8.8 will be playing the part of my public ip address

ERROR

root@halibut ~]# systemctl status acme-dns -l
? acme-dns.service - Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely
   Loaded: loaded (/etc/systemd/system/acme-dns.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-12-22 09:49:24 EST; 46min ago
 Main PID: 737 (acme-dns)
   CGroup: /system.slice/acme-dns.service
           +-737 /usr/local/bin/acme-dns

Dec 22 09:49:24 halibut.juggedfish.com systemd[1]: Started Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
Dec 22 09:49:24 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:24-05:00" level=info msg="Using config file" file=/etc/acme-dns/config.cfg
Dec 22 09:49:48 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:48-05:00" level=info msg="http: TLS handshake error from 10.248.2.1:55191: no certificate available for 'halibut.juggedfish.com'"
Dec 22 09:49:48 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:48-05:00" level=info msg="http: TLS handshake error from 10.248.2.1:55192: no certificate available for 'halibut.juggedfish.com'"
Dec 22 09:49:48 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:48-05:00" level=info msg="http: TLS handshake error from 10.248.2.1:55193: no certificate available for 'halibut.juggedfish.com'"
Dec 22 09:49:48 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:48-05:00" level=info msg="http: TLS handshake error from 10.248.2.1:55194: no certificate available for 'halibut.juggedfish.com'"

CONFIG

# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#

[general]
# dns interface
listen = "10.110.144.53:1053"
# protocol, "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
protocol = "both"
# domain name to serve the requests off of
domain = "halibut.juggedfish.com"
# zone name server
nsname = "ns1.halibut.juggedfish.com"
# admin email address, where @ is substituted with .
nsadmin = "halibut@juggedfish.com"
# predefined records served in addition to the TXT
records = [
    # default A
    "halibut.juggedfish.com. A 8.8.8.8",
    # A
    "ns1.halibut.juggedfish.com. A 8.8.8.8",
    "ns2.halibut.juggedfish.com. A 8.8.8.8",
    # NS
    "halibut.juggedfish.com. NS ns1.halibut.juggedfish.com.",
    "halibut.juggedfish.com. NS ns2.halibut.juggedfish.com.",
]
# debug messages from CORS etc
debug = true

[database]
# Database engine to use, sqlite3 or postgres
engine = "sqlite3"
connection = "/etc/acme-dns/acme-dns.db"


[api]
# listen ip eg. 127.0.0.1
ip = "10.110.144.53"
# disable registration endpoint
disable_registration = false
# listen port, eg. 443 for default HTTPS
port = "443"
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
tls = "letsencrypt"
# only used if tls = "letsencrypt"
acme_cache_dir = "/etc/acme-dns/api-certs"
# CORS AllowOrigins, wildcards can be used
corsorigins = [
    "*"
]
# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"


[logconfig]
# logging level: "error", "warning", "info" or "debug"
loglevel = "warning"
# possible values: stdout, TODO file & integrations
logtype = "stdout"
# file path for logfile TODO
# logfile = "./acme-dns.log"
# format, either "json" or "text"
logformat = "text"

PUBLIC DNS


A
ns1.halibut
8.8.8.8
15 minutes


A
ns2.halibut
8.8.8.8
15 minutes


CNAME
_acme-challenge.halibut
halibut.juggedfish.com
15 minutes


NS
halibut
ns2.halibut.juggedfish.com
15 minutes

NS
halibut
ns1.halibut.juggedfish.com
15 minutes
Originally created by @protogenxl on GitHub (Dec 22, 2022). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/324 Hi I have been working on setting up a acme-dns and have ran into an issue where the web API is not pulling it's own let's encrypt cert. I feel like I am missing something simple but I am to far in to see what is behind me. Any help would be appreciated halibut.juggedfish.com will be playing the part of my public dns record and 8.8.8.8 will be playing the part of my public ip address **ERROR** ``` root@halibut ~]# systemctl status acme-dns -l ? acme-dns.service - Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely Loaded: loaded (/etc/systemd/system/acme-dns.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2022-12-22 09:49:24 EST; 46min ago Main PID: 737 (acme-dns) CGroup: /system.slice/acme-dns.service +-737 /usr/local/bin/acme-dns Dec 22 09:49:24 halibut.juggedfish.com systemd[1]: Started Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. Dec 22 09:49:24 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:24-05:00" level=info msg="Using config file" file=/etc/acme-dns/config.cfg Dec 22 09:49:48 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:48-05:00" level=info msg="http: TLS handshake error from 10.248.2.1:55191: no certificate available for 'halibut.juggedfish.com'" Dec 22 09:49:48 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:48-05:00" level=info msg="http: TLS handshake error from 10.248.2.1:55192: no certificate available for 'halibut.juggedfish.com'" Dec 22 09:49:48 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:48-05:00" level=info msg="http: TLS handshake error from 10.248.2.1:55193: no certificate available for 'halibut.juggedfish.com'" Dec 22 09:49:48 halibut.juggedfish.com acme-dns[737]: time="2022-12-22T09:49:48-05:00" level=info msg="http: TLS handshake error from 10.248.2.1:55194: no certificate available for 'halibut.juggedfish.com'" ``` **CONFIG** ``` # ================= DO NOT MODIFY THIS FILE ================= # # Manual changes will be lost when this file is regenerated. # # Please read the developer's guide, which is available # at NethServer official site: https://www.nethserver.org # # [general] # dns interface listen = "10.110.144.53:1053" # protocol, "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6" protocol = "both" # domain name to serve the requests off of domain = "halibut.juggedfish.com" # zone name server nsname = "ns1.halibut.juggedfish.com" # admin email address, where @ is substituted with . nsadmin = "halibut@juggedfish.com" # predefined records served in addition to the TXT records = [ # default A "halibut.juggedfish.com. A 8.8.8.8", # A "ns1.halibut.juggedfish.com. A 8.8.8.8", "ns2.halibut.juggedfish.com. A 8.8.8.8", # NS "halibut.juggedfish.com. NS ns1.halibut.juggedfish.com.", "halibut.juggedfish.com. NS ns2.halibut.juggedfish.com.", ] # debug messages from CORS etc debug = true [database] # Database engine to use, sqlite3 or postgres engine = "sqlite3" connection = "/etc/acme-dns/acme-dns.db" [api] # listen ip eg. 127.0.0.1 ip = "10.110.144.53" # disable registration endpoint disable_registration = false # listen port, eg. 443 for default HTTPS port = "443" # possible values: "letsencrypt", "letsencryptstaging", "cert", "none" tls = "letsencrypt" # only used if tls = "letsencrypt" acme_cache_dir = "/etc/acme-dns/api-certs" # CORS AllowOrigins, wildcards can be used corsorigins = [ "*" ] # use HTTP header to get the client ip use_header = false # header name to pull the ip address / list of ip addresses from header_name = "X-Forwarded-For" [logconfig] # logging level: "error", "warning", "info" or "debug" loglevel = "warning" # possible values: stdout, TODO file & integrations logtype = "stdout" # file path for logfile TODO # logfile = "./acme-dns.log" # format, either "json" or "text" logformat = "text" ``` PUBLIC DNS ``` A ns1.halibut 8.8.8.8 15 minutes A ns2.halibut 8.8.8.8 15 minutes CNAME _acme-challenge.halibut halibut.juggedfish.com 15 minutes NS halibut ns2.halibut.juggedfish.com 15 minutes NS halibut ns1.halibut.juggedfish.com 15 minutes ```
kerem commented 2026-03-13 16:02:57 +03:00
Author
Owner
Copy link

@webprofusion-chrisc commented on GitHub (Dec 23, 2022):

Are port 53 DNS queries against your instance working? You are listening on 1053 but will need to port forward this externally from 53 for normal DNS queries to work (you may already be doing that). I'd imagine if that doesn't work then it also won't be able to use itself to complete a DNS challenge for it's own cert. There was/used to be an http-01 challenge mode but I don't know the config to use that instead of DNS validation.

<!-- gh-comment-id:1363472676 --> @webprofusion-chrisc commented on GitHub (Dec 23, 2022): Are port 53 DNS queries against your instance working? You are listening on 1053 but will need to port forward this externally from 53 for normal DNS queries to work (you may already be doing that). I'd imagine if that doesn't work then it also won't be able to use itself to complete a DNS challenge for it's own cert. There was/used to be an http-01 challenge mode but I don't know the config to use that instead of DNS validation.
kerem commented 2026-03-13 16:03:02 +03:00
Author
Owner
Copy link

@novakele commented on GitHub (Dec 23, 2022):

Hi @protogenxl, I ran into a similar issue.

In my case, I was running the acme-dns.service as a non-root user, and the user did not have write permission in his home directory. By default, the service uses WorkingDirectory=~.

Are you running the service as root?

EDIT
Does the user runner the service has write permissions in /etc/acme-dns/api-certs?

<!-- gh-comment-id:1364366988 --> @novakele commented on GitHub (Dec 23, 2022): Hi @protogenxl, I ran into a similar issue. In my case, I was running the acme-dns.service as a non-root user, and the user did not have write permission in his home directory. By default, the service uses `WorkingDirectory=~`. Are you running the service as root? EDIT Does the user runner the service has write permissions in `/etc/acme-dns/api-certs`?
kerem commented 2026-03-13 16:03:07 +03:00
Author
Owner
Copy link

@protogenxl commented on GitHub (Dec 27, 2022):

@webprofusion-chrisc yes the DNS forward on my firewall seems to working correctly

2022-12-27 08:11:12 Allow 8.0.38.4 8.8.8.8 dns/udp 53597 53 6-WAN 1-Trusted ProxyAllow: DNS question match   (LetsEncryptDNS-proxy-00) DNS-Incoming.1 proc_id="dns-proxy" rc="590" msg_id="1DFF-000E" proxy_act="DNS-Incoming.1" rule_name="*" query_type="A" question="nS2.halibut.juggedfish.com" | Traffic

2022-12-27 08:11:12 Allow 8.0.38.4 8.8.8.8 dns/udp 53597 53 6-WAN 1-Trusted Allowed 82 55 (LetsEncryptDNS-proxy-00)  proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="10.110.144.53" dst_port_nat="1053" | Traffic

@novakele I am running the service as acme-dns and permissions appear to be correct

[root@halibut ~]# cd /etc/acme-dns/api-certs
[root@halibut api-certs]# ls -lah
total 0
drwx------ 4  992 acme-dns 100 Dec 27 08:03 .
drwxrwxr-x 3 root acme-dns  60 Dec 21 06:17 ..
drwx------ 3  992 acme-dns  60 Dec 20 23:53 acme
drwx------ 2  992 acme-dns 142 Dec 27 08:03 locks
-rw------- 1  992 acme-dns   0 Dec 21 06:17 rw_test_288443979776093768
-rw------- 1  992 acme-dns   0 Dec 21 06:17 rw_test_9142020181166123590
<!-- gh-comment-id:1365896002 --> @protogenxl commented on GitHub (Dec 27, 2022): @webprofusion-chrisc yes the DNS forward on my firewall seems to working correctly ``` 2022-12-27 08:11:12 Allow 8.0.38.4 8.8.8.8 dns/udp 53597 53 6-WAN 1-Trusted ProxyAllow: DNS question match (LetsEncryptDNS-proxy-00) DNS-Incoming.1 proc_id="dns-proxy" rc="590" msg_id="1DFF-000E" proxy_act="DNS-Incoming.1" rule_name="*" query_type="A" question="nS2.halibut.juggedfish.com" | Traffic 2022-12-27 08:11:12 Allow 8.0.38.4 8.8.8.8 dns/udp 53597 53 6-WAN 1-Trusted Allowed 82 55 (LetsEncryptDNS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="10.110.144.53" dst_port_nat="1053" | Traffic ``` @novakele I am running the service as acme-dns and permissions appear to be correct ``` [root@halibut ~]# cd /etc/acme-dns/api-certs [root@halibut api-certs]# ls -lah total 0 drwx------ 4 992 acme-dns 100 Dec 27 08:03 . drwxrwxr-x 3 root acme-dns 60 Dec 21 06:17 .. drwx------ 3 992 acme-dns 60 Dec 20 23:53 acme drwx------ 2 992 acme-dns 142 Dec 27 08:03 locks -rw------- 1 992 acme-dns 0 Dec 21 06:17 rw_test_288443979776093768 -rw------- 1 992 acme-dns 0 Dec 21 06:17 rw_test_9142020181166123590 ```
kerem commented 2026-03-13 16:03:12 +03:00
Author
Owner
Copy link

@novakele commented on GitHub (Dec 27, 2022):

It is strange that the owner uid (992) does not resolve to the user acme-dns.

Could you provide the output of id acme-dns? Should the uid of acme-dns be anything else than 992, that is your problem.

Here are the permissions for my instance:

root@lighthouse:~# tree -pufidg /var/lib/acme-dns/
[drwxr-xr-x acme-dns acme-dns]  /var/lib/acme-dns
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/acme
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users/<EMAIL>
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/certificates
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/certificates/acme-v02.api.letsencrypt.org-directory
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/certificates/acme-v02.api.letsencrypt.org-directory/<DOMAIN>
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/locks
[drwx------ acme-dns acme-dns]  /var/lib/acme-dns/api-certs/ocsp

Also, here is the output of the same commands you ran (I use /var/lib/acme-dns instead of /etc/acme-dns for the home directory):

root@lighthouse:~# cd /var/lib/acme-dns/api-certs/

root@lighthouse:/var/lib/acme-dns/api-certs# ls -lah
total 24K
drwx------ 6 acme-dns acme-dns 4.0K Dec 23 22:19 .
drwxr-xr-x 3 acme-dns acme-dns 4.0K Dec 23 23:31 ..
drwx------ 3 acme-dns acme-dns 4.0K Dec 23 22:19 acme
drwx------ 3 acme-dns acme-dns 4.0K Dec 23 22:19 certificates
drwx------ 2 acme-dns acme-dns 4.0K Dec 23 22:19 locks
drwx------ 2 acme-dns acme-dns 4.0K Dec 23 22:19 ocsp
<!-- gh-comment-id:1365918002 --> @novakele commented on GitHub (Dec 27, 2022): It is strange that the owner uid (992) does not resolve to the user acme-dns. Could you provide the output of `id acme-dns`? Should the uid of acme-dns be anything else than 992, that is your problem. Here are the permissions for my instance: ```shell root@lighthouse:~# tree -pufidg /var/lib/acme-dns/ [drwxr-xr-x acme-dns acme-dns] /var/lib/acme-dns [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/acme [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users/<EMAIL> [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/certificates [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/certificates/acme-v02.api.letsencrypt.org-directory [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/certificates/acme-v02.api.letsencrypt.org-directory/<DOMAIN> [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/locks [drwx------ acme-dns acme-dns] /var/lib/acme-dns/api-certs/ocsp ``` Also, here is the output of the same commands you ran (I use `/var/lib/acme-dns` instead of `/etc/acme-dns` for the home directory): ```shell root@lighthouse:~# cd /var/lib/acme-dns/api-certs/ root@lighthouse:/var/lib/acme-dns/api-certs# ls -lah total 24K drwx------ 6 acme-dns acme-dns 4.0K Dec 23 22:19 . drwxr-xr-x 3 acme-dns acme-dns 4.0K Dec 23 23:31 .. drwx------ 3 acme-dns acme-dns 4.0K Dec 23 22:19 acme drwx------ 3 acme-dns acme-dns 4.0K Dec 23 22:19 certificates drwx------ 2 acme-dns acme-dns 4.0K Dec 23 22:19 locks drwx------ 2 acme-dns acme-dns 4.0K Dec 23 22:19 ocsp ```
kerem commented 2026-03-13 16:03:17 +03:00
Author
Owner
Copy link

@p3l1 commented on GitHub (Dec 31, 2022):

See #315, I encountered similar problems. I am using the Dockerfile to run acme-dns.
The v0.8 release works just fine. In my opinion this is not an environment problem, but a problem of the software itself.

On my profile I've got an improved Dockerfile based on the v0.8 release.

<!-- gh-comment-id:1368221494 --> @p3l1 commented on GitHub (Dec 31, 2022): See #315, I encountered similar problems. I am using the Dockerfile to run acme-dns. The v0.8 release works just fine. In my opinion this is not an environment problem, but a problem of the software itself. On my profile I've got an improved Dockerfile based on the v0.8 release.
kerem commented 2026-03-13 16:03:22 +03:00
Author
Owner
Copy link

@jeffsf commented on GitHub (Feb 2, 2023):

I'm seeing similar behavior to what has been reported here and in #315 on a new installation in FreeBSD 13.1-RELEASE-p5 and the current upstream compiled and packaged acme-dns-1.0_3,1 (installed today).

  • DNS queries from outside the perimeter, directed at the public DNS name of the delegation, are answered as expected (both expecting a result as well as expecting NXDOMAIN) Edit: SOA record also confirmed served to outside request
  • Trying to connect to the HTTP API using curl results in a TLS handshake error
  • There are no suggestions in the logs of any issues
  • There do not appear to be any permission problems on the file system (other than acme-dns configured by the port author to be running as root)
time="2023-02-01T19:13:53-08:00" level=info msg="Using config file" file=/usr/local/etc/acme-dns/config.cfg
time="2023-02-01T19:13:53-08:00" level=info msg="Connected to database"
time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=A
time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=NS
time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=SOA
time="2023-02-01T19:13:53-08:00" level=info msg="Listening HTTPS" domain=<DELEGATED_NS_NAME> host="0.0.0.0:443"
time="2023-02-01T19:13:53-08:00" level=info msg="Listening DNS" addr= proto=tcp
time="2023-02-01T19:13:53-08:00" level=info msg="Listening DNS" addr= proto=udp
time="2023-02-01T19:14:36-08:00" level=debug msg="Answering question for domain" domain=should.fail.<MY_DOMAIN>. qtype=A rcode=NXDOMAIN
time="2023-02-01T19:15:11-08:00" level=info msg="http: TLS handshake error from <TEST_HOST_IP>:57801: no certificate available for '<DELEGATED_NS_NAME>'"

On a subsequent restart, I additionally get

time="2023-02-01T19:29:33-08:00" level=info msg="2023/02/01 19:29:33 [INFO][FileStorage:/var/db/acme-dns/api-certs] Lock for 'issue_cert_<DELEGATED_NS_NAME>' is stale (created: 2023-02-01 19:13:53.163243238 -0800 PST, last update: 2023-02-01 19:29:23.133675565 -0800 PST); removing then retrying: /var/db/acme-dns/api-certs/locks/issue_cert_<DELEGATED_NS_NAME>.lock"

sudo find var/db/acme-dns/api-certs/ -type d -exec ls -ld {} \;
drwx------  4 root  wheel  4 Feb  1 19:13 var/db/acme-dns/api-certs/
drwx------  2 root  wheel  3 Feb  1 19:13 var/db/acme-dns/api-certs/locks
drwx------  4 root  wheel  4 Feb  1 19:15 var/db/acme-dns/api-certs/acme
drwx------  3 root  wheel  3 Feb  1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory
drwx------  3 root  wheel  3 Feb  1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users
drwx------  2 root  wheel  4 Feb  1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users/<NOTIFICATON_EMAIL>
drwx------  3 root  wheel  3 Feb  1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory
drwx------  3 root  wheel  3 Feb  1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory/users
drwx------  2 root  wheel  4 Feb  1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory/users/<NOTIFICATON_EMAIL>

$ egrep -v '^#' usr/local/etc/acme-dns/config.cfg
[general]
protocol = "both"
domain = "<DELEGATED_NS_NAME>"
nsname = "<DELEGATED_NS_NAME>"
nsadmin = "<HOSTMASTER@DOMAIN.NAME>"
records = [
    # domain pointing to the public IP of your acme-dns server
    "<DELEGATED_NS_NAME>. A <DELEGATED_NS_PUBLIC_IP>",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "<DELEGATED_NS_NAME>. NS <DELEGATED_NS_NAME>.",
]
debug = true

[database]
engine = "sqlite3"
connection = "/var/db/acme-dns/acme-dns.db"

[api]
ip = "0.0.0.0"
disable_registration = false
port = "443"
tls = "letsencrypt"
acme_cache_dir = "/var/db/acme-dns/api-certs"
notification_email = "<NOTIFICATON_EMAIL>"
corsorigins = [
    "*"
]
use_header = false
header_name = "X-Forwarded-For"

[logconfig]
loglevel = "debug"
logtype = "stdout"
logformat = "text"
<!-- gh-comment-id:1413108492 --> @jeffsf commented on GitHub (Feb 2, 2023): I'm seeing similar behavior to what has been reported here and in #315 on a new installation in FreeBSD 13.1-RELEASE-p5 and the current upstream compiled and packaged `acme-dns-1.0_3,1` (installed today). - DNS queries from outside the perimeter, directed at the public DNS name of the delegation, are answered as expected (both expecting a result as well as expecting NXDOMAIN) _Edit: SOA record also confirmed served to outside request_ - Trying to connect to the HTTP API using curl results in a TLS handshake error - There are no suggestions in the logs of any issues - There do not appear to be any permission problems on the file system (other than acme-dns configured by the port author to be running as root) ``` time="2023-02-01T19:13:53-08:00" level=info msg="Using config file" file=/usr/local/etc/acme-dns/config.cfg time="2023-02-01T19:13:53-08:00" level=info msg="Connected to database" time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=A time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=NS time="2023-02-01T19:13:53-08:00" level=debug msg="Adding new record to domain" domain=<DELEGATED_NS_NAME>. recordtype=SOA time="2023-02-01T19:13:53-08:00" level=info msg="Listening HTTPS" domain=<DELEGATED_NS_NAME> host="0.0.0.0:443" time="2023-02-01T19:13:53-08:00" level=info msg="Listening DNS" addr= proto=tcp time="2023-02-01T19:13:53-08:00" level=info msg="Listening DNS" addr= proto=udp time="2023-02-01T19:14:36-08:00" level=debug msg="Answering question for domain" domain=should.fail.<MY_DOMAIN>. qtype=A rcode=NXDOMAIN time="2023-02-01T19:15:11-08:00" level=info msg="http: TLS handshake error from <TEST_HOST_IP>:57801: no certificate available for '<DELEGATED_NS_NAME>'" ``` On a subsequent restart, I additionally get ``` time="2023-02-01T19:29:33-08:00" level=info msg="2023/02/01 19:29:33 [INFO][FileStorage:/var/db/acme-dns/api-certs] Lock for 'issue_cert_<DELEGATED_NS_NAME>' is stale (created: 2023-02-01 19:13:53.163243238 -0800 PST, last update: 2023-02-01 19:29:23.133675565 -0800 PST); removing then retrying: /var/db/acme-dns/api-certs/locks/issue_cert_<DELEGATED_NS_NAME>.lock" ``` ``` sudo find var/db/acme-dns/api-certs/ -type d -exec ls -ld {} \; drwx------ 4 root wheel 4 Feb 1 19:13 var/db/acme-dns/api-certs/ drwx------ 2 root wheel 3 Feb 1 19:13 var/db/acme-dns/api-certs/locks drwx------ 4 root wheel 4 Feb 1 19:15 var/db/acme-dns/api-certs/acme drwx------ 3 root wheel 3 Feb 1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory drwx------ 3 root wheel 3 Feb 1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users drwx------ 2 root wheel 4 Feb 1 19:13 var/db/acme-dns/api-certs/acme/acme-v02.api.letsencrypt.org-directory/users/<NOTIFICATON_EMAIL> drwx------ 3 root wheel 3 Feb 1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory drwx------ 3 root wheel 3 Feb 1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory/users drwx------ 2 root wheel 4 Feb 1 19:15 var/db/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org-directory/users/<NOTIFICATON_EMAIL> ``` ``` $ egrep -v '^#' usr/local/etc/acme-dns/config.cfg [general] protocol = "both" domain = "<DELEGATED_NS_NAME>" nsname = "<DELEGATED_NS_NAME>" nsadmin = "<HOSTMASTER@DOMAIN.NAME>" records = [ # domain pointing to the public IP of your acme-dns server "<DELEGATED_NS_NAME>. A <DELEGATED_NS_PUBLIC_IP>", # specify that auth.example.org will resolve any *.auth.example.org records "<DELEGATED_NS_NAME>. NS <DELEGATED_NS_NAME>.", ] debug = true [database] engine = "sqlite3" connection = "/var/db/acme-dns/acme-dns.db" [api] ip = "0.0.0.0" disable_registration = false port = "443" tls = "letsencrypt" acme_cache_dir = "/var/db/acme-dns/api-certs" notification_email = "<NOTIFICATON_EMAIL>" corsorigins = [ "*" ] use_header = false header_name = "X-Forwarded-For" [logconfig] loglevel = "debug" logtype = "stdout" logformat = "text" ```
kerem commented 2026-03-13 16:03:27 +03:00
Author
Owner
Copy link

@jeffsf commented on GitHub (Dec 24, 2023):

Confirmed still an issue in FreeBSD 13.2 and package acme-dns-1.0_12,1

No changes in behavior identified

<!-- gh-comment-id:1868432997 --> @jeffsf commented on GitHub (Dec 24, 2023): Confirmed still an issue in FreeBSD 13.2 and package acme-dns-1.0_12,1 No changes in behavior identified
kerem commented 2026-03-13 16:03:32 +03:00
Author
Owner
Copy link

@tigeli commented on GitHub (Feb 9, 2024):

Might be related to this https://github.com/joohoi/acme-dns/issues/339#issuecomment-1935928848

<!-- gh-comment-id:1935935418 --> @tigeli commented on GitHub (Feb 9, 2024): Might be related to this [https://github.com/joohoi/acme-dns/issues/339#issuecomment-1935928848](url)
kerem commented 2026-03-13 16:03:37 +03:00
Author
Owner
Copy link

@jeffsf commented on GitHub (Feb 12, 2024):

I did try adding the CAA record as described on #339 with no change in behavior

Removing the entire /var/db/acme-dns/api-certs directory and allowing it to be recreated also did not change the behavior.

It appears that the query is coming in for the TXT record. The following appears to repeat periodically.

time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=_Acme-cHALlENgE.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=_AcMe-chaLLEnGe.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<f4...UUID...b1>.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=_aCME-CHALlENgE.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<f4...UUID...b1>.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR
time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<f4...UUID...b1>.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR

The requests for the TXT record come in from a variety of IP addresses, including one that reverse-resolves to outbound1g.letsencrypt.org and another to outbound2e.letsencrypt.org

There is no certificate present anywhere under /var/db/acme-dns/api-certs and openssl s_client confirms that there is no certificate available.

Edit: For clarity, the instance works through the API to have other clients renew certificates. It just isn't able to take care of its own.

<!-- gh-comment-id:1937978800 --> @jeffsf commented on GitHub (Feb 12, 2024): I did try adding the CAA record as described on #339 with no change in behavior Removing the entire `/var/db/acme-dns/api-certs` directory and allowing it to be recreated also did not change the behavior. It appears that the query is coming in for the TXT record. The following appears to repeat periodically. ``` time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=_Acme-cHALlENgE.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=_AcMe-chaLLEnGe.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<f4...UUID...b1>.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=_aCME-CHALlENgE.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<f4...UUID...b1>.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<DELEGATED_NS_NAME>. qtype=AAAA rcode=NOERROR time="2024-02-11T17:41:11-08:00" level=debug msg="Answering question for domain" domain=<f4...UUID...b1>.<DELEGATED_NS_NAME>. qtype=TXT rcode=NOERROR ``` The requests for the TXT record come in from a variety of IP addresses, including one that reverse-resolves to outbound1g.letsencrypt.org and another to outbound2e.letsencrypt.org There is no certificate present anywhere under /var/db/acme-dns/api-certs and `openssl s_client` confirms that there is no certificate available. _Edit: For clarity, the instance works through the API to have other clients renew certificates. It just isn't able to take care of its own._
kerem commented 2026-03-13 16:03:42 +03:00
Author
Owner
Copy link

@strobelm commented on GitHub (Apr 17, 2025):

I am observing the same behavior like @jeffsf. Certificates for other domains work well, but acme-dns cannot pull a cert for itself. I am now using certbot to get a certificate, which is at least a workaround. Anyone got a proper solution?

I am running docker compose. My configuration is

$ cat docker-compose.yml
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:443"
      - "53:53"
      - "53:53/udp"
      - "80:80"
    volumes:
      - ./config:/etc/acme-dns:ro
      - ./data:/var/lib/acme-dns
      - ./api-certs:/api-certs
    restart: unless-stopped

$ grep -v '^#' config/config.cfg

[general]
listen = "0.0.0.0:53"
protocol = "both"
domain = "<my-domain>"
nsname = "<my-domain>"
nsadmin = "<my-domain>"
records = [
    "<DELEGATED_NS_NAME>. A <IPv4>",
    "<DELEGATED_NS_NAME>. AAAA  <IPv6>",
    "<DELEGATED_NS_NAME>. NS <DELEGATED_NS_NAME>.",
]
debug = true

[database]
engine = "sqlite3"
connection = "/var/lib/acme-dns/acme-dns.db"

[api]
ip = "0.0.0.0"
disable_registration = false
port = "443"
tls = "letsencrypt"
acme_cache_dir = "/api-certs"
corsorigins = [
    "*"
]
use_header = false

[logconfig]
loglevel = "debug"
logtype = "stdout"
logformat = "json"
<!-- gh-comment-id:2812477676 --> @strobelm commented on GitHub (Apr 17, 2025): I am observing the same behavior like @jeffsf. Certificates for other domains work well, but acme-dns cannot pull a cert for itself. I am now using certbot to get a certificate, which is at least a workaround. Anyone got a proper solution? I am running docker compose. My configuration is ``` $ cat docker-compose.yml services: acmedns: image: joohoi/acme-dns:latest ports: - "443:443" - "53:53" - "53:53/udp" - "80:80" volumes: - ./config:/etc/acme-dns:ro - ./data:/var/lib/acme-dns - ./api-certs:/api-certs restart: unless-stopped $ grep -v '^#' config/config.cfg [general] listen = "0.0.0.0:53" protocol = "both" domain = "<my-domain>" nsname = "<my-domain>" nsadmin = "<my-domain>" records = [ "<DELEGATED_NS_NAME>. A <IPv4>", "<DELEGATED_NS_NAME>. AAAA <IPv6>", "<DELEGATED_NS_NAME>. NS <DELEGATED_NS_NAME>.", ] debug = true [database] engine = "sqlite3" connection = "/var/lib/acme-dns/acme-dns.db" [api] ip = "0.0.0.0" disable_registration = false port = "443" tls = "letsencrypt" acme_cache_dir = "/api-certs" corsorigins = [ "*" ] use_header = false [logconfig] loglevel = "debug" logtype = "stdout" logformat = "json" ```
kerem commented 2026-03-13 16:03:47 +03:00
Author
Owner
Copy link

@jeffsf commented on GitHub (Sep 8, 2025):

Still looking for a clean solution to this.

Having to hack in the server's own IP address to be able to pull certificates for its own use is annoying, especially in environments where that address changes regularly. Failure to make the proper adjustment doesn't show up until renewals start failing.

<!-- gh-comment-id:3267588753 --> @jeffsf commented on GitHub (Sep 8, 2025): Still looking for a clean solution to this. Having to hack in the server's own IP address to be able to pull certificates for its own use is annoying, especially in environments where that address changes regularly. Failure to make the proper adjustment doesn't show up until renewals start failing.
kerem commented 2026-03-13 16:03:52 +03:00
Author
Owner
Copy link

@jeffsf commented on GitHub (Feb 2, 2026):

Still broken, as its expired certificate has caused a cascade of problems

<!-- gh-comment-id:3837893008 --> @jeffsf commented on GitHub (Feb 2, 2026): Still broken, as its expired certificate has caused a cascade of problems
kerem commented 2026-03-13 16:03:58 +03:00
Author
Owner
Copy link

@joohoi commented on GitHub (Feb 3, 2026):

The need to configure the actual ip address of the external interface comes
from systemd-resolved hogging the port 53 on a loopback interface, making
it impossible to bind to 0.0.0.0 unfortunately.

On Tue, Feb 3, 2026 at 1.54 Jeff Kletsky @.***> wrote:

jeffsf left a comment (joohoi/acme-dns#324)
https://github.com/joohoi/acme-dns/issues/324#issuecomment-3837893008

Still broken, as its expired certificate has caused a cascade of problems


Reply to this email directly, view it on GitHub
https://github.com/joohoi/acme-dns/issues/324#issuecomment-3837893008,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/ABH6DJIF6FPUGII6ZOJEVBL4J7PUNAVCNFSM6AAAAAB3KRPQH6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTQMZXHA4TGMBQHA
.
You are receiving this because you are subscribed to this thread.Message
ID: @.***>

<!-- gh-comment-id:3837936361 --> @joohoi commented on GitHub (Feb 3, 2026): The need to configure the actual ip address of the external interface comes from systemd-resolved hogging the port 53 on a loopback interface, making it impossible to bind to 0.0.0.0 unfortunately. On Tue, Feb 3, 2026 at 1.54 Jeff Kletsky ***@***.***> wrote: > *jeffsf* left a comment (joohoi/acme-dns#324) > <https://github.com/joohoi/acme-dns/issues/324#issuecomment-3837893008> > > Still broken, as its expired certificate has caused a cascade of problems > > — > Reply to this email directly, view it on GitHub > <https://github.com/joohoi/acme-dns/issues/324#issuecomment-3837893008>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABH6DJIF6FPUGII6ZOJEVBL4J7PUNAVCNFSM6AAAAAB3KRPQH6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTQMZXHA4TGMBQHA> > . > You are receiving this because you are subscribed to this thread.Message > ID: ***@***.***> >
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix_dockerhub
dockerhub
readme2.0
goreleaser_action
refactoring
linter_update_config
update_deps_122
dependabot/go_modules/github.com/valyala/fasthttp-1.34.0
deps_bump
update_goreleaser
update_golint
deps_update
update_dockerfile
v2.0.2
v2.0.1
v2.0
v1.1
v1.0
v0.8
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3.2
v0.3.1
v0.3
v0.2
v0.1
Labels
Clear labels   
Documentation

   
Documentation

   
bug

   
enhancement

   
feature request

   
feature request

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
security

   
security

   
testing
No labels
Documentation
Documentation
bug
enhancement
feature request
feature request
help wanted
pull-request
question
security
security
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/acme-dns#177
No description provided.