starred/acme-dns
1
0
Fork 0
mirror of https://github.com/acme-dns/acme-dns.git synced 2026-04-27 04:45:48 +03:00
Code Issues 178 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #354] How do you bootstrap when you have a split-DNS? #197

New issue
Closed
opened 2026-03-13 16:07:35 +03:00 by kerem · 5 comments
kerem commented 2026-03-13 16:07:35 +03:00
Owner
Copy link

Originally created by @gctwnl on GitHub (Jun 8, 2024).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/354

[Update: this is a dumb question. Ignore]

I need to get the acme-dns server running locally, on a server that is already running an instance of my split-DNS (so 53 is not available).

Outside public DNS for mydomain.tld:

acmedns     IN    NS   usedname.mydomain.tld
usedname    IN    A    100.11.12.13
linuxserver IN    A    100.11.12.14

Inside private DNS for mydomain.tld:

linuxserver IN    A    192.168.10.10

acme-dns is running as a container via docker compose, with this:

    ports:
      - "943:443"
      - "953:53"
      - "953:53/udp"
      - "980:80"

It starts fine:

acmedns-1  | time="2024-06-08T12:46:06Z" level=info msg="Using config file" file=/etc/acme-dns/config.cfg
acmedns-1  | time="2024-06-08T12:46:06Z" level=info msg="Connected to database"
acmedns-1  | time="2024-06-08T12:46:06Z" level=debug msg="Adding new record to domain" domain=vanroodewierda.rna.nl. recordtype=A
acmedns-1  | time="2024-06-08T12:46:06Z" level=debug msg="Adding new record to domain" domain=acmedns.rna.nl. recordtype=NS
acmedns-1  | time="2024-06-08T12:46:06Z" level=debug msg="Adding new record to domain" domain=acmedns.rna.nl. recordtype=SOA
acmedns-1  | time="2024-06-08T12:46:06Z" level=info msg="Listening HTTPS" domain=acmedns.rna.nl host="0.0.0.0:443"
acmedns-1  | time="2024-06-08T12:46:06Z" level=info msg="Listening DNS" addr="0.0.0.0:53" proto=udp
acmedns-1  | time="2024-06-08T12:46:06Z" level=info msg="Listening DNS" addr="0.0.0.0:53" proto=tcp

NAT is like

100.11.12.13:53 -> 192.168.10.10:953

From the outside, my acme-dns is reachable:

nc -v -z -u usedname.mydomain.tld 53
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to k.l.m.n:53.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.01 seconds.

From the inside as well:

nc -v -z -u linuxserver.mydomain.tld 953
Connection to linuxserver port 953 [udp/*] succeeded!

Now, when on the inside I try to register, I get

root@linuxserver:/srv/docker/nameserver# curl -X POST https://linuxserver.mydomain.tld:943/register
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

and the log says:

acmedns-1  | time="2024-06-08T12:47:43Z" level=info msg="http: TLS handshake error from 192.168.10.10:53822: no certificate available for 'linuxserver.mydomain.tld'"

My config is a mess, of course, because I don't understand this all very well.

# domain name to serve the requests off of
domain = "acmedns.mydomain.tld"
# zone name server
nsname = "usedname.mydomain.tld"
# admin email address, where @ is substituted with .
nsadmin = "hostmaster.mydomain.tld"
# predefined records served in addition to the TXT
records = [
    # domain pointing to the public IP of your acme-dns server 
    "usedname.rna.nl. A 100.11.12.13",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "acmedns.mydomain.tld. NS usedname.mydomain.tld.",
]

Is there a way to get the acme-dns running self-hosted in this situation?

Originally created by @gctwnl on GitHub (Jun 8, 2024). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/354 [Update: this is a dumb question. Ignore] I need to get the acme-dns server running locally, on a server that is already running an instance of my split-DNS (so 53 is not available). Outside public DNS for `mydomain.tld`: ``` acmedns IN NS usedname.mydomain.tld usedname IN A 100.11.12.13 linuxserver IN A 100.11.12.14 ``` Inside private DNS for `mydomain.tld`: ``` linuxserver IN A 192.168.10.10 ``` acme-dns is running as a container via docker compose, with this: ``` ports: - "943:443" - "953:53" - "953:53/udp" - "980:80" ``` It starts fine: ``` acmedns-1 | time="2024-06-08T12:46:06Z" level=info msg="Using config file" file=/etc/acme-dns/config.cfg acmedns-1 | time="2024-06-08T12:46:06Z" level=info msg="Connected to database" acmedns-1 | time="2024-06-08T12:46:06Z" level=debug msg="Adding new record to domain" domain=vanroodewierda.rna.nl. recordtype=A acmedns-1 | time="2024-06-08T12:46:06Z" level=debug msg="Adding new record to domain" domain=acmedns.rna.nl. recordtype=NS acmedns-1 | time="2024-06-08T12:46:06Z" level=debug msg="Adding new record to domain" domain=acmedns.rna.nl. recordtype=SOA acmedns-1 | time="2024-06-08T12:46:06Z" level=info msg="Listening HTTPS" domain=acmedns.rna.nl host="0.0.0.0:443" acmedns-1 | time="2024-06-08T12:46:06Z" level=info msg="Listening DNS" addr="0.0.0.0:53" proto=udp acmedns-1 | time="2024-06-08T12:46:06Z" level=info msg="Listening DNS" addr="0.0.0.0:53" proto=tcp ``` NAT is like ``` 100.11.12.13:53 -> 192.168.10.10:953 ``` From the outside, my acme-dns is reachable: ``` nc -v -z -u usedname.mydomain.tld 53 Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Connected to k.l.m.n:53. Ncat: UDP packet sent successfully Ncat: 1 bytes sent, 0 bytes received in 2.01 seconds. ``` From the inside as well: ``` nc -v -z -u linuxserver.mydomain.tld 953 Connection to linuxserver port 953 [udp/*] succeeded! ``` Now, when on the inside I try to register, I get ``` root@linuxserver:/srv/docker/nameserver# curl -X POST https://linuxserver.mydomain.tld:943/register curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error ``` and the log says: ``` acmedns-1 | time="2024-06-08T12:47:43Z" level=info msg="http: TLS handshake error from 192.168.10.10:53822: no certificate available for 'linuxserver.mydomain.tld'" ``` My config is a mess, of course, because I don't understand this all very well. ``` # domain name to serve the requests off of domain = "acmedns.mydomain.tld" # zone name server nsname = "usedname.mydomain.tld" # admin email address, where @ is substituted with . nsadmin = "hostmaster.mydomain.tld" # predefined records served in addition to the TXT records = [ # domain pointing to the public IP of your acme-dns server "usedname.rna.nl. A 100.11.12.13", # specify that auth.example.org will resolve any *.auth.example.org records "acmedns.mydomain.tld. NS usedname.mydomain.tld.", ] ``` Is there a way to get the `acme-dns` running self-hosted in this situation?
kerem closed this issue 2026-03-13 16:07:41 +03:00
kerem commented 2026-03-13 16:07:47 +03:00
Author
Owner
Copy link

@gctwnl commented on GitHub (Jun 8, 2024):

I worked around it by copying a valid cert over from another machine and setting

# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
tls = "cert"
# only used if tls = "cert"
tls_cert_privkey = "/etc/letsencrypt/live/mydomain.tld/privkey.pem"
tls_cert_fullchain = "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"

That is of course not a real solution.

<!-- gh-comment-id:2156087109 --> @gctwnl commented on GitHub (Jun 8, 2024): I worked around it by copying a valid cert over from another machine and setting ``` # possible values: "letsencrypt", "letsencryptstaging", "cert", "none" tls = "cert" # only used if tls = "cert" tls_cert_privkey = "/etc/letsencrypt/live/mydomain.tld/privkey.pem" tls_cert_fullchain = "/etc/letsencrypt/live/mydomain.tld/fullchain.pem" ``` That is of course not a real solution.
kerem commented 2026-03-13 16:07:52 +03:00
Author
Owner
Copy link

@gctwnl commented on GitHub (Jun 8, 2024):

I can now successfully use the API, but not entirely:

% curl -X POST https://linuxserver.mydomain.tld:943/update -H "X-Api-User: <snip>" -H "X-Api-Key: <snip>" --data '{"subdomain": "<snip>", "txt": "___validation_token_recieved_from_the_ca___"}'| python3 -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   161  100    54  100   107    688   1364 --:--:-- --:--:-- --:--:--  2064
{
    "txt": "___validation_token_recieved_from_the_ca___"
}

That is a call on the inside. 443 is not available from outside (no NAT). The log says:

acmedns-1  | time="2024-06-08T16:06:57Z" level=info msg="  Actual request no headers added: missing origin"
acmedns-1  | time="2024-06-08T16:06:57Z" level=debug msg="TXT updated" subdomain=<snip> txt=___validation_token_recieved_from_the_ca___

But when I try to read this from the outside:

$ dig _acme-challenge.acmedns.mydomain.tld txt

; <<>> DiG 9.11.36-RedHat-9.11.36-14.el8_10 <<>> _acme-challenge.acmedns.mydomain.tld txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42965
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 327e502452512e255ca948b766647f7248f5c0f8d3a99f53 (good)
;; QUESTION SECTION:
;_acme-challenge.acmedns.mydomain.tld.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.acmedns.mydomain.tld.	1 IN	TXT	""

;; AUTHORITY SECTION:
acmedns.mydomain.tld.		207	IN	NS	usedname.mydomain.tld.

;; Query time: 37 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 08 17:57:38 CEST 2024
;; MSG SIZE  rcvd: 129

So, almost there?

<!-- gh-comment-id:2156089591 --> @gctwnl commented on GitHub (Jun 8, 2024): I can now successfully use the API, but not entirely: ``` % curl -X POST https://linuxserver.mydomain.tld:943/update -H "X-Api-User: <snip>" -H "X-Api-Key: <snip>" --data '{"subdomain": "<snip>", "txt": "___validation_token_recieved_from_the_ca___"}'| python3 -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 161 100 54 100 107 688 1364 --:--:-- --:--:-- --:--:-- 2064 { "txt": "___validation_token_recieved_from_the_ca___" } ``` That is a call on the inside. 443 is not available from outside (no NAT). The log says: ``` acmedns-1 | time="2024-06-08T16:06:57Z" level=info msg=" Actual request no headers added: missing origin" acmedns-1 | time="2024-06-08T16:06:57Z" level=debug msg="TXT updated" subdomain=<snip> txt=___validation_token_recieved_from_the_ca___ ``` But when I try to read this from the outside: ``` $ dig _acme-challenge.acmedns.mydomain.tld txt ; <<>> DiG 9.11.36-RedHat-9.11.36-14.el8_10 <<>> _acme-challenge.acmedns.mydomain.tld txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42965 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 327e502452512e255ca948b766647f7248f5c0f8d3a99f53 (good) ;; QUESTION SECTION: ;_acme-challenge.acmedns.mydomain.tld. IN TXT ;; ANSWER SECTION: _acme-challenge.acmedns.mydomain.tld. 1 IN TXT "" ;; AUTHORITY SECTION: acmedns.mydomain.tld. 207 IN NS usedname.mydomain.tld. ;; Query time: 37 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sat Jun 08 17:57:38 CEST 2024 ;; MSG SIZE rcvd: 129 ``` So, almost there?
kerem commented 2026-03-13 16:07:57 +03:00
Author
Owner
Copy link

@gctwnl commented on GitHub (Jun 8, 2024):

Never mind @joohoi, it was in part a dumb question (there is a 'none' option).

<!-- gh-comment-id:2156108627 --> @gctwnl commented on GitHub (Jun 8, 2024): Never mind @joohoi, it was in part a dumb question (there is a 'none' option).
kerem commented 2026-03-13 16:08:02 +03:00
Author
Owner
Copy link

@gctwnl commented on GitHub (Jun 9, 2024):

Never mind, the error was mine (no surprise here). I had CNAME'd _acme-challenge.acmedns.mydomain.tld to <acme-dns-subdomain>.acmedns.mydomain.tld but I should have CNAME'd _acme-challenge.mydomain.tld of course because that is where LE CA will look... 😬 Now just see if I can get it working in full.

So, probably the bootstrap would have worked too, maybe. I'll probably check later.

<!-- gh-comment-id:2156518828 --> @gctwnl commented on GitHub (Jun 9, 2024): Never mind, the error was mine (no surprise here). I had CNAME'd `_acme-challenge.acmedns.mydomain.tld` to `<acme-dns-subdomain>.acmedns.mydomain.tld` but I should have CNAME'd `_acme-challenge.mydomain.tld` of course because that is where LE CA will look... 😬 Now just see if I can get it working in full. So, probably the bootstrap would have worked too, maybe. I'll probably check later.
kerem commented 2026-03-13 16:08:07 +03:00
Author
Owner
Copy link

@gctwnl commented on GitHub (Jun 13, 2024):

This was (as least in part) a dumb question.

<!-- gh-comment-id:2165492224 --> @gctwnl commented on GitHub (Jun 13, 2024): This was (as least in part) a dumb question.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix_dockerhub
dockerhub
readme2.0
goreleaser_action
refactoring
linter_update_config
update_deps_122
dependabot/go_modules/github.com/valyala/fasthttp-1.34.0
deps_bump
update_goreleaser
update_golint
deps_update
update_dockerfile
v2.0.2
v2.0.1
v2.0
v1.1
v1.0
v0.8
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3.2
v0.3.1
v0.3
v0.2
v0.1
Labels
Clear labels   
Documentation

   
Documentation

   
bug

   
enhancement

   
feature request

   
feature request

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
security

   
security

   
testing
No labels
Documentation
Documentation
bug
enhancement
feature request
feature request
help wanted
pull-request
question
security
security
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/acme-dns#197
No description provided.