danb35/freenas-iocage-nextcloud

DNS challenge fails with ZeroSSL in Caddy in production, works in staging

Opened this issue · 2 comments

Having tested with the Route53 plug-in, I can generate a staging cert. After running remove_staging.sh this fails. This is because the current config uses LetsEncrypt for staging:

acme_ca https://acme-staging-v02.api.letsencrypt.org/directory

When that line is commented out in the Caddyfile, ACME defaults to ZeroSSL nowadays. I suspect the reason validation fails may be related to ZeroSSL requiring longer challenge timeouts; see this discussion: https://caddy.community/t/zerossl-dns-challenge-failing-often-route53-plugin/13822/24

A simple workaround is to continue using LetsEncrypt. Instead of commenting out the staging line in the Caddyfile, replace it with:

acme_ca https://acme-v02.api.letsencrypt.org/directory

It also makes more sense to use the same CA for both staging and production. Tested and working with Route53.

The error is below. Unsure if this is a timeout or some other ZeroSSL issue, though "context deadline exceeded" suggests a timeout. Works with LetsEncrypt.

{"level":"info","ts":1702149009.1373146,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"O9hmAZ8y3Z2Wqpy5W0LUpg"}
{"level":"info","ts":1702149037.2634928,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["******.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"hostmaster@projectbotticelli.com"}
{"level":"info","ts":1702149037.263566,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["******.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"hostmaster@projectbotticelli.com"}
{"level":"info","ts":1702149089.7283485,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"******.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1702149094.7885842,"logger":"tls.issuance.zerossl.acme_client","msg":"cleaning up solver","identifier":"******.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.******.net\" (usually OK if presenting also failed)"}
{"level":"error","ts":1702149094.9637642,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"******.net","issuer":"acme.zerossl.com-v2-DV90","error":"[******.net] solving challenges: presenting for challenge: adding temporary record for zone \"******.net.\": operation error Route 53: ListHostedZonesByName, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded (order=https://acme.zerossl.com/v2/DV90/order/RAPb9UJUbbNniG39OgmuQA) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1702149094.9638958,"logger":"tls.obtain","msg":"will retry","error":"[******.net] Obtain: [******.net] solving challenges: presenting for challenge: adding temporary record for zone \"******.net.\": operation error Route 53: ListHostedZonesByName, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded (order=https://acme.zerossl.com/v2/DV90/order/RAPb9UJUbbNniG39OgmuQA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":94.647129347,"max_duration":2592000}
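As an added example (not part of the freenas-iocage-nextcloud project and not the issue author's remove_staging.sh), the following POSIX shell script performs the swap described in the post: it rewrites the staging acme_ca line to the production Let's Encrypt directory in place, instead of commenting it out, which would leave Caddy to pick its default issuers (the log above shows the ZeroSSL issuer being used). It refuses to touch a file that has no staging line, so a typo'd or already-promoted Caddyfile is not silently accepted. The Caddyfile content, its temp-file path and the email address are constructed for the demonstration; in the jail you would point it at the real Caddyfile.

```shell
#!/bin/sh
# Added example: promote a Caddyfile from the Let's Encrypt staging directory
# to the production directory without removing the acme_ca line.
# Not the project's remove_staging.sh; paths and sample content are assumptions.

STAGING_CA='https://acme-staging-v02.api.letsencrypt.org/directory'
PROD_CA='https://acme-v02.api.letsencrypt.org/directory'

# Write a small constructed Caddyfile global-options block to $1 for the demo.
make_sample_caddyfile() {
    printf '{\n\tacme_ca %s\n\temail hostmaster@example.com\n}\n' "$STAGING_CA" > "$1"
}

# Print the value of the first active (uncommented) acme_ca directive in $1,
# or "unset" when none is present (Caddy then uses its default issuers).
current_acme_ca() {
    val=$(sed -n 's/^[[:space:]]*acme_ca[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    if [ -z "$val" ]; then
        echo "unset"
    else
        echo "$val"
    fi
}

# Rewrite the staging directive in $1 to production. Returns 0 on success and
# 1 when no staging acme_ca line exists, leaving the file untouched.
promote_acme_ca() {
    file="$1"
    if ! grep -q "^[[:space:]]*acme_ca[[:space:]]\{1,\}$STAGING_CA" "$file"; then
        echo "no staging acme_ca line found in $file" >&2
        return 1
    fi
    # '|' is the sed delimiter because the URLs contain '/'; -i.bak works on
    # both BSD (FreeBSD jail) and GNU sed and keeps a backup for rollback.
    sed -i.bak "s|^\([[:space:]]*acme_ca[[:space:]]\{1,\}\)$STAGING_CA|\1$PROD_CA|" "$file"
}

# Demonstration on a constructed Caddyfile in a temp file, not the jail's config.
sample=$(mktemp)
make_sample_caddyfile "$sample"
echo "before: $(current_acme_ca "$sample")"
promote_acme_ca "$sample"
echo "after:  $(current_acme_ca "$sample")"
rm -f "$sample" "$sample.bak"
```

After running it against the real Caddyfile, `current_acme_ca /path/to/Caddyfile` should print the production directory and Caddy's log should show the `tls.issuance.acme` logger with `ca":"https://acme-v02.api.letsencrypt.org/directory"` rather than the ZeroSSL issuer.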

"A simple workaround is to continue using LetsEncrypt. Instead of commenting out the staging line in Caddyfile, replace it with:

acme_ca https://acme-v02.api.letsencrypt.org/directory
"

This ended up working for me, thank you.