Welcome
What did you expect to see?

Trying to set up the DNS challenge for Traefik and PowerDNS to get a wildcard certificate.

What did you see instead?

Some error message.

How do you use lego?

Through Traefik

Reproduction steps

environment:
- TRAEFIK_ENTRYPOINTS_HTTP=true
- TRAEFIK_ENTRYPOINTS_HTTP_ADDRESS=:80
- TRAEFIK_ENTRYPOINTS_HTTPS=true
- TRAEFIK_ENTRYPOINTS_HTTPS_ADDRESS=:443
- TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS=true
- TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_CERTRESOLVER=default
- TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_DOMAINS_0_MAIN=mydomain.net
- TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_DOMAINS_0_SANS=*.mydomain.net
- TRAEFIK_PROVIDERS_DOCKER=true
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT=true
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_EMAIL=info@mydomain.net
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE=true
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_PROVIDER=pdns
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_RESOLVERS=8.8.8.8:53
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_DELAYBEFORECHECK=15
- TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_STORAGE=/data/acme.json
- PDNS_API_URL=http://192.168.123.10:8081/
- PDNS_API_KEY=pdns-api-key

The ACME challenges get created correctly in PowerDNS (and the SOA serial increments):

Already tried to increase DELAYBEFORECHECK and to set a RESOLVER without success.

Version of lego

Logs

{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"mydomain.net\"]...","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"Domains [\"mydomain.net\"] need ACME certificates generation for domains \"mydomain.net\".","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"Loading ACME certificates [mydomain.net]...","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"Building ACME client...","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"https://acme-v02.api.letsencrypt.org/directory","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"mydomain.net\"]...","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"mydomain.net\"].","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"mydomain.net\"]...","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"mydomain.net\"].","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"Using DNS Challenge provider: pdns","providerName":"default.acme","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Obtaining bundled SAN certificate","time":"2021-09-06T13:19:22+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/28497608120","time":"2021-09-06T13:19:23+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Could not find solver for: tls-alpn-01","time":"2021-09-06T13:19:23+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Could not find solver for: http-01","time":"2021-09-06T13:19:23+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: use dns-01 solver","time":"2021-09-06T13:19:23+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Preparing to solve DNS-01","time":"2021-09-06T13:19:23+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Trying to solve DNS-01","time":"2021-09-06T13:19:23+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Checking DNS record propagation using [8.8.8.8:53]","time":"2021-09-06T13:19:23+02:00"}
{"level":"debug","msg":"legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]","time":"2021-09-06T13:19:25+02:00"}
{"level":"debug","msg":"Delaying 120000000000 rather than validating DNS propagation now.","providerName":"default.acme","time":"2021-09-06T13:19:25+02:00"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"mydomain.net\"]...","providerName":"default.acme","time":"2021-09-06T13:19:51+02:00"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"mydomain.net\"].","providerName":"default.acme","time":"2021-09-06T13:19:51+02:00"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"mydomain.net\"]...","providerName":"default.acme","time":"2021-09-06T13:19:51+02:00"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"mydomain.net\"].","providerName":"default.acme","time":"2021-09-06T13:19:51+02:00"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"mydomain.net\"]...","providerName":"default.acme","time":"2021-09-06T13:19:51+02:00"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"mydomain.net\"].","providerName":"default.acme","time":"2021-09-06T13:19:51+02:00"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"mydomain.net\"]...","providerName":"default.acme","time":"2021-09-06T13:19:51+02:00"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"mydomain.net\"].","providerName":"default.acme","time":"2021-09-06T13:19:51+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Waiting for DNS record propagation.","time":"2021-09-06T13:21:36+02:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Cleaning DNS-01 challenge","time":"2021-09-06T13:21:38+02:00"}
{"level":"debug","msg":"legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/28497608120","time":"2021-09-06T13:21:38+02:00"}
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"mydomain.net\" : unable to generate a certificate for the domains [mydomain.net]: error: one or more domains had a problem:\n[mydomain.net] time limit exceeded: last error: read udp 172.28.0.2:52637-\u003e195.141.155.147:53: i/o timeout\n","providerName":"default.acme","time":"2021-09-06T13:21:38+02:00"}
{"level":"debug","msg":"Serving default certificate for request: \"media.mydomain.net\"","time":"2021-09-06T13:21:42+02:00"}

Go environment (if applicable)

No response
Answered by
ldez
Sep 7, 2021
Hello,
You have an issue with your networking, maybe you have a firewall, or DNS is really really slow.
Answer selected by
jokay
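
A way to read the failure in the question's log, as an added example that is not part of the original discussion and not code from lego or Traefik: it pulls the configured resolver list and the timed-out peer out of Traefik's JSON log lines and reports whether that peer is one of the configured resolvers. The `triage` function and the two sample lines (constructed in the shape of the log above) are assumptions of this example.

```python
import json
import re

# Constructed sample: two lines shaped like the Traefik debug log in the question.
SAMPLE_LOG = r'''
{"level":"debug","msg":"legolog: [INFO] [mydomain.net] acme: Checking DNS record propagation using [8.8.8.8:53]","time":"2021-09-06T13:19:23+02:00"}
{"level":"error","msg":"Unable to obtain ACME certificate: [mydomain.net] time limit exceeded: last error: read udp 172.28.0.2:52637-\u003e195.141.155.147:53: i/o timeout\n","providerName":"default.acme","time":"2021-09-06T13:21:38+02:00"}
'''

# Resolver list announced before the propagation check starts.
RESOLVERS_RE = re.compile(r"Checking DNS record propagation using \[([^\]]*)\]")
# Go network error of the form "read udp SRC->DST: i/o timeout".
TIMEOUT_RE = re.compile(r"read (udp|tcp) (\S+?)->(\S+?): i/o timeout")


def triage(log_text):
    """Return the configured resolvers and every timed-out DNS peer in the log."""
    resolvers, timeouts = set(), []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip blank lines and non-JSON noise
        try:
            msg = json.loads(line).get("msg", "")  # also decodes \u003e to '>'
        except json.JSONDecodeError:
            continue  # truncated or corrupted line
        found = RESOLVERS_RE.search(msg)
        if found:
            resolvers.update(found.group(1).split())
        for proto, src, dst in TIMEOUT_RE.findall(msg):
            timeouts.append({"proto": proto, "src": src, "dst": dst})
    for entry in timeouts:
        # False means the query that timed out went to some other server
        # than the resolver set in the DNS challenge configuration.
        entry["dst_is_configured_resolver"] = entry["dst"] in resolvers
    return {"resolvers": sorted(resolvers), "timeouts": timeouts}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample, the timed-out peer is 195.141.155.147:53 rather than the configured 8.8.8.8:53, so the path to test is outbound UDP port 53 from the container address 172.28.0.2 to that server.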