DNS-01: errors during certificate request with Zoraxy reverse proxy

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: elsinga.net

I ran this command: unknown, but requested elsinga.net and *.elsinga.net through the GUI of the Zoraxy reverse proxy, run on Docker.

It produced this output:
Error: one or more domains had a problem: [*.elsinga.net] [*.elsinga.net] acme: error presenting token: ClouDNS: zone elsinga.net not found for authFQDN _acme-challenge.elsinga.net.

Error: one or more domains had a problem: [elsinga.net] [elsinga.net] acme: error presenting token: ClouDNS: zone elsinga.net not found for authFQDN _acme-challenge.elsinga.net.

My web server is (include version): docker image zoraxydocker/zoraxy:latest (installed today)

The operating system my web server runs on is (include version): Linux (Ugreen DXP8800 Plus NAS)

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Zoraxy reverse proxy

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): unknown, commands not found in SSH CLI

Long story: I am in the process of migrating from my Synology DS918+, where normal non-DNS-01 requests for certificates work just fine, to a new Ugreen DXP8800 Plus NAS. The 8800 does not have a Web Station or built-in reverse proxy, so I am running an Nginx/PHP container for my website and Zoraxy as the reverse proxy. The 8800 is not yet getting traffic forwarded from the internet on ports 80 or 443 (the DS918+ is, since I want my websites to stay up). However, when I put elsinga.net and www.elsinga.net in my Windows hosts file and point them to the 8800's local LAN IP address, everything works just fine (apart from certificate warnings on HTTPS, which is expected while not having certificates yet).

In Zoraxy I am now trying to request LE certificates (either a domain wildcard one, which would be preferred, or a normal one with both elsinga.net and www.elsinga.net). I am using ClouDNS as my nameserver, where I have enabled an API auth-id and set a password.

In Zoraxy's ACME Tool I enter the Domain(s) either as elsinga.net or *.elsinga.net or elsinga.net,www.elsinga.net (all three produce the same error), enter the AuthID and AuthPassword, with Pollinginterval 2s and PropagationTimeout 600s. When clicking Get Certificate I quickly get the error (shown for elsinga.net): Error: one or more domains had a problem: [elsinga.net] [elsinga.net] acme: error presenting token: ClouDNS: zone elsinga.net not found for authFQDN _acme-challenge.elsinga.net.

I tried setting a _acme-challenge TXT record at ClouDNS for elsinga.net with the value elsinga.net, but that also did not help. I expect to either get the unique token to set in that TXT record or that the ACME tool sets it itself using the API user.

If that might matter: I have 3 domains in the same ClouDNS account: elsinga.net, elsinga.org and pc5e.nl.

What am I doing wrong?

P.S. I also tried to use the non-DNS-01 method, forwarding 80/443 to my 8800, but I keep getting other errors there, like: Error: one or more domains had a problem: [elsinga.net] invalid authorization: acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 86.84.51.73: Invalid response from https://elsinga.net/.well-known/acme-challenge/gIyS9WQjn524thsLKT5z0eTR9Sf1qLoGCpN6kG5b4Dk: 404


First, the DNS method is very different from the HTTP method. Debugging one won't help resolve problems with the other.

The HTTP Challenge is usually easier to set up. The '404' in the error message is an HTTP "Not Found". It means that when Let's Encrypt sent an HTTP request asking for the challenge token, your server said it was not found. I am not familiar with Zoraxy so can't say much. But it usually means the "webroot" path for your server did not match the path Zoraxy placed the token in. Perhaps it has a log that provides more info.

The DNS Challenge failure could be several things. The normal process is to add a TXT record value and then delete it. The error you are getting is the ClouDNS server telling your Zoraxy client it can't do what it requested. Again, I don't know Zoraxy so maybe it does other things too but adding/deleting a TXT record is minimum.

You should manually test ClouDNS API requests using curl or similar. I think this ClouDNS page has a good example: ClouDNS: Add record

Note you also have a problem with your DNS delegation configuration. I don't think this is causing this particular problem but you should fix it. It can cause other problems if not this one. From: elsinga.net | DNSViz

net to elsinga.net: The following NS name(s) were found in the delegation NS RRset (i.e., in the net zone), but not in the authoritative NS RRset: ns2.cloudns.net See RFC 1034, Sec. 4.2.2.

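
The delegation check described above (parent NS RRset versus the zone's own NS RRset, RFC 1034 sec. 4.2.2) can be scripted so it is easy to re-run after fixing the registrar. This is an added example, not code from Zoraxy, DNSViz or the thread; it parses the lines `dig` prints, and the two sample outputs embedded in it are constructed to reproduce the DNSViz finding quoted above (ns2.cloudns.net in the .net delegation but not in the zone). The server names used for the live variant (a.gtld-servers.net, ns1.cloudns.net) are illustrative assumptions.

```python
"""Delegation vs. authoritative NS check (RFC 1034 sec. 4.2.2).

Added example; not from Zoraxy, DNSViz or the original post. The offline
check below runs on constructed dig output; check_live() shells out to dig.
"""
import re
import subprocess
from typing import List, Set, Tuple

# dig prints: <owner> <ttl> IN NS <target>  (fields separated by tabs/spaces)
NS_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)\s*$")


def parse_ns_names(dig_output: str) -> Set[str]:
    """Collect NS targets from dig's answer/authority lines, normalised to
    lower case without the trailing dot so the two sets compare cleanly."""
    names = set()
    for line in dig_output.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            names.add(m.group(1).lower().rstrip("."))
    return names


def delegation_mismatch(delegation: Set[str],
                        authoritative: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (names only in the parent's delegation, names only in the child).
    Both lists empty means the delegation is consistent."""
    return sorted(delegation - authoritative), sorted(authoritative - delegation)


def dig(args: List[str]) -> str:
    """Run dig and return its stdout (live query; not used by the offline check)."""
    return subprocess.run(["dig"] + args, capture_output=True,
                          text=True, check=True).stdout


def check_live(zone: str, parent_server: str, child_server: str):
    """Assumed usage: check_live("elsinga.net", "a.gtld-servers.net", "ns1.cloudns.net")

    The parent (TLD) server answers with a referral, so its NS records are in
    the AUTHORITY section; the child's own server answers authoritatively,
    so its NS records are in the ANSWER section."""
    parent = dig(["+norecurse", "+noall", "+authority", "NS", zone, "@" + parent_server])
    child = dig(["+noall", "+answer", "NS", zone, "@" + child_server])
    return delegation_mismatch(parse_ns_names(parent), parse_ns_names(child))


# Constructed sample dig output (not real query results), shaped like the
# DNSViz finding: ns2 is delegated from .net but absent from the zone itself.
PARENT_REFERRAL = """\
elsinga.net.\t172800\tIN\tNS\tns1.cloudns.net.
elsinga.net.\t172800\tIN\tNS\tns2.cloudns.net.
elsinga.net.\t172800\tIN\tNS\tns3.cloudns.net.
"""
CHILD_ANSWER = """\
elsinga.net.\t3600\tIN\tNS\tns1.cloudns.net.
elsinga.net.\t3600\tIN\tNS\tns3.cloudns.net.
"""


def check_sample() -> Tuple[List[str], List[str]]:
    """Offline run on the constructed samples; returns (['ns2.cloudns.net'], [])."""
    return delegation_mismatch(parse_ns_names(PARENT_REFERRAL),
                               parse_ns_names(CHILD_ANSWER))


if __name__ == "__main__":
    only_parent, only_child = check_sample()
    print("in delegation but not authoritative:", only_parent)
    print("authoritative but not in delegation:", only_child)
```

A non-empty first list is exactly the DNSViz warning; a non-empty second list is the reverse (the zone lists a server the registrar does not), which also needs fixing. Either way the fix is at the registrar or in the zone's NS records, not in the ACME client.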

Thanks for your comments. HTTP Challenge will probably not work because the reverse proxy (that is requesting the certificate) is a separate Docker container from the website(s). It only knows to forward traffic to :. So the 403 and 404 are no surprise...

I will test the ClouDNS API manually, to see if it works at all. There probably is an error there, but I hope I can find out what it is and can fix it. Then I at least do not have the HTTP Challenge issues.

The setup on my Synology NAS is different, I guess. There it is one system and the LE part probably has write rights on all websites there. Maybe I can do some regexp redirecting inside Zoraxy (it has at least some filtering on that), so I can redirect all .well-known traffic to Zoraxy's static (and internal) website. It should have rights there. But I would rather get DNS-01 working.


Okay, I have found the source of the DNS-01 Challenge not working for me. At ClouDNS I am on the Free (pre-2018) plan, which gives me 3 zones and lots of features for free. But: API access is not included... For that I need a paid subscription...

When running a JSON query against the API, this is what I get as a reply for all but the Login query:

[code]
status: "Failed"
statusDescription: "You don't have access to the HTTP API. Check your plan."
[/code]

And I do not have the option to get the HTTP Challenge working, since all my reverse proxy targets run in their own container, where Zoraxy has no way of inserting the well-known file, and I cannot get Zoraxy to redirect all well-known PUT/GET HTTP requests to its own static HTML site (where this might work).

So, I am going to upgrade to a paid subscription. Then API access is included and I can use the DNS-01 Challenge (I hope, but I am quite sure).

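
The manual API test suggested earlier, and the plan-related failure found above, can be checked with a short script before pointing Zoraxy at the account. This is an added example, not code from Zoraxy, its ACME library or ClouDNS. The endpoint names and parameters (dns/list-zones.json with auth-id, auth-password, page, rows-per-page) are taken from the public ClouDNS HTTP API documentation as I know it and should be verified against the current docs; the "Failed" reply is the one quoted in the post, and the successful list-zones reply is constructed for offline use. The zone lookup mimics what a DNS-01 provider has to do (walk the labels of `_acme-challenge.<domain>` until one matches a zone the account exposes) and is not a copy of any client's code.

```python
"""Manual ClouDNS HTTP API check for the DNS-01 failure in this thread.

Added example; not from Zoraxy, lego or ClouDNS. Endpoint/parameter names are
assumed from the ClouDNS HTTP API docs. Only main() touches the network.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

API_BASE = "https://api.cloudns.net/dns/"


def build_url(method: str, params: dict) -> str:
    """URL for a ClouDNS API call, e.g. dns/list-zones.json?auth-id=...&..."""
    return API_BASE + method + ".json?" + urllib.parse.urlencode(params)


def api_error(body: str) -> Optional[str]:
    """Return statusDescription when the reply is a ClouDNS failure object,
    otherwise None. Zone listings come back as a JSON array; failures as an
    object with status == "Failed" (what a free pre-2018 plan returns for
    everything except login)."""
    data = json.loads(body)
    if isinstance(data, dict) and data.get("status") == "Failed":
        return data.get("statusDescription", "unknown failure")
    return None


def find_zone(auth_fqdn: str, zone_names: List[str]) -> Optional[str]:
    """Strip labels from the left of the challenge name until one matches a
    zone the account can see. None is what the client reports as
    'zone ... not found for authFQDN ...'. A bare TLD is never tried."""
    zones = {z.lower().rstrip(".") for z in zone_names}
    labels = auth_fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def diagnose(list_zones_body: str, auth_fqdn: str) -> Tuple[bool, str]:
    """(ok, message) for a list-zones reply and the challenge name to place."""
    err = api_error(list_zones_body)
    if err:
        return False, "API refused the request: " + err
    names = [z["name"] for z in json.loads(list_zones_body)]
    zone = find_zone(auth_fqdn, names)
    if zone is None:
        return False, "no zone in this account covers " + auth_fqdn
    return True, "TXT for " + auth_fqdn + " would be placed in zone " + zone


# Constructed replies for offline use: the failure quoted in the post, and a
# made-up list-zones reply for a plan that does include API access.
FAILED_REPLY = json.dumps({
    "status": "Failed",
    "statusDescription": "You don't have access to the HTTP API. Check your plan.",
})
ZONES_REPLY = json.dumps([
    {"name": "elsinga.net", "type": "master", "zone": "domain"},
    {"name": "elsinga.org", "type": "master", "zone": "domain"},
    {"name": "pc5e.nl", "type": "master", "zone": "domain"},
])


def main() -> None:
    """Live check; assumed usage:
    CLOUDNS_AUTH_ID=... CLOUDNS_AUTH_PASSWORD=... python3 cloudns_check.py _acme-challenge.elsinga.net"""
    auth_fqdn = sys.argv[1] if len(sys.argv) > 1 else "_acme-challenge.elsinga.net"
    creds = {"auth-id": os.environ["CLOUDNS_AUTH_ID"],
             "auth-password": os.environ["CLOUDNS_AUTH_PASSWORD"]}
    url = build_url("list-zones", {**creds, "page": 1, "rows-per-page": 100})
    with urllib.request.urlopen(url, timeout=15) as resp:  # credentials go in the query string
        body = resp.read().decode()
    ok, message = diagnose(body, auth_fqdn)
    print(("OK: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Run it once before switching plans and once after: the first run should reproduce the "don't have access to the HTTP API" refusal, the second should name elsinga.net as the zone that will receive the `_acme-challenge` TXT record. Because the credentials travel in the query string, keep them out of shell history and logs.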

Good find and a good option.

But, maybe the HTTP Challenge could work.

Why can't Zoraxy use the HTTP Challenge to get a cert to use for itself? You don't have to use HTTPS between it and your other services. Those can remain HTTP. Now, if you want to use HTTPS between Zoraxy and your other services, that's different.


I don't know why Zoraxy can't automagically let the ACME Tool create the well-known folder and file on a filesystem that it controls, but that is not a problem anymore. :wink:

I can confirm that a paid subscription at ClouDNS allows for the DNS-01 Challenge to work with the Zoraxy reverse proxy ACME Tool. I requested 4 certificates this way, elsinga.net, *.elsinga.net, pc5e.nl and *.pc5e.nl. That way I can have HTTPS for all reverse proxied webservices.

And because it is around Black Friday, the paid subscription was 30% off. :slight_smile:


Fair enough. Note there are DNS providers that offer API access for free :slight_smile: Cloudflare is one such. They don't need to be your registrar just the provider.

You should still fix your delegation problem I described earlier. You have ns2 at the registrar but not in your authoritative NS set.


Fixed the nameserver list at my registrars. And all is working well, my new NAS is now my primary webserver. :slight_smile:
