Need help with HTTP and DNS failures using Pebble

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
spidershomelab.net
I ran this command:
lego --dns pdns --email SpiderUnderUrBed@proton.me --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run

It produced this output:

My web server is (include version):
nginx latest

The operating system my web server runs on is (include version):
Debian (raspberry pi os)
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
spiderunderurbed@raspberrypi:~ $ lego --version
lego version dev linux/arm64

Onto describing my issue:
I am trying to set up a local CA (purely because I can; I don't have a practical use case, I just want to see how to set it up and maybe I'll use it as a backup in case I have an issue with renewals). So I am using Let's Encrypt's Pebble, and I am using PowerDNS (all hosted on my Pi). I tried lego and certbot, and the DNS-01 and HTTP-01 challenges, but I get issues with both challenges; I just need one of them to work. Here is my attempt with the DNS-01 challenge:

Also, I tried using dig _acme-challange.spidershomelab.net; it can't find it that way either.

My command:
lego --dns pdns --email SpiderUnderUrBed@proton.me --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run

Output:

2024/05/22 19:15:26 [INFO] [spidershomelab.net] acme: Waiting for DNS record propagation.
2024/05/22 19:15:28 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/22 19:15:28 [INFO] Deactivating auth: https://localhost:14000/authZ/-unszpQ3heXcBWajI9XIfMaC8uf7PtD_Kis2tslB7YE
2024/05/22 19:15:28 Could not obtain certificates: error: one or more domains had a problem: [spidershomelab.net] time limit exceeded: last error: NS ns1.spidershomelab.net. returned NXDOMAIN for _acme-challenge.spidershomelab.net.
root@raspberrypi:~#

Image of powerdns:

And it should not return nxdomain, because _acme-challange does exist!

I am using Pebble via Docker, since that's kinda the only way to run it. I am purely using the stock configuration, but I thought I ought to share the whole docker-compose in case that MAY be related:

A local CA will not produce certificates valid on the public internet. So, they are not helpful as a backup to those. You could use a different Certificate Authority (CA) for that. ACME CA Comparison - Posh-ACME

As for all the rest you'll have to wait for other volunteers. I have never setup Pebble.

I changed the title to draw people with that experience

3 Likes

@SpiderUnderUrBed in your example the ACME client may not be waiting long enough before proceeding with the challenge submission, so Pebble checks DNS and the answer isn't there yet, or Pebble may be using a test resolver and not checking your real DNS at all.

Pebble is only a test CA. If you want to run an internal CA I'd suggest smallstep step-ca or HashiCorp Vault, both of which have ACME-enabled CAs and are products you might encounter in the real world.

5 Likes

Oh, I was thinking about using Boulder; Boulder however was a resource-intensive application. I don't know what benefits Boulder had over smallstep or HashiCorp's solution, but I knew it was for enterprise production and not homelab. I was originally planning to use Pebble to be my local CA, then I tried Boulder and immediately stopped using it after seeing the system resources it was using; then my next plan was to use Pebble for its intended purpose, testing, before I get better hardware.

The testing went badly, as I stated. I'll try and use another service as my local CA, not Boulder but smallstep or HashiCorp's Vault.

I hope I don't encounter this issue:

When I attempt the DNS-01 challenge

IIRC Pebble, unless configured otherwise, will resolve everything to localhost and look at the nameserver at localhost.

These are not the same. There's a typo. Not sure if that's the problem.

4 Likes

Well, I'm using lego; I thought lego would be the thing caring about where my DNS server is? Also, do you understand my issue? Anything I could try?

I talked about this issue here:

if you need extra info (it's only 20 messages).

But if you would like any info here I'd be happy to share.

I am intent on running a full CA like Boulder still; I will have smallstep on one of my servers for things I prefer to keep strictly local, but I have a bunch of people/friends who like to develop stuff. We share VMs, system resources and stuff like that, so I was thinking about making a CA with group policy.

But my hardware is being used for other stuff, so until I can get better hardware I want to make sure things work with Pebble.

I described my new issue here:
https://www.reddit.com/r/dns/comments/1d0l98d/powerdns_dns01_challange_with_letsencrypts_pebble/

It's just that I realized some stuff on why it might not be working.
There is some miscommunication between Docker, lego and pdns which I would like to fix. For example, for PowerDNS, when I change the nameserver for my domain (ns1.spidershomelab.net), lego or Pebble will first use that as a resolver, so depending on what IP I set the subdomain to resolve to, my recursive or authoritative server, I get a different error. It seems like I need both my recursive and my authoritative server to be aware of the ongoing DNS-01 challenge for it to work.

My issue has changed a bit:
https://www.reddit.com/r/dns/comments/1d0l98d/powerdns_dns01_challange_with_letsencrypts_pebble/

So it isn't a typo issue; I just re-wrote it wrong.
I don't expect you to read all that I just linked; the Reddit post captures the essence of the issue. Turns out, in simple terms, there is miscommunication between lego, Docker, and pdns: when I set the IP to my recursor (on localhost) it just loops until it times out; if I set the IP to my authoritative server, it just ends with a "TXT record not found". At least when I set it to localhost it creates the ACME challenge.

Are there any logs you need? I feel like I badly explained my issue in the post; do you understand my issue?

How is Pebble configured?
By default it tries port 5001 instead of 80 so non-root testing is possible:

pebble -dnsserver 8.8.8.8:53 

And change the ports in the config file given to Pebble.

3 Likes
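Added example, not code from the thread or from the Pebble project: a pre-flight script for the situation described above (Pebble validating through whatever resolver its -dnsserver flag points at, and the _acme-challenge/_acme-challange spelling question). It checks the record label and classifies the output of a dig query so you can see, before running lego, whether the TXT record is visible at the resolver Pebble will actually ask. Function names, the classification labels and the sample dig output used for checking are my own constructions.

```shell
#!/bin/sh
# Pre-flight checks for a DNS-01 attempt against Pebble (added example).
# Pebble validates via the resolver given with -dnsserver, so the TXT record
# must be visible at THAT resolver, under the exact label "_acme-challenge".

# Reject misspelled labels such as "_acme-challange" before any query is sent.
# Prints "ok" or "bad-label".
check_label() {
  case "$1" in
    _acme-challenge.*) echo ok ;;
    *) echo bad-label ;;
  esac
}

# Classify `dig TXT <name> @<resolver>` output read from stdin:
#   nxdomain - resolver says the name does not exist at all (the error lego showed)
#   empty    - name exists (NOERROR) but the ANSWER section is empty
#   present  - at least one record in the ANSWER section
#   unknown  - anything else (timeout, SERVFAIL, ...)
classify_dig() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'status: NXDOMAIN'; then
    echo nxdomain
  elif printf '%s\n' "$out" | grep -q 'status: NOERROR'; then
    if printf '%s\n' "$out" | grep -q 'ANSWER: 0,'; then
      echo empty
    else
      echo present
    fi
  else
    echo unknown
  fi
}

# Query one resolver and report the classification (hypothetical helper).
query_resolver() {
  dig +noall +comments +answer TXT "$1" "@$2" | classify_dig
}

# Compare the authoritative server with the resolver Pebble uses; a record
# that is "present" at the first but "nxdomain"/"empty" at the second has not
# propagated (or the resolver is not the one you think Pebble asks).
preflight() {
  [ "$(check_label "$1")" = ok ] || { echo "bad label: $1"; return 1; }
  echo "authoritative ($2): $(query_resolver "$1" "$2")"
  echo "pebble resolver ($3): $(query_resolver "$1" "$3")"
}

# Usage: ./preflight.sh _acme-challenge.spidershomelab.net <auth-ip> <pebble-dns-ip>
if [ "$#" -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```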

Also note that you can just configure Pebble to skip validation: GitHub - letsencrypt/pebble: A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority.

In your scenario I'm not sure if it even matters if validation is performed or not, since it's all internal.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.