Switched from duckdns to inwx and no longer get certificates for subdomains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hetzbox.de former hetzbox.duckdns.org

I ran this command:
I am using the NixOS module, so the setup looks like this:

{ pkgs, config, ... }:
let
  domain = config.networking.domain;
in
{
  security.acme = {
    acceptTerms = true;
    # Defaults inherited by every entry in security.acme.certs
    defaults = {
      email = "abdelmalik.najhi@stud.hs-kempten.de";
      dnsProvider = "inwx";
      # Credentials for lego's inwx provider. The file is read as plain KEY=VALUE
      # lines, so the path must not carry a trailing semicolon (it would become
      # part of the file name lego tries to open).
      environmentFile = "${pkgs.writeText "inwx-creds" ''
        INWX_USERNAME=redacted
        INWX_PASSWORD_FILE=${config.sops.secrets.inwx-pass.path}
      ''}";
    };

    certs = {
      # One bundled certificate covering the wildcard and the apex name
      "${domain}" = {
        domain = "*.${domain}";
        extraDomainNames = [ domain ];
        group = config.services.nginx.group;
      };
    };
  };

  # State directory for the acme user; nginx reads the issued files via the acme group
  systemd.tmpfiles.rules = [ "d /var/lib/acme 0750 acme acme -" ];

  users.groups.acme = {
    members = [ config.services.nginx.user ];
  };
}

It produced this output:

Dez 18 11:30:36 hetzbox systemd[1]: Starting Renew ACME certificate for hetzbox.de...
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120100]: Waiting to acquire lock /run/acme/1.lock
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120100]: Acquired lock /run/acme/1.lock
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120100]: + set -euo pipefail
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120102]: + mkdir -p /var/lib/acme/acme-challenge/.well-known/acme-challenge
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120102]: + chgrp nginx /var/lib/acme/acme-challenge/.well-known/acme-challenge
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120100]: + echo da3d340b9ba2cc5e3d75
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120100]: + cmp -s domainhash.txt certificates/domainhash.txt
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120100]: + lego --accept-tos --path . -d '*.hetzbox.de' --email abdelmalik.najhi@stud.hs-kempten.de --key-type ec256 --http --http.webroot /var/lib/acme/acme-challenge --server https://acme-v02.api.letsencrypt.org/directory -d hetzbox.de run
Dez 18 11:30:37 hetzbox acme-hetzbox.de-start[120105]: 2024/12/18 11:30:37 [INFO] [*.hetzbox.de, hetzbox.de] acme: Obtaining bundled SAN certificate
Dez 18 11:30:38 hetzbox acme-hetzbox.de-start[120105]: 2024/12/18 11:30:38 [INFO] [*.hetzbox.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/1991045097/446694395755
Dez 18 11:30:38 hetzbox acme-hetzbox.de-start[120105]: 2024/12/18 11:30:38 [INFO] [hetzbox.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/1991045097/446711661725
Dez 18 11:30:38 hetzbox acme-hetzbox.de-start[120105]: 2024/12/18 11:30:38 [INFO] [hetzbox.de] acme: authorization already valid; skipping challenge
Dez 18 11:30:38 hetzbox acme-hetzbox.de-start[120105]: 2024/12/18 11:30:38 [INFO] [*.hetzbox.de] acme: Could not find solver for: dns-01
Dez 18 11:30:38 hetzbox acme-hetzbox.de-start[120105]: 2024/12/18 11:30:38 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/1991045097/446694395755
Dez 18 11:30:38 hetzbox acme-hetzbox.de-start[120105]: 2024/12/18 11:30:38 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/1991045097/446711661725
Dez 18 11:30:39 hetzbox acme-hetzbox.de-start[120105]: 2024/12/18 11:30:39 Could not obtain certificates:
Dez 18 11:30:39 hetzbox acme-hetzbox.de-start[120105]:         error: one or more domains had a problem:
Dez 18 11:30:39 hetzbox acme-hetzbox.de-start[120105]: [*.hetzbox.de] [*.hetzbox.de] acme: could not determine solvers
Dez 18 11:30:39 hetzbox acme-hetzbox.de-start[120100]: + echo Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
Dez 18 11:30:39 hetzbox acme-hetzbox.de-start[120100]: Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
Dez 18 11:30:39 hetzbox acme-hetzbox.de-start[120100]: + exit 10
Dez 18 11:30:39 hetzbox systemd[1]: acme-hetzbox.de.service: Main process exited, code=exited, status=10/n/a
Dez 18 11:30:39 hetzbox systemd[1]: acme-hetzbox.de.service: Failed with result 'exit-code'.
Dez 18 11:30:39 hetzbox systemd[1]: Failed to start Renew ACME certificate for hetzbox.de.
Dez 18 11:30:39 hetzbox systemd[1]: acme-hetzbox.de.service: Consumed 298ms CPU time, 21.3M memory peak, 256K read from disk, 15.9K incoming IP traffic, 6.9K outgoing IP traffic.

My web server is (include version):
nginx v1.26.2

The operating system my web server runs on is (include version):
NixOS 24.11

My hosting provider, if applicable, is:
Hetzner Cloud

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.11.0

Weird.. The lego documentation states:

--dns.resolvers value [ --dns.resolvers value ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.

But that's the CLI info.. Maybe it's different when lego is used as a library?

Maybe forcefully set dns.resolvers somewhere in your configuration (where?) of the lego ACME client that NixOS uses under the hood to e.g. 1.1.1.1?

Because this error is not caused by Let's Encrypt. If you look at the authz https://acme-v02.api.letsencrypt.org/acme/authz/1991045097/446711661725, you can see from a Let's Encrypt point of view, the challenge was never activated (still "pending"). It's just deactivated by lego once it got this earlier error..

Probably a good idea to ask the NixOS people about this, because I have no clue how NixOS interfaces with lego..

