Trouble setting up pebble-challtestsrv in local docker env

Hi all,

I'm developing an ACMEv2 client app and having some trouble getting the HTTP challenges to work when pebble is configured to do DNS resolution via pebble-challtestsrv (the DNS records just need to point to my service, which is answering the HTTP challenge). I've gotten it all working if I link my service to the pebble container in my docker-compose file and use the default resolver. But I can't seem to figure out how to get it to work with pebble-challtestsrv, which I need for more complete testing.

Here's my docker-compose config:

custom-domain:
    image: internal_repo/custom-domain:latest
    ports:
      - 80:80
dns-server:
    image: letsencrypt/pebble-challtestsrv:latest
    command: pebble-challtestsrv
    ports:
      - 8053:8053
      - 8055:8055
pebble:
    image: letsencrypt/pebble:latest
    command: pebble -config /test/pebble-config.json -dnsserver dns-server:8053
    links:
      - dns-server
      - custom-domain
    ports:
      - 14000:14000  # ACME port
      - 15000:15000  # Management port
    environment:
      - PEBBLE_VA_NOSLEEP=1
    volumes:
      - ./platform/files/pebble-config.json:/test/pebble-config.json
      - ./platform/certs/cert.pem:/platform/certs/cert.pem
      - ./platform/certs/key.pem:/platform/certs/key.pem

httpPort is set to 80 in the pebble config, and I've added the default IPv4 and created A and CNAME records via the management port (logs are showing the correct IP address).

Here are the relevant logs for both pebble and pebble-challtestsrv services:

dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:40 Creating HTTP-01 challenge server on :5002
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:40 Creating HTTPS HTTP-01 challenge server on :5003
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:40 Creating TCP and UDP DNS-01 challenge server on :8053
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:40 Creating TLS-ALPN-01 challenge server on :5001
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:40 Answering A queries with 127.0.0.1 by default
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:40 Answering AAAA queries with ::1 by default
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:40 Starting management server on :8055
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:40 Starting challenge servers
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:44 Set default IPv4 address for DNS A queries to "172.17.0.7"
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:44 Added response for DNS A queries to "local.io" : 172.17.0.7
dns-server_1     | pebble-challtestsrv - 2020/10/12 20:08:44 Added response for DNS CNAME queries to "custom-domain.local.io" targeting "local.io"
pebble_1         | Pebble 2020/10/12 20:09:09 Attempting to validate w/ HTTP: http://custom-domain.local.io:80/.well-known/acme-challenge/PhjgNZwmUa1DCMG855AWhMMMLpiq161N6JgJIvbUlNw
pebble_1         | Pebble 2020/10/12 20:09:10 POST /my-order/ -> calling handler()
pebble_1         | Pebble 2020/10/12 20:09:11 authz Xg4K9EWjF-Za2Aapjc88a0n8FQtPRjJXSKyc0e4hQ_Q set INVALID by completed challenge DTHoBTQsu3tsEEEHbye5DJb8uJlmd7eGq_rKio7-GGQ

Any advice here would be greatly appreciated.

2 Likes

Hi @bkorty,

What is the trouble?

Is it that Pebble did not actually connect to custom-domain (172.17.0.7) when fetching http://custom-domain.local.io:80/.well-known/acme-challenge/PhjgNZwmUa1DCMG855AWhMMMLpiq161N6JgJIvbUlNw?

Do you have the error message that Pebble gave to your ACME client?

2 Likes

This is the error I'm seeing in the poll for the order status following the http challenge setup confirmation.

'error': {
    'type': 'urn:ietf:params:acme:error:connection', 
    'detail': 'Get http://custom-domain.internal.io:80/.well-known/acme-challenge/8Mn0Pm3WXk2NOeG9HItoEsbOrgT4erxjDkw-lHPXJdU: dial tcp [::1]:80: connect: cannot assign requested address',
    'status': 400
}

Seems like it can't connect, but when I docker exec into the pebble container, nslookup of "custom-domain" resolves to the expected ip address that I've put in the DNS records (172.17.0.7) and I'm able to use wget to make http requests to the endpoints successfully. (I'm able to use just custom-domain hostname and docker routing when I'm not using pebble-challtestsrv).

2 Likes

Thanks!

I tried this out myself, and I think you need to blank out the default AAAA record in challtestsrv.

curl -X POST -d '{"ip":""}' http://localhost:8055/set-default-ipv6

Otherwise, Pebble sees the default ::1 IPv6 for all domains, tries it, and disregards the A record you registered.

2 Likes
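As an added illustration of the fix above (this is example code, not part of the thread and not from the Pebble project): the script below drives the pebble-challtestsrv management API from Python, issuing the same calls the thread describes in the order that avoids the [::1]:80 failure, and includes a small offline model of the mock resolver so you can see why the order matters. Assumptions: the management port is reachable at http://localhost:8055 (the compose mapping above), the endpoint paths and JSON payload shapes (`/set-default-ipv6`, `/set-default-ipv4`, `/add-a`, `/add-cname`) are the ones documented for pebble-challtestsrv, and the resolver model is a deliberate simplification that tracks only default answers, explicit A records and CNAMEs, with Pebble trying IPv6 before IPv4 as the thread explains. The addresses and hostnames are the ones from the thread.

```python
"""Configure pebble-challtestsrv's mock DNS through its management API.

Added example, not code from the thread or the Pebble project.
Assumed: management server at http://localhost:8055, endpoint paths and
payload shapes as documented for pebble-challtestsrv.
"""
import json
import urllib.request

MGMT_URL = "http://localhost:8055"  # assumption: host mapping of dns-server's 8055 port


def build_plan(service_ipv4, zone, cname_host):
    """Ordered (path, payload) calls to the management API.

    Clearing the default AAAA answer comes first: while it is ::1, Pebble's
    validator dials [::1]:80 and ignores the A record (the failure in the thread).
    """
    return [
        ("/set-default-ipv6", {"ip": ""}),                          # blank the ::1 default
        ("/set-default-ipv4", {"ip": service_ipv4}),                # default A answer
        ("/add-a", {"host": zone, "addresses": [service_ipv4]}),     # explicit A record
        ("/add-cname", {"host": cname_host, "target": zone}),       # CNAME -> zone
    ]


def post_json(base_url, path, payload):
    """POST one JSON payload to the management API; returns the HTTP status."""
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def apply_plan(base_url, plan):
    """Send every call in the plan; returns the list of HTTP statuses."""
    return [post_json(base_url, path, payload) for path, payload in plan]


# Offline model of the mock resolver (simplification; assumed defaults 127.0.0.1 and ::1)
# so a plan can be reasoned about before the compose stack is running.

def simulate(plan):
    """Return the modelled challtestsrv state after applying the plan."""
    state = {"default_a": "127.0.0.1", "default_aaaa": "::1", "a": {}, "cname": {}}
    for path, payload in plan:
        if path == "/set-default-ipv4":
            state["default_a"] = payload["ip"]
        elif path == "/set-default-ipv6":
            state["default_aaaa"] = payload["ip"]
        elif path == "/add-a":
            state["a"][payload["host"]] = list(payload["addresses"])
        elif path == "/add-cname":
            state["cname"][payload["host"]] = payload["target"]
    return state


def resolve(state, host):
    """Addresses Pebble would try for host, IPv6 first, following up to 8 CNAME hops."""
    for _ in range(8):
        if host in state["cname"]:
            host = state["cname"][host]
        else:
            break
    v6 = [state["default_aaaa"]] if state["default_aaaa"] else []
    v4 = state["a"].get(host) or ([state["default_a"]] if state["default_a"] else [])
    return v6 + v4


if __name__ == "__main__":
    plan = build_plan("172.17.0.7", "local.io", "custom-domain.local.io")
    print("with the fix, Pebble dials:", resolve(simulate(plan), "custom-domain.local.io"))
    print("without clearing AAAA:", resolve(simulate(plan[1:]), "custom-domain.local.io"))
    # apply_plan(MGMT_URL, plan)  # run this with the compose stack up
```

Running it without the stack prints the two candidate lists: with the AAAA default cleared only 172.17.0.7 is tried; with it left in place ::1 comes first, which is exactly the `dial tcp [::1]:80` error from the order status poll. Uncomment the `apply_plan` call to push the records to a live pebble-challtestsrv.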

That was it. I really appreciate both the correct answer and the quick response.

3 Likes