Zone lookup errors

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cjcloud.us

I ran this command:
The script executes the following (in this run `DNS_PLUGIN` = `cloudflare`):

```
iocage exec "${JAIL_NAME}" xcaddy build --output /usr/local/bin/caddy --with github.com/caddy-dns/"${DNS_PLUGIN}"

#iocage exec "${JAIL_NAME}" sed -i '' "s/DNS-PLACEHOLDER/${DNS_SETTING}/" /usr/local/www/Caddyfile
iocage exec "${JAIL_NAME}" sed -i '' "s/dns_plugin/${DNS_PLUGIN}/" /usr/local/www/Caddyfile
iocage exec "${JAIL_NAME}" sed -i '' "s/api_token/${DNS_TOKEN}/" /usr/local/www/Caddyfile
iocage exec "${JAIL_NAME}" sed -i '' "s/jail_ip/${IP}/" /usr/local/www/Caddyfile
iocage exec "${JAIL_NAME}" sed -i '' "s/youremailhere/${CERT_EMAIL}/" /usr/local/www/Caddyfile
iocage exec "${JAIL_NAME}" sed -i '' "s|mytimezone|${TIME_ZONE}|" /usr/local/etc/php.ini

iocage exec "${JAIL_NAME}" sysrc caddy_enable="YES"
iocage exec "${JAIL_NAME}" sysrc caddy_config="/usr/local/www/Caddyfile"
```

It produced this output:

```
{"level":"error","ts":1688183097.7550597,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cjcloud.us","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[cjcloud.us] solving challenges: presenting for challenge: adding temporary record for zone \"us.\": expected 1 zone, got 0 for us. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/109035384/9519756664) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1688183097.7552269,"logger":"tls.obtain","msg":"will retry","error":"[cjcloud.us] Obtain: [cjcloud.us] solving challenges: presenting for challenge: adding temporary record for zone \"us.\": expected 1 zone, got 0 for us. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/109035384/9519756664) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":12,"retrying_in":21600,"elapsed":21608.943635038,"max_duration":2592000}
```

My web server is (include version):
Caddy v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
The operating system my web server runs on is (include version):

FreeBSD 13.1-RELEASE-p2 n245412-484f039b1d0 TRUENAS

My hosting provider, if applicable, is: cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

Hello @hax1, welcome to the Let's Encrypt community. :slightly_smiling_face:

It seems like the "Zone lookup errors" start with "adding temporary record for zone".
Since you are using the DNS-01 challenge (see Challenge Types - Let's Encrypt), make sure the DNS provider has a supported API for the DNS-01 challenge.

3 Likes

@mholt do you know why Caddy is searching for a "us" zone rather than "cjcloud.us"?

4 Likes

This usually happens when there is a misconfiguration of the local DNS resolver, or the authoritative nameserver.

I don't know what iocage is, but it looks like a potential culprit.

2 Likes

Thanks. Is it because it is recursively climbing for an SOA record, and didn't find one for cjcloud.us?

5 Likes

Thank you all for the replies. I am installing a Nextcloud instance on my FreeBSD TrueNAS server using a very reputable script. I managed to successfully get it up and running, but attempted to install Caddy and a reverse proxy, which ended up not working. I went back and reinstalled Nextcloud and set it up as I had previously, and have since gotten these errors. iocage is the command to execute the Nextcloud commands from outside of the Nextcloud instance. The link to the script is here: https://github.com/danb35/freenas-iocage-nextcloud/blob/master/nextcloud-jail.sh and it has been used by hundreds, maybe thousands of people. I was assuming somehow Let's Encrypt has blocked my requests for a cert or something. If you open the API that the errors are referencing, you can see that the cert is Inactive, and if you follow the subsequent API URLs you can see a 405 (malformed request) is occurring. Attached is my Cloudflare configuration. None of which has changed since I had this working.

When you say

Are you referring to the DNS resolver on my router?

Thank you again for all the quick support.

1 Like

Perhaps, but if it knows it couldn't find any SOA it should return an error (which we have seen in the past):

I think more likely is a misconfigured zone or perhaps something funky like split-horizon DNS or similar advanced DNS setup gone a little wrong. We've also seen this before, too.

Based on the details above I'm guessing a local issue, related to iocage and/or NextCloud setup.

Possibly, or any DNS resolver between the Caddy process and the nameserver. (OS, ISP, etc.)

1 Like
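The zone walk discussed in the replies above (climb the record name one label at a time until a resolver answers with an SOA, then ask the DNS provider for that zone), as an added example that is not Caddy's or certmagic's code. The SOA lookup is injected, so the two answer tables standing in for a healthy resolver and a misconfigured one, and the provider zone list, are constructed data. It goes one step beyond the thread by also comparing what a local and a public resolver return for the same name, which is the check that the `resolvers` fix later in the thread relies on.

```python
"""Zone discovery as ACME DNS-01 clients do it: climb the record name one label
at a time and ask the resolver for an SOA record; the first name that answers
is the zone the _acme-challenge TXT record must be created in.

Added example, not Caddy's or certmagic's code.  The SOA lookup is injected so
the walk runs offline against constructed answer tables standing in for a
healthy resolver and a misconfigured one.
"""

from typing import Callable, Dict, List, Optional

# A lookup takes a name with a trailing dot and reports whether the resolver
# returned an SOA record for it.
SoaLookup = Callable[[str], bool]


def candidate_zones(fqdn: str) -> List[str]:
    """Suffixes of the name from most to least specific, root excluded:
    '_acme-challenge.cjcloud.us.' -> ['_acme-challenge.cjcloud.us.', 'cjcloud.us.', 'us.']."""
    labels = fqdn.strip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def find_zone(fqdn: str, has_soa: SoaLookup) -> Optional[str]:
    """First suffix for which the resolver reports an SOA, or None if the walk
    ran out of labels without any answer."""
    for zone in candidate_zones(fqdn):
        if has_soa(zone):
            return zone
    return None


def table_lookup(table: Dict[str, bool]) -> SoaLookup:
    """Build a lookup from a constructed {name: has_soa} table."""
    return lambda name: table.get(name, False)


# Constructed answer tables.  The broken resolver (a router or split-horizon
# setup that answers for the local domain itself) returns no SOA for the apex,
# so the walk keeps climbing and lands on the TLD, which does have one.
HEALTHY = table_lookup({"cjcloud.us.": True, "us.": True})
BROKEN = table_lookup({"cjcloud.us.": False, "us.": True})

# Constructed stand-in for the zones the DNS provider's API can see.
PROVIDER_ZONES = {"cjcloud.us"}


def present_record(fqdn: str, has_soa: SoaLookup, provider_zones=PROVIDER_ZONES) -> str:
    """Mimic the provider step: find the zone, then require exactly one matching
    zone at the provider.  Returns 'ok:<zone>' or an error string shaped like
    the one in the thread."""
    zone = find_zone(fqdn, has_soa)
    if zone is None:
        return "error: could not find zone for " + fqdn
    bare = zone.rstrip(".")
    matches = [z for z in provider_zones if z == bare]
    if len(matches) != 1:
        return (f'error: adding temporary record for zone "{zone}": '
                f"expected 1 zone, got {len(matches)} for {bare}")
    return "ok:" + zone


def compare_resolvers(fqdn: str, local: SoaLookup, public: SoaLookup) -> str:
    """Diagnostic: if the local resolver and a public one disagree about the
    zone, the fault is in the local DNS path, not at the CA or the provider."""
    l_zone, p_zone = find_zone(fqdn, local), find_zone(fqdn, public)
    if l_zone == p_zone:
        return "agree:" + str(l_zone)
    return f"disagree: local={l_zone} public={p_zone}"


if __name__ == "__main__":
    name = "_acme-challenge.cjcloud.us."
    print(present_record(name, BROKEN))     # reproduces the thread's error shape
    print(present_record(name, HEALTHY))    # ok:cjcloud.us.
    print(compare_resolvers(name, BROKEN, HEALTHY))
```

To run the same comparison against real resolvers, replace the two table lookups with a function that performs an SOA query against the system resolver and against a public one such as 1.1.1.1 (for instance with dnspython, which this example assumes is available); a disagreement points at the local DNS path, which is exactly what the `resolvers` override works around.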

Okay, I added the following to the TLS block of my Caddyfile:

```
     dns cloudflare token
     resolvers 1.1.1.1
}
```

And the following was output. I am able to get to the Nextcloud login screen; however, I am unable to reach it from outside my IP address. Also, in the past I would leave my computer and come back to set things up and I would continue to see INTERNAL CERT errors.

```
{"level":"info","ts":1688601841.2383645,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1688601841.2383964,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cjcloud.us"]}
{"level":"info","ts":1688601841.2387397,"msg":"autosaved config (load with --resume flag)","file":"/var/db/caddy/config/caddy/autosave.json"}
{"level":"info","ts":1688601841.238762,"msg":"serving initial configuration"}
{"level":"info","ts":1688601841.2393012,"logger":"tls.obtain","msg":"acquiring lock","identifier":"cjcloud.us"}
Successfully started Caddy (pid=63458) - Caddy is running in the background
{"level":"info","ts":1688601841.2430677,"logger":"tls.obtain","msg":"lock acquired","identifier":"cjcloud.us"}
{"level":"info","ts":1688601841.243366,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"cjcloud.us"}
{"level":"info","ts":1688601841.2447152,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["cjcloud.us"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"justinmhaxton@gmail.com"}
{"level":"info","ts":1688601841.2448504,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["cjcloud.us"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"justinmhaxton@gmail.com"}
{"level":"info","ts":1688601841.5531971,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cjcloud.us","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"info","ts":1688601845.4622574,"logger":"http.acme_client","msg":"authorization finalized","identifier":"cjcloud.us","authz_status":"valid"}
{"level":"info","ts":1688601845.462371,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/1189567567/193083902917"}
{"level":"info","ts":1688601846.3183908,"logger":"http.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/04f0d3a45a61b7ad909d300cc08576a0e85f"}
{"level":"info","ts":1688601846.3192246,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"cjcloud.us"}
{"level":"info","ts":1688601846.3192954,"logger":"tls.obtain","msg":"releasing lock","identifier":"cjcloud.us"}
root@nextcloud:~ #
```

Great! This shows that there is a misconfiguration in your local DNS settings. A public resolver, 1.1.1.1, works correctly.

This is usually due to a router or firewall misconfiguration.

3 Likes
