なつねこメモ

Mainly a notebook of programming-related notes ♪(✿╹ヮ╹)ノ Feel free to use the code posted here at your own risk. Reproduction of article text without permission is prohibited.

Manual DNS validation won't pass with Lego

Lego is a tool that takes care of obtaining Let's Encrypt certificates. Basically, when using the DNS-01 challenge, you can automate the whole thing for supported DNS providers by passing environment variables, but when you just want a certificate on your local machine you can use manual validation instead. And for some reason I ran into the odd situation that manual validation would not work in my local environment.

$ lego --email "xxx" --domains "*.local.natsuneko.net" --domains "local.natsuneko.net" --dns "manual" run
2024/05/23 23:10:23 [INFO] [*.local.natsuneko.net, local.natsuneko.net] acme: Obtaining bundled SAN certificate
2024/05/23 23:10:24 [INFO] [*.local.natsuneko.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/x
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/x
2024/05/23 23:10:24 [INFO] [*.local.natsuneko.net] acme: use dns-01 solver
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: Could not find solver for: tls-alpn-01
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: Could not find solver for: http-01
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: use dns-01 solver
2024/05/23 23:10:24 [INFO] [*.local.natsuneko.net] acme: Preparing to solve DNS-01
2024/05/23 23:10:24 [INFO] [*.local.natsuneko.net] acme: Cleaning DNS-01 challenge
2024/05/23 23:10:24 [WARN] [*.local.natsuneko.net] acme: cleaning up failed: manual: could not find zone: [fqdn=_acme-challenge.local.natsuneko.net.] could not find the start of authority for '_acme-challenge.local.natsuneko.net.': DNS call error: dial udp: lookup google-public-dns-a.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-a.google.com:53, question='net. IN  SOA']
DNS call error: dial udp: lookup google-public-dns-b.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-b.google.com:53, question='net. IN  SOA']
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: Preparing to solve DNS-01
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: Cleaning DNS-01 challenge
2024/05/23 23:10:24 [WARN] [local.natsuneko.net] acme: cleaning up failed: manual: could not find zone: [fqdn=_acme-challenge.local.natsuneko.net.] could not find the start of authority for '_acme-challenge.local.natsuneko.net.': DNS call error: dial udp: lookup google-public-dns-a.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-a.google.com:53, question='net. IN  SOA']
DNS call error: dial udp: lookup google-public-dns-b.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-b.google.com:53, question='net. IN  SOA']
2024/05/23 23:10:24 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/x
2024/05/23 23:10:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/x
2024/05/23 23:10:25 Could not obtain certificates:
        error: one or more domains had a problem:
[*.local.natsuneko.net] [*.local.natsuneko.net] acme: error presenting token: manual: could not find zone: [fqdn=_acme-challenge.local.natsuneko.net.] could not find the start of authority for '_acme-challenge.local.natsuneko.net.': DNS call error: dial udp: lookup google-public-dns-a.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-a.google.com:53, question='net. IN  SOA']
DNS call error: dial udp: lookup google-public-dns-b.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-b.google.com:53, question='net. IN  SOA']
[local.natsuneko.net] [local.natsuneko.net] acme: error presenting token: manual: could not find zone: [fqdn=_acme-challenge.local.natsuneko.net.] could not find the start of authority for '_acme-challenge.local.natsuneko.net.': DNS call error: dial udp: lookup google-public-dns-a.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-a.google.com:53, question='net. IN  SOA']
DNS call error: dial udp: lookup google-public-dns-b.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-b.google.com:53, question='net. IN  SOA']

Normally the token for the DNS-01 challenge should be printed here, but it aborted without even getting that far. The conclusion was that the DNS server I use locally was blocking Google Public DNS (google-public-dns-*.google.com). Blocking Google Public DNS... or rather, blocking public DNS servers at all is not something I expect to see very often, but when it dies for no obvious reason, it is worth checking.

(The log does say DNS call error: dial udp: lookup google-public-dns-a.google.com, but you would never guess that meant it was being blocked, right?)
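To make that log easier to read, here is an added example (my own Python model, not lego's code) of how lego's DNS-01 solver finds the zone that owns `_acme-challenge.<domain>`: it strips one label at a time and asks each configured recursive resolver for a SOA record, and the first level that answers with one is the zone. When no resolver can be reached at all, every level fails and the error you get back names the last level tried, which is why the log above complains about `net. IN SOA` rather than about the real name. The DNS client is injected and the answers are constructed, so this runs with no network; the resolver hostnames are the ones visible in the log.

```python
# Added example, not lego's own code: an offline model of lego's zone discovery
# for a DNS-01 challenge name. The DNS client (`query_soa`) is injected and the
# answers below are constructed, so nothing touches the network.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Resolvers lego fell back to in the log (hostnames the local DNS server refused to resolve).
LOGGED_RESOLVERS = ["google-public-dns-a.google.com:53", "google-public-dns-b.google.com:53"]

# (name, nameserver) -> SOA primary nameserver, or None for NXDOMAIN / no SOA at that level.
QuerySOA = Callable[[str, str], Optional[str]]


class ResolverUnreachable(Exception):
    """Transport-level failure: the resolver itself could not be reached."""


@dataclass
class ZoneLookupResult:
    zone: Optional[str] = None
    queried: List[str] = field(default_factory=list)  # names asked for SOA, longest first
    errors: List[str] = field(default_factory=list)   # one line per failed query
    answered_any: bool = False                        # did any resolver ever reply?


def candidate_zones(fqdn: str) -> List[str]:
    """Label walk: "_acme-challenge.local.natsuneko.net." -> [that, "local.natsuneko.net.", "natsuneko.net.", "net."]."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def find_zone(fqdn: str, nameservers: List[str], query_soa: QuerySOA) -> ZoneLookupResult:
    result = ZoneLookupResult()
    for name in candidate_zones(fqdn):
        result.queried.append(name)
        for ns in nameservers:
            try:
                soa = query_soa(name, ns)
            except ResolverUnreachable as exc:
                # Same shape as lego's message; the walk keeps going upward, which is why
                # the final error in the log names the last level tried ('net.').
                result.errors.append(f"DNS call error: {exc} [ns={ns}, question='{name} IN SOA']")
                continue
            result.answered_any = True
            if soa is not None:
                result.zone = name
                return result
            break  # a real answer with no SOA: move up one label, no need to ask the other resolver
    return result


def diagnose(result: ZoneLookupResult) -> str:
    """Separate 'my resolvers are blocked' from 'this name has no zone'."""
    if result.zone is not None:
        return f"zone found: {result.zone}"
    if not result.answered_any:
        return ("resolver unreachable: no configured resolver answered any query; "
                "check that this host can reach them before suspecting the zone")
    return "no zone: resolvers answered, but no level of the name has a SOA record"


# --- constructed stand-ins for the public DNS tree ---------------------------------------
# Only natsuneko.net. and net. carry a SOA here; everything below natsuneko.net. answers
# without one, so the walk is expected to stop at natsuneko.net.
FAKE_SOA: Dict[str, str] = {"natsuneko.net.": "ns1.example.invalid.", "net.": "a.gtld-servers.net."}


def working_resolver(name: str, ns: str) -> Optional[str]:
    return FAKE_SOA.get(name)


def blocked_resolver(name: str, ns: str) -> Optional[str]:
    # Models the post's situation: the local DNS server will not resolve the resolver's hostname.
    host = ns.rsplit(":", 1)[0]
    raise ResolverUnreachable(f"dial udp: lookup {host}: no data of the requested type was found")


if __name__ == "__main__":
    fqdn = "_acme-challenge.local.natsuneko.net."
    for label, resolver in (("working", working_resolver), ("blocked", blocked_resolver)):
        r = find_zone(fqdn, LOGGED_RESOLVERS, resolver)
        print(f"{label}: {diagnose(r)} (queried {r.queried}, {len(r.errors)} errors)")
```

If the diagnosis comes out as "resolver unreachable", the check is the one the post describes: from the same host, confirm that the resolver hostnames in the log actually resolve and answer on port 53. Where network policy deliberately blocks them, lego's `--dns.resolvers host:port` option (see `lego run --help` on your version) lets zone discovery use a resolver that is allowed instead of the defaults.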