There is a tool called Lego that does a nice job of obtaining Let's Encrypt certificates.
Basically, with the DNS-01 challenge you can automate the whole thing by passing environment variables, as long as your DNS provider is supported, but when you just want a certificate on hand for a moment you can use manual authentication instead.
And then I ran into a strange phenomenon where, for some reason, manual authentication didn't work in my local environment.
```
$ lego --email "xxx" --domains "*.local.natsuneko.net" --domains "local.natsuneko.net" --dns "manual" run
2024/05/23 23:10:23 [INFO] [*.local.natsuneko.net, local.natsuneko.net] acme: Obtaining bundled SAN certificate
2024/05/23 23:10:24 [INFO] [*.local.natsuneko.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/x
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/x
2024/05/23 23:10:24 [INFO] [*.local.natsuneko.net] acme: use dns-01 solver
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: Could not find solver for: tls-alpn-01
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: Could not find solver for: http-01
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: use dns-01 solver
2024/05/23 23:10:24 [INFO] [*.local.natsuneko.net] acme: Preparing to solve DNS-01
2024/05/23 23:10:24 [INFO] [*.local.natsuneko.net] acme: Cleaning DNS-01 challenge
2024/05/23 23:10:24 [WARN] [*.local.natsuneko.net] acme: cleaning up failed: manual: could not find zone: [fqdn=_acme-challenge.local.natsuneko.net.] could not find the start of authority for '_acme-challenge.local.natsuneko.net.': DNS call error: dial udp: lookup google-public-dns-a.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-a.google.com:53, question='net. IN SOA'] DNS call error: dial udp: lookup google-public-dns-b.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-b.google.com:53, question='net. IN SOA']
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: Preparing to solve DNS-01
2024/05/23 23:10:24 [INFO] [local.natsuneko.net] acme: Cleaning DNS-01 challenge
2024/05/23 23:10:24 [WARN] [local.natsuneko.net] acme: cleaning up failed: manual: could not find zone: [fqdn=_acme-challenge.local.natsuneko.net.] could not find the start of authority for '_acme-challenge.local.natsuneko.net.': DNS call error: dial udp: lookup google-public-dns-a.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-a.google.com:53, question='net. IN SOA'] DNS call error: dial udp: lookup google-public-dns-b.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-b.google.com:53, question='net. IN SOA']
2024/05/23 23:10:24 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/x
2024/05/23 23:10:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/x
2024/05/23 23:10:25 Could not obtain certificates: error: one or more domains had a problem: [*.local.natsuneko.net] [*.local.natsuneko.net] acme: error presenting token: manual: could not find zone: [fqdn=_acme-challenge.local.natsuneko.net.] could not find the start of authority for '_acme-challenge.local.natsuneko.net.': DNS call error: dial udp: lookup google-public-dns-a.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-a.google.com:53, question='net. IN SOA'] DNS call error: dial udp: lookup google-public-dns-b.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-b.google.com:53, question='net. IN SOA'] [local.natsuneko.net] [local.natsuneko.net] acme: error presenting token: manual: could not find zone: [fqdn=_acme-challenge.local.natsuneko.net.] could not find the start of authority for '_acme-challenge.local.natsuneko.net.': DNS call error: dial udp: lookup google-public-dns-a.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-a.google.com:53, question='net. IN SOA'] DNS call error: dial udp: lookup google-public-dns-b.google.com: getaddrinfow: The requested name is valid, but no data of the requested type was found. [ns=google-public-dns-b.google.com:53, question='net. IN SOA']
```
Normally the token for the DNS-01 challenge should be printed at this point, but it terminates abnormally without even printing that.
The conclusion: the DNS server I was using locally was blocking Google Public DNS (google-public-dns-*.google.com).
Blocking Google Public DNS... or rather, blocking public DNS servers at all, is not something you run into often, but if it dies for no apparent reason, it's worth checking.
(The log does say DNS call error: dial udp: lookup google-public-dns-a.google.com, but you wouldn't expect it to be blocked, would you?)
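To show why an unreachable resolver kills the run before the token is ever printed, here is an added Go example (not lego's own code) that models the apex-zone discovery a DNS-01 solver does on `_acme-challenge.<domain>`: it asks for an SOA record at the FQDN and then at each parent label in turn, using a constructed reachable resolver and a constructed blocked one in place of real DNS. `findZoneByFQDN`, `reachableResolver`, `blockedResolver` and `fakeZones` are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// soaLookup reports whether name owns an SOA record; a non-nil error means the resolver could not be reached.
type soaLookup func(name string) (found bool, err error)

// findZoneByFQDN is a simplified model of the apex discovery a DNS-01 solver performs before it can
// print the TXT token: probe the FQDN for an SOA record, then each parent, stopping at the first hit.
// Only the latest transport error is kept, which is why the message quotes the last probe (net.).
func findZoneByFQDN(fqdn string, lookup soaLookup) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	lastErr := errors.New("no label owns an SOA record")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		found, err := lookup(candidate)
		if err != nil {
			lastErr = err // resolver unreachable: remember the error and keep climbing
			continue
		}
		if found {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("could not find the start of authority for '%s': %w", fqdn, lastErr)
}

// Constructed zone data standing in for real DNS: natsuneko.net. is the delegated apex (it and net. own SOA records).
var fakeZones = map[string]bool{"natsuneko.net.": true, "net.": true}

// reachableResolver answers from the constructed data.
func reachableResolver(name string) (bool, error) { return fakeZones[name], nil }

// blockedResolver models a LAN DNS server that will not resolve the public resolver's hostname:
// the UDP dial fails before any SOA query leaves the host, for every candidate name.
func blockedResolver(name string) (bool, error) {
	const ns = "google-public-dns-a.google.com"
	return false, fmt.Errorf("DNS call error: dial udp: lookup %s: no data [ns=%s:53, question='%s IN SOA']", ns, ns, name)
}

func main() {
	for _, r := range []soaLookup{reachableResolver, blockedResolver} {
		zone, err := findZoneByFQDN("_acme-challenge.local.natsuneko.net.", r)
		fmt.Printf("zone=%q err=%v\n", zone, err)
	}
}
```

lego exposes a `--dns.resolvers` option for overriding the resolvers used in this lookup, so pointing it at a resolver your network can actually reach avoids the default public ones.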