EDIT: Issue now resolved. Turns out that having an A record point to a DNS server probably wasn’t the best idea. My best theory here is that A records pointing to DNS servers means “Find the authority on this domain at this other DNS server”, which could never resolve. By pointing it to my VPS, the DNS could resolve to a definitive IP, and the certs were successfully generated.
Hi all, hope someone can help as I’m just confused now!
Long story short I want to host local services (like ntfy) using trusted certificates. I hoped to do this with Caddy and a wildcard domain (I don’t want to expose the DNS records of the services I’m running if not necessary).
In my DNS I have an A record for *.local.example.com pointing at a semi-random IP. I have other services on a VPS on other subdomains so I can’t just use a wildcard. This looks like:
blog A <VPS IP>
*.local A 1.1.1.1
On the server in my home network (which I do not want to expose) I have dnsmasq running that is handling local DNS records for services on the LAN but carefully not the remote services on the same domain. Using dig I can see that the local and remote DNS are working as expected. Seeing the error on DNS-01 challenged "could not determine zone for domain “_acme-challenge.local.example.com” I have also added an exception in my local DNS for _acme-challenge.local to point to cloudflare’s DNS at 1.1.1.1. The dig command confirms this works as expected after restarting dnsmasq.
With the following Caddyfile:
*.local.example.com {
tls {
dns <dns provider plugin> <API token>
}
@ntfy host ntfy.local.example.com
handle @ntfy {
reverse_proxy ntfy
}
}
Every DNS-01 challenge fails with “…solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.local.example.com"…”.
I think this should be possible, but I’m not clear what I’m missing so any help greatly appreciated. I’m just dipping my toes into self-hosting and actually getting practical use out of my Raspberry Pi that’s been collecting dust for years.
Rereading what you have in the zone file, if that is a standard bind zone file, a subzone definition would look like
` ; sub-domain definitions $ORIGIN local.example.com.
What you have might work, but doesn’t follow the dns RFCs the dns label is “*.local” in the “example.com” zone/domain.
This may come up after you get the API to the public DNS provider working, as the software will add/update a “_acme-challenge” label in the zone you point it to which would be “example.com”
If the dns provider makes setting up a proper subzones hard, you can work around it by adding a cname record
_acme-challenge.local in CNAME _acme-challenge.example.comThanks for the suggestion. That wasn’t a standard format I was just trying to write them out in a way that represented what I was seeing in my DNS controller and now realise it probably would have been clearer as a table. I honestly wasn’t sure if
*.localwould work either but it’s working great now.Wildcard DNS entries are not part of an RFC afaik, so the behavior is completely determined by the dns software in use. AD and I think bind state to only use them in an otherwise empty zones, though one case I have at work we have to have the wild and an A record in the zone. Hit strange intermittent failures to resolve without the record in for some reason.