this post was submitted on 16 Jun 2023
4 points (100.0% liked)

Selfhosted

40329 readers
390 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

EDIT: Issue now resolved. Turns out that having an A record point to a DNS server probably wasn't the best idea. My best theory here is that A records pointing to DNS servers means "Find the authority on this domain at this other DNS server", which could never resolve. By pointing it to my VPS, the DNS could resolve to a definitive IP, and the certs were successfully generated.

Hi all, hope someone can help as I'm just confused now!

Long story short I want to host local services (like ntfy) using trusted certificates. I hoped to do this with Caddy and a wildcard domain (I don't want to expose the DNS records of the services I'm running if not necessary).

In my DNS I have an A record for *.local.example.com pointing at a semi-random IP. I have other services on a VPS on other subdomains so I can't just use a wildcard. This looks like:

blog  A  <VPS IP>
*.local  A  1.1.1.1

On the server in my home network (which I do not want to expose) I have dnsmasq running that is handling local DNS records for services on the LAN but carefully not the remote services on the same domain. Using dig I can see that the local and remote DNS are working as expected. Seeing the error on DNS-01 challenged "could not determine zone for domain "_acme-challenge.local.example.com" I have also added an exception in my local DNS for _acme-challenge.local to point to cloudflare's DNS at 1.1.1.1. The dig command confirms this works as expected after restarting dnsmasq.

With the following Caddyfile:

*.local.example.com {
        tls {
                dns <dns provider plugin> <API token>
        }

        @ntfy host ntfy.local.example.com
        handle @ntfy {
                reverse_proxy ntfy
        }
}

Every DNS-01 challenge fails with "...solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.local.example.com"...".

I think this should be possible, but I'm not clear what I'm missing so any help greatly appreciated. I'm just dipping my toes into self-hosting and actually getting practical use out of my Raspberry Pi that's been collecting dust for years.

you are viewing a single comment's thread
view the rest of the comments

Wildcard DNS entries are not part of an RFC afaik, so the behavior is completely determined by the dns software in use. AD and I think bind state to only use them in an otherwise empty zones, though one case I have at work we have to have the wild and an A record in the zone. Hit strange intermittent failures to resolve without the record in for some reason.