
Option --dns.disable-cp not working #804

Open
Klaus-Tockloth opened this issue Feb 21, 2019 · 13 comments

Comments

@Klaus-Tockloth

It seems that the option '--dns.disable-cp' isn't working. I have that ...

sudo \
LEGO_CA_CERTIFICATES=./pebble.minica.pem \
EXEC_PATH=./update-dns.sh \
./lego \
--server https://127.0.0.1:14000/dir \
--email [email protected] \
--accept-tos \
--domains gany-veggies.com \
--dns.disable-cp \
--dns exec \
run

... and get this result:

...
2019/02/21 14:27:57 [INFO] [gany-veggies.com] acme: Trying to solve DNS-01
2019/02/21 14:27:57 [INFO] [gany-veggies.com] acme: Checking DNS record propagation using [192.168.178.1:53 [fd00::3a10:d5ff:febe:db74]:53]
2019/02/21 14:27:57 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/02/21 14:27:57 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/02/21 14:27:59 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/02/21 14:28:01 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/02/21 14:28:03 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
...

My expectation is that with the option '--dns.disable-cp' (set to true) the DNS record propagation check is omitted.

Tested with lego 2.2.0.

@ldez
Member

ldez commented Feb 21, 2019

All our e2e tests for the DNS challenges use --disable-cp (and fail if the flag is omitted).

Then it seems weird.

@Klaus-Tockloth
Author

Just to avoid duplicate work: any progress or new info here?

If not, I could look deeper into this issue. It's an important feature for me. I'm using 'pebble-challtestsrv' for testing, and 'pebble-challtestsrv' doesn't have any propagation functionality.

@Klaus-Tockloth
Author

It seems that the issue depends on the operating system and/or environment.

Linux (OK):

./lego --version
lego version 2.4.0 linux/amd64

LEGO_CA_CERTIFICATES=./pebble.minica.pem \
EXEC_PATH=./update-dns.sh \
./lego \
--server https://127.0.0.1:14000/dir \
--email [email protected] \
--accept-tos \
--domains gany-veggies.com \
--dns.disable-cp \
--dns exec \
--cert.timeout 60 \
run
2019/04/04 13:19:50 No key found for account [email protected]. Generating a P384 key.
2019/04/04 13:19:51 Saved key to /home/evallx034/Lego/.lego/accounts/127.0.0.1_14000/[email protected]/keys/[email protected]
2019/04/04 13:19:51 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!

		Your account credentials have been saved in your Let's Encrypt
		configuration directory at "/home/evallx034/Lego/.lego/accounts".
		You should make a secure backup	of this folder now. This
		configuration directory will also contain certificates and
		private keys obtained from Let's Encrypt so making regular
		backups of this folder is ideal.2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Obtaining bundled SAN certificate
2019/04/04 13:19:51 [INFO] [gany-veggies.com] AuthURL: https://127.0.0.1:14000/authZ/Iwvj67Femm42YKg25x_rHA9jhFKMOdnTS1xBP1e2i_s
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Could not find solver for: tls-alpn-01
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Could not find solver for: http-01
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: use dns-01 solver
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Preparing to solve DNS-01
2019/04/04 13:19:51 ./update-dns.sh present _acme-challenge.gany-veggies.com. 2_vc05F-uF9u4bWo-iOxT9aM3558-GWYByslj7369b0 --> return code 0 at 'present'
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Trying to solve DNS-01
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Checking DNS record propagation using [141.36.249.9:53 141.36.1.5:53 141.36.251.10:53]
2019/04/04 13:19:51 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/04/04 13:19:51 [INFO] [gany-veggies.com] The server validated our request
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Cleaning DNS-01 challenge
2019/04/04 13:19:51 ./update-dns.sh cleanup _acme-challenge.gany-veggies.com. 2_vc05F-uF9u4bWo-iOxT9aM3558-GWYByslj7369b0 --> return code 0 at 'cleanup'
2019/04/04 13:19:51 [INFO] [gany-veggies.com] acme: Validations succeeded; requesting certificates
2019/04/04 13:19:51 [INFO] Wait for certificate [timeout: 1m0s, interval: 1s]
2019/04/04 13:19:51 [INFO] [gany-veggies.com] Server responded with a certificate.

macOS (NOK):

./lego --version
lego version 2.4.0 darwin/amd64

LEGO_CA_CERTIFICATES=./pebble.minica.pem \
EXEC_PATH=./update-dns.sh \
./lego \
--server https://127.0.0.1:14000/dir \
--email [email protected] \
--accept-tos \
--domains gany-veggies.com \
--dns.disable-cp \
--dns exec \
--cert.timeout 60 \
run
2019/04/04 13:43:09 No key found for account [email protected]. Generating a P384 key.
2019/04/04 13:43:09 Saved key to /Users/klaustockloth/Work/Lego-Mac/.lego/accounts/127.0.0.1_14000/[email protected]/keys/[email protected]
2019/04/04 13:43:09 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!

		Your account credentials have been saved in your Let's Encrypt
		configuration directory at "/Users/klaustockloth/Work/Lego-Mac/.lego/accounts".
		You should make a secure backup	of this folder now. This
		configuration directory will also contain certificates and
		private keys obtained from Let's Encrypt so making regular
		backups of this folder is ideal.2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Obtaining bundled SAN certificate
2019/04/04 13:43:09 [INFO] [gany-veggies.com] AuthURL: https://127.0.0.1:14000/authZ/J5vC_VNdpIds9EGJGkjiEN23ujGkJ23cVnRGnaSAe0s
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Could not find solver for: tls-alpn-01
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Could not find solver for: http-01
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: use dns-01 solver
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Preparing to solve DNS-01
2019/04/04 13:43:09 ./update-dns.sh present _acme-challenge.gany-veggies.com. 4sMo1CNyzVda80ZDLk_KP8K8Ng3zjaVnZUwf7qC9hbk --> return code 0 at 'present'
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Trying to solve DNS-01
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Checking DNS record propagation using [192.168.178.1:53 [fd00::3a10:d5ff:febe:db74]:53]
2019/04/04 13:43:09 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/04/04 13:43:09 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/04/04 13:43:11 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
...
2019/04/04 13:44:06 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/04/04 13:44:08 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/04/04 13:44:10 [INFO] [gany-veggies.com] acme: Cleaning DNS-01 challenge
2019/04/04 13:44:10 ./update-dns.sh cleanup _acme-challenge.gany-veggies.com. 4sMo1CNyzVda80ZDLk_KP8K8Ng3zjaVnZUwf7qC9hbk --> return code 0 at 'cleanup'
2019/04/04 13:44:10 Could not obtain certificates:
	acme: Error -> One or more domains had a problem:
[gany-veggies.com] time limit exceeded: last error: dial udp [fd00::3a10:d5ff:febe:db74]:53: connect: no route to host

Any ideas where to start further investigations?

@ldez
Member

ldez commented Apr 4, 2019

Maybe it's a bug inside https://github.com/urfave/cli

@Klaus-Tockloth
Author

Klaus-Tockloth commented Apr 26, 2019

I looked deeper into this issue and dumped the content of "preCheck":

type preCheck struct {
	// checks DNS propagation before notifying ACME that the DNS challenge is ready.
	checkFunc WrapPreCheckFunc
	// require the TXT record to be propagated to all authoritative name servers
	requireCompletePropagation bool
}

The "requireCompletePropagation" value is set correctly to "true or false", but "checkFunc" is always nil.

preCheck: (dns01.preCheck) {
 checkFunc: (dns01.WrapPreCheckFunc) <nil>,
 requireCompletePropagation: (bool) false
},

preCheck: (dns01.preCheck) {
 checkFunc: (dns01.WrapPreCheckFunc) <nil>,
 requireCompletePropagation: (bool) true
},

That's the reason why "checkDNSPropagation()" is always called.

func (p preCheck) call(domain, fqdn, value string) (bool, error) {
	if p.checkFunc == nil {
		return p.checkDNSPropagation(fqdn, value)
	}

	return p.checkFunc(domain, fqdn, value, p.checkDNSPropagation)
}

The function "WrapPreCheck()" sets "checkFunc":

// WrapPreCheck Allow to define checks before notifying ACME that the DNS challenge is ready.
func WrapPreCheck(wrap WrapPreCheckFunc) ChallengeOption {
	return func(chlg *Challenge) error {
		chlg.preCheck.checkFunc = wrap
		return nil
	}
}

My understanding is that "checkFunc()" allows one to define a (user-implemented) mechanism to check the DNS propagation. In my case I don't want such a check. How can this be achieved?

@ldez
Member

ldez commented Apr 26, 2019

Maybe the issue is related to

dns01.CondOption(ctx.GlobalIsSet("dns.disable-cp"),
dns01.DisableCompletePropagationRequirement()),

I fixed this in #868

@ldez
Member

ldez commented Apr 26, 2019

The goal of --dns.disable-cp is only to not check all NS, but the propagation is checked with at least 1 NS in all cases.

The WrapPreCheck is something new (v2.3 #783) but the previous behavior has not been changed.

checkDNSPropagation

@ldez
Member

ldez commented Apr 26, 2019

Your last message doesn't seem related to your previous message about the weird behavior on Mac.

I think the Mac behavior is related to the bug #868.

@Klaus-Tockloth
Author

Klaus-Tockloth commented Apr 26, 2019

Just for clarification: the last analysis was based on my own client. That means that https://github.com/urfave/cli isn't involved. The 'DisableCompletePropagationRequirement()' option is set directly:

err = client.Challenge.SetDNS01Provider(provider, dns01.DisableCompletePropagationRequirement())
if err != nil {
  log.Printf("error <%v> at client.Challenge.SetDNS01Provider(), provider = %v", err, dns01Provider)
  return err
}

Maybe we are dealing with two independent issues ...

@ldez
Member

ldez commented Apr 26, 2019

If the question is: how to disable the precheck?

The answer is:

err = client.Challenge.SetDNS01Provider(provider, dns01.WrapPreCheck(func(_, _, _ string, _ dns01.PreCheckFunc) (b bool, e error) {
	return true, nil
}))
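To make the distinction in this thread concrete (the bool that DisableCompletePropagationRequirement() flips versus the checkFunc hook that WrapPreCheck() installs), here is a stand-alone Go model of the preCheck dispatch. It is an added example, not lego's code: the type and function names follow the snippets above, but the resolver is replaced by a constructed in-memory map, and one of the two nameservers is deliberately missing from that map so it fails like the unreachable IPv6 resolver in the macOS log.

```go
package main

import "fmt"

// PreCheckFunc checks whether the TXT record has propagated (shape modelled on the issue).
type PreCheckFunc func(fqdn, value string) (bool, error)

// WrapPreCheckFunc lets a caller wrap, or fully replace, the built-in check.
type WrapPreCheckFunc func(domain, fqdn, value string, check PreCheckFunc) (bool, error)

type preCheck struct {
	checkFunc                  WrapPreCheckFunc // nil means "always run checkDNSPropagation"
	requireCompletePropagation bool             // true: every nameserver must answer with the record
}

// Challenge carries the pre-check settings plus a constructed resolver:
// nameserver -> TXT records; a nameserver absent from the map is "unreachable".
type Challenge struct {
	preCheck    preCheck
	nameservers []string
	records     map[string][]string
	lookups     int // resolver queries made; 0 proves the check was skipped
}

type ChallengeOption func(*Challenge) error

// DisableCompletePropagationRequirement only flips the bool; the check itself still runs.
func DisableCompletePropagationRequirement() ChallengeOption {
	return func(c *Challenge) error {
		c.preCheck.requireCompletePropagation = false
		return nil
	}
}

// WrapPreCheck installs checkFunc; this is the hook that can bypass the check entirely.
func WrapPreCheck(wrap WrapPreCheckFunc) ChallengeOption {
	return func(c *Challenge) error {
		c.preCheck.checkFunc = wrap
		return nil
	}
}

// NewChallenge applies options the way SetDNS01Provider applies ChallengeOptions.
func NewChallenge(ns []string, records map[string][]string, opts ...ChallengeOption) (*Challenge, error) {
	c := &Challenge{preCheck: preCheck{requireCompletePropagation: true}, nameservers: ns, records: records}
	for _, opt := range opts {
		if err := opt(c); err != nil {
			return nil, err
		}
	}
	return c, nil
}

// lookupTXT is the constructed resolver; an unknown nameserver mimics "no route to host".
func (c *Challenge) lookupTXT(ns, fqdn string) ([]string, error) {
	c.lookups++
	txt, ok := c.records[ns]
	if !ok {
		return nil, fmt.Errorf("dial udp %s: connect: no route to host", ns)
	}
	return txt, nil
}

// checkDNSPropagation queries every nameserver, then applies "all" or "at least one".
// (false, nil) means "not propagated yet, keep polling"; (false, err) carries the last error.
func (c *Challenge) checkDNSPropagation(fqdn, value string) (bool, error) {
	var lastErr error
	found := 0
	for _, ns := range c.nameservers {
		txt, err := c.lookupTXT(ns, fqdn)
		if err != nil {
			lastErr = err
			continue
		}
		for _, t := range txt {
			if t == value {
				found++
				break
			}
		}
	}
	if c.preCheck.requireCompletePropagation && found < len(c.nameservers) {
		return false, lastErr
	}
	if found == 0 {
		return false, lastErr
	}
	return true, nil
}

// call is the dispatch quoted in the issue: a nil checkFunc always runs the built-in check.
func (c *Challenge) call(domain, fqdn, value string) (bool, error) {
	if c.preCheck.checkFunc == nil {
		return c.checkDNSPropagation(fqdn, value)
	}
	return c.preCheck.checkFunc(domain, fqdn, value, c.checkDNSPropagation)
}

// Constructed scenario: one reachable resolver that already has the record, one that is not.
const reachableNS, unreachableNS = "192.168.178.1:53", "[fd00::3a10:d5ff:febe:db74]:53"

// RunScenario returns (propagated, resolver queries made, error) for one option set.
func RunScenario(opts ...ChallengeOption) (bool, int, error) {
	const fqdn, value = "_acme-challenge.gany-veggies.com.", "constructed-token"
	records := map[string][]string{reachableNS: {value}} // unreachableNS deliberately absent
	c, err := NewChallenge([]string{reachableNS, unreachableNS}, records, opts...)
	if err != nil {
		return false, 0, err
	}
	ok, err := c.call("gany-veggies.com", fqdn, value)
	return ok, c.lookups, err
}

func main() {
	ok, n, err := RunScenario()
	fmt.Printf("default:      ok=%v lookups=%d err=%v\n", ok, n, err)
	ok, n, err = RunScenario(DisableCompletePropagationRequirement())
	fmt.Printf("disable-cp:   ok=%v lookups=%d err=%v\n", ok, n, err)
	ok, n, err = RunScenario(WrapPreCheck(func(_, _, _ string, _ PreCheckFunc) (bool, error) { return true, nil }))
	fmt.Printf("WrapPreCheck: ok=%v lookups=%d err=%v\n", ok, n, err)
}
```

With the default settings the unreachable nameserver makes the check fail and the "no route to host" error is what surfaces after the timeout; with DisableCompletePropagationRequirement() both nameservers are still queried but one positive answer is enough; only the WrapPreCheck() variant that returns true makes zero resolver queries, which is what "no propagation check at all" means for a test setup like pebble-challtestsrv.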

@Klaus-Tockloth
Author

err = client.Challenge.SetDNS01Provider(provider, dns01.WrapPreCheck(func(_, _, _ string, _ dns01.PreCheckFunc) (b bool, e error) {
	return true, nil
}))

Thanks for explaining this.

@Klaus-Tockloth
Author

Version 2.6.0 has a fix concerning this issue, but it's still not working for me on macOS. Maybe a local problem. Could someone reproduce the issue?

./lego --version
lego version 2.6.0 darwin/amd64

LEGO_CA_CERTIFICATES=./pebble.minica.pem \
EXEC_PATH=./update-dns.sh \
./lego \
--server https://127.0.0.1:14000/dir \
--email [email protected] \
--accept-tos \
--domains gany-veggies.com \
--dns.disable-cp \
--dns exec \
--cert.timeout 60 \
run
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Obtaining bundled SAN certificate
2019/05/29 08:52:34 [INFO] [gany-veggies.com] AuthURL: https://127.0.0.1:14000/authZ/der3h4pt-fP01xFRKg6tK8cqwR_UAn5BlM7oCrrHVr0
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Could not find solver for: tls-alpn-01
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Could not find solver for: http-01
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: use dns-01 solver
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Preparing to solve DNS-01
2019/05/29 08:52:34 ./update-dns.sh present _acme-challenge.gany-veggies.com. BgSKGDD6mWT8KRqTuzg-gOZeLpeGL4QFK9xQSN0KtP0 --> return code 0 at 'present'
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Trying to solve DNS-01
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Checking DNS record propagation using [192.168.178.1:53 [fd00::3a10:d5ff:febe:db74]:53]
2019/05/29 08:52:34 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/05/29 08:52:34 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:36 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:38 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:40 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:42 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:44 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
2019/05/29 08:52:46 [INFO] [gany-veggies.com] acme: Waiting for DNS record propagation.
...
