nifcloud: bug between v4.16.1 and v4.17.3 #2245

Open

penM000 opened this issue Aug 21, 2024 · 3 comments

Comments


penM000 commented Aug 21, 2024

Welcome

  • Yes, I'm using a binary release within 2 latest releases.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).

What did you expect to see?

As with v4.16.1, v4.17.3 and later versions can issue certificates.

What did you see instead?

The certificate was successfully issued in v4.16.1, but the handshake with “https://dns.api.nifcloud.com” fails in v4.17.3 and later versions.

How do you use lego?

Docker image

Reproduction steps

Verify that the certificate can be issued with v4.16.1.

export MAIL_ADDR=<>
export NIFCLOUD_ACCESS_KEY_ID=<>
export NIFCLOUD_SECRET_ACCESS_KEY=<>
export DOMAIN=sub.example.nifcloud.net
export SAVE_DIR=/opt/lego
export LEGO_VERSION=v4.16.1
sudo docker run --rm --env  NIFCLOUD_ACCESS_KEY_ID=$NIFCLOUD_ACCESS_KEY_ID --env NIFCLOUD_SECRET_ACCESS_KEY=$NIFCLOUD_SECRET_ACCESS_KEY -v $SAVE_DIR:/.lego goacme/lego:$LEGO_VERSION  --dns nifcloud -a --email $MAIL_ADDR --domains $DOMAIN run

Verify that the certificate cannot be issued with v4.17.3.

export MAIL_ADDR=<>
export NIFCLOUD_ACCESS_KEY_ID=<>
export NIFCLOUD_SECRET_ACCESS_KEY=<>
export DOMAIN=sub.example.nifcloud.net
export SAVE_DIR=/opt/lego
export LEGO_VERSION=v4.17.4
sudo docker run --rm --env  NIFCLOUD_ACCESS_KEY_ID=$NIFCLOUD_ACCESS_KEY_ID --env NIFCLOUD_SECRET_ACCESS_KEY=$NIFCLOUD_SECRET_ACCESS_KEY -v $SAVE_DIR:/.lego goacme/lego:$LEGO_VERSION  --dns nifcloud -a --email $MAIL_ADDR --domains $DOMAIN run

Version of lego

lego version 4.16.1 linux/amd64
lego version 4.17.3 linux/amd64

Logs

$ export LEGO_VERSION=v4.16.1
$ sudo docker run --rm --env  NIFCLOUD_ACCESS_KEY_ID=$NIFCLOUD_ACCESS_KEY_ID --env NIFCLOUD_SECRET_ACCESS_KEY=$NIFCLOUD_SECRET_ACCESS_KEY -v $SAVE_DIR:/.lego goacme/lego:$LEGO_VERSION  --dns nifcloud -a --email $MAIL_ADDR --domains $DOMAIN run
2024/08/21 06:39:06 [INFO] [sub.example.nifcloud.net] acme: Obtaining bundled SAN certificate
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/393043367796
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] acme: Could not find solver for: tls-alpn-01
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] acme: Could not find solver for: http-01
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] acme: use dns-01 solver
2024/08/21 06:39:07 [INFO] [sub.example.nifcloud.net] acme: Preparing to solve DNS-01
2024/08/21 06:39:09 [INFO] Wait for nifcloud [timeout: 2m0s, interval: 4s]
2024/08/21 06:39:09 [INFO] [sub.example.nifcloud.net] acme: Trying to solve DNS-01
2024/08/21 06:39:09 [INFO] [sub.example.nifcloud.net] acme: Checking DNS record propagation. [nameservers=8.8.8.8:53,8.8.4.4:53]
2024/08/21 06:39:11 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/08/21 06:39:11 [INFO] [sub.example.nifcloud.net] acme: Waiting for DNS record propagation.
2024/08/21 06:39:13 [INFO] [sub.example.nifcloud.net] acme: Waiting for DNS record propagation.
2024/08/21 06:39:16 [INFO] [sub.example.nifcloud.net] acme: Waiting for DNS record propagation.
2024/08/21 06:39:23 [INFO] [sub.example.nifcloud.net] The server validated our request
2024/08/21 06:39:23 [INFO] [sub.example.nifcloud.net] acme: Cleaning DNS-01 challenge
2024/08/21 06:39:25 [INFO] Wait for nifcloud [timeout: 2m0s, interval: 4s]
2024/08/21 06:39:26 [INFO] [sub.example.nifcloud.net] acme: Validations succeeded; requesting certificates
2024/08/21 06:39:27 [INFO] [sub.example.nifcloud.net] Server responded with a certificate.
$ export LEGO_VERSION=v4.17.3
$ sudo docker run --rm --env  NIFCLOUD_ACCESS_KEY_ID=$NIFCLOUD_ACCESS_KEY_ID --env NIFCLOUD_SECRET_ACCESS_KEY=$NIFCLOUD_SECRET_ACCESS_KEY -v $SAVE_DIR:/.lego goacme/lego:$LEGO_VERSION  --dns nifcloud -a --email $MAIL_ADDR --domains $DOMAIN run
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Obtaining bundled SAN certificate
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/393044192476
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Could not find solver for: tls-alpn-01
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Could not find solver for: http-01
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: use dns-01 solver
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Preparing to solve DNS-01
2024/08/21 06:41:45 [INFO] [sub.example.nifcloud.net] acme: Cleaning DNS-01 challenge
2024/08/21 06:41:46 [WARN] [sub.example.nifcloud.net] acme: cleaning up failed: nifcloud: failed to change record set: unable to communicate with the API server: error: Post "https://dns.api.nifcloud.com/2012-12-12N2013-12-16/hostedzone/example.nifcloud.net/rrset": remote error: tls: handshake failure 
2024/08/21 06:41:46 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/393044192476
2024/08/21 06:41:46 Could not obtain certificates:
        error: one or more domains had a problem:
[sub.example.nifcloud.net] [sub.example.nifcloud.net] acme: error presenting token: nifcloud: failed to change record set: unable to communicate with the API server: error: Post "https://dns.api.nifcloud.com/2012-12-12N2013-12-16/hostedzone/example.nifcloud.net/rrset": remote error: tls: handshake failure

Go environment (if applicable)

$ go version && go env
# paste output here

ldez commented Aug 21, 2024

Hello,

there is no change between v4.16.1 and v4.17.3 on the nifcloud package.

v4.16.1...v4.17.3

The only change is the Go version used to compile, so I guess the nifcloud certificates have an issue.

@ldez ldez added question and removed bug labels Aug 21, 2024
@ldez ldez changed the title There is a bug related to dns nifcloud between v4.16.1 and v4.17.3. nifcloud: bug between v4.16.1 and v4.17.3. Aug 21, 2024

penM000 commented Aug 22, 2024

Hello.

We have confirmed the changes due to the go version change.
(https://tip.golang.org/doc/go1.22)

We have confirmed the following description.

By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes. This change can be reverted with the tlsrsakex=1 GODEBUG setting.

We have run “https://www.ssllabs.com/ssltest/” against “https://dns.api.nifcloud.com” and obtained the following results.

We expect this is due to a TLS cipher suite limitation caused by the go version change, not the certificate.

[image: SSL Labs test results for dns.api.nifcloud.com]


ldez commented Aug 24, 2024

So, as I expressed in my first comment, this is a problem with Nifcloud itself.
I don't think we will compile lego with tlsrsakex=1 just for nifcloud.

@ldez ldez changed the title nifcloud: bug between v4.16.1 and v4.17.3. nifcloud: bug between v4.16.1 and v4.17.3 Sep 6, 2024