Comments (5)
If it is any help: I run integration tests against Pebble in my project, and my dns-01 tests succeed. So generally, it seems to work. However I am using a tiny and very simple DNS server, nothing sophisticated.
Is that DNS server also authoritative for your hostname under test?
I'm using system default recursive nameservers during my tests, and updating a real cloudflare dns zone in order to perform validations. I suspect this is the issue, as I'll be using some random recursive DNS resolvers that are honouring the NXDOMAIN ttl (as the domain I am using is a randomly generated subdomain).
I run Pebble in a docker container, and my test DNS server in a second docker container. The /etc/resolv.conf of Pebble's container points to that DNS server's IP, so it is the only way for Pebble to resolve domains. This way I can also run http-01 validations for fake domains like example.com.
The server only does a minimal job. It reacts to A and TXT queries, and sends the responses that I have previously set. No TTL, no recursions.
I only mention this so you know that Pebble's dns-01 validation is not generally broken, but I don't want to rule out that there might be an issue.
> I'm using system default recursive nameservers during my tests, and updating a real cloudflare dns zone in order to perform validations. I suspect this is the issue, as I'll be using some random recursive DNS resolvers that are honouring the NXDOMAIN ttl (as the domain I am using is a randomly generated subdomain).
Yup, that's the issue :-) I think we should do a better job of documenting this Pebble gotcha.
Boulder and the Let's Encrypt prod/staging stack use an Unbound instance to do the heavy lifting for DNS. We run a configuration (basically identical to this) that sets a very low max TTL to avoid caching problems for those environments. Boulder's test environment uses a fake recursive resolver that returns fibs. In both cases Boulder uses miekg/dns to talk to the specifically configured resolver (The fake one or the Unbound instance).
Ideally Pebble could be changed to do similar: config would point Pebble's DNS requests to a fake or otherwise customized recursive DNS server. @shred and I chatted about that way back in Jul 2017 in #33. Unfortunately my conclusion at the time was that it would mean pulling in miekg/dns to Pebble and doing a lot more custom DNS code. Presently (as you noted) Pebble uses net.LookupTXT from the stdlib and Go uses the system DNS resolver unconditionally.
I think a solution like what @shred arrived at where you find a way to configure the system DNS for your integration tests unobtrusively with ✨ Container Magic ✨ is the best path forward. (edit: at least for the short term until there's time for more involved Pebble DNS rework).
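As an added example (not part of the thread, not shred's test server, and not Pebble or Boulder code), here is a minimal fake DNS responder of the kind both comments above describe: it answers A and TXT queries from a preset table, sets the AA bit, refuses recursion (RA is never set), returns NXDOMAIN for unknown names and an empty NOERROR answer for a known name with no record of the requested type, and uses TTL 0 throughout. Pointed at from the ACME server container's /etc/resolv.conf, it removes every recursive resolver from the validation path, so the NXDOMAIN negative-caching problem discussed above cannot occur. The names and values in RECORDS, the port 5353 and the helper names are all assumptions made for this example.

```python
"""Minimal fake DNS responder for ACME dns-01 / http-01 integration tests (added example)."""
import socket
import struct

# Preset answers (constructed sample data). Keys are lower-case FQDNs with a trailing dot.
RECORDS = {
    "example.com.": {"A": ["127.0.0.1"]},
    "_acme-challenge.example.com.": {"TXT": ["constructed-key-authorization-hash"]},
}

QTYPE = {1: "A", 16: "TXT"}   # the only record types this server knows about
RCODE_NXDOMAIN = 3
RCODE_NOTIMP = 4


def parse_name(msg, offset):
    """Decode an uncompressed DNS name at offset; return (fqdn, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a question section")
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def encode_name(name):
    """Encode an FQDN as length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def rdata_for(rtype, value):
    """Wire-format RDATA for the two supported record types."""
    if rtype == "A":
        return socket.inet_aton(value)
    if rtype == "TXT":
        raw = value.encode("ascii")        # one <character-string>; must be <= 255 bytes
        return bytes([len(raw)]) + raw
    raise ValueError(rtype)


def build_query(name, qtype, txid=0x1234, rd=True):
    """Build a standard single-question query packet (handy for local checks)."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, records=RECORDS):
    """Return the response packet for one UDP query packet."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    rd = flags & 0x0100                      # echo the client's RD bit, never set RA
    opcode = (flags >> 11) & 0xF
    if opcode != 0 or qdcount != 1:
        # Not a plain single-question QUERY: answer NOTIMP with no question echoed.
        return struct.pack("!HHHHHH", txid, 0x8000 | rd | RCODE_NOTIMP, 0, 0, 0, 0)
    name, end = parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    rtype = QTYPE.get(qtype)
    rcode, answers, ancount = 0, b"", 0
    if name.lower() not in records:
        rcode = RCODE_NXDOMAIN               # unknown name: NXDOMAIN (no SOA; test use only)
    elif qclass == 1 and rtype is not None:
        for value in records[name.lower()].get(rtype, []):
            rdata = rdata_for(rtype, value)
            # 0xC00C = pointer to the name in the question; TTL is 0 so nothing may be cached
            answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 0, len(rdata)) + rdata
            ancount += 1
    # QR=1, AA=1, RD as asked, RA=0, RCODE as computed
    resp_flags = 0x8000 | 0x0400 | rd | rcode
    return struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0) + question + answers


def serve(host="127.0.0.1", port=5353, records=RECORDS):
    """Answer UDP queries forever; in a container, bind port 53 and point resolv.conf here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            query, peer = sock.recvfrom(512)
            try:
                sock.sendto(build_response(query, records), peer)
            except (ValueError, struct.error, IndexError):
                pass  # malformed packet: drop it rather than crash the test server


if __name__ == "__main__":
    serve()
```

Run it in the DNS container on port 53, set the ACME server container's `nameserver` to that container's address, and update RECORDS (or load it from the test harness) before each validation; because the responder is the only resolver the ACME server can reach, a fresh random subdomain per test never hits a cached NXDOMAIN.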
I put out a PR to clarify some of Pebble's limitations, including this system DNS resolver "gotcha": #123
I'm going to close this issue for now since the problem is a known limitation with Pebble. I'll leave #33 open for tracking more intensive work to integrate more complex DNS handling.
Thanks!