lego 4.8 -> 4.9 "could not find zone for domain" if using CNAME * #1792

Closed
3 tasks done
hrolofs opened this issue Dec 27, 2022 · 2 comments

hrolofs commented Dec 27, 2022

Welcome

  • Yes, I'm using a binary release within 2 latest releases.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).

What did you expect to see?

Hello,

I have a domain on deSEC, and there I have a CNAME entry * for a server behind my Fritz!Box:

CNAME   *   myserver.XXXXXXXXXXXXXXX.myfritz.net.

Up to lego 4.8 everything worked fine. Starting with lego 4.9 I can't request certificates with this CNAME entry.

I got the following output using the lego binary:

4.9 with CNAME

2022/12/27 16:54:23 [INFO] [exampledomain.dedyn.io] acme: Obtaining bundled SAN certificate
2022/12/27 16:54:24 [INFO] [exampledomain.dedyn.io] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4755156613
2022/12/27 16:54:24 [INFO] [exampledomain.dedyn.io] acme: Could not find solver for: tls-alpn-01
2022/12/27 16:54:24 [INFO] [exampledomain.dedyn.io] acme: Could not find solver for: http-01
2022/12/27 16:54:24 [INFO] [exampledomain.dedyn.io] acme: use dns-01 solver
2022/12/27 16:54:24 [INFO] [exampledomain.dedyn.io] acme: Preparing to solve DNS-01
2022/12/27 16:54:24 [INFO] [exampledomain.dedyn.io] acme: Cleaning DNS-01 challenge
2022/12/27 16:54:24 [WARN] [exampledomain.dedyn.io] acme: cleaning up failed: desec: could not find zone for domain "exampledomain.dedyn.io" and fqdn "myserver.XXXXXXXXXXXXXXX.myfritz.net." : unexpected response code 'REFUSED' for myserver.XXXXXXXXXXXXXXX.myfritz.net.
2022/12/27 16:54:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4755156613
2022/12/27 16:54:24 Could not obtain certificates:
        error: one or more domains had a problem:
[exampledomain.dedyn.io] [exampledomain.dedyn.io] acme: error presenting token: desec: could not find zone for domain "exampledomain.dedyn.io" and fqdn "myserver.XXXXXXXXXXXXXXX.myfritz.net." : unexpected response code 'REFUSED' for myserver.XXXXXXXXXXXXXXX.myfritz.net.

If I remove the CNAME entry * it works as it did with 4.8 before.

Any idea what changed between 4.8 and 4.9 that causes this problem when using a CNAME entry *?

For each test, I removed the local .lego directory.

Regards, Henry

What did you see instead?

Successful certificate request like with lego 4.8

How do you use lego?

Binary

Reproduction steps

I use this small script for testing:

#!/bin/bash

rm -rf .lego

#export LEGODIR=lego_v4.8.0_linux_386
export LEGODIR=lego_v4.9.0_linux_386
#export LEGODIR=lego_v4.9.1_linux_386

### root@nuc:/MyData1/Docker/Build/ACME# ./lego dnshelp -c desec
### Configuration for deSEC.io.
### Code:   'desec'
### Since:  'v3.7.0'
###
### Credentials:
###   - "DESEC_TOKEN":  Domain token
###
### Additional Configuration:
###   - "DESEC_HTTP_TIMEOUT":         API request timeout
###   - "DESEC_POLLING_INTERVAL":     Time between DNS propagation check
###   - "DESEC_PROPAGATION_TIMEOUT":  Maximum waiting time for DNS propagation
###   - "DESEC_TTL":                  The TTL of the TXT record used for the DNS challenge
###
### More information: https://go-acme.github.io/lego/dns/desec

export DESEC_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#export DESEC_POLLING_INTERVAL=
#export DESEC_PROPAGATION_TIMEOUT=
#export DESEC_TTL=

${LEGODIR}/lego --server=https://acme-staging-v02.api.letsencrypt.org/directory -a --email "my.mail@test.com" --dns desec --dns.resolvers "ns1.desec.io" --dns.resolvers "ns2.desec.org"  --domains "exampledomain.dedyn.io" run

Version of lego

ok: lego version 4.8.0 linux/386
error: lego version 4.9.0 linux/386
error: lego version 4.9.1 linux/386

hrolofs added the bug label Dec 27, 2022

ldez (Member) commented Dec 27, 2022

duplicate of #1754

hrolofs (Author) commented Dec 27, 2022

Hi,

thanks for your fast response.

I have added

export LEGO_DISABLE_CNAME_SUPPORT=true

to my test script and also to my docker environment (traefik) and it works :-)

Many Thanks, Henry
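
The log above shows lego 4.9 looking up the zone of the wildcard CNAME target instead of the requested domain. As an added example (not part of this thread or of the lego code base), the function below checks a DNS answer for `_acme-challenge.<domain>` and reports a CNAME that leaves the domain; the function name, the sample TTL and the sample answer line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the issue thread or the lego code base.
# cname_leaves_zone DOMAIN   (hypothetical helper name)
#   stdin : DNS answer lines "name ttl class type rdata", e.g. the output of
#           dig +noall +answer TXT "_acme-challenge.$DOMAIN" @ns1.desec.io
#   stdout: the CNAME target, when _acme-challenge.DOMAIN is a CNAME pointing
#           outside DOMAIN (a "*" CNAME is answered under the queried name)
#   status: 0 if such a CNAME was found, 1 otherwise
cname_leaves_zone() {
    # DNS names compare case-insensitively; drop a trailing dot on DOMAIN
    domain=$(printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]')
    awk -v d="$domain" '
        BEGIN { rc = 1 }
        toupper($4) == "CNAME" && tolower($1) == "_acme-challenge." d "." {
            shown = $5; sub(/\.$/, "", shown)      # target without trailing dot
            t = tolower(shown); suffix = "." d
            n = length(t) - length(suffix)
            # inside the zone: the domain itself or any name below it
            inside = (t == d) || (n > 0 && substr(t, n + 1) == suffix)
            if (!inside) { print shown; rc = 0 }
            exit                                   # only the first CNAME matters
        }
        END { exit rc }
    '
}

# Constructed sample: the answer the "*" CNAME from this issue yields for the
# challenge name (TTL value is made up).
SAMPLE_ANSWER='_acme-challenge.exampledomain.dedyn.io. 3600 IN CNAME myserver.XXXXXXXXXXXXXXX.myfritz.net.'

if target=$(printf '%s\n' "$SAMPLE_ANSWER" | cname_leaves_zone exampledomain.dedyn.io); then
    echo "challenge name redirects to $target"
    echo "workaround used in this thread: export LEGO_DISABLE_CNAME_SUPPORT=true"
fi
```
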
