rfc2136 with CNAME broken on recent versions #1867

Closed
3 tasks done
marzzzello opened this issue Mar 9, 2023 · 2 comments

@marzzzello

Welcome

  • Yes, I'm using a binary release within 2 latest releases.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).

What did you expect to see?

I expect to receive a certificate for sub.example.com, *.sub.example.com via rfc2136 dns challenge.

What did you see instead?

Lego v4.9.0 to v4.10.2 fails with

2023/03/09 20:14:24 Could not obtain certificates:
	error: one or more domains had a problem:
[*.sub.example.com] [*.sub.example.com] acme: error presenting token: rfc2136: failed to insert: unexpected response code 'REFUSED' for example.dyndnsprovider.com.
[sub.example.com] [sub.example.com] acme: error presenting token: rfc2136: failed to insert: unexpected response code 'REFUSED' for example.dyndnsprovider.com.

Lego v4.8.0 still works.

How do you use lego?

Other

Reproduction steps

  1. go install github.com/go-acme/lego/v4/cmd/lego@v4.10.2
  2. set env vars and run lego
    export RFC2136_NAMESERVER=ns1.nsserver.foo
    export RFC2136_TSIG_KEY=acme-foo
    export RFC2136_TSIG_SECRET=removed
    export RFC2136_TSIG_ALGORITHM=hmac-sha512.
    lego -a --email me@example.com --dns rfc2136 --domains sub.example.com --domains "*.sub.example.com" --server https://acme-staging-v02.api.letsencrypt.org/directory run
  3. get error (see logs below)
  4. go install github.com/go-acme/lego/v4/cmd/lego@v4.8.0
  5. run lego again
  6. cert is generated

Version of lego

lego version dev linux/amd64
(version is 4.10.2 but is not shown with go install method)

Logs

2023/03/09 20:14:21 No key found for account me@example.com. Generating a P256 key.
2023/03/09 20:14:21 Saved key to /home/me/projects/legotest/.lego/accounts/acme-staging-v02.api.letsencrypt.org/me@example.com/keys/me@example.com.key
2023/03/09 20:14:22 [INFO] acme: Registering account for me@example.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/me/projects/legotest/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2023/03/09 20:14:22 [INFO] [sub.example.com, *.sub.example.com] acme: Obtaining bundled SAN certificate
2023/03/09 20:14:23 [INFO] [*.sub.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5659276734
2023/03/09 20:14:23 [INFO] [sub.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5659276744
2023/03/09 20:14:23 [INFO] [*.sub.example.com] acme: use dns-01 solver
2023/03/09 20:14:23 [INFO] [sub.example.com] acme: Could not find solver for: tls-alpn-01
2023/03/09 20:14:23 [INFO] [sub.example.com] acme: Could not find solver for: http-01
2023/03/09 20:14:23 [INFO] [sub.example.com] acme: use dns-01 solver
2023/03/09 20:14:23 [INFO] [*.sub.example.com] acme: Preparing to solve DNS-01
2023/03/09 20:14:23 [INFO] Found CNAME entry for "_acme-challenge.sub.example.com.": "example.dyndnsprovider.com."
2023/03/09 20:14:23 [INFO] [*.sub.example.com] acme: Cleaning DNS-01 challenge
2023/03/09 20:14:23 [INFO] Found CNAME entry for "_acme-challenge.sub.example.com.": "example.dyndnsprovider.com."
2023/03/09 20:14:23 [WARN] [*.sub.example.com] acme: cleaning up failed: rfc2136: failed to remove: unexpected response code 'REFUSED' for example.dyndnsprovider.com. 
2023/03/09 20:14:23 [INFO] [sub.example.com] acme: Preparing to solve DNS-01
2023/03/09 20:14:23 [INFO] Found CNAME entry for "_acme-challenge.sub.example.com.": "example.dyndnsprovider.com."
2023/03/09 20:14:23 [INFO] [sub.example.com] acme: Cleaning DNS-01 challenge
2023/03/09 20:14:23 [INFO] Found CNAME entry for "_acme-challenge.sub.example.com.": "example.dyndnsprovider.com."
2023/03/09 20:14:23 [WARN] [sub.example.com] acme: cleaning up failed: rfc2136: failed to remove: unexpected response code 'REFUSED' for example.dyndnsprovider.com. 
2023/03/09 20:14:23 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5659276734
2023/03/09 20:14:24 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5659276744
2023/03/09 20:14:24 Could not obtain certificates:
	error: one or more domains had a problem:
[*.sub.example.com] [*.sub.example.com] acme: error presenting token: rfc2136: failed to insert: unexpected response code 'REFUSED' for example.dyndnsprovider.com.
[sub.example.com] [sub.example.com] acme: error presenting token: rfc2136: failed to insert: unexpected response code 'REFUSED' for example.dyndnsprovider.com.

Go environment (if applicable)

$ go version && go env
go version go1.20.1 linux/amd64
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/me/.cache/go-build"
GOENV="/home/me/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/me/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/me/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3942128052=/tmp/go-build -gno-record-gcc-switches"
@marzzzello marzzzello added the bug label Mar 9, 2023
@ldez (Member) commented Mar 9, 2023

Hello,

I guess you are using CNAME wildcards.

You have to set the env var LEGO_DISABLE_CNAME_SUPPORT to true.

related to #1792, #1754, #1800

@marzzzello (Author)

Thanks for the quick reply.
Yes, that works. Maybe include that in the error message, or add some better explanation.
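Added example, not part of this issue thread and not lego's own code: a small Go preflight check that models what the log above shows. In the failing versions lego finds the CNAME on _acme-challenge.sub.example.com and sends the RFC 2136 update for the CNAME target, example.dyndnsprovider.com., a zone the TSIG key acme-foo cannot update, so the name server answers REFUSED; with LEGO_DISABLE_CNAME_SUPPORT=true the TXT record goes to _acme-challenge.sub.example.com itself, which the key is allowed to write. The cnameTable and tsigZones values are constructed from the names on this page, and challengeName, resolveTarget, inAuthorizedZone and preflight are hypothetical helpers, not lego's API. Running such a check before placing an order tells you which zone the update will hit and whether the key you hold can reach it.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed CNAME table standing in for the reporter's DNS: the
// _acme-challenge label under sub.example.com is a CNAME pointing at a
// dynamic-DNS provider, as the lego log in this issue shows.
var cnameTable = map[string]string{
	"_acme-challenge.sub.example.com.": "example.dyndnsprovider.com.",
}

// Zones the (hypothetical) TSIG key acme-foo is allowed to update.
// The provider zone dyndnsprovider.com is deliberately not among them.
var tsigZones = []string{"example.com."}

// Hard cap on CNAME hops so a misconfigured loop cannot spin forever.
const maxCNAMEDepth = 8

// fqdn normalises a name to lower case with a trailing dot.
func fqdn(name string) string {
	name = strings.ToLower(strings.TrimSpace(name))
	if !strings.HasSuffix(name, ".") {
		name += "."
	}
	return name
}

// challengeName returns the name a DNS-01 solver queries for a domain:
// _acme-challenge.<domain>, with a leading "*." stripped for wildcards.
func challengeName(domain string) string {
	domain = strings.TrimPrefix(domain, "*.")
	return fqdn("_acme-challenge." + domain)
}

// resolveTarget returns the name at which the TXT record would be written.
// With followCNAME=true it walks CNAMEs from the challenge name (the
// behaviour seen in the log); with followCNAME=false it returns the
// challenge name itself, which is what disabling CNAME support gives you.
func resolveTarget(domain string, followCNAME bool, cnames map[string]string) (string, error) {
	name := challengeName(domain)
	if !followCNAME {
		return name, nil
	}
	for i := 0; i < maxCNAMEDepth; i++ {
		next, ok := cnames[name]
		if !ok {
			return name, nil
		}
		name = fqdn(next)
	}
	return "", fmt.Errorf("cname chain from %s exceeds %d hops", challengeName(domain), maxCNAMEDepth)
}

// inAuthorizedZone reports whether name lies inside a zone the TSIG key
// may update. A target outside every zone is what yields REFUSED.
func inAuthorizedZone(name string, zones []string) bool {
	name = fqdn(name)
	for _, z := range zones {
		z = fqdn(z)
		if name == z || strings.HasSuffix(name, "."+z) {
			return true
		}
	}
	return false
}

// preflight returns the update target and an error when the key held
// cannot update it, so the problem surfaces before an ACME order is placed.
func preflight(domain string, followCNAME bool) (string, error) {
	target, err := resolveTarget(domain, followCNAME, cnameTable)
	if err != nil {
		return "", err
	}
	if !inAuthorizedZone(target, tsigZones) {
		return target, fmt.Errorf("%s: update target %s is outside the TSIG key's zones %v; expect REFUSED, consider LEGO_DISABLE_CNAME_SUPPORT=true", domain, target, tsigZones)
	}
	return target, nil
}

func main() {
	for _, follow := range []bool{true, false} {
		for _, d := range []string{"sub.example.com", "*.sub.example.com"} {
			target, err := preflight(d, follow)
			fmt.Printf("follow_cname=%-5v %-20s -> %s err=%v\n", follow, d, target, err)
		}
	}
}
```

Against live DNS the constructed table would be replaced by a real CNAME lookup of _acme-challenge.sub.example.com. Note the other way out of this situation: if the CNAME is intentional (challenge delegation to the provider), the fix is a TSIG key and RFC2136_NAMESERVER for the zone that actually holds the target, rather than disabling CNAME support.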
