sgp:

Hi there!

I have some experience with issuing certs but have never issued them via lexicon/dehydrated (and obviously via confconsole). I'm using TKDC 18.1.
I have delegated my subdomain (dc1.example.com) to another provider (luadns), because my current one (desec) isn't supported by lexicon.

Now I was trying to issue a cert for dc1.example.com with dns-01 and got the following error: "lexicon.exceptions.AuthenticationError: No domain found". I've manually changed /usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/_private/providers/luadns.py for debugging purposes and got that self.domain is example.com (and not dc1.example.com). Then I've read that lexicon should be configured for the subdomain cases: https://dns-lexicon.github.io/dns-lexicon/user_guide.html#resolution-of-... . According to the docs, it can be solved via multiple ways (I would prefer passing --resolve-zone-name to lexicon, though).

So, my question is: how should I set confconsole to resolve zones? I could try to set the python venv var but:
1. I don't have much python experience. And even setting the venv var is giving me a hard time.
2. I have hope that there is already a more elegant solution present.

Jeremy Davis:

I haven't used a delegated subdomain, but given what you've shared and my reading of the lexicon docs, I think editing /etc/dehydrated/confconsole.hook.sh & adding the '--resolve-zone-name' switch to the call to 'turnkey-lexicon' (it's just a wrapper around 'lexicon' in the venv) should do the job.

In the meantime I'll open an issue re supporting your scenario. But please let me know how you go either way.

sgp:

Added "--resolve-zone-name" to both calls of turnkey-lexicon. Unfortunately, it didn't work (self.domain is still "example.com"). Moreover, I've checked confconsole.hook.sh after the issue-cert attempt, and there were no flags. Tried this multiple times. Seems like confconsole.hook.sh is getting regenerated before issuing a cert.

Jeremy Davis:

I think I know what is going on and owe you an apology. I didn't look closely enough at the code - most of which I wrote or at least refactored - *facepalm*

Looking closer at our dehydrated-wrapper script I can see that /etc/dehydrated/confconsole.hook.sh will always be overwritten by the relevant hook from /usr/share/confconsole.

I think that the easiest way for you to work around this for now is to do the same tweak you've already tried, but in the /usr/share/confconsole/dehydrated-confconsole.hook-dns-01.sh script instead. Assuming that I'm not missing something, when it overwrites /etc/dehydrated/confconsole.hook.sh it should overwrite it with your tweaked script.

FWIW tweaking /usr/share files is generally not a good idea. That's because they are owned by the relevant deb package. Installation (reinstall or update) of the relevant package will overwrite any files there without notice. In this instance I think that's an acceptable risk as any other way of working around this issue that I can think of will have the same issue.

The "proper" fix for this would be for me to add DNS delegation support to confconsole now and push an updated confconsole package to our repo and get you to install it. But I'm not yet exactly sure how to best make that update. I'd like to not just support your use case, but also ensure that any end user dehydrated hook script modifications are honored.

I'm pretty confident that that will work, but if it doesn't please let me know.

FYI this workaround will only become an issue if Confconsole is (re)installed and it doesn't have the noted changes AND you rerun the Confconsole Let's Encrypt plugin.

Assuming that my suggested tweak works, then it's unlikely that you will want to rerun the Let's Encrypt plugin any time soon. And assuming that I update Confconsole as I intend to (when I get a chance) even that won't be an issue.

sgp:

Edited /usr/share/confconsole/letsencrypt/dehydrated-confconsole.hook-dns-01.sh as you suggested. self.domain is still example.com (and not dc1.example.com).

I've checked /etc/dehydrated/confconsole.hook.sh after failure -- it seems like changes to dehydrated-confconsole.hook-dns-01.sh have been applied (you were right).

Now I don't even have suggestions. Should I look into turnkey-lexicon?

Jeremy Davis:

FWIW, I just had a quick look and it seems that both 'tldextract' (required for '--delegate') and 'dnspython' (required for '--resolve-zone-name') are installed in the lexicon venv. So with the right switch it should "just work".

I've also opened an issue: https://github.com/turnkeylinux/tracker/issues/2026
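As an added illustration (not code from this thread, from confconsole or from lexicon) of why the provider ends up with self.domain == example.com by default and what --resolve-zone-name changes: the default derives the registrable domain from the name's labels, while zone resolution walks up the name asking each ancestor for an SOA record. The zone data and the names FAKE_ZONES, fake_soa_lookup, registrable_domain, resolve_zone_name and live_soa_lookup are assumptions made for this example; live_soa_lookup uses dnspython, which the thread notes is present in the lexicon venv.

```python
"""Zone-name resolution for a DNS-01 challenge on a delegated subdomain.

Constructed example: 'dc1.example.com' is delegated and has its own SOA,
'example.com' is a separate zone. The lookup is injected so the logic runs
offline; a dnspython-based lookup is included for real use.
"""
from typing import Callable, Optional

# Constructed DNS data (an assumption): names that answer an SOA query,
# i.e. zone apexes.
FAKE_ZONES = {"example.com", "dc1.example.com"}


def fake_soa_lookup(name: str) -> bool:
    """Offline stand-in for an SOA query against the constructed data."""
    return name in FAKE_ZONES


def registrable_domain(fqdn: str) -> str:
    """Default behaviour (simplified tldextract): keep the last two labels.
    Assumes a single-label public suffix such as '.com'. This is why a
    delegated subdomain still yields 'example.com' as the zone."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve_zone_name(fqdn: str, soa_lookup: Callable[[str], bool]) -> Optional[str]:
    """What --resolve-zone-name does: walk up from the record name and return
    the first ancestor that has its own SOA record (the real zone apex)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never treat the bare TLD as a zone
        candidate = ".".join(labels[i:])
        if soa_lookup(candidate):
            return candidate
    return None


def live_soa_lookup(name: str) -> bool:
    """Real SOA query via dnspython (imported lazily; not needed offline)."""
    import dns.resolver
    try:
        dns.resolver.resolve(name, "SOA")
        return True
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.resolver.NoNameservers):
        return False


if __name__ == "__main__":
    record = "_acme-challenge.dc1.example.com"
    print("default :", registrable_domain(record))                  # example.com
    print("resolved:", resolve_zone_name(record, fake_soa_lookup))  # dc1.example.com
```

Swap fake_soa_lookup for live_soa_lookup to check a real delegation from a host with DNS access.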
