I am trying to set up SWAG for the first time. I use FreeDNS and am trying to get this container to generate a Wildcard cert for my domain from ZeroSSL using DNS validation. The trouble is, it never creates or updates any records at FreeDNS. I have entered my credentials in dns-conf/freedns.ini and chmod’d the file to 600 so the container log would stop complaining about that.
So, the issue is, it doesn’t ever complete domain validation and never issues a cert. Perhaps more importantly, I cannot find a log entry anywhere that indicates why it is failing or for what I should be looking at.
If I change it to issue for specific subdomains and do http validation it works fine. So I don’t think there is any issue with the ZeroSSL portion, just the domain validation with FreeDNS.
Can anyone help me find those logs so I can help myself diagnose the issue? At this point I am completely blind, not knowing much about this container and software stack. I am very familiar with DNS and PKI. Any help would be greatly appreciated.
Here is a scrubbed log from the container log output for what it’s worth.
chown: cannot dereference ‘/config/keys/letsencrypt’: No such file or directory
awk: /config/etc/letsencrypt/renewal/domain.com.conf: No such file or directory
awk: /config/etc/letsencrypt/renewal/domain.com.conf: No such file or directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name domain.com (expected /etc/letsencrypt/renewal/domain.com.conf).
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
All authorizations were not finalized by the CA.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done
───────────────────────────────────────
User UID: 99
User GID: 100
───────────────────────────────────────
generating self-signed keys in /config/keys, you can replace these with your own keys if required
**** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****
**** The app may not work properly and we will not provide support for it. ****
Variables set:
PUID=99
PGID=100
TZ=America/Denver
URL=domain.com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=dns
CERTPROVIDER=zerossl
DNSPLUGIN=freedns
EMAIL=email@domain.com
STAGING=true
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
ZeroSSL does not support staging mode, ignoring STAGING variable
ZeroSSL is selected as the cert provider, registering cert with email@domain.com
SUBDOMAINS entered, processing
Wildcard cert for domain.com will be requested
E-mail address entered: email@domain.com
dns validation via freedns plugin is selected
Retrieving EAB from ZeroSSL
Generating new certificate
Account registered.
Requesting a certificate for *.domain.com
Waiting 120 seconds for DNS changes to propagate
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/freedns.ini file.
As far as I know, none of my referenced volumes are remote or read only, so I am not sure what that log entry is all about. Permissions look good from the review I have done so far.
That log doesn’t even exist/get written on my system by the way.
That produces the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log <----Again, file doesn’t exist
Plugins selected: Authenticator dns-freedns, Installer cpanel
Requesting a certificate for *.domain.com
Performing the following challenges:
dns-01 challenge for domain.com
insert new txt record <------ This never gets created, or at least I never see it in my management panel
Waiting 120 seconds for DNS changes to propagate
This timer does not seem to be honored at all. Whatever mine is getting hung up on waits for much longer than 2 minutes, probably closer to 30, though I haven’t timed it yet. Even if I adjust the timeout, it doesn’t honor my setting and hangs forever before producing the final message shown in my second post.
As you can see from your logs, you are not running a supported config. I suggest you join Discord, open a thread, and provide your docker compose and container logs, and we go from there.
I suspect you are using a remote mount for /config, which we do not support or recommend.
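An added example, not from the original thread or from the SWAG project, of the host-side checks that narrow down a failure like this: the plugin credentials file (mode 600, as the container log requires), the filesystem type behind the /config mount, and whether the dns-01 TXT record that certbot reports inserting is actually visible at the domain’s authoritative nameservers within the propagation wait. It assumes a Linux host with GNU coreutils and dig; the paths are taken from the log above, and the sample ini content is constructed.

```shell
#!/bin/sh
# Constructed checks for the failure points in the thread. Assumes a Linux
# host (GNU stat) and dig on the PATH; paths come from the container log.

# Return 0 if the credentials file exists, is a regular file, is mode 0600
# and has at least one key=value line; print the reason on failure.
check_ini_perms() {
  f="$1"
  if [ ! -f "$f" ]; then echo "missing: $f"; return 1; fi
  mode=$(stat -c '%a' "$f")
  if [ "$mode" != "600" ]; then echo "mode $mode on $f (want 600)"; return 1; fi
  if ! grep -q '=' "$f"; then echo "no key=value entries in $f"; return 1; fi
  return 0
}

# Return 0 if the filesystem holding $1 is local. The container warns about
# remote or read-only volumes; NFS/CIFS/FUSE mounts show up here.
check_local_mount() {
  fstype=$(stat -f -c '%T' "$1") || return 1
  case "$fstype" in
    nfs|nfs4|cifs|smb2|fuseblk|fuse) echo "remote/fuse fs: $fstype"; return 1 ;;
  esac
  return 0
}

# Poll every authoritative nameserver for the dns-01 challenge record that
# certbot's "insert new txt record" step should have created. Returns 0 as
# soon as one server answers with a TXT record, 1 after $2 seconds (default
# 120, matching the container's propagation wait).
check_acme_txt() {
  domain="$1"; budget="${2:-120}"; elapsed=0
  ns_list=$(dig +short NS "$domain")
  [ -n "$ns_list" ] || { echo "no NS records for $domain"; return 1; }
  while [ "$elapsed" -lt "$budget" ]; do
    for ns in $ns_list; do
      if dig +short @"$ns" TXT "_acme-challenge.$domain" | grep -q '"'; then
        echo "TXT present at $ns"; return 0
      fi
    done
    sleep 10; elapsed=$((elapsed + 10))
  done
  echo "no _acme-challenge.$domain TXT at authoritative servers after ${budget}s"
  return 1
}
```

Run `check_ini_perms /config/dns-conf/freedns.ini`, `check_local_mount /config` and `check_acme_txt domain.com` on the Docker host while the container is inside its 120-second wait; a missing TXT record at that point means the plugin never wrote it, independent of the CA.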